Mail archive
alpine-aports

[alpine-aports] [PATCH] main/xen: upgrade to 4.9.1

From: Daniel Sabogal <dsabogalcc_at_gmail.com>
Date: Sun, 26 Nov 2017 19:05:42 -0500

Security fixes for all applicable XSAs up to (and including) XSA-245
Upstream rombios makefile now enforces non-PIC/PIE mode
---
 main/xen/APKBUILD             |  63 +-----
 main/xen/rombios-no-pie.patch |  22 --
 main/xen/xsa226-1.patch       | 149 -------------
 main/xen/xsa226-2.patch       | 280 ------------------------
 main/xen/xsa227.patch         |  52 -----
 main/xen/xsa228.patch         | 198 -----------------
 main/xen/xsa230.patch         |  38 ----
 main/xen/xsa231-4.9.patch     | 108 ---------
 main/xen/xsa232.patch         |  23 --
 main/xen/xsa233.patch         |  52 -----
 main/xen/xsa234-4.9.patch     | 192 ----------------
 main/xen/xsa235-4.9.patch     |  49 -----
 main/xen/xsa236-4.9.patch     |  66 ------
 main/xen/xsa237-1.patch       |  27 ---
 main/xen/xsa237-2.patch       |  66 ------
 main/xen/xsa237-3.patch       |  55 -----
 main/xen/xsa237-4.patch       | 124 -----------
 main/xen/xsa237-5.patch       |  37 ----
 main/xen/xsa238.patch         |  45 ----
 main/xen/xsa239.patch         |  46 ----
 main/xen/xsa240-1.patch       | 494 ------------------------------------------
 main/xen/xsa240-2.patch       |  83 -------
 main/xen/xsa241-4.9.patch     | 120 ----------
 main/xen/xsa242-4.9.patch     |  43 ----
 main/xen/xsa243-1.patch       |  93 --------
 main/xen/xsa243-2.patch       |  54 -----
 main/xen/xsa244.patch         |  59 -----
 main/xen/xsa245-1.patch       |  48 ----
 main/xen/xsa245-2.patch       |  73 -------
 29 files changed, 3 insertions(+), 2756 deletions(-)
 delete mode 100644 main/xen/rombios-no-pie.patch
 delete mode 100644 main/xen/xsa226-1.patch
 delete mode 100644 main/xen/xsa226-2.patch
 delete mode 100644 main/xen/xsa227.patch
 delete mode 100644 main/xen/xsa228.patch
 delete mode 100644 main/xen/xsa230.patch
 delete mode 100644 main/xen/xsa231-4.9.patch
 delete mode 100644 main/xen/xsa232.patch
 delete mode 100644 main/xen/xsa233.patch
 delete mode 100644 main/xen/xsa234-4.9.patch
 delete mode 100644 main/xen/xsa235-4.9.patch
 delete mode 100644 main/xen/xsa236-4.9.patch
 delete mode 100644 main/xen/xsa237-1.patch
 delete mode 100644 main/xen/xsa237-2.patch
 delete mode 100644 main/xen/xsa237-3.patch
 delete mode 100644 main/xen/xsa237-4.patch
 delete mode 100644 main/xen/xsa237-5.patch
 delete mode 100644 main/xen/xsa238.patch
 delete mode 100644 main/xen/xsa239.patch
 delete mode 100644 main/xen/xsa240-1.patch
 delete mode 100644 main/xen/xsa240-2.patch
 delete mode 100644 main/xen/xsa241-4.9.patch
 delete mode 100644 main/xen/xsa242-4.9.patch
 delete mode 100644 main/xen/xsa243-1.patch
 delete mode 100644 main/xen/xsa243-2.patch
 delete mode 100644 main/xen/xsa244.patch
 delete mode 100644 main/xen/xsa245-1.patch
 delete mode 100644 main/xen/xsa245-2.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 19d4fbd78e..e128a57be4 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
_at_@ -2,8 +2,8 @@
 # Contributor: Roger Pau Monne <roger.pau_at_entel.upc.edu>
 # Maintainer: William Pitcock <nenolod_at_dereferenced.org>
 pkgname=xen
-pkgver=4.9.0
-pkgrel=8
+pkgver=4.9.1
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf aarch64"
_at_@ -145,39 +145,10 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
 	http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
 	http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
 
-	xsa226-1.patch
-	xsa226-2.patch
-	xsa227.patch
-	xsa228.patch
-	xsa230.patch
-	xsa231-4.9.patch
-	xsa232.patch
-	xsa233.patch
-	xsa234-4.9.patch
-	xsa235-4.9.patch
-	xsa236-4.9.patch
-	xsa237-1.patch
-	xsa237-2.patch
-	xsa237-3.patch
-	xsa237-4.patch
-	xsa237-5.patch
-	xsa238.patch
-	xsa239.patch
-	xsa240-1.patch
-	xsa240-2.patch
-	xsa241-4.9.patch
-	xsa242-4.9.patch
-	xsa243-1.patch
-	xsa243-2.patch
-	xsa244.patch
-	xsa245-1.patch
-	xsa245-2.patch
-
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
 
 	hotplug-vif-vtrill.patch
-	rombios-no-pie.patch
 
 	musl-support.patch
 	musl-hvmloader-fix-stdint.patch
_at_@ -422,7 +393,7 @@ EOF
 
 }
 
-sha512sums="97f8075c49ef9ec0adbe95106c0cff4f9379578fd568777697565476c3fd948335d72ddcacf8be65fd9db219c0a35dcdc007f355f7e5874dd950fd4c0a0f966f  xen-4.9.0.tar.gz
+sha512sums="9d22f0aa5dcd01a1c105d17c14bce570cc597e884ddb9b4a46b80a72f647625b76ae5213cede423d0458c14e1906983595a9269bb6e6ff2e9e7e4dea840f4274  xen-4.9.1.tar.gz
 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf  gmp-4.3.2.tar.bz2
 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb  grub-0.97.tar.gz
 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d  lwip-1.3.0.tar.gz
_at_@ -432,37 +403,9 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35  tpm_emulator-0.7.4.tar.gz
 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e  zlib-1.2.3.tar.gz
 82ba65e1c676d32b29c71e6395c9506cab952c8f8b03f692e2b50133be8f0c0146d0f22c223262d81a4df579986fde5abc6507869f4965be4846297ef7b4b890  ipxe-git-827dd1bfee67daa683935ce65316f7e0f057fe1c.tar.gz
-45fed43bbdcf63fc3ded0a2629e27a5d58306a244dba2e005cf8814aa50cde962c41e5e72075a1d678eb9c18af17e1cbf078884214fd29df0ad551977c9880c2  xsa226-1.patch
-4d1e729c592efefd705233b49484991801606b2122a64ff14abbf994bb3e77ec75c4989d43753ce2043cc4fe13d34fb1cef7ee1adb291ff16625bb3b125e5508  xsa226-2.patch
-7d66494e833d46f8a213af0f2b107a12617d5e8b45c3b07daee229c75bd6aad98284bc0e19f15706d044b58273cc7f0c193ef8553faa22fadeae349689e763c8  xsa227.patch
-d406f14531af707325790909d08ce299ac2f2cb4b87f9a8ddb0fba10bd83bed84cc1633e07632cc2f841c50bc1a9af6240c89539a2e6ba6028cb127e218f86fc  xsa228.patch
-df174a1675f74b73e78bc3cb1c9f16536199dfd1922c0cc545a807e92bc24941a816891838258e118f477109548487251a7eaccb2d1dd9b6994c8c76fc5b058f  xsa230.patch
-7ef6637112c3d24a3541d40ca79b8d5ed8a152401c8b7bfa4cde3e2e264544ba22d27c199d58f24616af2228f5e4075c2af2744d21a70b8cb4d4b1f1a7feedde  xsa231-4.9.patch
-fb742225a4f3dbf2a574c4a6e3ef61a5da0c91aaeed77a2247023bdefcd4e0b6c08f1c9ffb42eaac3d38739c401443c3cf7aebb507b1d779c415b6cbffabbc10  xsa232.patch
-a322ac6c5ac2f858a59096108032fd42974eaaeeebd8f4966119149665f32bed281e333e743136e79add2e6f3844d88b6a3e4d5a685c2808702fd3a9e6396cd4  xsa233.patch
-cafeef137cd82cefc3e974b42b974c6562e822c9b359efb654ac374e663d9fc123be210eec17b278f40eabb77c93d3bf0ff03e445607159ad0712808a609a906  xsa234-4.9.patch
-8bab6e59577b51f0c6b8a547c9a37a257bd0460e7219512e899d25f80a74084745d2a4c54e55ad12526663d40f218cb8f833b71350220d36e3750d002ff43d29  xsa235-4.9.patch
-a951c3d29a6b05b42021bd49419becff51123a245256659240a3af5701bbf51e7d3c1a79835a7cc9a5fdf7c1c6aa330a35a586cb56d69d847c256642f0fc8e55  xsa236-4.9.patch
-a447b4f0a5379da46b5f0eb5b77eab07c3cfe8d303af6e116e03c7d88a9fc9ea154043165631d29248c07516ab8fdfd5de4da1ccf0ab7358d90fb7f9c87bf221  xsa237-1.patch
-10f2d84f783fb8bae5a39c463a32f4ac5d4d2614a7eecf109dcccd5418b8ec5e523691e79b3578d9c7b113f368a94d360acb9534808c440852a91c36369f88fd  xsa237-2.patch
-50607fca2e02eed322927e0288c77e7a6c541794fa2c70c78ada0c2fa762b5ad0f3b5108ecb9f01d8826f89dab492d56c502236c70234e6ba741e94a39356ea3  xsa237-3.patch
-c8aab545cd4118e74cbb2010f0a844e88608d44bd3117e765221445a8007a0dfa9ee0f4d5c10c3cd7f307a8b7718d896b928c4e06449dc63f7cfec7a10d356bb  xsa237-4.patch
-d3dfb9208deb6fc2be949e34fc1be84fbed1269bd99b8b31c176da34cc916c50955c7768b4aac75dbe4377634ae5d8390a03e0ff5ffa2ad00b9fab788449deaa  xsa237-5.patch
-b154c0925bbceab40e8f3b689e2d1fb321b42c685fdcb6bd29b0411ccd856731480a2fbb8025c633f9edf34cec938e5d8888cc71e8158212c078bb595d07a29d  xsa238.patch
-8b09cd12c7adfef69a02a2965cda22ef6499fd42c8a84a20a6af231f422a6e8a0e597501c327532e1580c1067ee4bf35579e3cf98dee9302ed34ba87f74bf6d2  xsa239.patch
-e209e629757b3471eae415913c34c662882172daad634083ee29823c2cb3f00e98886352085c1afc5d0f622781e65fae7b41ebfcbe6fd5e37c428337f5d2506c  xsa240-1.patch
-344519cd83ad13245de0e183b7afe564597b30d20756e44f98c0a00df55020d7ef85b92e71701c9791842a48cec93e0fcb9bfba2443313b3aafd8d21ea36abf4  xsa240-2.patch
-560d8062b5683b6533a67eebafdd81e6a9d2c9194cc9f9b1404544503238d4f1d98bccb1afac477f6a55ffbc67cf9629a43fd67a745ca9093e2adc0478dd0ddb  xsa241-4.9.patch
-86aa763949ca36a36120a40eafbdf3a8e8bc04acd32ee6bc1e3ae90b189b86b9b166b81a9e0a4f86a7eb1fcc8723ae8ba6bd0f84fa9732e7e4e1ccea45d0b7c1  xsa242-4.9.patch
-9f269e262aa67ff9a304ed6fc64ee9c5c9f6fd606d520fc2614cd173cddc9735ad42f91a97b91f1b9c5368d54d514820937edd0ce302dc3839b426398dc6b700  xsa243-1.patch
-8aaf0599259b1ff34171684467089da4a26af8fe67eedf22066955b34b2460c45abdf0f19a5a5e3dd3231b944674c62b9d3112ad7d765afc4bdbcdcfbad226e1  xsa243-2.patch
-0fd35e74be6f049f1f376aa8295b14f57b92f5e45e7487e5b485c2b8f6faa2950d0fe7d8a863692b3dab8a3a7ef1d9dd94be2c6b55d01802b0d86c84d2fa9e29  xsa244.patch
-b19197934e8685fc2af73f404b5c8cbed66d9241e5ff902d1a77fdc227e001a13b775a53d6e303d5f27419f5590561c84ec69409152d9773a5e6050c16e92f1b  xsa245-1.patch
-75369673232b2107b59dc0242d6fc224c016b9dcbf3299eab90a1d7c365d617fbc91f7b25075b394fee92782db37ce83c416387fa5ad4c4fcd51d0775a8a754f  xsa245-2.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
-5514d7697c87f7d54d64723d44446b9bd84f6c984e763bd21d4eeaf502bf0c5b765f7b2180f8ca496b3baf97e7efd600b1cc1fdd1284b6ecbffe9846190ca069  rombios-no-pie.patch
 e635cf27ca022ca5bc829e089b5e9a3ce9e566d4701d06bc38a22e356de45a71bc33e170d6db333d4efe8389144419cc27834a2eee0bcae9118d4ca9aff64306  musl-support.patch
 77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea  musl-hvmloader-fix-stdint.patch
 8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff  stdint_local.h
diff --git a/main/xen/rombios-no-pie.patch b/main/xen/rombios-no-pie.patch
deleted file mode 100644
index 6387f4ef47..0000000000
--- a/main/xen/rombios-no-pie.patch
+++ /dev/null
_at_@ -1,22 +0,0 @@
---- ./tools/firmware/rombios/32bit/tcgbios/Makefile.orig
-+++ ./tools/firmware/rombios/32bit/tcgbios/Makefile
-_at_@ -3,7 +3,7 @@
- 
- TARGET  = tcgbiosext.o
- 
--CFLAGS += $(CFLAGS_xeninclude) -I.. -I../.. -I../../../../libacpi
-+CFLAGS += $(CFLAGS_xeninclude) -I.. -I../.. -I../../../../libacpi -fno-pie
- 
- .PHONY: all
- all: $(TARGET)
---- ./tools/firmware/rombios/32bit/Makefile.orig
-+++ ./tools/firmware/rombios/32bit/Makefile
-_at_@ -3,7 +3,7 @@
- 
- TARGET = 32bitbios_flat.h
- 
--CFLAGS += $(CFLAGS_xeninclude) -I.. -I../../../libacpi
-+CFLAGS += $(CFLAGS_xeninclude) -I.. -I../../../libacpi -fno-pie
- 
- SUBDIRS = tcgbios
- 
diff --git a/main/xen/xsa226-1.patch b/main/xen/xsa226-1.patch
deleted file mode 100644
index d60bbe2db1..0000000000
--- a/main/xen/xsa226-1.patch
+++ /dev/null
_at_@ -1,149 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: gnttab: don't use possibly unbounded tail calls
-
-There is no guarantee that the compiler would actually translate them
-to branches instead of calls, so only ones with a known recursion limit
-are okay:
-- __release_grant_for_copy() can call itself only once, as
-  __acquire_grant_for_copy() won't permit use of multi-level transitive
-  grants,
-- __acquire_grant_for_copy() is fine to call itself with the last
-  argument false, as that prevents further recursion,
-- __acquire_grant_for_copy() must not call itself to recover from an
-  observed change to the active entry's pin count
-
-This is part of CVE-2017-12135 / XSA-226.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/common/compat/grant_table.c
-+++ b/xen/common/compat/grant_table.c
-_at_@ -258,9 +258,9 @@ int compat_grant_table_op(unsigned int cmd,
-                 rc = gnttab_copy(guest_handle_cast(nat.uop, gnttab_copy_t), n);
-             if ( rc > 0 )
-             {
--                ASSERT(rc < n);
--                i -= n - rc;
--                n = rc;
-+                ASSERT(rc <= n);
-+                i -= rc;
-+                n -= rc;
-             }
-             if ( rc >= 0 )
-             {
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -2103,8 +2103,10 @@ __release_grant_for_copy(
- 
-     if ( td != rd )
-     {
--        /* Recursive calls, but they're tail calls, so it's
--           okay. */
-+        /*
-+         * Recursive calls, but they're bounded (acquire permits only a single
-+         * level of transitivity), so it's okay.
-+         */
-         if ( released_write )
-             __release_grant_for_copy(td, trans_gref, 0);
-         else if ( released_read )
-_at_@ -2255,10 +2257,11 @@ __acquire_grant_for_copy(
-                 return rc;
-             }
- 
--            /* We dropped the lock, so we have to check that nobody
--               else tried to pin (or, for that matter, unpin) the
--               reference in *this* domain.  If they did, just give up
--               and try again. */
-+            /*
-+             * We dropped the lock, so we have to check that nobody else tried
-+             * to pin (or, for that matter, unpin) the reference in *this*
-+             * domain.  If they did, just give up and tell the caller to retry.
-+             */
-             if ( act->pin != old_pin )
-             {
-                 __fixup_status_for_copy_pin(act, status);
-_at_@ -2266,9 +2269,8 @@ __acquire_grant_for_copy(
-                 active_entry_release(act);
-                 grant_read_unlock(rgt);
-                 put_page(*page);
--                return __acquire_grant_for_copy(rd, gref, ldom, readonly,
--                                                frame, page, page_off, length,
--                                                allow_transitive);
-+                *page = NULL;
-+                return ERESTART;
-             }
- 
-             /* The actual remote remote grant may or may not be a
-_at_@ -2574,7 +2576,7 @@ static int gnttab_copy_one(const struct
-     {
-         gnttab_copy_release_buf(src);
-         rc = gnttab_copy_claim_buf(op, &op->source, src, GNTCOPY_source_gref);
--        if ( rc < 0 )
-+        if ( rc )
-             goto out;
-     }
- 
-_at_@ -2584,7 +2586,7 @@ static int gnttab_copy_one(const struct
-     {
-         gnttab_copy_release_buf(dest);
-         rc = gnttab_copy_claim_buf(op, &op->dest, dest, GNTCOPY_dest_gref);
--        if ( rc < 0 )
-+        if ( rc )
-             goto out;
-     }
- 
-_at_@ -2593,6 +2595,14 @@ static int gnttab_copy_one(const struct
-     return rc;
- }
- 
-+/*
-+ * gnttab_copy(), other than the various other helpers of
-+ * do_grant_table_op(), returns (besides possible error indicators)
-+ * "count - i" rather than "i" to ensure that even if no progress
-+ * was made at all (perhaps due to gnttab_copy_one() returning a
-+ * positive value) a non-zero value is being handed back (zero needs
-+ * to be avoided, as that means "success, all done").
-+ */
- static long gnttab_copy(
-     XEN_GUEST_HANDLE_PARAM(gnttab_copy_t) uop, unsigned int count)
- {
-_at_@ -2606,7 +2616,7 @@ static long gnttab_copy(
-     {
-         if ( i && hypercall_preempt_check() )
-         {
--            rc = i;
-+            rc = count - i;
-             break;
-         }
- 
-_at_@ -2616,13 +2626,20 @@ static long gnttab_copy(
-             break;
-         }
- 
--        op.status = gnttab_copy_one(&op, &dest, &src);
--        if ( op.status != GNTST_okay )
-+        rc = gnttab_copy_one(&op, &dest, &src);
-+        if ( rc > 0 )
-+        {
-+            rc = count - i;
-+            break;
-+        }
-+        if ( rc != GNTST_okay )
-         {
-             gnttab_copy_release_buf(&src);
-             gnttab_copy_release_buf(&dest);
-         }
- 
-+        op.status = rc;
-+        rc = 0;
-         if ( unlikely(__copy_field_to_guest(uop, &op, status)) )
-         {
-             rc = -EFAULT;
-_at_@ -3160,6 +3177,7 @@ do_grant_table_op(
-         rc = gnttab_copy(copy, count);
-         if ( rc > 0 )
-         {
-+            rc = count - rc;
-             guest_handle_add_offset(copy, rc);
-             uop = guest_handle_cast(copy, void);
-         }
diff --git a/main/xen/xsa226-2.patch b/main/xen/xsa226-2.patch
deleted file mode 100644
index 2cf93bdd29..0000000000
--- a/main/xen/xsa226-2.patch
+++ /dev/null
_at_@ -1,280 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: gnttab: fix transitive grant handling
-
-Processing of transitive grants must not use the fast path, or else
-reference counting breaks due to the skipped recursive call to
-__acquire_grant_for_copy() (its __release_grant_for_copy()
-counterpart occurs independent of original pin count). Furthermore
-after re-acquiring temporarily dropped locks we need to verify no grant
-properties changed if the original pin count was non-zero; checking
-just the pin counts is sufficient only for well-behaved guests. As a
-result, __release_grant_for_copy() needs to mirror that new behavior.
-
-Furthermore a __release_grant_for_copy() invocation was missing on the
-retry path of __acquire_grant_for_copy(), and gnttab_set_version() also
-needs to bail out upon encountering a transitive grant.
-
-This is part of CVE-2017-12135 / XSA-226.
-
-Reported-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -2050,13 +2050,8 @@ __release_grant_for_copy(
-     unsigned long r_frame;
-     uint16_t *status;
-     grant_ref_t trans_gref;
--    int released_read;
--    int released_write;
-     struct domain *td;
- 
--    released_read = 0;
--    released_write = 0;
--
-     grant_read_lock(rgt);
- 
-     act = active_entry_acquire(rgt, gref);
-_at_@ -2086,17 +2081,11 @@ __release_grant_for_copy(
- 
-         act->pin -= GNTPIN_hstw_inc;
-         if ( !(act->pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)) )
--        {
--            released_write = 1;
-             gnttab_clear_flag(_GTF_writing, status);
--        }
-     }
- 
-     if ( !act->pin )
--    {
-         gnttab_clear_flag(_GTF_reading, status);
--        released_read = 1;
--    }
- 
-     active_entry_release(act);
-     grant_read_unlock(rgt);
-_at_@ -2104,13 +2093,10 @@ __release_grant_for_copy(
-     if ( td != rd )
-     {
-         /*
--         * Recursive calls, but they're bounded (acquire permits only a single
-+         * Recursive call, but it is bounded (acquire permits only a single
-          * level of transitivity), so it's okay.
-          */
--        if ( released_write )
--            __release_grant_for_copy(td, trans_gref, 0);
--        else if ( released_read )
--            __release_grant_for_copy(td, trans_gref, 1);
-+        __release_grant_for_copy(td, trans_gref, readonly);
- 
-         rcu_unlock_domain(td);
-     }
-_at_@ -2184,8 +2170,108 @@ __acquire_grant_for_copy(
-                  act->domid, ldom, act->pin);
- 
-     old_pin = act->pin;
--    if ( !act->pin ||
--         (!readonly && !(act->pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask))) )
-+    if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive )
-+    {
-+        if ( (!old_pin || (!readonly &&
-+                           !(old_pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)))) &&
-+             (rc = _set_status_v2(ldom, readonly, 0, shah, act,
-+                                  status)) != GNTST_okay )
-+            goto unlock_out;
-+
-+        if ( !allow_transitive )
-+            PIN_FAIL(unlock_out_clear, GNTST_general_error,
-+                     "transitive grant when transitivity not allowed\n");
-+
-+        trans_domid = sha2->transitive.trans_domid;
-+        trans_gref = sha2->transitive.gref;
-+        barrier(); /* Stop the compiler from re-loading
-+                      trans_domid from shared memory */
-+        if ( trans_domid == rd->domain_id )
-+            PIN_FAIL(unlock_out_clear, GNTST_general_error,
-+                     "transitive grants cannot be self-referential\n");
-+
-+        /*
-+         * We allow the trans_domid == ldom case, which corresponds to a
-+         * grant being issued by one domain, sent to another one, and then
-+         * transitively granted back to the original domain.  Allowing it
-+         * is easy, and means that you don't need to go out of your way to
-+         * avoid it in the guest.
-+         */
-+
-+        /* We need to leave the rrd locked during the grant copy. */
-+        td = rcu_lock_domain_by_id(trans_domid);
-+        if ( td == NULL )
-+            PIN_FAIL(unlock_out_clear, GNTST_general_error,
-+                     "transitive grant referenced bad domain %d\n",
-+                     trans_domid);
-+
-+        /*
-+         * __acquire_grant_for_copy() could take the lock on the
-+         * remote table (if rd == td), so we have to drop the lock
-+         * here and reacquire.
-+         */
-+        active_entry_release(act);
-+        grant_read_unlock(rgt);
-+
-+        rc = __acquire_grant_for_copy(td, trans_gref, rd->domain_id,
-+                                      readonly, &grant_frame, page,
-+                                      &trans_page_off, &trans_length, 0);
-+
-+        grant_read_lock(rgt);
-+        act = active_entry_acquire(rgt, gref);
-+
-+        if ( rc != GNTST_okay )
-+        {
-+            __fixup_status_for_copy_pin(act, status);
-+            rcu_unlock_domain(td);
-+            active_entry_release(act);
-+            grant_read_unlock(rgt);
-+            return rc;
-+        }
-+
-+        /*
-+         * We dropped the lock, so we have to check that the grant didn't
-+         * change, and that nobody else tried to pin/unpin it. If anything
-+         * changed, just give up and tell the caller to retry.
-+         */
-+        if ( rgt->gt_version != 2 ||
-+             act->pin != old_pin ||
-+             (old_pin && (act->domid != ldom || act->frame != grant_frame ||
-+                          act->start != trans_page_off ||
-+                          act->length != trans_length ||
-+                          act->trans_domain != td ||
-+                          act->trans_gref != trans_gref ||
-+                          !act->is_sub_page)) )
-+        {
-+            __release_grant_for_copy(td, trans_gref, readonly);
-+            __fixup_status_for_copy_pin(act, status);
-+            rcu_unlock_domain(td);
-+            active_entry_release(act);
-+            grant_read_unlock(rgt);
-+            put_page(*page);
-+            *page = NULL;
-+            return ERESTART;
-+        }
-+
-+        if ( !old_pin )
-+        {
-+            act->domid = ldom;
-+            act->start = trans_page_off;
-+            act->length = trans_length;
-+            act->trans_domain = td;
-+            act->trans_gref = trans_gref;
-+            act->frame = grant_frame;
-+            act->gfn = -1ul;
-+            /*
-+             * The actual remote remote grant may or may not be a sub-page,
-+             * but we always treat it as one because that blocks mappings of
-+             * transitive grants.
-+             */
-+            act->is_sub_page = 1;
-+        }
-+    }
-+    else if ( !old_pin ||
-+              (!readonly && !(old_pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask))) )
-     {
-         if ( (rc = _set_status(rgt->gt_version, ldom,
-                                readonly, 0, shah, act,
-_at_@ -2206,79 +2292,6 @@ __acquire_grant_for_copy(
-             trans_page_off = 0;
-             trans_length = PAGE_SIZE;
-         }
--        else if ( (shah->flags & GTF_type_mask) == GTF_transitive )
--        {
--            if ( !allow_transitive )
--                PIN_FAIL(unlock_out_clear, GNTST_general_error,
--                         "transitive grant when transitivity not allowed\n");
--
--            trans_domid = sha2->transitive.trans_domid;
--            trans_gref = sha2->transitive.gref;
--            barrier(); /* Stop the compiler from re-loading
--                          trans_domid from shared memory */
--            if ( trans_domid == rd->domain_id )
--                PIN_FAIL(unlock_out_clear, GNTST_general_error,
--                         "transitive grants cannot be self-referential\n");
--
--            /* We allow the trans_domid == ldom case, which
--               corresponds to a grant being issued by one domain, sent
--               to another one, and then transitively granted back to
--               the original domain.  Allowing it is easy, and means
--               that you don't need to go out of your way to avoid it
--               in the guest. */
--
--            /* We need to leave the rrd locked during the grant copy */
--            td = rcu_lock_domain_by_id(trans_domid);
--            if ( td == NULL )
--                PIN_FAIL(unlock_out_clear, GNTST_general_error,
--                         "transitive grant referenced bad domain %d\n",
--                         trans_domid);
--
--            /*
--             * __acquire_grant_for_copy() could take the lock on the
--             * remote table (if rd == td), so we have to drop the lock
--             * here and reacquire
--             */
--            active_entry_release(act);
--            grant_read_unlock(rgt);
--
--            rc = __acquire_grant_for_copy(td, trans_gref, rd->domain_id,
--                                          readonly, &grant_frame, page,
--                                          &trans_page_off, &trans_length, 0);
--
--            grant_read_lock(rgt);
--            act = active_entry_acquire(rgt, gref);
--
--            if ( rc != GNTST_okay ) {
--                __fixup_status_for_copy_pin(act, status);
--                rcu_unlock_domain(td);
--                active_entry_release(act);
--                grant_read_unlock(rgt);
--                return rc;
--            }
--
--            /*
--             * We dropped the lock, so we have to check that nobody else tried
--             * to pin (or, for that matter, unpin) the reference in *this*
--             * domain.  If they did, just give up and tell the caller to retry.
--             */
--            if ( act->pin != old_pin )
--            {
--                __fixup_status_for_copy_pin(act, status);
--                rcu_unlock_domain(td);
--                active_entry_release(act);
--                grant_read_unlock(rgt);
--                put_page(*page);
--                *page = NULL;
--                return ERESTART;
--            }
--
--            /* The actual remote remote grant may or may not be a
--               sub-page, but we always treat it as one because that
--               blocks mappings of transitive grants. */
--            is_sub_page = 1;
--            act->gfn = -1ul;
--        }
-         else if ( !(sha2->hdr.flags & GTF_sub_page) )
-         {
-             rc = __get_paged_frame(sha2->full_page.frame, &grant_frame, page, readonly, rd);
-_at_@ -2710,10 +2723,13 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
-     case 2:
-         for ( i = 0; i < GNTTAB_NR_RESERVED_ENTRIES; i++ )
-         {
--            if ( ((shared_entry_v2(gt, i).hdr.flags & GTF_type_mask) ==
--                  GTF_permit_access) &&
--                 (shared_entry_v2(gt, i).full_page.frame >> 32) )
-+            switch ( shared_entry_v2(gt, i).hdr.flags & GTF_type_mask )
-             {
-+            case GTF_permit_access:
-+                 if ( !(shared_entry_v2(gt, i).full_page.frame >> 32) )
-+                     break;
-+                 /* fall through */
-+            case GTF_transitive:
-                 gdprintk(XENLOG_WARNING,
-                          "tried to change grant table version to 1 with non-representable entries\n");
-                 res = -ERANGE;
diff --git a/main/xen/xsa227.patch b/main/xen/xsa227.patch
deleted file mode 100644
index 86aa41e2d4..0000000000
--- a/main/xen/xsa227.patch
+++ /dev/null
_at_@ -1,52 +0,0 @@
-From fa7268b94f8a0a7792ee12d5b8e23a60e52a3a84 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Date: Tue, 20 Jun 2017 19:18:54 +0100
-Subject: [PATCH] x86/grant: Disallow misaligned PTEs
-
-Pagetable entries must be aligned to function correctly.  Disallow attempts
-from the guest to have a grant PTE created at a misaligned address, which
-would result in corruption of the L1 table with largely-guest-controlled
-values.
-
-This is XSA-227
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
----
- xen/arch/x86/mm.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 97b3b4b..00f517a 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -3763,6 +3763,9 @@ static int create_grant_pte_mapping(
-     l1_pgentry_t ol1e;
-     struct domain *d = v->domain;
- 
-+    if ( !IS_ALIGNED(pte_addr, sizeof(nl1e)) )
-+        return GNTST_general_error;
-+
-     adjust_guest_l1e(nl1e, d);
- 
-     gmfn = pte_addr >> PAGE_SHIFT;
-_at_@ -3819,6 +3822,16 @@ static int destroy_grant_pte_mapping(
-     struct page_info *page;
-     l1_pgentry_t ol1e;
- 
-+    /*
-+     * addr comes from Xen's active_entry tracking so isn't guest controlled,
-+     * but it had still better be PTE-aligned.
-+     */
-+    if ( !IS_ALIGNED(addr, sizeof(ol1e)) )
-+    {
-+        ASSERT_UNREACHABLE();
-+        return GNTST_general_error;
-+    }
-+
-     gmfn = addr >> PAGE_SHIFT;
-     page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
- 
--- 
-2.1.4
-
diff --git a/main/xen/xsa228.patch b/main/xen/xsa228.patch
deleted file mode 100644
index 65add3a588..0000000000
--- a/main/xen/xsa228.patch
+++ /dev/null
_at_@ -1,198 +0,0 @@
-From 9a52c78eb4ff7836bf7ac9ecd918b289cead1f3f Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich_at_suse.com>
-Date: Mon, 31 Jul 2017 15:17:56 +0100
-Subject: [PATCH] gnttab: split maptrack lock to make it fulfill its purpose
- again
-
-The way the lock is currently being used in get_maptrack_handle(), it
-protects only the maptrack limit: The function acts on current's list
-only, so races on list accesses are impossible even without the lock.
-
-Otoh list access races are possible between __get_maptrack_handle() and
-put_maptrack_handle(), due to the invocation of the former for other
-than current from steal_maptrack_handle(). Introduce a per-vCPU lock
-for list accesses to become race free again. This lock will be
-uncontended except when it becomes necessary to take the steal path,
-i.e. in the common case there should be no meaningful performance
-impact.
-
-When in get_maptrack_handle adds a stolen entry to a fresh, empty,
-freelist, we think that there is probably no concurrency.  However,
-this is not a fast path and adding the locking there makes the code
-clearly correct.
-
-Also, while we are here: the stolen maptrack_entry's tail pointer was
-not properly set.  Set it.
-
-This is XSA-228.
-
-Reported-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
----
- docs/misc/grant-tables.txt    |  7 ++++++-
- xen/common/grant_table.c      | 30 ++++++++++++++++++++++++------
- xen/include/xen/grant_table.h |  2 +-
- xen/include/xen/sched.h       |  1 +
- 4 files changed, 32 insertions(+), 8 deletions(-)
-
-diff --git a/docs/misc/grant-tables.txt b/docs/misc/grant-tables.txt
-index 417ce2d..64da5cf 100644
---- a/docs/misc/grant-tables.txt
-+++ b/docs/misc/grant-tables.txt
-_at_@ -87,7 +87,8 @@ is complete.
-                                inconsistent grant table state such as current
-                                version, partially initialized active table pages,
-                                etc.
--  grant_table->maptrack_lock : spinlock used to protect the maptrack free list
-+  grant_table->maptrack_lock : spinlock used to protect the maptrack limit
-+  v->maptrack_freelist_lock  : spinlock used to protect the maptrack free list
-   active_grant_entry->lock   : spinlock used to serialize modifications to
-                                active entries
- 
-_at_@ -102,6 +103,10 @@ is complete.
-  The maptrack free list is protected by its own spinlock. The maptrack
-  lock may be locked while holding the grant table lock.
- 
-+ The maptrack_freelist_lock is an innermost lock.  It may be locked
-+ while holding other locks, but no other locks may be acquired within
-+ it.
-+
-  Active entries are obtained by calling active_entry_acquire(gt, ref).
-  This function returns a pointer to the active entry after locking its
-  spinlock. The caller must hold the grant table read lock before
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index ae34547..ee33bd8 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -304,11 +304,16 @@ __get_maptrack_handle(
- {
-     unsigned int head, next, prev_head;
- 
-+    spin_lock(&v->maptrack_freelist_lock);
-+
-     do {
-         /* No maptrack pages allocated for this VCPU yet? */
-         head = read_atomic(&v->maptrack_head);
-         if ( unlikely(head == MAPTRACK_TAIL) )
-+        {
-+            spin_unlock(&v->maptrack_freelist_lock);
-             return -1;
-+        }
- 
-         /*
-          * Always keep one entry in the free list to make it easier to
-_at_@ -316,12 +321,17 @@ __get_maptrack_handle(
-          */
-         next = read_atomic(&maptrack_entry(t, head).ref);
-         if ( unlikely(next == MAPTRACK_TAIL) )
-+        {
-+            spin_unlock(&v->maptrack_freelist_lock);
-             return -1;
-+        }
- 
-         prev_head = head;
-         head = cmpxchg(&v->maptrack_head, prev_head, next);
-     } while ( head != prev_head );
- 
-+    spin_unlock(&v->maptrack_freelist_lock);
-+
-     return head;
- }
- 
-_at_@ -380,6 +390,8 @@ put_maptrack_handle(
-     /* 2. Add entry to the tail of the list on the original VCPU. */
-     v = currd->vcpu[maptrack_entry(t, handle).vcpu];
- 
-+    spin_lock(&v->maptrack_freelist_lock);
-+
-     cur_tail = read_atomic(&v->maptrack_tail);
-     do {
-         prev_tail = cur_tail;
-_at_@ -388,6 +400,8 @@ put_maptrack_handle(
- 
-     /* 3. Update the old tail entry to point to the new entry. */
-     write_atomic(&maptrack_entry(t, prev_tail).ref, handle);
-+
-+    spin_unlock(&v->maptrack_freelist_lock);
- }
- 
- static inline int
-_at_@ -411,10 +425,6 @@ get_maptrack_handle(
-      */
-     if ( nr_maptrack_frames(lgt) >= max_maptrack_frames )
-     {
--        /*
--         * Can drop the lock since no other VCPU can be adding a new
--         * frame once they've run out.
--         */
-         spin_unlock(&lgt->maptrack_lock);
- 
-         /*
-_at_@ -426,8 +436,12 @@ get_maptrack_handle(
-             handle = steal_maptrack_handle(lgt, curr);
-             if ( handle == -1 )
-                 return -1;
-+            spin_lock(&curr->maptrack_freelist_lock);
-+            maptrack_entry(lgt, handle).ref = MAPTRACK_TAIL;
-             curr->maptrack_tail = handle;
--            write_atomic(&curr->maptrack_head, handle);
-+            if ( curr->maptrack_head == MAPTRACK_TAIL )
-+                write_atomic(&curr->maptrack_head, handle);
-+            spin_unlock(&curr->maptrack_freelist_lock);
-         }
-         return steal_maptrack_handle(lgt, curr);
-     }
-_at_@ -460,12 +474,15 @@ get_maptrack_handle(
-     smp_wmb();
-     lgt->maptrack_limit += MAPTRACK_PER_PAGE;
- 
-+    spin_unlock(&lgt->maptrack_lock);
-+    spin_lock(&curr->maptrack_freelist_lock);
-+
-     do {
-         new_mt[i - 1].ref = read_atomic(&curr->maptrack_head);
-         head = cmpxchg(&curr->maptrack_head, new_mt[i - 1].ref, handle + 1);
-     } while ( head != new_mt[i - 1].ref );
- 
--    spin_unlock(&lgt->maptrack_lock);
-+    spin_unlock(&curr->maptrack_freelist_lock);
- 
-     return handle;
- }
-_at_@ -3475,6 +3492,7 @@ grant_table_destroy(
- 
- void grant_table_init_vcpu(struct vcpu *v)
- {
-+    spin_lock_init(&v->maptrack_freelist_lock);
-     v->maptrack_head = MAPTRACK_TAIL;
-     v->maptrack_tail = MAPTRACK_TAIL;
- }
-diff --git a/xen/include/xen/grant_table.h b/xen/include/xen/grant_table.h
-index 4e77899..100f2b3 100644
---- a/xen/include/xen/grant_table.h
-+++ b/xen/include/xen/grant_table.h
-_at_@ -78,7 +78,7 @@ struct grant_table {
-     /* Mapping tracking table per vcpu. */
-     struct grant_mapping **maptrack;
-     unsigned int          maptrack_limit;
--    /* Lock protecting the maptrack page list, head, and limit */
-+    /* Lock protecting the maptrack limit */
-     spinlock_t            maptrack_lock;
-     /* The defined versions are 1 and 2.  Set to 0 if we don't know
-        what version to use yet. */
-diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
-index 6673b27..8690f29 100644
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-_at_@ -230,6 +230,7 @@ struct vcpu
-     int              controller_pause_count;
- 
-     /* Grant table map tracking. */
-+    spinlock_t       maptrack_freelist_lock;
-     unsigned int     maptrack_head;
-     unsigned int     maptrack_tail;
- 
--- 
-2.1.4
-
diff --git a/main/xen/xsa230.patch b/main/xen/xsa230.patch
deleted file mode 100644
index c3b50c8aaa..0000000000
--- a/main/xen/xsa230.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: gnttab: correct pin status fixup for copy
-
-Regardless of copy operations only setting GNTPIN_hst*, GNTPIN_dev*
-also need to be taken into account when deciding whether to clear
-_GTF_{read,writ}ing. At least for consistency with code elsewhere the
-read part better doesn't use any mask at all.
-
-This is XSA-230.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index ae34547..9c9d33c 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -2107,10 +2107,10 @@ __release_grant_for_copy(
- static void __fixup_status_for_copy_pin(const struct active_grant_entry *act,
-                                    uint16_t *status)
- {
--    if ( !(act->pin & GNTPIN_hstw_mask) )
-+    if ( !(act->pin & (GNTPIN_hstw_mask | GNTPIN_devw_mask)) )
-         gnttab_clear_flag(_GTF_writing, status);
- 
--    if ( !(act->pin & GNTPIN_hstr_mask) )
-+    if ( !act->pin )
-         gnttab_clear_flag(_GTF_reading, status);
- }
- 
-_at_@ -2318,7 +2318,7 @@ __acquire_grant_for_copy(
-  
-  unlock_out_clear:
-     if ( !(readonly) &&
--         !(act->pin & GNTPIN_hstw_mask) )
-+         !(act->pin & (GNTPIN_hstw_mask | GNTPIN_devw_mask)) )
-         gnttab_clear_flag(_GTF_writing, status);
- 
-     if ( !act->pin )
diff --git a/main/xen/xsa231-4.9.patch b/main/xen/xsa231-4.9.patch
deleted file mode 100644
index 251165e6bd..0000000000
--- a/main/xen/xsa231-4.9.patch
+++ /dev/null
_at_@ -1,108 +0,0 @@
-From: George Dunlap <george.dunlap_at_citrix.com>
-Subject: xen/mm: make sure node is less than MAX_NUMNODES
-
-The output of MEMF_get_node(memflags) can be as large as nodeid_t can
-hold (currently 255).  This is then used as an index to arrays of size
-MAX_NUMNODE, which is 64 on x86 and 1 on ARM, can be passed in by an
-untrusted guest (via memory_exchange and increase_reservation) and is
-not currently bounds-checked.
-
-Check the value in page_alloc.c before using it, and also check the
-value in the hypercall call sites and return -EINVAL if appropriate.
-Don't permit domains other than the hardware or control domain to
-allocate node-constrained memory.
-
-This is XSA-231.
-
-Reported-by: Matthew Daley <mattd_at_bugfuzz.com>
-Signed-off-by: George Dunlap <george.dunlap_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-_at_@ -411,6 +411,31 @@ static void decrease_reservation(struct
-     a->nr_done = i;
- }
- 
-+static bool propagate_node(unsigned int xmf, unsigned int *memflags)
-+{
-+    const struct domain *currd = current->domain;
-+
-+    BUILD_BUG_ON(XENMEMF_get_node(0) != NUMA_NO_NODE);
-+    BUILD_BUG_ON(MEMF_get_node(0) != NUMA_NO_NODE);
-+
-+    if ( XENMEMF_get_node(xmf) == NUMA_NO_NODE )
-+        return true;
-+
-+    if ( is_hardware_domain(currd) || is_control_domain(currd) )
-+    {
-+        if ( XENMEMF_get_node(xmf) >= MAX_NUMNODES )
-+            return false;
-+
-+        *memflags |= MEMF_node(XENMEMF_get_node(xmf));
-+        if ( xmf & XENMEMF_exact_node_request )
-+            *memflags |= MEMF_exact_node;
-+    }
-+    else if ( xmf & XENMEMF_exact_node_request )
-+        return false;
-+
-+    return true;
-+}
-+
- static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- {
-     struct xen_memory_exchange exch;
-_at_@ -483,6 +508,12 @@ static long memory_exchange(XEN_GUEST_HA
-         }
-     }
- 
-+    if ( unlikely(!propagate_node(exch.out.mem_flags, &memflags)) )
-+    {
-+        rc = -EINVAL;
-+        goto fail_early;
-+    }
-+
-     d = rcu_lock_domain_by_any_id(exch.in.domid);
-     if ( d == NULL )
-     {
-_at_@ -501,7 +532,6 @@ static long memory_exchange(XEN_GUEST_HA
-         d,
-         XENMEMF_get_address_bits(exch.out.mem_flags) ? :
-         (BITS_PER_LONG+PAGE_SHIFT)));
--    memflags |= MEMF_node(XENMEMF_get_node(exch.out.mem_flags));
- 
-     for ( i = (exch.nr_exchanged >> in_chunk_order);
-           i < (exch.in.nr_extents >> in_chunk_order);
-_at_@ -864,12 +894,8 @@ static int construct_memop_from_reservat
-         }
-         read_unlock(&d->vnuma_rwlock);
-     }
--    else
--    {
--        a->memflags |= MEMF_node(XENMEMF_get_node(r->mem_flags));
--        if ( r->mem_flags & XENMEMF_exact_node_request )
--            a->memflags |= MEMF_exact_node;
--    }
-+    else if ( unlikely(!propagate_node(r->mem_flags, &a->memflags)) )
-+        return -EINVAL;
- 
-     return 0;
- }
---- a/xen/common/page_alloc.c
-+++ b/xen/common/page_alloc.c
-_at_@ -706,9 +706,13 @@ static struct page_info *alloc_heap_page
-         if ( node >= MAX_NUMNODES )
-             node = cpu_to_node(smp_processor_id());
-     }
-+    else if ( unlikely(node >= MAX_NUMNODES) )
-+    {
-+        ASSERT_UNREACHABLE();
-+        return NULL;
-+    }
-     first_node = node;
- 
--    ASSERT(node < MAX_NUMNODES);
-     ASSERT(zone_lo <= zone_hi);
-     ASSERT(zone_hi < NR_ZONES);
- 
diff --git a/main/xen/xsa232.patch b/main/xen/xsa232.patch
deleted file mode 100644
index 9e5f35c7d6..0000000000
--- a/main/xen/xsa232.patch
+++ /dev/null
_at_@ -1,23 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: grant_table: fix GNTTABOP_cache_flush handling
-
-Don't fall over a NULL grant_table pointer when the owner of the domain
-is a system domain (DOMID_{XEN,IO} etc).
-
-This is XSA-232.
-
-Reported-by: Matthew Daley <mattd_at_bugfuzz.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -3053,7 +3053,7 @@ static int cache_flush(gnttab_cache_flus
- 
-     page = mfn_to_page(mfn);
-     owner = page_get_owner_and_reference(page);
--    if ( !owner )
-+    if ( !owner || !owner->grant_table )
-     {
-         rcu_unlock_domain(d);
-         return -EPERM;
diff --git a/main/xen/xsa233.patch b/main/xen/xsa233.patch
deleted file mode 100644
index 6013c52b41..0000000000
--- a/main/xen/xsa233.patch
+++ /dev/null
_at_@ -1,52 +0,0 @@
-From: Juergen Gross <jgross_at_suse.com>
-Subject: tools/xenstore: dont unlink connection object twice
-
-A connection object of a domain with associated stubdom has two
-parents: the domain and the stubdom. When cleaning up the list of
-active domains in domain_cleanup() make sure not to unlink the
-connection twice from the same domain. This could happen when the
-domain and its stubdom are being destroyed at the same time leading
-to the domain loop being entered twice.
-
-Additionally don't use talloc_free() in this case as it will remove
-a random parent link, leading eventually to a memory leak. Use
-talloc_unlink() instead specifying the context from which the
-connection object should be removed.
-
-This is XSA-233.
-
-Reported-by: Eric Chanudet <chanudete_at_ainfosec.com>
-Signed-off-by: Juergen Gross <jgross_at_suse.com>
-Reviewed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
---- a/tools/xenstore/xenstored_domain.c
-+++ b/tools/xenstore/xenstored_domain.c
-_at_@ -221,10 +221,11 @@ static int destroy_domain(void *_domain)
- static void domain_cleanup(void)
- {
- 	xc_dominfo_t dominfo;
--	struct domain *domain, *tmp;
-+	struct domain *domain;
- 	int notify = 0;
- 
--	list_for_each_entry_safe(domain, tmp, &domains, list) {
-+ again:
-+	list_for_each_entry(domain, &domains, list) {
- 		if (xc_domain_getinfo(*xc_handle, domain->domid, 1,
- 				      &dominfo) == 1 &&
- 		    dominfo.domid == domain->domid) {
-_at_@ -236,8 +237,12 @@ static void domain_cleanup(void)
- 			if (!dominfo.dying)
- 				continue;
- 		}
--		talloc_free(domain->conn);
--		notify = 0; /* destroy_domain() fires the watch */
-+		if (domain->conn) {
-+			talloc_unlink(talloc_autofree_context(), domain->conn);
-+			domain->conn = NULL;
-+			notify = 0; /* destroy_domain() fires the watch */
-+			goto again;
-+		}
- 	}
- 
- 	if (notify)
diff --git a/main/xen/xsa234-4.9.patch b/main/xen/xsa234-4.9.patch
deleted file mode 100644
index 8dbf401720..0000000000
--- a/main/xen/xsa234-4.9.patch
+++ /dev/null
_at_@ -1,192 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: gnttab: also validate PTE permissions upon destroy/replace
-
-In order for PTE handling to match up with the reference counting done
-by common code, presence and writability of grant mapping PTEs must
-also be taken into account; validating just the frame number is not
-enough. This is in particular relevant if a guest fiddles with grant
-PTEs via non-grant hypercalls.
-
-Note that the flags being passed to replace_grant_host_mapping()
-already happen to be those of the existing mapping, so no new function
-parameter is needed.
-
-This is XSA-234.
-
-Reported-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -4058,7 +4058,8 @@ static int create_grant_pte_mapping(
- }
- 
- static int destroy_grant_pte_mapping(
--    uint64_t addr, unsigned long frame, struct domain *d)
-+    uint64_t addr, unsigned long frame, unsigned int grant_pte_flags,
-+    struct domain *d)
- {
-     int rc = GNTST_okay;
-     void *va;
-_at_@ -4104,17 +4105,29 @@ static int destroy_grant_pte_mapping(
- 
-     ol1e = *(l1_pgentry_t *)va;
-     
--    /* Check that the virtual address supplied is actually mapped to frame. */
--    if ( unlikely(l1e_get_pfn(ol1e) != frame) )
-+    /*
-+     * Check that the PTE supplied actually maps frame (with appropriate
-+     * permissions).
-+     */
-+    if ( unlikely(l1e_get_pfn(ol1e) != frame) ||
-+         unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) &
-+                  (_PAGE_PRESENT | _PAGE_RW)) )
-     {
-         page_unlock(page);
--        gdprintk(XENLOG_WARNING,
--                 "PTE entry %"PRIpte" for address %"PRIx64" doesn't match frame %lx\n",
--                 l1e_get_intpte(ol1e), addr, frame);
-+        gdprintk(XENLOG_ERR,
-+                 "PTE %"PRIpte" at %"PRIx64" doesn't match grant (%"PRIpte")\n",
-+                 l1e_get_intpte(ol1e), addr,
-+                 l1e_get_intpte(l1e_from_pfn(frame, grant_pte_flags)));
-         rc = GNTST_general_error;
-         goto failed;
-     }
- 
-+    if ( unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) &
-+                  ~(_PAGE_AVAIL | PAGE_CACHE_ATTRS)) )
-+        gdprintk(XENLOG_WARNING,
-+                 "PTE flags %x at %"PRIx64" don't match grant (%x)\n",
-+                 l1e_get_flags(ol1e), addr, grant_pte_flags);
-+
-     /* Delete pagetable entry. */
-     if ( unlikely(!UPDATE_ENTRY
-                   (l1, 
-_at_@ -4123,7 +4136,8 @@ static int destroy_grant_pte_mapping(
-                    0)) )
-     {
-         page_unlock(page);
--        gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", va);
-+        gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %"PRIx64"\n",
-+                 addr);
-         rc = GNTST_general_error;
-         goto failed;
-     }
-_at_@ -4191,7 +4205,8 @@ static int create_grant_va_mapping(
- }
- 
- static int replace_grant_va_mapping(
--    unsigned long addr, unsigned long frame, l1_pgentry_t nl1e, struct vcpu *v)
-+    unsigned long addr, unsigned long frame, unsigned int grant_pte_flags,
-+    l1_pgentry_t nl1e, struct vcpu *v)
- {
-     l1_pgentry_t *pl1e, ol1e;
-     unsigned long gl1mfn;
-_at_@ -4227,20 +4242,33 @@ static int replace_grant_va_mapping(
- 
-     ol1e = *pl1e;
- 
--    /* Check that the virtual address supplied is actually mapped to frame. */
--    if ( unlikely(l1e_get_pfn(ol1e) != frame) )
--    {
--        gdprintk(XENLOG_WARNING,
--                 "PTE entry %lx for address %lx doesn't match frame %lx\n",
--                 l1e_get_pfn(ol1e), addr, frame);
-+    /*
-+     * Check that the virtual address supplied is actually mapped to frame
-+     * (with appropriate permissions).
-+     */
-+    if ( unlikely(l1e_get_pfn(ol1e) != frame) ||
-+         unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) &
-+                  (_PAGE_PRESENT | _PAGE_RW)) )
-+    {
-+        gdprintk(XENLOG_ERR,
-+                 "PTE %"PRIpte" for %lx doesn't match grant (%"PRIpte")\n",
-+                 l1e_get_intpte(ol1e), addr,
-+                 l1e_get_intpte(l1e_from_pfn(frame, grant_pte_flags)));
-         rc = GNTST_general_error;
-         goto unlock_and_out;
-     }
- 
-+    if ( unlikely((l1e_get_flags(ol1e) ^ grant_pte_flags) &
-+                  ~(_PAGE_AVAIL | PAGE_CACHE_ATTRS)) )
-+        gdprintk(XENLOG_WARNING,
-+                 "PTE flags %x for %"PRIx64" don't match grant (%x)\n",
-+                 l1e_get_flags(ol1e), addr, grant_pte_flags);
-+
-     /* Delete pagetable entry. */
-     if ( unlikely(!UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, v, 0)) )
-     {
--        gdprintk(XENLOG_WARNING, "Cannot delete PTE entry at %p\n", pl1e);
-+        gdprintk(XENLOG_WARNING, "Cannot delete PTE entry for %"PRIx64"\n",
-+                 addr);
-         rc = GNTST_general_error;
-         goto unlock_and_out;
-     }
-_at_@ -4254,9 +4282,11 @@ static int replace_grant_va_mapping(
- }
- 
- static int destroy_grant_va_mapping(
--    unsigned long addr, unsigned long frame, struct vcpu *v)
-+    unsigned long addr, unsigned long frame, unsigned int grant_pte_flags,
-+    struct vcpu *v)
- {
--    return replace_grant_va_mapping(addr, frame, l1e_empty(), v);
-+    return replace_grant_va_mapping(addr, frame, grant_pte_flags,
-+                                    l1e_empty(), v);
- }
- 
- static int create_grant_p2m_mapping(uint64_t addr, unsigned long frame,
-_at_@ -4351,20 +4381,39 @@ int replace_grant_host_mapping(
-     unsigned long gl1mfn;
-     struct page_info *l1pg;
-     int rc;
-+    unsigned int grant_pte_flags;
-     
-     if ( paging_mode_external(current->domain) )
-         return replace_grant_p2m_mapping(addr, frame, new_addr, flags);
- 
-+    grant_pte_flags =
-+        _PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_GNTTAB | _PAGE_NX;
-+
-+    if ( flags & GNTMAP_application_map )
-+        grant_pte_flags |= _PAGE_USER;
-+    if ( !(flags & GNTMAP_readonly) )
-+        grant_pte_flags |= _PAGE_RW;
-+    /*
-+     * On top of the explicit settings done by create_grant_host_mapping()
-+     * also open-code relevant parts of adjust_guest_l1e(). Don't mirror
-+     * available and cachability flags, though.
-+     */
-+    if ( !is_pv_32bit_domain(curr->domain) )
-+        grant_pte_flags |= (grant_pte_flags & _PAGE_USER)
-+                           ? _PAGE_GLOBAL
-+                           : _PAGE_GUEST_KERNEL | _PAGE_USER;
-+
-     if ( flags & GNTMAP_contains_pte )
-     {
-         if ( !new_addr )
--            return destroy_grant_pte_mapping(addr, frame, curr->domain);
-+            return destroy_grant_pte_mapping(addr, frame, grant_pte_flags,
-+                                             curr->domain);
-         
-         return GNTST_general_error;
-     }
- 
-     if ( !new_addr )
--        return destroy_grant_va_mapping(addr, frame, curr);
-+        return destroy_grant_va_mapping(addr, frame, grant_pte_flags, curr);
- 
-     pl1e = guest_map_l1e(new_addr, &gl1mfn);
-     if ( !pl1e )
-_at_@ -4412,7 +4461,7 @@ int replace_grant_host_mapping(
-     put_page(l1pg);
-     guest_unmap_l1e(pl1e);
- 
--    rc = replace_grant_va_mapping(addr, frame, ol1e, curr);
-+    rc = replace_grant_va_mapping(addr, frame, grant_pte_flags, ol1e, curr);
-     if ( rc && !paging_mode_refcounts(curr->domain) )
-         put_page_from_l1e(ol1e, curr->domain);
- 
diff --git a/main/xen/xsa235-4.9.patch b/main/xen/xsa235-4.9.patch
deleted file mode 100644
index 25dd650755..0000000000
--- a/main/xen/xsa235-4.9.patch
+++ /dev/null
_at_@ -1,49 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
-
-Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
-an error occurs") introduced error paths not releasing the grant table
-lock. Replace them by a suitable check after the lock was dropped.
-
-This is XSA-235.
-
-Reported-by: Wei Liu <wei.liu2_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Julien Grall <julien.grall_at_arm.com>
-
---- a/xen/arch/arm/mm.c
-+++ b/xen/arch/arm/mm.c
-_at_@ -1164,7 +1164,7 @@ int xenmem_add_to_physmap_one(
-             if ( idx < nr_status_frames(d->grant_table) )
-                 mfn = virt_to_mfn(d->grant_table->status[idx]);
-             else
--                return -EINVAL;
-+                mfn = mfn_x(INVALID_MFN);
-         }
-         else
-         {
-_at_@ -1175,14 +1175,21 @@ int xenmem_add_to_physmap_one(
-             if ( idx < nr_grant_frames(d->grant_table) )
-                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
-             else
--                return -EINVAL;
-+                mfn = mfn_x(INVALID_MFN);
-         }
- 
--        d->arch.grant_table_gfn[idx] = gfn;
-+        if ( mfn != mfn_x(INVALID_MFN) )
-+        {
-+            d->arch.grant_table_gfn[idx] = gfn;
- 
--        t = p2m_ram_rw;
-+            t = p2m_ram_rw;
-+        }
- 
-         grant_write_unlock(d->grant_table);
-+
-+        if ( mfn == mfn_x(INVALID_MFN) )
-+            return -EINVAL;
-+
-         break;
-     case XENMAPSPACE_shared_info:
-         if ( idx != 0 )
diff --git a/main/xen/xsa236-4.9.patch b/main/xen/xsa236-4.9.patch
deleted file mode 100644
index 203025dbae..0000000000
--- a/main/xen/xsa236-4.9.patch
+++ /dev/null
_at_@ -1,66 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: gnttab: fix pin count / page reference race
-
-Dropping page references before decrementing pin counts is a bad idea
-if assumptions are being made that a non-zero pin count implies a valid
-page. Fix the order of operations in gnttab_copy_release_buf(), but at
-the same time also remove the assertion that was found to trigger:
-map_grant_ref() also has the potential of causing a race here, and
-changing the order of operations there would likely be quite a bit more
-involved.
-
-This is XSA-236.
-
-Reported-by: Pawel Wieczorkiewicz <wipawel_at_amazon.de>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -2330,9 +2330,20 @@ __acquire_grant_for_copy(
-         td = page_get_owner_and_reference(*page);
-         /*
-          * act->pin being non-zero should guarantee the page to have a
--         * non-zero refcount and hence a valid owner.
-+         * non-zero refcount and hence a valid owner (matching the one on
-+         * record), with one exception: If the owning domain is dying we
-+         * had better not make implications from pin count (map_grant_ref()
-+         * updates pin counts before obtaining page references, for
-+         * example).
-          */
--        ASSERT(td);
-+        if ( td != rd || rd->is_dying )
-+        {
-+            if ( td )
-+                put_page(*page);
-+            *page = NULL;
-+            rc = GNTST_bad_domain;
-+            goto unlock_out_clear;
-+        }
-     }
- 
-     act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
-_at_@ -2451,6 +2462,11 @@ static void gnttab_copy_release_buf(stru
-         unmap_domain_page(buf->virt);
-         buf->virt = NULL;
-     }
-+    if ( buf->have_grant )
-+    {
-+        __release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only);
-+        buf->have_grant = 0;
-+    }
-     if ( buf->have_type )
-     {
-         put_page_type(buf->page);
-_at_@ -2461,11 +2477,6 @@ static void gnttab_copy_release_buf(stru
-         put_page(buf->page);
-         buf->page = NULL;
-     }
--    if ( buf->have_grant )
--    {
--        __release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only);
--        buf->have_grant = 0;
--    }
- }
- 
- static int gnttab_copy_claim_buf(const struct gnttab_copy *op,
diff --git a/main/xen/xsa237-1.patch b/main/xen/xsa237-1.patch
deleted file mode 100644
index 7c9dff9672..0000000000
--- a/main/xen/xsa237-1.patch
+++ /dev/null
_at_@ -1,27 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86: don't allow MSI pIRQ mapping on unowned device
-
-MSI setup should be permitted only for existing devices owned by the
-respective guest (the operation may still be carried out by the domain
-controlling that guest).
-
-This is part of XSA-237.
-
-Reported-by: HW42 <hw42_at_ipsumj.de>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-_at_@ -1963,7 +1963,10 @@ int map_domain_pirq(
-         if ( !cpu_has_apic )
-             goto done;
- 
--        pdev = pci_get_pdev(msi->seg, msi->bus, msi->devfn);
-+        pdev = pci_get_pdev_by_domain(d, msi->seg, msi->bus, msi->devfn);
-+        if ( !pdev )
-+            goto done;
-+
-         ret = pci_enable_msi(msi, &msi_desc);
-         if ( ret )
-         {
diff --git a/main/xen/xsa237-2.patch b/main/xen/xsa237-2.patch
deleted file mode 100644
index 0add704587..0000000000
--- a/main/xen/xsa237-2.patch
+++ /dev/null
_at_@ -1,66 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86: enforce proper privilege when (un)mapping pIRQ-s
-
-(Un)mapping of IRQs, just like other RESOURCE__ADD* / RESOURCE__REMOVE*
-actions (in FLASK terms) should be XSM_DM_PRIV rather than XSM_TARGET.
-This in turn requires bypassing the XSM check in physdev_unmap_pirq()
-for the HVM emuirq case just like is being done in physdev_map_pirq().
-The primary goal security wise, however, is to no longer allow HVM
-guests, by specifying their own domain ID instead of DOMID_SELF, to
-enter code paths intended for PV guest and the control domains of HVM
-guests only.
-
-This is part of XSA-237.
-
-Reported-by: HW42 <hw42_at_ipsumj.de>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: George Dunlap <george.dunlap_at_citrix.com>
-
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-_at_@ -111,7 +111,7 @@ int physdev_map_pirq(domid_t domid, int
-     if ( d == NULL )
-         return -ESRCH;
- 
--    ret = xsm_map_domain_pirq(XSM_TARGET, d);
-+    ret = xsm_map_domain_pirq(XSM_DM_PRIV, d);
-     if ( ret )
-         goto free_domain;
- 
-_at_@ -256,13 +256,14 @@ int physdev_map_pirq(domid_t domid, int
- int physdev_unmap_pirq(domid_t domid, int pirq)
- {
-     struct domain *d;
--    int ret;
-+    int ret = 0;
- 
-     d = rcu_lock_domain_by_any_id(domid);
-     if ( d == NULL )
-         return -ESRCH;
- 
--    ret = xsm_unmap_domain_pirq(XSM_TARGET, d);
-+    if ( domid != DOMID_SELF || !is_hvm_domain(d) || !has_pirq(d) )
-+        ret = xsm_unmap_domain_pirq(XSM_DM_PRIV, d);
-     if ( ret )
-         goto free_domain;
- 
---- a/xen/include/xsm/dummy.h
-+++ b/xen/include/xsm/dummy.h
-_at_@ -453,7 +453,7 @@ static XSM_INLINE char *xsm_show_irq_sid
- 
- static XSM_INLINE int xsm_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
- {
--    XSM_ASSERT_ACTION(XSM_TARGET);
-+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-     return xsm_default_action(action, current->domain, d);
- }
- 
-_at_@ -465,7 +465,7 @@ static XSM_INLINE int xsm_map_domain_irq
- 
- static XSM_INLINE int xsm_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
- {
--    XSM_ASSERT_ACTION(XSM_TARGET);
-+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-     return xsm_default_action(action, current->domain, d);
- }
- 
diff --git a/main/xen/xsa237-3.patch b/main/xen/xsa237-3.patch
deleted file mode 100644
index 5c69c48265..0000000000
--- a/main/xen/xsa237-3.patch
+++ /dev/null
_at_@ -1,55 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86/MSI: disallow redundant enabling
-
-At the moment, Xen attempts to allow redundant enabling of MSI by
-having pci_enable_msi() return 0, and point to the existing MSI
-descriptor, when the msi already exists.
-
-Unfortunately, if subsequent errors are encountered, the cleanup
-paths assume pci_enable_msi() had done full initialization, and
-hence undo everything that was assumed to be done by that
-function without also undoing other setup that would normally
-occur only after that function was called (in map_domain_pirq()
-itself).
-
-Rather than try to make the redundant enabling case work properly, just
-forbid it entirely by having pci_enable_msi() return -EEXIST when MSI
-is already set up.
-
-This is part of XSA-237.
-
-Reported-by: HW42 <hw42_at_ipsumj.de>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: George Dunlap <george.dunlap_at_citrix.com>
-
---- a/xen/arch/x86/msi.c
-+++ b/xen/arch/x86/msi.c
-_at_@ -1050,11 +1050,10 @@ static int __pci_enable_msi(struct msi_i
-     old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSI);
-     if ( old_desc )
-     {
--        printk(XENLOG_WARNING "irq %d already mapped to MSI on %04x:%02x:%02x.%u\n",
-+        printk(XENLOG_ERR "irq %d already mapped to MSI on %04x:%02x:%02x.%u\n",
-                msi->irq, msi->seg, msi->bus,
-                PCI_SLOT(msi->devfn), PCI_FUNC(msi->devfn));
--        *desc = old_desc;
--        return 0;
-+        return -EEXIST;
-     }
- 
-     old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSIX);
-_at_@ -1118,11 +1117,10 @@ static int __pci_enable_msix(struct msi_
-     old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSIX);
-     if ( old_desc )
-     {
--        printk(XENLOG_WARNING "irq %d already mapped to MSI-X on %04x:%02x:%02x.%u\n",
-+        printk(XENLOG_ERR "irq %d already mapped to MSI-X on %04x:%02x:%02x.%u\n",
-                msi->irq, msi->seg, msi->bus,
-                PCI_SLOT(msi->devfn), PCI_FUNC(msi->devfn));
--        *desc = old_desc;
--        return 0;
-+        return -EEXIST;
-     }
- 
-     old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI);
diff --git a/main/xen/xsa237-4.patch b/main/xen/xsa237-4.patch
deleted file mode 100644
index a16ec1bba1..0000000000
--- a/main/xen/xsa237-4.patch
+++ /dev/null
_at_@ -1,124 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86/IRQ: conditionally preserve irq <-> pirq mapping on map error paths
-
-Mappings that had been set up before should not be torn down when
-handling unrelated errors.
-
-This is part of XSA-237.
-
-Reported-by: HW42 <hw42_at_ipsumj.de>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: George Dunlap <george.dunlap_at_citrix.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-_at_@ -1251,7 +1251,8 @@ static int prepare_domain_irq_pirq(struc
-         return -ENOMEM;
-     }
-     *pinfo = info;
--    return 0;
-+
-+    return !!err;
- }
- 
- static void set_domain_irq_pirq(struct domain *d, int irq, struct pirq *pirq)
-_at_@ -1294,7 +1295,10 @@ int init_domain_irq_mapping(struct domai
-             continue;
-         err = prepare_domain_irq_pirq(d, i, i, &info);
-         if ( err )
-+        {
-+            ASSERT(err < 0);
-             break;
-+        }
-         set_domain_irq_pirq(d, i, info);
-     }
- 
-_at_@ -1902,6 +1906,7 @@ int map_domain_pirq(
-     struct pirq *info;
-     struct irq_desc *desc;
-     unsigned long flags;
-+    DECLARE_BITMAP(prepared, MAX_MSI_IRQS) = {};
- 
-     ASSERT(spin_is_locked(&d->event_lock));
- 
-_at_@ -1945,8 +1950,10 @@ int map_domain_pirq(
-     }
- 
-     ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
--    if ( ret )
-+    if ( ret < 0 )
-         goto revoke;
-+    if ( !ret )
-+        __set_bit(0, prepared);
- 
-     desc = irq_to_desc(irq);
- 
-_at_@ -2018,8 +2025,10 @@ int map_domain_pirq(
-             irq = create_irq(NUMA_NO_NODE);
-             ret = irq >= 0 ? prepare_domain_irq_pirq(d, irq, pirq + nr, &info)
-                            : irq;
--            if ( ret )
-+            if ( ret < 0 )
-                 break;
-+            if ( !ret )
-+                __set_bit(nr, prepared);
-             msi_desc[nr].irq = irq;
- 
-             if ( irq_permit_access(d, irq) != 0 )
-_at_@ -2052,15 +2061,15 @@ int map_domain_pirq(
-                 desc->msi_desc = NULL;
-                 spin_unlock_irqrestore(&desc->lock, flags);
-             }
--            while ( nr-- )
-+            while ( nr )
-             {
-                 if ( irq >= 0 && irq_deny_access(d, irq) )
-                     printk(XENLOG_G_ERR
-                            "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
-                            d->domain_id, irq, pirq);
--                if ( info )
-+                if ( info && test_bit(nr, prepared) )
-                     cleanup_domain_irq_pirq(d, irq, info);
--                info = pirq_info(d, pirq + nr);
-+                info = pirq_info(d, pirq + --nr);
-                 irq = info->arch.irq;
-             }
-             msi_desc->irq = -1;
-_at_@ -2076,12 +2085,14 @@ int map_domain_pirq(
-         spin_lock_irqsave(&desc->lock, flags);
-         set_domain_irq_pirq(d, irq, info);
-         spin_unlock_irqrestore(&desc->lock, flags);
-+        ret = 0;
-     }
- 
- done:
-     if ( ret )
-     {
--        cleanup_domain_irq_pirq(d, irq, info);
-+        if ( test_bit(0, prepared) )
-+            cleanup_domain_irq_pirq(d, irq, info);
-  revoke:
-         if ( irq_deny_access(d, irq) )
-             printk(XENLOG_G_ERR
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-_at_@ -186,7 +186,7 @@ int physdev_map_pirq(domid_t domid, int
-         }
-         else if ( type == MAP_PIRQ_TYPE_MULTI_MSI )
-         {
--            if ( msi->entry_nr <= 0 || msi->entry_nr > 32 )
-+            if ( msi->entry_nr <= 0 || msi->entry_nr > MAX_MSI_IRQS )
-                 ret = -EDOM;
-             else if ( msi->entry_nr != 1 && !iommu_intremap )
-                 ret = -EOPNOTSUPP;
---- a/xen/include/asm-x86/msi.h
-+++ b/xen/include/asm-x86/msi.h
-_at_@ -56,6 +56,8 @@
- /* MAX fixed pages reserved for mapping MSIX tables. */
- #define FIX_MSIX_MAX_PAGES              512
- 
-+#define MAX_MSI_IRQS 32 /* limited by MSI capability struct properties */
-+
- struct msi_info {
-     u16 seg;
-     u8 bus;
diff --git a/main/xen/xsa237-5.patch b/main/xen/xsa237-5.patch
deleted file mode 100644
index 155ba15d08..0000000000
--- a/main/xen/xsa237-5.patch
+++ /dev/null
_at_@ -1,37 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86/FLASK: fix unmap-domain-IRQ XSM hook
-
-The caller and the FLASK implementation of xsm_unmap_domain_irq()
-disagreed about what the "data" argument points to in the MSI case:
-Change both sides to pass/take a PCI device.
-
-This is part of XSA-237.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-_at_@ -2143,7 +2143,8 @@ int unmap_domain_pirq(struct domain *d,
-         nr = msi_desc->msi.nvec;
-     }
- 
--    ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq, msi_desc);
-+    ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq,
-+                               msi_desc ? msi_desc->dev : NULL);
-     if ( ret )
-         goto done;
- 
---- a/xen/xsm/flask/hooks.c
-+++ b/xen/xsm/flask/hooks.c
-_at_@ -918,8 +918,8 @@ static int flask_unmap_domain_msi (struc
-                                    u32 *sid, struct avc_audit_data *ad)
- {
- #ifdef CONFIG_HAS_PCI
--    struct msi_info *msi = data;
--    u32 machine_bdf = (msi->seg << 16) | (msi->bus << 8) | msi->devfn;
-+    const struct pci_dev *pdev = data;
-+    u32 machine_bdf = (pdev->seg << 16) | (pdev->bus << 8) | pdev->devfn;
- 
-     AVC_AUDIT_DATA_INIT(ad, DEV);
-     ad->device = machine_bdf;
diff --git a/main/xen/xsa238.patch b/main/xen/xsa238.patch
deleted file mode 100644
index 0d7d48fef8..0000000000
--- a/main/xen/xsa238.patch
+++ /dev/null
_at_@ -1,45 +0,0 @@
-From cdc2887076b19b39fab9faec495082586f3113df Mon Sep 17 00:00:00 2001
-From: XenProject Security Team <security_at_xenproject.org>
-Date: Tue, 5 Sep 2017 13:41:37 +0200
-Subject: x86/ioreq server: correctly handle bogus
- XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments
-
-Misbehaving device model can pass incorrect XEN_DMOP_map/
-unmap_io_range_to_ioreq_server arguments, namely end < start when
-specifying address range. When this happens we hit ASSERT(s <= e) in
-rangeset_contains_range()/rangeset_overlaps_range() with debug builds.
-Production builds will not trap right away but may misbehave later
-while handling such bogus ranges.
-
-This is XSA-238.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets_at_redhat.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
----
- xen/arch/x86/hvm/ioreq.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
-index b2a8b0e986..8c8bf1f0ec 100644
---- a/xen/arch/x86/hvm/ioreq.c
-+++ b/xen/arch/x86/hvm/ioreq.c
-_at_@ -820,6 +820,9 @@ int hvm_map_io_range_to_ioreq_server(struct domain *d, ioservid_t id,
-     struct hvm_ioreq_server *s;
-     int rc;
- 
-+    if ( start > end )
-+        return -EINVAL;
-+
-     spin_lock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
- 
-     rc = -ENOENT;
-_at_@ -872,6 +875,9 @@ int hvm_unmap_io_range_from_ioreq_server(struct domain *d, ioservid_t id,
-     struct hvm_ioreq_server *s;
-     int rc;
- 
-+    if ( start > end )
-+        return -EINVAL;
-+
-     spin_lock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
- 
-     rc = -ENOENT;
diff --git a/main/xen/xsa239.patch b/main/xen/xsa239.patch
deleted file mode 100644
index 5daecb5e47..0000000000
--- a/main/xen/xsa239.patch
+++ /dev/null
_at_@ -1,46 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86/HVM: prefill partially used variable on emulation paths
-
-Certain handlers ignore the access size (vioapic_write() being the
-example this was found with), perhaps leading to subsequent reads
-seeing data that wasn't actually written by the guest. For
-consistency and extra safety also do this on the read path of
-hvm_process_io_intercept(), even if this doesn't directly affect what
-guests get to see, as we've supposedly already dealt with read handlers
-leaving data completely unitialized.
-
-This is XSA-239.
-
-Reported-by: Roger Pau Monné <roger.pau_at_citrix.com>
-Reviewed-by: Roger Pau Monné <roger.pau_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/arch/x86/hvm/emulate.c
-+++ b/xen/arch/x86/hvm/emulate.c
-_at_@ -129,7 +129,7 @@ static int hvmemul_do_io(
-         .count = *reps,
-         .dir = dir,
-         .df = df,
--        .data = data,
-+        .data = data_is_addr ? data : 0,
-         .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */
-         .state = STATE_IOREQ_READY,
-     };
---- a/xen/arch/x86/hvm/intercept.c
-+++ b/xen/arch/x86/hvm/intercept.c
-_at_@ -127,6 +127,7 @@ int hvm_process_io_intercept(const struc
-             addr = (p->type == IOREQ_TYPE_COPY) ?
-                    p->addr + step * i :
-                    p->addr;
-+            data = 0;
-             rc = ops->read(handler, addr, p->size, &data);
-             if ( rc != X86EMUL_OKAY )
-                 break;
-_at_@ -161,6 +162,7 @@ int hvm_process_io_intercept(const struc
-         {
-             if ( p->data_is_ptr )
-             {
-+                data = 0;
-                 switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
-                                                   p->size) )
-                 {
diff --git a/main/xen/xsa240-1.patch b/main/xen/xsa240-1.patch
deleted file mode 100644
index 515ad22b66..0000000000
--- a/main/xen/xsa240-1.patch
+++ /dev/null
_at_@ -1,494 +0,0 @@
-From 867988237d3e472fe2c99e81ae733e103422566c Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich_at_suse.com>
-Date: Thu, 28 Sep 2017 15:17:25 +0100
-Subject: [PATCH 1/2] x86: limit linear page table use to a single level
-
-That's the only way that they're meant to be used. Without such a
-restriction arbitrarily long chains of same-level page tables can be
-built, tearing down of which may then cause arbitrarily deep recursion,
-causing a stack overflow. To facilitate this restriction, a counter is
-being introduced to track both the number of same-level entries in a
-page table as well as the number of uses of a page table in another
-same-level one (counting into positive and negative direction
-respectively, utilizing the fact that both counts can't be non-zero at
-the same time).
-
-Note that the added accounting introduces a restriction on the number
-of times a page can be used in other same-level page tables - more than
-32k of such uses are no longer possible.
-
-Note also that some put_page_and_type[_preemptible]() calls are
-replaced with open-coded equivalents.  This seemed preferrable to
-adding "parent_table" to the matrix of functions.
-
-Note further that cross-domain same-level page table references are no
-longer permitted (they probably never should have been).
-
-This is XSA-240.
-
-Reported-by: Jann Horn <jannh_at_google.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Signed-off-by: George Dunlap <george.dunlap_at_citrix.com>
----
- xen/arch/x86/domain.c        |   1 +
- xen/arch/x86/mm.c            | 171 ++++++++++++++++++++++++++++++++++++++-----
- xen/include/asm-x86/domain.h |   2 +
- xen/include/asm-x86/mm.h     |  25 +++++--
- 4 files changed, 175 insertions(+), 24 deletions(-)
-
-diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
-index d7e699228c..d7ed72c246 100644
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-_at_@ -1226,6 +1226,7 @@ int arch_set_info_guest(
-                     rc = -ERESTART;
-                     /* Fallthrough */
-                 case -ERESTART:
-+                    v->arch.old_guest_ptpg = NULL;
-                     v->arch.old_guest_table =
-                         pagetable_get_page(v->arch.guest_table);
-                     v->arch.guest_table = pagetable_null();
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 86f5eda52d..1e469bd354 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -747,6 +747,61 @@ static void put_data_page(
-         put_page(page);
- }
- 
-+static bool inc_linear_entries(struct page_info *pg)
-+{
-+    typeof(pg->linear_pt_count) nc = read_atomic(&pg->linear_pt_count), oc;
-+
-+    do {
-+        /*
-+         * The check below checks for the "linear use" count being non-zero
-+         * as well as overflow.  Signed integer overflow is undefined behavior
-+         * according to the C spec.  However, as long as linear_pt_count is
-+         * smaller in size than 'int', the arithmetic operation of the
-+         * increment below won't overflow; rather the result will be truncated
-+         * when stored.  Ensure that this is always true.
-+         */
-+        BUILD_BUG_ON(sizeof(nc) >= sizeof(int));
-+        oc = nc++;
-+        if ( nc <= 0 )
-+            return false;
-+        nc = cmpxchg(&pg->linear_pt_count, oc, nc);
-+    } while ( oc != nc );
-+
-+    return true;
-+}
-+
-+static void dec_linear_entries(struct page_info *pg)
-+{
-+    typeof(pg->linear_pt_count) oc;
-+
-+    oc = arch_fetch_and_add(&pg->linear_pt_count, -1);
-+    ASSERT(oc > 0);
-+}
-+
-+static bool inc_linear_uses(struct page_info *pg)
-+{
-+    typeof(pg->linear_pt_count) nc = read_atomic(&pg->linear_pt_count), oc;
-+
-+    do {
-+        /* See the respective comment in inc_linear_entries(). */
-+        BUILD_BUG_ON(sizeof(nc) >= sizeof(int));
-+        oc = nc--;
-+        if ( nc >= 0 )
-+            return false;
-+        nc = cmpxchg(&pg->linear_pt_count, oc, nc);
-+    } while ( oc != nc );
-+
-+    return true;
-+}
-+
-+static void dec_linear_uses(struct page_info *pg)
-+{
-+    typeof(pg->linear_pt_count) oc;
-+
-+    oc = arch_fetch_and_add(&pg->linear_pt_count, 1);
-+    ASSERT(oc < 0);
-+}
-+
- /*
-  * We allow root tables to map each other (a.k.a. linear page tables). It
-  * needs some special care with reference counts and access permissions:
-_at_@ -777,15 +832,35 @@ get_##level##_linear_pagetable(                                             \
-                                                                             \
-     if ( (pfn = level##e_get_pfn(pde)) != pde_pfn )                         \
-     {                                                                       \
-+        struct page_info *ptpg = mfn_to_page(pde_pfn);                      \
-+                                                                            \
-+        /* Make sure the page table belongs to the correct domain. */       \
-+        if ( unlikely(page_get_owner(ptpg) != d) )                          \
-+            return 0;                                                       \
-+                                                                            \
-         /* Make sure the mapped frame belongs to the correct domain. */     \
-         if ( unlikely(!get_page_from_pagenr(pfn, d)) )                      \
-             return 0;                                                       \
-                                                                             \
-         /*                                                                  \
--         * Ensure that the mapped frame is an already-validated page table. \
-+         * Ensure that the mapped frame is an already-validated page table  \
-+         * and is not itself having linear entries, as well as that the     \
-+         * containing page table is not iself in use as a linear page table \
-+         * elsewhere.                                                       \
-          * If so, atomically increment the count (checking for overflow).   \
-          */                                                                 \
-         page = mfn_to_page(pfn);                                            \
-+        if ( !inc_linear_entries(ptpg) )                                    \
-+        {                                                                   \
-+            put_page(page);                                                 \
-+            return 0;                                                       \
-+        }                                                                   \
-+        if ( !inc_linear_uses(page) )                                       \
-+        {                                                                   \
-+            dec_linear_entries(ptpg);                                       \
-+            put_page(page);                                                 \
-+            return 0;                                                       \
-+        }                                                                   \
-         y = page->u.inuse.type_info;                                        \
-         do {                                                                \
-             x = y;                                                          \
-_at_@ -793,6 +868,8 @@ get_##level##_linear_pagetable(                                             \
-                  unlikely((x & (PGT_type_mask|PGT_validated)) !=            \
-                           (PGT_##level##_page_table|PGT_validated)) )       \
-             {                                                               \
-+                dec_linear_uses(page);                                      \
-+                dec_linear_entries(ptpg);                                   \
-                 put_page(page);                                             \
-                 return 0;                                                   \
-             }                                                               \
-_at_@ -1226,6 +1303,9 @@ get_page_from_l4e(
-             l3e_remove_flags((pl3e), _PAGE_USER|_PAGE_RW|_PAGE_ACCESSED);   \
-     } while ( 0 )
- 
-+static int _put_page_type(struct page_info *page, bool preemptible,
-+                          struct page_info *ptpg);
-+
- void put_page_from_l1e(l1_pgentry_t l1e, struct domain *l1e_owner)
- {
-     unsigned long     pfn = l1e_get_pfn(l1e);
-_at_@ -1296,17 +1376,22 @@ static int put_page_from_l2e(l2_pgentry_t l2e, unsigned long pfn)
-     if ( l2e_get_flags(l2e) & _PAGE_PSE )
-         put_superpage(l2e_get_pfn(l2e));
-     else
--        put_page_and_type(l2e_get_page(l2e));
-+    {
-+        struct page_info *pg = l2e_get_page(l2e);
-+        int rc = _put_page_type(pg, false, mfn_to_page(pfn));
-+
-+        ASSERT(!rc);
-+        put_page(pg);
-+    }
- 
-     return 0;
- }
- 
--static int __put_page_type(struct page_info *, int preemptible);
--
- static int put_page_from_l3e(l3_pgentry_t l3e, unsigned long pfn,
-                              int partial, bool_t defer)
- {
-     struct page_info *pg;
-+    int rc;
- 
-     if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) || (l3e_get_pfn(l3e) == pfn) )
-         return 1;
-_at_@ -1329,21 +1414,28 @@ static int put_page_from_l3e(l3_pgentry_t l3e, unsigned long pfn,
-     if ( unlikely(partial > 0) )
-     {
-         ASSERT(!defer);
--        return __put_page_type(pg, 1);
-+        return _put_page_type(pg, true, mfn_to_page(pfn));
-     }
- 
-     if ( defer )
-     {
-+        current->arch.old_guest_ptpg = mfn_to_page(pfn);
-         current->arch.old_guest_table = pg;
-         return 0;
-     }
- 
--    return put_page_and_type_preemptible(pg);
-+    rc = _put_page_type(pg, true, mfn_to_page(pfn));
-+    if ( likely(!rc) )
-+        put_page(pg);
-+
-+    return rc;
- }
- 
- static int put_page_from_l4e(l4_pgentry_t l4e, unsigned long pfn,
-                              int partial, bool_t defer)
- {
-+    int rc = 1;
-+
-     if ( (l4e_get_flags(l4e) & _PAGE_PRESENT) && 
-          (l4e_get_pfn(l4e) != pfn) )
-     {
-_at_@ -1352,18 +1444,22 @@ static int put_page_from_l4e(l4_pgentry_t l4e, unsigned long pfn,
-         if ( unlikely(partial > 0) )
-         {
-             ASSERT(!defer);
--            return __put_page_type(pg, 1);
-+            return _put_page_type(pg, true, mfn_to_page(pfn));
-         }
- 
-         if ( defer )
-         {
-+            current->arch.old_guest_ptpg = mfn_to_page(pfn);
-             current->arch.old_guest_table = pg;
-             return 0;
-         }
- 
--        return put_page_and_type_preemptible(pg);
-+        rc = _put_page_type(pg, true, mfn_to_page(pfn));
-+        if ( likely(!rc) )
-+            put_page(pg);
-     }
--    return 1;
-+
-+    return rc;
- }
- 
- static int alloc_l1_table(struct page_info *page)
-_at_@ -1561,6 +1657,7 @@ static int alloc_l3_table(struct page_info *page)
-         {
-             page->nr_validated_ptes = i;
-             page->partial_pte = 0;
-+            current->arch.old_guest_ptpg = NULL;
-             current->arch.old_guest_table = page;
-         }
-         while ( i-- > 0 )
-_at_@ -1654,6 +1751,7 @@ static int alloc_l4_table(struct page_info *page)
-                 {
-                     if ( current->arch.old_guest_table )
-                         page->nr_validated_ptes++;
-+                    current->arch.old_guest_ptpg = NULL;
-                     current->arch.old_guest_table = page;
-                 }
-             }
-_at_@ -2403,14 +2501,20 @@ int free_page_type(struct page_info *pag
- }
- 
- 
--static int __put_final_page_type(
--    struct page_info *page, unsigned long type, int preemptible)
-+static int _put_final_page_type(struct page_info *page, unsigned long type,
-+                                bool preemptible, struct page_info *ptpg)
- {
-     int rc = free_page_type(page, type, preemptible);
- 
-     /* No need for atomic update of type_info here: noone else updates it. */
-     if ( rc == 0 )
-     {
-+        if ( ptpg && PGT_type_equal(type, ptpg->u.inuse.type_info) )
-+        {
-+            dec_linear_uses(page);
-+            dec_linear_entries(ptpg);
-+        }
-+        ASSERT(!page->linear_pt_count || page_get_owner(page)->is_dying);
-         /*
-          * Record TLB information for flush later. We do not stamp page tables
-          * when running in shadow mode:
-_at_@ -2446,8 +2550,8 @@ static int __put_final_page_type(
- }
- 
- 
--static int __put_page_type(struct page_info *page,
--                           int preemptible)
-+static int _put_page_type(struct page_info *page, bool preemptible,
-+                          struct page_info *ptpg)
- {
-     unsigned long nx, x, y = page->u.inuse.type_info;
-     int rc = 0;
-_at_@ -2474,12 +2578,28 @@ static int __put_page_type(struct page_info *page,
-                                            x, nx)) != x) )
-                     continue;
-                 /* We cleared the 'valid bit' so we do the clean up. */
--                rc = __put_final_page_type(page, x, preemptible);
-+                rc = _put_final_page_type(page, x, preemptible, ptpg);
-+                ptpg = NULL;
-                 if ( x & PGT_partial )
-                     put_page(page);
-                 break;
-             }
- 
-+            if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) )
-+            {
-+                /*
-+                 * page_set_tlbflush_timestamp() accesses the same union
-+                 * linear_pt_count lives in. Unvalidated page table pages,
-+                 * however, should occur during domain destruction only
-+                 * anyway.  Updating of linear_pt_count luckily is not
-+                 * necessary anymore for a dying domain.
-+                 */
-+                ASSERT(page_get_owner(page)->is_dying);
-+                ASSERT(page->linear_pt_count < 0);
-+                ASSERT(ptpg->linear_pt_count > 0);
-+                ptpg = NULL;
-+            }
-+
-             /*
-              * Record TLB information for flush later. We do not stamp page
-              * tables when running in shadow mode:
-_at_@ -2499,6 +2619,13 @@ static int __put_page_type(struct page_info *page,
-             return -EINTR;
-     }
- 
-+    if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) )
-+    {
-+        ASSERT(!rc);
-+        dec_linear_uses(page);
-+        dec_linear_entries(ptpg);
-+    }
-+
-     return rc;
- }
- 
-_at_@ -2638,6 +2765,7 @@ static int __get_page_type(struct page_info *page, unsigned long type,
-             page->nr_validated_ptes = 0;
-             page->partial_pte = 0;
-         }
-+        page->linear_pt_count = 0;
-         rc = alloc_page_type(page, type, preemptible);
-     }
- 
-_at_@ -2652,7 +2780,7 @@ static int __get_page_type(struct page_info *page, unsigned long type,
- 
- void put_page_type(struct page_info *page)
- {
--    int rc = __put_page_type(page, 0);
-+    int rc = _put_page_type(page, false, NULL);
-     ASSERT(rc == 0);
-     (void)rc;
- }
-_at_@ -2668,7 +2796,7 @@ int get_page_type(struct page_info *page, unsigned long type)
- 
- int put_page_type_preemptible(struct page_info *page)
- {
--    return __put_page_type(page, 1);
-+    return _put_page_type(page, true, NULL);
- }
- 
- int get_page_type_preemptible(struct page_info *page, unsigned long type)
-_at_@ -2878,11 +3006,14 @@ int put_old_guest_table(struct vcpu *v)
-     if ( !v->arch.old_guest_table )
-         return 0;
- 
--    switch ( rc = put_page_and_type_preemptible(v->arch.old_guest_table) )
-+    switch ( rc = _put_page_type(v->arch.old_guest_table, true,
-+                                 v->arch.old_guest_ptpg) )
-     {
-     case -EINTR:
-     case -ERESTART:
-         return -ERESTART;
-+    case 0:
-+        put_page(v->arch.old_guest_table);
-     }
- 
-     v->arch.old_guest_table = NULL;
-_at_@ -3042,6 +3173,7 @@ int new_guest_cr3(unsigned long mfn)
-                 rc = -ERESTART;
-                 /* fallthrough */
-             case -ERESTART:
-+                curr->arch.old_guest_ptpg = NULL;
-                 curr->arch.old_guest_table = page;
-                 break;
-             default:
-_at_@ -3310,7 +3442,10 @@ long do_mmuext_op(
-                     if ( type == PGT_l1_page_table )
-                         put_page_and_type(page);
-                     else
-+                    {
-+                        curr->arch.old_guest_ptpg = NULL;
-                         curr->arch.old_guest_table = page;
-+                    }
-                 }
-             }
- 
-_at_@ -3346,6 +3481,7 @@ long do_mmuext_op(
-             {
-             case -EINTR:
-             case -ERESTART:
-+                curr->arch.old_guest_ptpg = NULL;
-                 curr->arch.old_guest_table = page;
-                 rc = 0;
-                 break;
-_at_@ -3425,6 +3561,7 @@ long do_mmuext_op(
-                         rc = -ERESTART;
-                         /* fallthrough */
-                     case -ERESTART:
-+                        curr->arch.old_guest_ptpg = NULL;
-                         curr->arch.old_guest_table = page;
-                         break;
-                     default:
-diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
-index 924caac834..5a512918cc 100644
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-_at_@ -527,6 +527,8 @@ struct arch_vcpu
-     pagetable_t guest_table_user;       /* (MFN) x86/64 user-space pagetable */
-     pagetable_t guest_table;            /* (MFN) guest notion of cr3 */
-     struct page_info *old_guest_table;  /* partially destructed pagetable */
-+    struct page_info *old_guest_ptpg;   /* containing page table of the */
-+                                        /* former, if any */
-     /* guest_table holds a ref to the page, and also a type-count unless
-      * shadow refcounts are in use */
-     pagetable_t shadow_table[4];        /* (MFN) shadow(s) of guest */
-diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
-index 119d7dec6b..445da50d47 100644
---- a/xen/include/asm-x86/mm.h
-+++ b/xen/include/asm-x86/mm.h
-_at_@ -124,11 +124,11 @@ struct page_info
-         u32 tlbflush_timestamp;
- 
-         /*
--         * When PGT_partial is true then this field is valid and indicates
--         * that PTEs in the range [0, _at_nr_validated_ptes) have been validated.
--         * An extra page reference must be acquired (or not dropped) whenever
--         * PGT_partial gets set, and it must be dropped when the flag gets
--         * cleared. This is so that a get() leaving a page in partially
-+         * When PGT_partial is true then the first two fields are valid and
-+         * indicate that PTEs in the range [0, _at_nr_validated_ptes) have been
-+         * validated. An extra page reference must be acquired (or not dropped)
-+         * whenever PGT_partial gets set, and it must be dropped when the flag
-+         * gets cleared. This is so that a get() leaving a page in partially
-          * validated state (where the caller would drop the reference acquired
-          * due to the getting of the type [apparently] failing [-ERESTART])
-          * would not accidentally result in a page left with zero general
-_at_@ -152,10 +152,18 @@ struct page_info
-          * put_page_from_lNe() (due to the apparent failure), and hence it
-          * must be dropped when the put operation is resumed (and completes),
-          * but it must not be acquired if picking up the page for validation.
-+         *
-+         * The 3rd field, _at_linear_pt_count, indicates
-+         * - by a positive value, how many same-level page table entries a page
-+         *   table has,
-+         * - by a negative value, in how many same-level page tables a page is
-+         *   in use.
-          */
-         struct {
--            u16 nr_validated_ptes;
--            s8 partial_pte;
-+            u16 nr_validated_ptes:PAGETABLE_ORDER + 1;
-+            u16 :16 - PAGETABLE_ORDER - 1 - 2;
-+            s16 partial_pte:2;
-+            s16 linear_pt_count;
-         };
- 
-         /*
-_at_@ -206,6 +214,9 @@ struct page_info
- #define PGT_count_width   PG_shift(9)
- #define PGT_count_mask    ((1UL<<PGT_count_width)-1)
- 
-+/* Are the 'type mask' bits identical? */
-+#define PGT_type_equal(x, y) (!(((x) ^ (y)) & PGT_type_mask))
-+
-  /* Cleared when the owning guest 'frees' this page. */
- #define _PGC_allocated    PG_shift(1)
- #define PGC_allocated     PG_mask(1, 1)
--- 
-2.14.1
-
diff --git a/main/xen/xsa240-2.patch b/main/xen/xsa240-2.patch
deleted file mode 100644
index 5e057c5652..0000000000
--- a/main/xen/xsa240-2.patch
+++ /dev/null
_at_@ -1,83 +0,0 @@
-From e614979ce054044d9e19023f1ef10dae6e38baf4 Mon Sep 17 00:00:00 2001
-From: George Dunlap <george.dunlap_at_citrix.com>
-Date: Fri, 22 Sep 2017 11:46:55 +0100
-Subject: [PATCH 2/2] x86/mm: Disable PV linear pagetables by default
-
-Allowing pagetables to point to other pagetables of the same level
-(often called 'linear pagetables') has been included in Xen since its
-inception.  But it is not used by the most common PV guests (Linux,
-NetBSD, minios), and has been the source of a number of subtle
-reference-counting bugs.
-
-Add a command-line option to control whether PV linear pagetables are
-allowed (disabled by default).
-
-Reported-by: Jann Horn <jannh_at_google.com>
-Signed-off-by: George Dunlap <george.dunlap_at_citrix.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
----
-Changes since v2:
-- s/_/-/; in command-line option
-- Added __read_mostly
----
- docs/misc/xen-command-line.markdown | 15 +++++++++++++++
- xen/arch/x86/mm.c                   | 10 ++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
-index 44d99852aa..45ef873abb 100644
---- a/docs/misc/xen-command-line.markdown
-+++ b/docs/misc/xen-command-line.markdown
-_at_@ -1374,6 +1374,21 @@ The following resources are available:
-     CDP, one COS will corespond two CBMs other than one with CAT, due to the
-     sum of CBMs is fixed, that means actual `cos_max` in use will automatically
-     reduce to half when CDP is enabled.
-+
-+### pv-linear-pt
-+> `= <boolean>`
-+
-+> Default: `false`
-+
-+Allow PV guests to have pagetable entries pointing to other pagetables
-+of the same level (i.e., allowing L2 PTEs to point to other L2 pages).
-+This technique is often called "linear pagetables", and is sometimes
-+used to allow operating systems a simple way to consistently map the
-+current process's pagetables into its own virtual address space.
-+
-+None of the most common PV operating systems (Linux, NetBSD, MiniOS)
-+use this technique, but there may be custom operating systems which
-+do.
- 
- ### reboot
- > `= t[riple] | k[bd] | a[cpi] | p[ci] | P[ower] | e[fi] | n[o] [, [w]arm | [c]old]`
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 1e469bd354..32952a46b9 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -814,6 +814,9 @@ static void dec_linear_uses(struct page_info *pg)
-  *     frame if it is mapped by a different root table. This is sufficient and
-  *     also necessary to allow validation of a root table mapping itself.
-  */
-+static bool __read_mostly pv_linear_pt_enable = false;
-+boolean_param("pv-linear-pt", pv_linear_pt_enable);
-+
- #define define_get_linear_pagetable(level)                                  \
- static int                                                                  \
- get_##level##_linear_pagetable(                                             \
-_at_@ -823,6 +826,13 @@ get_##level##_linear_pagetable(                                             \
-     struct page_info *page;                                                 \
-     unsigned long pfn;                                                      \
-                                                                             \
-+    if ( !pv_linear_pt_enable )                                             \
-+    {                                                                       \
-+        gdprintk(XENLOG_WARNING,                                            \
-+                 "Attempt to create linear p.t. (feature disabled)\n");     \
-+        return 0;                                                           \
-+    }                                                                       \
-+                                                                            \
-     if ( (level##e_get_flags(pde) & _PAGE_RW) )                             \
-     {                                                                       \
-         gdprintk(XENLOG_WARNING,                                            \
--- 
-2.14.1
-
diff --git a/main/xen/xsa241-4.9.patch b/main/xen/xsa241-4.9.patch
deleted file mode 100644
index 514e4c7a4b..0000000000
--- a/main/xen/xsa241-4.9.patch
+++ /dev/null
_at_@ -1,120 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86: don't store possibly stale TLB flush time stamp
-
-While the timing window is extremely narrow, it is theoretically
-possible for an update to the TLB flush clock and a subsequent flush
-IPI to happen between the read and write parts of the update of the
-per-page stamp. Exclude this possibility by disabling interrupts
-across the update, preventing the IPI to be serviced in the middle.
-
-This is XSA-241.
-
-Reported-by: Jann Horn <jannh_at_google.com>
-Suggested-by: George Dunlap <george.dunlap_at_citrix.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: George Dunlap <george.dunlap_at_citrix.com>
-
---- a/xen/arch/arm/smp.c
-+++ b/xen/arch/arm/smp.c
-_at_@ -1,3 +1,4 @@
-+#include <xen/mm.h>
- #include <asm/system.h>
- #include <asm/smp.h>
- #include <asm/cpregs.h>
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -2524,7 +2524,7 @@ static int _put_final_page_type(struct p
-          */
-         if ( !(shadow_mode_enabled(page_get_owner(page)) &&
-                (page->count_info & PGC_page_table)) )
--            page->tlbflush_timestamp = tlbflush_current_time();
-+            page_set_tlbflush_timestamp(page);
-         wmb();
-         page->u.inuse.type_info--;
-     }
-_at_@ -2534,7 +2534,7 @@ static int _put_final_page_type(struct p
-                 (PGT_count_mask|PGT_validated|PGT_partial)) == 1);
-         if ( !(shadow_mode_enabled(page_get_owner(page)) &&
-                (page->count_info & PGC_page_table)) )
--            page->tlbflush_timestamp = tlbflush_current_time();
-+            page_set_tlbflush_timestamp(page);
-         wmb();
-         page->u.inuse.type_info |= PGT_validated;
-     }
-_at_@ -2588,7 +2588,7 @@ static int _put_page_type(struct page_in
-             if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) )
-             {
-                 /*
--                 * page_set_tlbflush_timestamp() accesses the same union
-+                 * set_tlbflush_timestamp() accesses the same union
-                  * linear_pt_count lives in. Unvalidated page table pages,
-                  * however, should occur during domain destruction only
-                  * anyway.  Updating of linear_pt_count luckily is not
-_at_@ -2609,7 +2609,7 @@ static int _put_page_type(struct page_in
-              */
-             if ( !(shadow_mode_enabled(page_get_owner(page)) &&
-                    (page->count_info & PGC_page_table)) )
--                page->tlbflush_timestamp = tlbflush_current_time();
-+                page_set_tlbflush_timestamp(page);
-         }
- 
-         if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) )
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-_at_@ -1464,7 +1464,7 @@ void shadow_free(struct domain *d, mfn_t
-          * TLBs when we reuse the page.  Because the destructors leave the
-          * contents of the pages in place, we can delay TLB flushes until
-          * just before the allocator hands the page out again. */
--        sp->tlbflush_timestamp = tlbflush_current_time();
-+        page_set_tlbflush_timestamp(sp);
-         perfc_decr(shadow_alloc_count);
-         page_list_add_tail(sp, &d->arch.paging.shadow.freelist);
-         sp = next;
---- a/xen/common/page_alloc.c
-+++ b/xen/common/page_alloc.c
-_at_@ -960,7 +960,7 @@ static void free_heap_pages(
-         /* If a page has no owner it will need no safety TLB flush. */
-         pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL);
-         if ( pg[i].u.free.need_tlbflush )
--            pg[i].tlbflush_timestamp = tlbflush_current_time();
-+            page_set_tlbflush_timestamp(&pg[i]);
- 
-         /* This page is not a guest frame any more. */
-         page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */
---- a/xen/include/asm-arm/flushtlb.h
-+++ b/xen/include/asm-arm/flushtlb.h
-_at_@ -12,6 +12,11 @@ static inline void tlbflush_filter(cpuma
- 
- #define tlbflush_current_time()                 (0)
- 
-+static inline void page_set_tlbflush_timestamp(struct page_info *page)
-+{
-+    page->tlbflush_timestamp = tlbflush_current_time();
-+}
-+
- #if defined(CONFIG_ARM_32)
- # include <asm/arm32/flushtlb.h>
- #elif defined(CONFIG_ARM_64)
---- a/xen/include/asm-x86/flushtlb.h
-+++ b/xen/include/asm-x86/flushtlb.h
-_at_@ -23,6 +23,20 @@ DECLARE_PER_CPU(u32, tlbflush_time);
- 
- #define tlbflush_current_time() tlbflush_clock
- 
-+static inline void page_set_tlbflush_timestamp(struct page_info *page)
-+{
-+    /*
-+     * Prevent storing a stale time stamp, which could happen if an update
-+     * to tlbflush_clock plus a subsequent flush IPI happen between the
-+     * reading of tlbflush_clock and the writing of the struct page_info
-+     * field.
-+     */
-+    ASSERT(local_irq_is_enabled());
-+    local_irq_disable();
-+    page->tlbflush_timestamp = tlbflush_current_time();
-+    local_irq_enable();
-+}
-+
- /*
-  * _at_cpu_stamp is the timestamp at last TLB flush for the CPU we are testing.
-  * _at_lastuse_stamp is a timestamp taken when the PFN we are testing was last 
diff --git a/main/xen/xsa242-4.9.patch b/main/xen/xsa242-4.9.patch
deleted file mode 100644
index 8adfa61fd7..0000000000
--- a/main/xen/xsa242-4.9.patch
+++ /dev/null
_at_@ -1,43 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86: don't allow page_unlock() to drop the last type reference
-
-Only _put_page_type() does the necessary cleanup, and hence not all
-domain pages can be released during guest cleanup (leaving around
-zombie domains) if we get this wrong.
-
-This is XSA-242.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -1923,7 +1923,11 @@ void page_unlock(struct page_info *page)
- 
-     do {
-         x = y;
-+        ASSERT((x & PGT_count_mask) && (x & PGT_locked));
-+
-         nx = x - (1 | PGT_locked);
-+        /* We must not drop the last reference here. */
-+        ASSERT(nx & PGT_count_mask);
-     } while ( (y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x );
- }
- 
-_at_@ -2611,6 +2615,17 @@ static int _put_page_type(struct page_in
-                    (page->count_info & PGC_page_table)) )
-                 page_set_tlbflush_timestamp(page);
-         }
-+        else if ( unlikely((nx & (PGT_locked | PGT_count_mask)) ==
-+                           (PGT_locked | 1)) )
-+        {
-+            /*
-+             * We must not drop the second to last reference when the page is
-+             * locked, as page_unlock() doesn't do any cleanup of the type.
-+             */
-+            cpu_relax();
-+            y = page->u.inuse.type_info;
-+            continue;
-+        }
- 
-         if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) )
-             break;
diff --git a/main/xen/xsa243-1.patch b/main/xen/xsa243-1.patch
deleted file mode 100644
index aaff277514..0000000000
--- a/main/xen/xsa243-1.patch
+++ /dev/null
_at_@ -1,93 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests
-
-When initially creating a monitor table for 4-level translated guests, don't
-install a shadow-linear mapping.  This mapping is actually self-linear, and
-trips up the writeable heuristic logic into following Xen's mappings, not the
-guests' shadows it was expecting to follow.
-
-A consequence of this is that sh_guess_wrmap() needs to cope with there being
-no shadow-linear mapping present, which in practice occurs once each time a
-vcpu switches to 4-level paging from a different paging mode.
-
-An appropriate shadow-linear slot will be inserted into the monitor table
-either while constructing lower level monitor tables, or by sh_update_cr3().
-
-While fixing this, clarify the safety of the other mappings.  Despite
-appearing unsafe, it is correct to create a guest-linear mapping for
-translated domains; this is self-linear and doesn't point into the translated
-domain.  Drop a dead clause for translate != external guests.
-
-This is XSA-243.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Tim Deegan <tim_at_xen.org>
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index 8d4f244..a18d286 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-_at_@ -1485,26 +1485,38 @@ void sh_install_xen_entries_in_l4(struct domain *d, mfn_t gl4mfn, mfn_t sl4mfn)
-         sl4e[shadow_l4_table_offset(RO_MPT_VIRT_START)] = shadow_l4e_empty();
-     }
- 
--    /* Shadow linear mapping for 4-level shadows.  N.B. for 3-level
--     * shadows on 64-bit xen, this linear mapping is later replaced by the
--     * monitor pagetable structure, which is built in make_monitor_table
--     * and maintained by sh_update_linear_entries. */
--    sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] =
--        shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR_RW);
--
--    /* Self linear mapping.  */
--    if ( shadow_mode_translate(d) && !shadow_mode_external(d) )
-+    /*
-+     * Linear mapping slots:
-+     *
-+     * Calling this function with gl4mfn == sl4mfn is used to construct a
-+     * monitor table for translated domains.  In this case, gl4mfn forms the
-+     * self-linear mapping (i.e. not pointing into the translated domain), and
-+     * the shadow-linear slot is skipped.  The shadow-linear slot is either
-+     * filled when constructing lower level monitor tables, or via
-+     * sh_update_cr3() for 4-level guests.
-+     *
-+     * Calling this function with gl4mfn != sl4mfn is used for non-translated
-+     * guests, where the shadow-linear slot is actually self-linear, and the
-+     * guest-linear slot points into the guests view of its pagetables.
-+     */
-+    if ( shadow_mode_translate(d) )
-     {
--        // linear tables may not be used with translated PV guests
--        sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] =
-+        ASSERT(mfn_eq(gl4mfn, sl4mfn));
-+
-+        sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] =
-             shadow_l4e_empty();
-     }
-     else
-     {
--        sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] =
--            shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR_RW);
-+        ASSERT(!mfn_eq(gl4mfn, sl4mfn));
-+
-+        sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] =
-+            shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR_RW);
-     }
- 
-+    sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] =
-+        shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR_RW);
-+
-     unmap_domain_page(sl4e);
- }
- #endif
-_at_@ -4405,6 +4417,11 @@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn)
- 
-     /* Carefully look in the shadow linear map for the l1e we expect */
- #if SHADOW_PAGING_LEVELS >= 4
-+    /* Is a shadow linear map is installed in the first place? */
-+    sl4p  = v->arch.paging.shadow.guest_vtable;
-+    sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START);
-+    if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-+        return 0;
-     sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr);
-     if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-         return 0;
diff --git a/main/xen/xsa243-2.patch b/main/xen/xsa243-2.patch
deleted file mode 100644
index 1aca5d3dbd..0000000000
--- a/main/xen/xsa243-2.patch
+++ /dev/null
_at_@ -1,54 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap()
-
-The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change
-in behaviour for sh_guest_wrmap(), where it had to cope with no shadow linear
-mapping being present.
-
-As the name suggests, guest_vtable is a mapping of the guests pagetable, not
-Xen's pagetable, meaning that it isn't the pagetable we need to check for the
-shadow linear slot in.
-
-The practical upshot is that a shadow HVM vcpu which switches into 4-level
-paging mode, with an L4 pagetable that contains a mapping which aliases Xen's
-SH_LINEAR_PT_VIRT_START will fool the safety check for whether a SHADOW_LINEAR
-mapping is present.  As the check passes (when it should have failed), Xen
-subsequently falls over the missing mapping with a pagefault such as:
-
-    (XEN) Pagetable walk from ffff8140a0503880:
-    (XEN)  L4[0x102] = 000000046c218063 ffffffffffffffff
-    (XEN)  L3[0x102] = 000000046c218063 ffffffffffffffff
-    (XEN)  L2[0x102] = 000000046c218063 ffffffffffffffff
-    (XEN)  L1[0x103] = 0000000000000000 ffffffffffffffff
-
-This is part of XSA-243.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Tim Deegan <tim_at_xen.org>
-
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-_at_@ -4350,11 +4350,18 @@ static int sh_guess_wrmap(struct vcpu *v
- 
-     /* Carefully look in the shadow linear map for the l1e we expect */
- #if SHADOW_PAGING_LEVELS >= 4
--    /* Is a shadow linear map is installed in the first place? */
--    sl4p  = v->arch.paging.shadow.guest_vtable;
--    sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START);
--    if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
--        return 0;
-+    /*
-+     * Non-external guests (i.e. PV) have a SHADOW_LINEAR mapping from the
-+     * moment their shadows are created.  External guests (i.e. HVM) may not,
-+     * but always have a regular linear mapping, which we can use to observe
-+     * whether a SHADOW_LINEAR mapping is present.
-+     */
-+    if ( paging_mode_external(d) )
-+    {
-+        sl4p =  __linear_l4_table + l4_linear_offset(SH_LINEAR_PT_VIRT_START);
-+        if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-+            return 0;
-+    }
-     sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr);
-     if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-         return 0;
diff --git a/main/xen/xsa244.patch b/main/xen/xsa244.patch
deleted file mode 100644
index c35a80be32..0000000000
--- a/main/xen/xsa244.patch
+++ /dev/null
_at_@ -1,59 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: [PATCH] x86/cpu: Fix IST handling during PCPU bringup
-
-Clear IST references in newly allocated IDTs.  Nothing good will come of
-having them set before the TSS is suitably constructed (although the chances
-of the CPU surviving such an IST interrupt/exception is extremely slim).
-
-Uniformly set the IST references after the TSS is in place.  This fixes an
-issue on AMD hardware, where onlining a PCPU while PCPU0 is in HVM context
-will cause IST_NONE to be copied into the new IDT, making that PCPU vulnerable
-to privilege escalation from PV guests until it subsequently schedules an HVM
-guest.
-
-This is XSA-244
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
----
- xen/arch/x86/cpu/common.c | 5 +++++
- xen/arch/x86/smpboot.c    | 3 +++
- 2 files changed, 8 insertions(+)
-
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 78f5667..6cf3628 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-_at_@ -640,6 +640,7 @@ void __init early_cpu_init(void)
-  * - Sets up TSS with stack pointers, including ISTs
-  * - Inserts TSS selector into regular and compat GDTs
-  * - Loads GDT, IDT, TR then null LDT
-+ * - Sets up IST references in the IDT
-  */
- void load_system_tables(void)
- {
-_at_@ -702,6 +703,10 @@ void load_system_tables(void)
- 	asm volatile ("ltr  %w0" : : "rm" (TSS_ENTRY << 3) );
- 	asm volatile ("lldt %w0" : : "rm" (0) );
- 
-+	set_ist(&idt_tables[cpu][TRAP_double_fault],  IST_DF);
-+	set_ist(&idt_tables[cpu][TRAP_nmi],	      IST_NMI);
-+	set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
-+
- 	/*
- 	 * Bottom-of-stack must be 16-byte aligned!
- 	 *
-diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
-index 3ca716c..1609b62 100644
---- a/xen/arch/x86/smpboot.c
-+++ b/xen/arch/x86/smpboot.c
-_at_@ -724,6 +724,9 @@ static int cpu_smpboot_alloc(unsigned int cpu)
-     if ( idt_tables[cpu] == NULL )
-         goto oom;
-     memcpy(idt_tables[cpu], idt_table, IDT_ENTRIES * sizeof(idt_entry_t));
-+    set_ist(&idt_tables[cpu][TRAP_double_fault],  IST_NONE);
-+    set_ist(&idt_tables[cpu][TRAP_nmi],           IST_NONE);
-+    set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
- 
-     for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1);
-           i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i )
diff --git a/main/xen/xsa245-1.patch b/main/xen/xsa245-1.patch
deleted file mode 100644
index 2047686903..0000000000
--- a/main/xen/xsa245-1.patch
+++ /dev/null
_at_@ -1,48 +0,0 @@
-From a48d47febc1340f27d6c716545692641a09b414c Mon Sep 17 00:00:00 2001
-From: Julien Grall <julien.grall_at_arm.com>
-Date: Thu, 21 Sep 2017 14:13:08 +0100
-Subject: [PATCH 1/2] xen/page_alloc: Cover memory unreserved after boot in
- first_valid_mfn
-
-On Arm, some regions (e.g Initramfs, Dom0 Kernel...) are marked as
-reserved until the hardware domain is built and they are copied into its
-memory. Therefore, they will not be added in the boot allocator via
-init_boot_pages.
-
-Instead, init_xenheap_pages will be called once the region are not used
-anymore.
-
-Update first_valid_mfn in both init_heap_pages and init_boot_pages
-(already exist) to cover all the cases.
-
-Signed-off-by: Julien Grall <julien.grall_at_arm.com>
-[Adjust comment, added locking around first_valid_mfn update]
-Signed-off-by: Boris Ostrovsky <boris.ostrovsky_at_oracle.com>
----
- xen/common/page_alloc.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
-index 0b9f6cc6df..fbe5a8af39 100644
---- a/xen/common/page_alloc.c
-+++ b/xen/common/page_alloc.c
-_at_@ -1700,6 +1700,16 @@ static void init_heap_pages(
- {
-     unsigned long i;
- 
-+    /*
-+     * Some pages may not go through the boot allocator (e.g reserved
-+     * memory at boot but released just after --- kernel, initramfs,
-+     * etc.).
-+     * Update first_valid_mfn to ensure those regions are covered.
-+     */
-+    spin_lock(&heap_lock);
-+    first_valid_mfn = min_t(unsigned long, page_to_mfn(pg), first_valid_mfn);
-+    spin_unlock(&heap_lock);
-+
-     for ( i = 0; i < nr_pages; i++ )
-     {
-         unsigned int nid = phys_to_nid(page_to_maddr(pg+i));
--- 
-2.11.0
-
diff --git a/main/xen/xsa245-2.patch b/main/xen/xsa245-2.patch
deleted file mode 100644
index cd4d2709be..0000000000
--- a/main/xen/xsa245-2.patch
+++ /dev/null
_at_@ -1,73 +0,0 @@
-From cbfcf039d0e0b6f4c4cb3de612f7bf788a0c47cd Mon Sep 17 00:00:00 2001
-From: Julien Grall <julien.grall_at_arm.com>
-Date: Mon, 18 Sep 2017 14:24:08 +0100
-Subject: [PATCH 2/2] xen/arm: Correctly report the memory region in the dummy
- NUMA helpers
-
-NUMA is currently not supported on Arm. Because common code is
-NUMA-aware, dummy helpers are instead provided to expose a single node.
-
-Those helpers are for instance used to know the region to scrub.
-
-However the memory region is not reported correctly. Indeed, the
-frametable may not be at the beginning of the memory and there might be
-multiple memory banks. This will lead to not scrub some part of the
-memory.
-
-The memory information can be found using:
-    * first_valid_mfn as the start of the memory
-    * max_page - first_valid_mfn as the spanned pages
-
-Note that first_valid_mfn is now been exported. The prototype has been
-added in asm-arm/numa.h and not in a common header because I would
-expect the variable to become static once NUMA is fully supported on
-Arm.
-
-Signed-off-by: Julien Grall <julien.grall_at_arm.com>
----
- xen/common/page_alloc.c    |  6 +++++-
- xen/include/asm-arm/numa.h | 10 ++++++++--
- 2 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
-index fbe5a8af39..472c6fe329 100644
---- a/xen/common/page_alloc.c
-+++ b/xen/common/page_alloc.c
-_at_@ -192,7 +192,11 @@ PAGE_LIST_HEAD(page_broken_list);
-  * BOOT-TIME ALLOCATOR
-  */
- 
--static unsigned long __initdata first_valid_mfn = ~0UL;
-+/*
-+ * first_valid_mfn is exported because it is use in ARM specific NUMA
-+ * helpers. See comment in asm-arm/numa.h.
-+ */
-+unsigned long first_valid_mfn = ~0UL;
- 
- static struct bootmem_region {
-     unsigned long s, e; /* MFNs _at_s through @e-1 inclusive are free */
-diff --git a/xen/include/asm-arm/numa.h b/xen/include/asm-arm/numa.h
-index a2c1a3476d..3e7384da9e 100644
---- a/xen/include/asm-arm/numa.h
-+++ b/xen/include/asm-arm/numa.h
-_at_@ -12,9 +12,15 @@ static inline __attribute__((pure)) nodeid_t phys_to_nid(paddr_t addr)
-     return 0;
- }
- 
-+/*
-+ * TODO: make first_valid_mfn static when NUMA is supported on Arm, this
-+ * is required because the dummy helpers is using it.
-+ */
-+extern unsigned long first_valid_mfn;
-+
- /* XXX: implement NUMA support */
--#define node_spanned_pages(nid) (total_pages)
--#define node_start_pfn(nid) (pdx_to_pfn(frametable_base_pdx))
-+#define node_spanned_pages(nid) (max_page - first_valid_mfn)
-+#define node_start_pfn(nid) (first_valid_mfn)
- #define __node_distance(a, b) (20)
- 
- static inline unsigned int arch_get_dma_bitsize(void)
--- 
-2.11.0
-
-- 
2.15.0
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Sun Nov 26 2017 - 19:05:42 GMT