Mail archive
alpine-devel

[alpine-devel] [PATCH] xen: update to 4.1.4

From: Roger Pau Monne <roger.pau_at_citrix.com>
Date: Fri, 21 Dec 2012 11:19:01 +0100

---
Apply against 2.3/2.4 stable trees
---
 main/xen/APKBUILD        |   50 +----
 main/xen/xsa-12.patch    |   32 ---
 main/xen/xsa-13.patch    |   41 ----
 main/xen/xsa-14.patch    |   32 ---
 main/xen/xsa-15-1.patch  |   37 ---
 main/xen/xsa-15-2.patch  |   54 -----
 main/xen/xsa-15-3.patch  |   32 ---
 main/xen/xsa-15-4.patch  |   51 -----
 main/xen/xsa-15-5.patch  |  563 ----------------------------------------------
 main/xen/xsa-16.patch    |   42 ----
 main/xen/xsa-17.patch    |  122 ----------
 main/xen/xsa-20.patch    |   56 -----
 main/xen/xsa-21.patch    |   42 ----
 main/xen/xsa-22.patch    |   51 -----
 main/xen/xsa-23.patch    |   44 ----
 main/xen/xsa-24.patch    |   41 ----
 main/xen/xsa-25.patch    |  474 --------------------------------------
 main/xen/xsa26-4.1.patch |  107 ---------
 main/xen/xsa27-4.1.patch |  168 --------------
 main/xen/xsa28-4.1.patch |   36 ---
 main/xen/xsa29-4.1.patch |   49 ----
 main/xen/xsa30-4.1.patch |   57 -----
 main/xen/xsa31-4.1.patch |   50 ----
 23 files changed, 3 insertions(+), 2228 deletions(-)
 delete mode 100644 main/xen/xsa-12.patch
 delete mode 100644 main/xen/xsa-13.patch
 delete mode 100644 main/xen/xsa-14.patch
 delete mode 100644 main/xen/xsa-15-1.patch
 delete mode 100644 main/xen/xsa-15-2.patch
 delete mode 100644 main/xen/xsa-15-3.patch
 delete mode 100644 main/xen/xsa-15-4.patch
 delete mode 100644 main/xen/xsa-15-5.patch
 delete mode 100644 main/xen/xsa-16.patch
 delete mode 100644 main/xen/xsa-17.patch
 delete mode 100644 main/xen/xsa-20.patch
 delete mode 100644 main/xen/xsa-21.patch
 delete mode 100644 main/xen/xsa-22.patch
 delete mode 100644 main/xen/xsa-23.patch
 delete mode 100644 main/xen/xsa-24.patch
 delete mode 100644 main/xen/xsa-25.patch
 delete mode 100644 main/xen/xsa26-4.1.patch
 delete mode 100644 main/xen/xsa27-4.1.patch
 delete mode 100644 main/xen/xsa28-4.1.patch
 delete mode 100644 main/xen/xsa29-4.1.patch
 delete mode 100644 main/xen/xsa30-4.1.patch
 delete mode 100644 main/xen/xsa31-4.1.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 2d8c316..e5eba08 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
_at_@ -2,8 +2,8 @@
 # Contributor: Roger Pau Monne <roger.pau_at_entel.upc.edu>
 # Maintainer: William Pitcock <nenolod_at_dereferenced.org>
 pkgname=xen
-pkgver=4.1.3
-pkgrel=1
+pkgver=4.1.4
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
_at_@ -22,28 +22,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	define_fsimage_dir.patch
 	librt.patch
 	busybox-sed.patch
-	xsa-12.patch
-	xsa-13.patch
-	xsa-14.patch
-	xsa-15-1.patch
-	xsa-15-2.patch
-	xsa-15-3.patch
-	xsa-15-4.patch
-	xsa-15-5.patch
-	xsa-16.patch
-	xsa-17.patch
-	xsa-20.patch
-	xsa-21.patch
-	xsa-22.patch
-	xsa-23.patch
-	xsa-24.patch
-	xsa-25.patch
-	xsa26-4.1.patch
-	xsa27-4.1.patch
-	xsa28-4.1.patch
-	xsa29-4.1.patch
-	xsa30-4.1.patch
-	xsa31-4.1.patch
 
 	xenstored.initd
 	xenstored.confd
_at_@ -135,7 +113,7 @@ hypervisor() {
 	mv "$pkgdir"/boot "$subpkgdir"/
 }
 
-md5sums="bed929d5c5e5135cab40e2a6aab73fa0  xen-4.1.3.tar.gz
+md5sums="f71e0ffd2c31a855c28935f642ae94f8  xen-4.1.4.tar.gz
 6d4b045ae56be6288733d0e078f591ea  blktap2_libvhd_add_iconv.patch
 ed3283697cb1ddff066f4087eabf68c6  detect_libiconv.patch
 503f0883f4a0b50fe4e37e09ed9a6177  fix_bswap_blktap.patch
_at_@ -143,28 +121,6 @@ b973dc1ffcc6872e222b36f3b7b4836b  fix_bswap_blktap2.patch
 0bb8a435020a5a49b38b1a447fb69977  define_fsimage_dir.patch
 fa06495a175571f4aa3b6cb88937953e  librt.patch
 1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
-8a7bf334786c3fcafa9f9ae407c56a86  xsa-12.patch
-73ba610d9098022f4fc3fb8b10111836  xsa-13.patch
-e7b2e777128fb45386642be324fbd85e  xsa-14.patch
-e38a8799c358c5959bc0146f7fb7bd2f  xsa-15-1.patch
-8097d6451ab6d33f8374df316562a961  xsa-15-2.patch
-75a12e9f62188677e5be6b33990b8b3c  xsa-15-3.patch
-060667428ae4f12ab93a218238d3ff14  xsa-15-4.patch
-ff8c8c952808a5d1c8258013608b8f19  xsa-15-5.patch
-bbd0801bd2f8b501b366368be1520090  xsa-16.patch
-a9d0b6ea849e40be80bed23b93138bba  xsa-17.patch
-c7ba117dba1ee05c8944cc62c4dd1ce1  xsa-20.patch
-1324c3a8999ca113ca0b60daad361bb0  xsa-21.patch
-24e3db4c01c2ad8d17539b7a20d057d2  xsa-22.patch
-4d16a72c8c5e28ab439227e7e96d5650  xsa-23.patch
-8d58e94aa0d3ed43178fdcbd1af7d9fc  xsa-24.patch
-e5f0a25cc5cb7245be0be5c9d19adef2  xsa-25.patch
-0ef1933756429c5204d4cb59e20a609a  xsa26-4.1.patch
-075932924d01e4fc231bf37a14241ccb  xsa27-4.1.patch
-0d59195f99e5f871cd4606cfb9c2ffdf  xsa28-4.1.patch
-8e69a2b2819a26504ca12353dc6ce829  xsa29-4.1.patch
-4acab55051e542761d9ac5f782964dcb  xsa30-4.1.patch
-2b9c5737b2910dc077c6e654b973947f  xsa31-4.1.patch
 6e5739dad7e2bd1b625e55ddc6c782b7  xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
 ed262f15fb880badb53575539468646c  xenconsoled.initd
diff --git a/main/xen/xsa-12.patch b/main/xen/xsa-12.patch
deleted file mode 100644
index 8f7295a..0000000
--- a/main/xen/xsa-12.patch
+++ /dev/null
_at_@ -1,32 +0,0 @@
-From ab4f401a1a2149dff14667a383f2e4a1757682ef Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:27:54 +0100
-Subject: [PATCH] xen: prevent a 64 bit guest setting reserved bits in DR7
-
-The upper 32 bits of this register are reserved and should be written as
-zero.
-
-This is XSA-12 / CVE-2012-3494
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Ian Campbell <ian.campbell_at_citrix.com>
----
- xen/include/asm-x86/debugreg.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/xen/include/asm-x86/debugreg.h b/xen/include/asm-x86/debugreg.h
-index 9b7e971..24021b8 100644
---- a/xen/include/asm-x86/debugreg.h
-+++ b/xen/include/asm-x86/debugreg.h
-_at_@ -58,7 +58,7 @@
-    We can slow the instruction pipeline for instructions coming via the
-    gdt or the ldt if we want to.  I am not sure why this is an advantage */
- 
--#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
-+#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
- #define DR_CONTROL_RESERVED_ONE  (0x00000400ul) /* Reserved, read as one */
- #define DR_LOCAL_EXACT_ENABLE    (0x00000100ul) /* Local exact enable */
- #define DR_GLOBAL_EXACT_ENABLE   (0x00000200ul) /* Global exact enable */
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-13.patch b/main/xen/xsa-13.patch
deleted file mode 100644
index 1a28194..0000000
--- a/main/xen/xsa-13.patch
+++ /dev/null
_at_@ -1,41 +0,0 @@
-From 06f0a9bfc333916cece9516a7ff1e35289e9f16f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:28:17 +0100
-Subject: [PATCH] xen: handle out-of-pirq condition correctly in
- PHYSDEVOP_get_free_pirq
-
-This is XSA-13 / CVE-2012-3495
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Signed-off-by: Jan Beulich <JBeulich_at_suse.com>
----
- xen/arch/x86/physdev.c |   11 ++++++++---
- 1 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index 8c24559..e037a94 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-_at_@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE(void) arg)
-             break;
- 
-         spin_lock(&d->event_lock);
--        out.pirq = get_free_pirq(d, out.type, 0);
--        d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
-+        ret = get_free_pirq(d, out.type, 0);
-+        if ( ret >= 0 )
-+            d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
-         spin_unlock(&d->event_lock);
- 
--        ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
-+        if ( ret >= 0 )
-+        {
-+            out.pirq = ret;
-+            ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
-+        }
- 
-         rcu_unlock_domain(d);
-         break;
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-14.patch b/main/xen/xsa-14.patch
deleted file mode 100644
index 6029ced..0000000
--- a/main/xen/xsa-14.patch
+++ /dev/null
_at_@ -1,32 +0,0 @@
-From 161e4805de91e10fbe30d91c1f1bbe967d4365d8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:29:05 +0100
-Subject: [PATCH] xen: Don't BUG_ON() PoD operations on a non-translated
- guest.
-
-This is XSA-14 / CVE-2012-3496
-
-Signed-off-by: Tim Deegan <tim_at_xen.org>
-Reviewed-by: Ian Campbell <ian.campbell_at_citrix.com>
-Tested-by: Ian Campbell <ian.campbell_at_citrix.com>
----
- xen/arch/x86/mm/p2m.c |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index e095118..eda9c8f 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-_at_@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn,
-     int pod_count = 0;
-     int rc = 0;
- 
--    BUG_ON(!paging_mode_translate(d));
-+    if ( !paging_mode_translate(d) )
-+        return -EINVAL;
- 
-     rc = gfn_check_limit(d, gfn, order);
-     if ( rc != 0 )
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-1.patch b/main/xen/xsa-15-1.patch
deleted file mode 100644
index 4a68bc5..0000000
--- a/main/xen/xsa-15-1.patch
+++ /dev/null
_at_@ -1,37 +0,0 @@
-From 16bae237b197bc925a60c5c783004e609e9b43c1 Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell_at_citrix.com>
-Date: Tue, 25 Sep 2012 12:24:06 +0200
-Subject: [PATCH] tmem: only allow tmem control operations from privileged
- domains
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer_at_oracle.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-xen-unstable changeset: 25850:0dba5a888655
-xen-unstable date: Tue Sep 11 12:06:30 UTC 2012
----
- xen/common/tmem.c |    6 ++----
- 1 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 1c155db..06c9e0e 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-_at_@ -2544,10 +2544,8 @@ static NOINLINE int do_tmem_control(struct tmem_op *op)
-     OID *oidp = (OID *)(&op->u.ctrl.oid[0]);
- 
-     if (!tmh_current_is_privileged())
--    {
--        /* don't fail... mystery: sometimes dom0 fails here */
--        /* return -EPERM; */
--    }
-+        return -EPERM;
-+
-     switch(subop)
-     {
-     case TMEMC_THAW:
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-2.patch b/main/xen/xsa-15-2.patch
deleted file mode 100644
index c099431..0000000
--- a/main/xen/xsa-15-2.patch
+++ /dev/null
_at_@ -1,54 +0,0 @@
-From afdc11f69ab71efa24145f9e747964066bcecefd Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell_at_citrix.com>
-Date: Tue, 25 Sep 2012 12:24:37 +0200
-Subject: [PATCH] tmem: consistently make pool_id a uint32_t
-
-Treating it as an int could allow a malicious guest to provide a
-negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and
-allowing access to the negative offsets of the pool array.
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer_at_oracle.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-xen-unstable changeset: 25851:fcf567acc92a
-xen-unstable date: Tue Sep 11 12:06:43 UTC 2012
----
- xen/common/tmem.c |    6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 06c9e0e..63a9ed0 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-_at_@ -2420,7 +2420,7 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
-     return rc;
- }
- 
--static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id,
-+static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
-                         tmem_cli_va_t buf, uint32_t bufsize)
- {
-     client_t *client = tmh_client_from_cli_id(cli_id);
-_at_@ -2512,7 +2512,7 @@ out:
-     return ret;
- }
- 
--static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
-+static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
-                       uint32_t index, tmem_cli_va_t buf, uint32_t bufsize)
- {
-     client_t *client = tmh_client_from_cli_id(cli_id);
-_at_@ -2524,7 +2524,7 @@ static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
-     return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
- }
- 
--static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp,
-+static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
-                         uint32_t index)
- {
-     client_t *client = tmh_client_from_cli_id(cli_id);
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-3.patch b/main/xen/xsa-15-3.patch
deleted file mode 100644
index 7a4dec5..0000000
--- a/main/xen/xsa-15-3.patch
+++ /dev/null
_at_@ -1,32 +0,0 @@
-From c7cafe83e0bee450cb0bde6c4921d5819dc96542 Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell_at_citrix.com>
-Date: Tue, 25 Sep 2012 12:24:57 +0200
-Subject: [PATCH] tmem: check the pool_id is valid when destroying a tmem pool
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer_at_oracle.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-xen-unstable changeset: 25852:d189d99ef00c
-xen-unstable date: Tue Sep 11 12:06:54 UTC 2012
----
- xen/common/tmem.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 63a9ed0..6ad0670 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-_at_@ -1873,6 +1873,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id)
- 
-     if ( client->pools == NULL )
-         return 0;
-+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
-+        return 0;
-     if ( (pool = client->pools[pool_id]) == NULL )
-         return 0;
-     client->pools[pool_id] = NULL;
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-4.patch b/main/xen/xsa-15-4.patch
deleted file mode 100644
index b9c6cfe..0000000
--- a/main/xen/xsa-15-4.patch
+++ /dev/null
_at_@ -1,51 +0,0 @@
-From e28173699e5651c323f66062e73cca29a65c097f Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell_at_citrix.com>
-Date: Tue, 25 Sep 2012 12:25:25 +0200
-Subject: [PATCH] tmem: check for a valid client ("domain") in the save subops
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Dan Magenheimer <dan.magenheimer_at_oracle.com>
-xen-unstable changeset: 25853:f53c5aadbba9
-xen-unstable date: Tue Sep 11 12:17:27 UTC 2012
----
- xen/common/tmem.c |    8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 6ad0670..83e3a06 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-_at_@ -2382,12 +2382,18 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
-         rc = MAX_POOLS_PER_DOMAIN;
-         break;
-     case TMEMC_SAVE_GET_CLIENT_WEIGHT:
-+        if ( client == NULL )
-+            break;
-         rc = client->weight == -1 ? -2 : client->weight;
-         break;
-     case TMEMC_SAVE_GET_CLIENT_CAP:
-+        if ( client == NULL )
-+            break;
-         rc = client->cap == -1 ? -2 : client->cap;
-         break;
-     case TMEMC_SAVE_GET_CLIENT_FLAGS:
-+        if ( client == NULL )
-+            break;
-         rc = (client->compress ? TMEM_CLIENT_COMPRESS : 0 ) |
-              (client->was_frozen ? TMEM_CLIENT_FROZEN : 0 );
-         break;
-_at_@ -2411,6 +2417,8 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
-         *uuid = pool->uuid[1];
-         rc = 0;
-     case TMEMC_SAVE_END:
-+        if ( client == NULL )
-+            break;
-         client->live_migrating = 0;
-         if ( !list_empty(&client->persistent_invalidated_list) )
-             list_for_each_entry_safe(pgp,pgp2,
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-5.patch b/main/xen/xsa-15-5.patch
deleted file mode 100644
index d45e96d..0000000
--- a/main/xen/xsa-15-5.patch
+++ /dev/null
_at_@ -1,563 +0,0 @@
-From 1266749162fd232c79898706f01082847a0e618e Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich_at_suse.com>
-Date: Tue, 25 Sep 2012 12:26:06 +0200
-Subject: [PATCH] tmem: don't access guest memory without using the accessors
- intended for this
-
-This is not permitted, not even for buffers coming from Dom0 (and it
-would also break the moment Dom0 runs in HVM mode). An implication from
-the changes here is that tmh_copy_page() can't be used anymore for
-control operations calling tmh_copy_{from,to}_client() (as those pass
-the buffer by virtual address rather than MFN).
-
-Note that tmemc_save_get_next_page() previously didn't set the returned
-handle's pool_id field, while the new code does. It need to be
-confirmed that this is not a problem (otherwise the copy-out operation
-will require further tmh_...() abstractions to be added).
-
-Further note that the patch removes (rather than adjusts) an invalid
-call to unmap_domain_page() (no matching map_domain_page()) from
-tmh_compress_from_client() and adds a missing one to an error return
-path in tmh_copy_from_client().
-
-Finally note that the patch adds a previously missing return statement
-to cli_get_page() (without which that function could de-reference a
-NULL pointer, triggerable from guest mode).
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Dan Magenheimer <dan.magenheimer_at_oracle.com>
-xen-unstable changeset: 25854:ccd60ed6c555
-xen-unstable date: Tue Sep 11 12:17:49 UTC 2012
----
- xen/common/tmem.c          |   90 ++++++++++++++++++++++++--------------------
- xen/common/tmem_xen.c      |   90 ++++++++++++++++++++++++++++++-------------
- xen/include/xen/tmem_xen.h |   20 ++++++---
- 3 files changed, 125 insertions(+), 75 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 83e3a06..ae02b37 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-_at_@ -387,11 +387,13 @@ static NOINLINE int pcd_copy_to_client(tmem_cli_mfn_t cmfn, pgp_t *pgp)
-     pcd = pgp->pcd;
-     if ( pgp->size < PAGE_SIZE && pgp->size != 0 &&
-          pcd->size < PAGE_SIZE && pcd->size != 0 )
--        ret = tmh_decompress_to_client(cmfn, pcd->cdata, pcd->size, NULL);
-+        ret = tmh_decompress_to_client(cmfn, pcd->cdata, pcd->size,
-+                                       tmh_cli_buf_null);
-     else if ( tmh_tze_enabled() && pcd->size < PAGE_SIZE )
-         ret = tmh_copy_tze_to_client(cmfn, pcd->tze, pcd->size);
-     else
--        ret = tmh_copy_to_client(cmfn, pcd->pfp, 0, 0, PAGE_SIZE, NULL);
-+        ret = tmh_copy_to_client(cmfn, pcd->pfp, 0, 0, PAGE_SIZE,
-+                                 tmh_cli_buf_null);
-     tmem_read_unlock(&pcd_tree_rwlocks[firstbyte]);
-     return ret;
- }
-_at_@ -1447,7 +1449,7 @@ static inline void tmem_ensure_avail_pages(void)
- /************ TMEM CORE OPERATIONS ************************************/
- 
- static NOINLINE int do_tmem_put_compress(pgp_t *pgp, tmem_cli_mfn_t cmfn,
--                                         void *cva)
-+                                         tmem_cli_va_t clibuf)
- {
-     void *dst, *p;
-     size_t size;
-_at_@ -1466,7 +1468,7 @@ static NOINLINE int do_tmem_put_compress(pgp_t *pgp, tmem_cli_mfn_t cmfn,
-     if ( pgp->pfp != NULL )
-         pgp_free_data(pgp, pgp->us.obj->pool);
-     START_CYC_COUNTER(compress);
--    ret = tmh_compress_from_client(cmfn, &dst, &size, cva);
-+    ret = tmh_compress_from_client(cmfn, &dst, &size, clibuf);
-     if ( (ret == -EFAULT) || (ret == 0) )
-         goto out;
-     else if ( (size == 0) || (size >= tmem_subpage_maxsize()) ) {
-_at_@ -1493,7 +1495,8 @@ out:
- }
- 
- static NOINLINE int do_tmem_dup_put(pgp_t *pgp, tmem_cli_mfn_t cmfn,
--       pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cva)
-+       pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len,
-+       tmem_cli_va_t clibuf)
- {
-     pool_t *pool;
-     obj_t *obj;
-_at_@ -1515,7 +1518,7 @@ static NOINLINE int do_tmem_dup_put(pgp_t *pgp, tmem_cli_mfn_t cmfn,
-     /* can we successfully manipulate pgp to change out the data? */
-     if ( len != 0 && client->compress && pgp->size != 0 )
-     {
--        ret = do_tmem_put_compress(pgp,cmfn,cva);
-+        ret = do_tmem_put_compress(pgp, cmfn, clibuf);
-         if ( ret == 1 )
-             goto done;
-         else if ( ret == 0 )
-_at_@ -1533,7 +1536,8 @@ copy_uncompressed:
-         goto failed_dup;
-     pgp->size = 0;
-     /* tmh_copy_from_client properly handles len==0 and offsets != 0 */
--    ret = tmh_copy_from_client(pgp->pfp,cmfn,tmem_offset,pfn_offset,len,0);
-+    ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
-+                               tmh_cli_buf_null);
-     if ( ret == -EFAULT )
-         goto bad_copy;
-     if ( tmh_dedup_enabled() && !is_persistent(pool) )
-_at_@ -1585,7 +1589,7 @@ cleanup:
- static NOINLINE int do_tmem_put(pool_t *pool,
-               OID *oidp, uint32_t index,
-               tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
--              pagesize_t pfn_offset, pagesize_t len, void *cva)
-+              pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
-     obj_t *obj = NULL, *objfound = NULL, *objnew = NULL;
-     pgp_t *pgp = NULL, *pgpdel = NULL;
-_at_@ -1599,7 +1603,8 @@ static NOINLINE int do_tmem_put(pool_t *pool,
-     {
-         ASSERT_SPINLOCK(&objfound->obj_spinlock);
-         if ((pgp = pgp_lookup_in_obj(objfound, index)) != NULL)
--            return do_tmem_dup_put(pgp,cmfn,tmem_offset,pfn_offset,len,cva);
-+            return do_tmem_dup_put(pgp, cmfn, tmem_offset, pfn_offset, len,
-+                                   clibuf);
-     }
- 
-     /* no puts allowed into a frozen pool (except dup puts) */
-_at_@ -1634,7 +1639,7 @@ static NOINLINE int do_tmem_put(pool_t *pool,
-     if ( len != 0 && client->compress )
-     {
-         ASSERT(pgp->pfp == NULL);
--        ret = do_tmem_put_compress(pgp,cmfn,cva);
-+        ret = do_tmem_put_compress(pgp, cmfn, clibuf);
-         if ( ret == 1 )
-             goto insert_page;
-         if ( ret == -ENOMEM )
-_at_@ -1658,7 +1663,8 @@ copy_uncompressed:
-         goto delete_and_free;
-     }
-     /* tmh_copy_from_client properly handles len==0 (TMEM_NEW_PAGE) */
--    ret = tmh_copy_from_client(pgp->pfp,cmfn,tmem_offset,pfn_offset,len,cva);
-+    ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
-+                               clibuf);
-     if ( ret == -EFAULT )
-         goto bad_copy;
-     if ( tmh_dedup_enabled() && !is_persistent(pool) )
-_at_@ -1728,12 +1734,13 @@ free:
- 
- static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
-               tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
--              pagesize_t pfn_offset, pagesize_t len, void *cva)
-+              pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
-     obj_t *obj;
-     pgp_t *pgp;
-     client_t *client = pool->client;
-     DECL_LOCAL_CYC_COUNTER(decompress);
-+    int rc = -EFAULT;
- 
-     if ( !_atomic_read(pool->pgp_count) )
-         return -EEMPTY;
-_at_@ -1758,16 +1765,18 @@ static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
-     if ( tmh_dedup_enabled() && !is_persistent(pool) &&
-               pgp->firstbyte != NOT_SHAREABLE )
-     {
--        if ( pcd_copy_to_client(cmfn, pgp) == -EFAULT )
-+        rc = pcd_copy_to_client(cmfn, pgp);
-+        if ( rc <= 0 )
-             goto bad_copy;
-     } else if ( pgp->size != 0 ) {
-         START_CYC_COUNTER(decompress);
--        if ( tmh_decompress_to_client(cmfn, pgp->cdata,
--                                      pgp->size, cva) == -EFAULT )
-+        rc = tmh_decompress_to_client(cmfn, pgp->cdata,
-+                                      pgp->size, clibuf);
-+        if ( rc <= 0 )
-             goto bad_copy;
-         END_CYC_COUNTER(decompress);
-     } else if ( tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
--                                 pfn_offset, len, cva) == -EFAULT)
-+                                 pfn_offset, len, clibuf) == -EFAULT)
-         goto bad_copy;
-     if ( is_ephemeral(pool) )
-     {
-_at_@ -1807,8 +1816,7 @@ static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
- bad_copy:
-     /* this should only happen if the client passed a bad mfn */
-     failed_copies++;
--    return -EFAULT;
--
-+    return rc;
- }
- 
- static NOINLINE int do_tmem_flush_page(pool_t *pool, OID *oidp, uint32_t index)
-_at_@ -2348,7 +2356,6 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
-     pool_t *pool = (client == NULL || pool_id >= MAX_POOLS_PER_DOMAIN)
-                    ? NULL : client->pools[pool_id];
-     uint32_t p;
--    uint64_t *uuid;
-     pgp_t *pgp, *pgp2;
-     int rc = -1;
- 
-_at_@ -2412,9 +2419,7 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
-     case TMEMC_SAVE_GET_POOL_UUID:
-          if ( pool == NULL )
-              break;
--        uuid = (uint64_t *)buf.p;
--        *uuid++ = pool->uuid[0];
--        *uuid = pool->uuid[1];
-+        tmh_copy_to_client_buf(buf, pool->uuid, 2);
-         rc = 0;
-     case TMEMC_SAVE_END:
-         if ( client == NULL )
-_at_@ -2439,7 +2444,7 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
-     pgp_t *pgp;
-     OID oid;
-     int ret = 0;
--    struct tmem_handle *h;
-+    struct tmem_handle h;
-     unsigned int pagesize = 1 << (pool->pageshift+12);
- 
-     if ( pool == NULL || is_ephemeral(pool) )
-_at_@ -2470,11 +2475,13 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
-                          pgp_t,us.pool_pers_pages);
-     pool->cur_pgp = pgp;
-     oid = pgp->us.obj->oid;
--    h = (struct tmem_handle *)buf.p;
--    *(OID *)&h->oid[0] = oid;
--    h->index = pgp->index;
--    buf.p = (void *)(h+1);
--    ret = do_tmem_get(pool, &oid, h->index,0,0,0,pagesize,buf.p);
-+    h.pool_id = pool_id;
-+    BUILD_BUG_ON(sizeof(h.oid) != sizeof(oid));
-+    memcpy(h.oid, oid.oid, sizeof(h.oid));
-+    h.index = pgp->index;
-+    tmh_copy_to_client_buf(buf, &h, 1);
-+    tmh_client_buf_add(buf, sizeof(h));
-+    ret = do_tmem_get(pool, &oid, pgp->index, 0, 0, 0, pagesize, buf);
- 
- out:
-     tmem_spin_unlock(&pers_lists_spinlock);
-_at_@ -2486,7 +2493,7 @@ static NOINLINE int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_t buf,
- {
-     client_t *client = tmh_client_from_cli_id(cli_id);
-     pgp_t *pgp;
--    struct tmem_handle *h;
-+    struct tmem_handle h;
-     int ret = 0;
- 
-     if ( client == NULL )
-_at_@ -2512,10 +2519,11 @@ static NOINLINE int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_t buf,
-                          pgp_t,client_inv_pages);
-         client->cur_pgp = pgp;
-     }
--    h = (struct tmem_handle *)buf.p;
--    h->pool_id = pgp->pool_id;
--    *(OID *)&h->oid = pgp->inv_oid;
--    h->index = pgp->index;
-+    h.pool_id = pgp->pool_id;
-+    BUILD_BUG_ON(sizeof(h.oid) != sizeof(pgp->inv_oid));
-+    memcpy(h.oid, pgp->inv_oid.oid, sizeof(h.oid));
-+    h.index = pgp->index;
-+    tmh_copy_to_client_buf(buf, &h, 1);
-     ret = 1;
- out:
-     tmem_spin_unlock(&pers_lists_spinlock);
-_at_@ -2531,7 +2539,7 @@ static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
- 
-     if ( pool == NULL )
-         return -1;
--    return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
-+    return do_tmem_put(pool, oidp, index, 0, 0, 0, bufsize, buf);
- }
- 
- static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
-_at_@ -2735,19 +2743,19 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
-         break;
-     case TMEM_NEW_PAGE:
-         tmem_ensure_avail_pages();
--        rc = do_tmem_put(pool, oidp,
--                         op.u.gen.index, op.u.gen.cmfn, 0, 0, 0, NULL);
-+        rc = do_tmem_put(pool, oidp, op.u.gen.index, op.u.gen.cmfn, 0, 0, 0,
-+                         tmh_cli_buf_null);
-         break;
-     case TMEM_PUT_PAGE:
-         tmem_ensure_avail_pages();
--        rc = do_tmem_put(pool, oidp,
--                    op.u.gen.index, op.u.gen.cmfn, 0, 0, PAGE_SIZE, NULL);
-+        rc = do_tmem_put(pool, oidp, op.u.gen.index, op.u.gen.cmfn, 0, 0,
-+                         PAGE_SIZE, tmh_cli_buf_null);
-         if (rc == 1) succ_put = 1;
-         else non_succ_put = 1;
-         break;
-     case TMEM_GET_PAGE:
-         rc = do_tmem_get(pool, oidp, op.u.gen.index, op.u.gen.cmfn,
--                         0, 0, PAGE_SIZE, 0);
-+                         0, 0, PAGE_SIZE, tmh_cli_buf_null);
-         if (rc == 1) succ_get = 1;
-         else non_succ_get = 1;
-         break;
-_at_@ -2766,13 +2774,13 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
-     case TMEM_READ:
-         rc = do_tmem_get(pool, oidp, op.u.gen.index, op.u.gen.cmfn,
-                          op.u.gen.tmem_offset, op.u.gen.pfn_offset,
--                         op.u.gen.len,0);
-+                         op.u.gen.len, tmh_cli_buf_null);
-         break;
-     case TMEM_WRITE:
-         rc = do_tmem_put(pool, oidp,
-                          op.u.gen.index, op.u.gen.cmfn,
-                          op.u.gen.tmem_offset, op.u.gen.pfn_offset,
--                         op.u.gen.len, NULL);
-+                         op.u.gen.len, tmh_cli_buf_null);
-         break;
-     case TMEM_XCHG:
-         /* need to hold global lock to ensure xchg is atomic */
-diff --git a/xen/common/tmem_xen.c b/xen/common/tmem_xen.c
-index 4934c42..bcd49f2 100644
---- a/xen/common/tmem_xen.c
-+++ b/xen/common/tmem_xen.c
-_at_@ -50,6 +50,7 @@ DECL_CYC_COUNTER(pg_copy);
- #define LZO_DSTMEM_PAGES 2
- static DEFINE_PER_CPU_READ_MOSTLY(unsigned char *, workmem);
- static DEFINE_PER_CPU_READ_MOSTLY(unsigned char *, dstmem);
-+static DEFINE_PER_CPU_READ_MOSTLY(void *, scratch_page);
- 
- #ifdef COMPARE_COPY_PAGE_SSE2
- #include <asm/flushtlb.h>  /* REMOVE ME AFTER TEST */
-_at_@ -140,12 +141,12 @@ static inline void cli_put_page(void *cli_va, pfp_t *cli_pfp,
- 
- EXPORT int tmh_copy_from_client(pfp_t *pfp,
-     tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
--    pagesize_t pfn_offset, pagesize_t len, void *cli_va)
-+    pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
-     unsigned long tmem_mfn, cli_mfn = 0;
--    void *tmem_va;
-+    char *tmem_va, *cli_va = NULL;
-     pfp_t *cli_pfp = NULL;
--    bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+    int rc = 1;
- 
-     ASSERT(pfp != NULL);
-     tmem_mfn = page_to_mfn(pfp);
-_at_@ -156,62 +157,76 @@ EXPORT int tmh_copy_from_client(pfp_t *pfp,
-         unmap_domain_page(tmem_va);
-         return 1;
-     }
--    if ( !tmemc )
-+    if ( guest_handle_is_null(clibuf) )
-     {
-         cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 0);
-         if ( cli_va == NULL )
-+        {
-+            unmap_domain_page(tmem_va);
-             return -EFAULT;
-+        }
-     }
-     mb();
--    if (len == PAGE_SIZE && !tmem_offset && !pfn_offset)
-+    if ( len == PAGE_SIZE && !tmem_offset && !pfn_offset && cli_va )
-         tmh_copy_page(tmem_va, cli_va);
-     else if ( (tmem_offset+len <= PAGE_SIZE) &&
-               (pfn_offset+len <= PAGE_SIZE) )
--        memcpy((char *)tmem_va+tmem_offset,(char *)cli_va+pfn_offset,len);
--    if ( !tmemc )
-+    {
-+        if ( cli_va )
-+            memcpy(tmem_va + tmem_offset, cli_va + pfn_offset, len);
-+        else if ( copy_from_guest_offset(tmem_va + tmem_offset, clibuf,
-+                                         pfn_offset, len) )
-+            rc = -EFAULT;
-+    }
-+    if ( cli_va )
-         cli_put_page(cli_va, cli_pfp, cli_mfn, 0);
-     unmap_domain_page(tmem_va);
--    return 1;
-+    return rc;
- }
- 
- EXPORT int tmh_compress_from_client(tmem_cli_mfn_t cmfn,
--    void **out_va, size_t *out_len, void *cli_va)
-+    void **out_va, size_t *out_len, tmem_cli_va_t clibuf)
- {
-     int ret = 0;
-     unsigned char *dmem = this_cpu(dstmem);
-     unsigned char *wmem = this_cpu(workmem);
-+    char *scratch = this_cpu(scratch_page);
-     pfp_t *cli_pfp = NULL;
-     unsigned long cli_mfn = 0;
--    bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+    void *cli_va = NULL;
- 
-     if ( dmem == NULL || wmem == NULL )
-         return 0;  /* no buffer, so can't compress */
--    if ( !tmemc )
-+    if ( guest_handle_is_null(clibuf) )
-     {
-         cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 0);
-         if ( cli_va == NULL )
-             return -EFAULT;
-     }
-+    else if ( !scratch )
-+        return 0;
-+    else if ( copy_from_guest(scratch, clibuf, PAGE_SIZE) )
-+        return -EFAULT;
-     mb();
--    ret = lzo1x_1_compress(cli_va, PAGE_SIZE, dmem, out_len, wmem);
-+    ret = lzo1x_1_compress(cli_va ?: scratch, PAGE_SIZE, dmem, out_len, wmem);
-     ASSERT(ret == LZO_E_OK);
-     *out_va = dmem;
--    if ( !tmemc )
-+    if ( cli_va )
-         cli_put_page(cli_va, cli_pfp, cli_mfn, 0);
--    unmap_domain_page(cli_va);
-     return 1;
- }
- 
- EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
--    pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cli_va)
-+    pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len,
-+    tmem_cli_va_t clibuf)
- {
-     unsigned long tmem_mfn, cli_mfn = 0;
--    void *tmem_va;
-+    char *tmem_va, *cli_va = NULL;
-     pfp_t *cli_pfp = NULL;
--    bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+    int rc = 1;
- 
-     ASSERT(pfp != NULL);
--    if ( !tmemc )
-+    if ( guest_handle_is_null(clibuf) )
-     {
-         cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1);
-         if ( cli_va == NULL )
-_at_@ -219,37 +234,48 @@ EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
-     }
-     tmem_mfn = page_to_mfn(pfp);
-     tmem_va = map_domain_page(tmem_mfn);
--    if (len == PAGE_SIZE && !tmem_offset && !pfn_offset)
-+    if ( len == PAGE_SIZE && !tmem_offset && !pfn_offset && cli_va )
-         tmh_copy_page(cli_va, tmem_va);
-     else if ( (tmem_offset+len <= PAGE_SIZE) && (pfn_offset+len <= PAGE_SIZE) )
--        memcpy((char *)cli_va+pfn_offset,(char *)tmem_va+tmem_offset,len);
-+    {
-+        if ( cli_va )
-+            memcpy(cli_va + pfn_offset, tmem_va + tmem_offset, len);
-+        else if ( copy_to_guest_offset(clibuf, pfn_offset,
-+                                       tmem_va + tmem_offset, len) )
-+            rc = -EFAULT;
-+    }
-     unmap_domain_page(tmem_va);
--    if ( !tmemc )
-+    if ( cli_va )
-         cli_put_page(cli_va, cli_pfp, cli_mfn, 1);
-     mb();
--    return 1;
-+    return rc;
- }
- 
- EXPORT int tmh_decompress_to_client(tmem_cli_mfn_t cmfn, void *tmem_va,
--                                    size_t size, void *cli_va)
-+                                    size_t size, tmem_cli_va_t clibuf)
- {
-     unsigned long cli_mfn = 0;
-     pfp_t *cli_pfp = NULL;
-+    void *cli_va = NULL;
-+    char *scratch = this_cpu(scratch_page);
-     size_t out_len = PAGE_SIZE;
--    bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-     int ret;
- 
--    if ( !tmemc )
-+    if ( guest_handle_is_null(clibuf) )
-     {
-         cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1);
-         if ( cli_va == NULL )
-             return -EFAULT;
-     }
--    ret = lzo1x_decompress_safe(tmem_va, size, cli_va, &out_len);
-+    else if ( !scratch )
-+        return 0;
-+    ret = lzo1x_decompress_safe(tmem_va, size, cli_va ?: scratch, &out_len);
-     ASSERT(ret == LZO_E_OK);
-     ASSERT(out_len == PAGE_SIZE);
--    if ( !tmemc )
-+    if ( cli_va )
-         cli_put_page(cli_va, cli_pfp, cli_mfn, 1);
-+    else if ( copy_to_guest(clibuf, scratch, PAGE_SIZE) )
-+        return -EFAULT;
-     mb();
-     return 1;
- }
-_at_@ -419,6 +445,11 @@ static int cpu_callback(
-             struct page_info *p = alloc_domheap_pages(0, workmem_order, 0);
-             per_cpu(workmem, cpu) = p ? page_to_virt(p) : NULL;
-         }
-+        if ( per_cpu(scratch_page, cpu) == NULL )
-+        {
-+            struct page_info *p = alloc_domheap_page(NULL, 0);
-+            per_cpu(scratch_page, cpu) = p ? page_to_virt(p) : NULL;
-+        }
-         break;
-     }
-     case CPU_DEAD:
-_at_@ -435,6 +466,11 @@ static int cpu_callback(
-             free_domheap_pages(p, workmem_order);
-             per_cpu(workmem, cpu) = NULL;
-         }
-+        if ( per_cpu(scratch_page, cpu) != NULL )
-+        {
-+            free_domheap_page(virt_to_page(per_cpu(scratch_page, cpu)));
-+            per_cpu(scratch_page, cpu) = NULL;
-+        }
-         break;
-     }
-     default:
-diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h
-index 3dbf6f8..68ece29 100644
---- a/xen/include/xen/tmem_xen.h
-+++ b/xen/include/xen/tmem_xen.h
-_at_@ -482,27 +482,33 @@ static inline int tmh_get_tmemop_from_client(tmem_op_t *op, tmem_cli_op_t uops)
-     return copy_from_guest(op, uops, 1);
- }
- 
-+#define tmh_cli_buf_null guest_handle_from_ptr(NULL, char)
-+
- static inline void tmh_copy_to_client_buf_offset(tmem_cli_va_t clibuf, int off,
-                                            char *tmembuf, int len)
- {
-     copy_to_guest_offset(clibuf,off,tmembuf,len);
- }
- 
-+#define tmh_copy_to_client_buf(clibuf, tmembuf, cnt) \
-+    copy_to_guest(guest_handle_cast(clibuf, void), tmembuf, cnt)
-+
-+#define tmh_client_buf_add guest_handle_add_offset
-+
- #define TMH_CLI_ID_NULL ((cli_id_t)((domid_t)-1L))
- 
- #define tmh_cli_id_str "domid"
- #define tmh_client_str "domain"
- 
--extern int tmh_decompress_to_client(tmem_cli_mfn_t,void*,size_t,void*);
-+int tmh_decompress_to_client(tmem_cli_mfn_t, void *, size_t, tmem_cli_va_t);
- 
--extern int tmh_compress_from_client(tmem_cli_mfn_t,void**,size_t *,void*);
-+int tmh_compress_from_client(tmem_cli_mfn_t, void **, size_t *, tmem_cli_va_t);
- 
--extern int tmh_copy_from_client(pfp_t *pfp,
--    tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
--    pagesize_t pfn_offset, pagesize_t len, void *cva);
-+int tmh_copy_from_client(pfp_t *, tmem_cli_mfn_t, pagesize_t tmem_offset,
-+    pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
- 
--extern int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
--    pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cva);
-+int tmh_copy_to_client(tmem_cli_mfn_t, pfp_t *, pagesize_t tmem_offset,
-+    pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
- 
- extern int tmh_copy_tze_to_client(tmem_cli_mfn_t cmfn, void *tmem_va, pagesize_t len);
- 
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-16.patch b/main/xen/xsa-16.patch
deleted file mode 100644
index a61988e..0000000
--- a/main/xen/xsa-16.patch
+++ /dev/null
_at_@ -1,42 +0,0 @@
-From 8195a57243996267cdd9ba84dfea3c954a217a75 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:29:56 +0100
-Subject: [PATCH] x86/pvhvm: properly range-check
- PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
-
-This is being used as a array index, and hence must be validated before
-use.
-
-This is XSA-16 / CVE-2012-3498.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
----
- xen/arch/x86/physdev.c |    7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index e037a94..a5a58a1 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-_at_@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
-         struct hvm_girq_dpci_mapping *girq;
-         uint32_t machine_gsi = 0;
- 
-+        if ( map->index < 0 || map->index >= NR_HVM_IRQS )
-+        {
-+            ret = -EINVAL;
-+            break;
-+        }
-+
-         /* find the machine gsi corresponding to the
-          * emulated gsi */
-         hvm_irq_dpci = domain_get_irq_dpci(d);
-         if ( hvm_irq_dpci )
-         {
-+            BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
-             list_for_each_entry ( girq,
-                                   &hvm_irq_dpci->girq[map->index],
-                                   list )
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-17.patch b/main/xen/xsa-17.patch
deleted file mode 100644
index 891037b..0000000
--- a/main/xen/xsa-17.patch
+++ /dev/null
_at_@ -1,122 +0,0 @@
-From a56ae4b5069c7b23ee657b15f08443a9b14a8e7b Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell_at_citrix.com>
-Date: Wed, 5 Sep 2012 12:31:40 +0100
-Subject: [PATCH] console: bounds check whenever changing the cursor due to an escape code
-
-This is XSA-17 / CVE-2012-3515
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
----
- console.c |   57 ++++++++++++++++++++++++++++-----------------------------
- 1 files changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/tools/ioemu-qemu-xen/console.c b/tools/ioemu-qemu-xen/console.c
-index 5e6e3d0..9984d6f 100644
---- a/tools/ioemu-qemu-xen/console.c
-+++ b/tools/ioemu-qemu-xen/console.c
-_at_@ -794,6 +794,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
-     update_xy(s, x, y);
- }
- 
-+/* set cursor, checking bounds */
-+static void set_cursor(TextConsole *s, int x, int y)
-+{
-+    if (x < 0) {
-+        x = 0;
-+    }
-+    if (y < 0) {
-+        y = 0;
-+    }
-+    if (y >= s->height) {
-+        y = s->height - 1;
-+    }
-+    if (x >= s->width) {
-+        x = s->width - 1;
-+    }
-+
-+    s->x = x;
-+    s->y = y;
-+}
-+
- static void console_putchar(TextConsole *s, int ch)
- {
-     TextCell *c;
-_at_@ -869,7 +889,8 @@ static void console_putchar(TextConsole *s, int ch)
-                     s->esc_params[s->nb_esc_params] * 10 + ch - '0';
-             }
-         } else {
--            s->nb_esc_params++;
-+            if (s->nb_esc_params < MAX_ESC_PARAMS)
-+                s->nb_esc_params++;
-             if (ch == ';')
-                 break;
- #ifdef DEBUG_CONSOLE
-_at_@ -883,59 +904,37 @@ static void console_putchar(TextConsole *s, int ch)
-                 if (s->esc_params[0] == 0) {
-                     s->esc_params[0] = 1;
-                 }
--                s->y -= s->esc_params[0];
--                if (s->y < 0) {
--                    s->y = 0;
--                }
-+                set_cursor(s, s->x, s->y - s->esc_params[0]);
-                 break;
-             case 'B':
-                 /* move cursor down */
-                 if (s->esc_params[0] == 0) {
-                     s->esc_params[0] = 1;
-                 }
--                s->y += s->esc_params[0];
--                if (s->y >= s->height) {
--                    s->y = s->height - 1;
--                }
-+                set_cursor(s, s->x, s->y + s->esc_params[0]);
-                 break;
-             case 'C':
-                 /* move cursor right */
-                 if (s->esc_params[0] == 0) {
-                     s->esc_params[0] = 1;
-                 }
--                s->x += s->esc_params[0];
--                if (s->x >= s->width) {
--                    s->x = s->width - 1;
--                }
-+                set_cursor(s, s->x + s->esc_params[0], s->y);
-                 break;
-             case 'D':
-                 /* move cursor left */
-                 if (s->esc_params[0] == 0) {
-                     s->esc_params[0] = 1;
-                 }
--                s->x -= s->esc_params[0];
--                if (s->x < 0) {
--                    s->x = 0;
--                }
-+                set_cursor(s, s->x - s->esc_params[0], s->y);
-                 break;
-             case 'G':
-                 /* move cursor to column */
--                s->x = s->esc_params[0] - 1;
--                if (s->x < 0) {
--                    s->x = 0;
--                }
-+                set_cursor(s, s->esc_params[0] - 1, s->y);
-                 break;
-             case 'f':
-             case 'H':
-                 /* move cursor to row, column */
--                s->x = s->esc_params[1] - 1;
--                if (s->x < 0) {
--                    s->x = 0;
--                }
--                s->y = s->esc_params[0] - 1;
--                if (s->y < 0) {
--                    s->y = 0;
--                }
-+                set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
-                 break;
-             case 'J':
-                 switch (s->esc_params[0]) {
--- 
-1.7.2.5
-
diff --git a/main/xen/xsa-20.patch b/main/xen/xsa-20.patch
deleted file mode 100644
index a8c8838..0000000
--- a/main/xen/xsa-20.patch
+++ /dev/null
_at_@ -1,56 +0,0 @@
-From f2e0eab9afae9245f38a31deeafe90953d63ea07 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:33:36 +0000
-Subject: [PATCH] VCPU/timers: Prevent overflow in calculations, leading to
- DoS vulnerability
-
-The timer action for a vcpu periodic timer is to calculate the next
-expiry time, and to reinsert itself into the timer queue.  If the
-deadline ends up in the past, Xen never leaves __do_softirq().  The
-affected PCPU will stay in an infinite loop until Xen is killed by the
-watchdog (if enabled).
-
-This is a security problem, XSA-20 / CVE-2012-4535.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-xen-unstable changeset: 26148:bf58b94b3cef
-Backport-requested-by: security_at_xen.org
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
----
- xen/common/domain.c    |    3 +++
- xen/include/xen/time.h |    2 ++
- 2 files changed, 5 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/domain.c b/xen/common/domain.c
-index 98e36ee..054f7c4 100644
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-_at_@ -873,6 +873,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE(void) arg)
-         if ( set.period_ns < MILLISECS(1) )
-             return -EINVAL;
- 
-+        if ( set.period_ns > STIME_DELTA_MAX )
-+            return -EINVAL;
-+
-         v->periodic_period = set.period_ns;
-         vcpu_force_reschedule(v);
- 
-diff --git a/xen/include/xen/time.h b/xen/include/xen/time.h
-index 0f67e90..c7b420b 100644
---- a/xen/include/xen/time.h
-+++ b/xen/include/xen/time.h
-_at_@ -53,6 +53,8 @@ struct tm gmtime(unsigned long t);
- #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
- #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
- #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
-+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
-+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
- 
- extern void update_vcpu_system_time(struct vcpu *v);
- extern void update_domain_wallclock_time(struct domain *d);
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-21.patch b/main/xen/xsa-21.patch
deleted file mode 100644
index d82e570..0000000
--- a/main/xen/xsa-21.patch
+++ /dev/null
_at_@ -1,42 +0,0 @@
-From 50d1a7fea0a60cd66733cfd8666a95f00d586549 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:35:06 +0000
-Subject: [PATCH] x86/physdev: Range check pirq parameter from guests
-
-Otherwise Xen will read beyond either end of the struct
-domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
-
-This vulnerability was introduced by c/s 23241:d21100f1d00e, which adds
-a call to domain_pirq_to_emuirq() which uses the guest provided pirq
-value before range checking it, and was fixed by c/s 23573:584c2e5e03d9
-which changed the behaviour of the domain_pirq_to_emuirq() macro to use
-radix trees instead of a flat array.
-
-This is XSA-21 / CVE-2012-4536.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
----
- xen/arch/x86/physdev.c |    4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index 7d5a023..de364f0 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-_at_@ -234,6 +234,10 @@ static int physdev_unmap_pirq(struct physdev_unmap_pirq *unmap)
-     if ( ret )
-         return ret;
- 
-+    ret = -EINVAL;
-+    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
-+        goto free_domain;
-+
-     if ( is_hvm_domain(d) )
-     {
-         spin_lock(&d->event_lock);
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-22.patch b/main/xen/xsa-22.patch
deleted file mode 100644
index 570005f..0000000
--- a/main/xen/xsa-22.patch
+++ /dev/null
_at_@ -1,51 +0,0 @@
-From 9070a6ef041756341286e88e7fad7de3e01c66f9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:40:45 +0000
-Subject: [PATCH] x86/physmap: Prevent incorrect updates of m2p mappings
-
-In certain conditions, such as low memory, set_p2m_entry() can fail.
-Currently, the p2m and m2p tables will get out of sync because we still
-update the m2p table after the p2m update has failed.
-
-If that happens, subsequent guest-invoked memory operations can cause
-BUG()s and ASSERT()s to kill Xen.
-
-This is fixed by only updating the m2p table iff the p2m was
-successfully updated.
-
-This is a security problem, XSA-22 / CVE-2012-4537.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
----
- xen/arch/x86/mm/p2m.c |    4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index 82e1b55..f494d25 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-_at_@ -2558,7 +2558,10 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn,
-     if ( mfn_valid(_mfn(mfn)) ) 
-     {
-         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
-+        {
-             rc = -EINVAL;
-+            goto out; /* Failed to update p2m, bail without updating m2p. */
-+        }
-         if ( !p2m_is_grant(t) )
-         {
-             for ( i = 0; i < (1UL << page_order); i++ )
-_at_@ -2579,6 +2582,7 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn,
-         }
-     }
- 
-+out:
-     audit_p2m(p2m, 1);
-     p2m_unlock(p2m);
- 
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-23.patch b/main/xen/xsa-23.patch
deleted file mode 100644
index 35a6470..0000000
--- a/main/xen/xsa-23.patch
+++ /dev/null
_at_@ -1,44 +0,0 @@
-From 1d435032de14b9dec808102940309047903f7ed0 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:43:29 +0000
-Subject: [PATCH] xen/mm/shadow: check toplevel pagetables are present before
- unhooking them.
-
-If the guest has not fully populated its top-level PAE entries when it calls
-HVMOP_pagetable_dying, the shadow code could try to unhook entries from
-MFN 0.  Add a check to avoid that case.
-
-This issue was introduced by c/s 21239:b9d2db109cf5.
-
-This is a security problem, XSA-23 / CVE-2012-4538.
-
-Signed-off-by: Tim Deegan <tim_at_xen.org>
-Tested-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
----
- xen/arch/x86/mm/shadow/multi.c |    8 ++++++--
- 1 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index d510e7f..91879cf 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-_at_@ -4737,8 +4737,12 @@ static void sh_pagetable_dying(struct vcpu *v, paddr_t gpa)
-     }
-     for ( i = 0; i < 4; i++ )
-     {
--        if ( fast_path )
--            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+        if ( fast_path ) {
-+            if ( pagetable_is_null(v->arch.shadow_table[i]) )
-+                smfn = _mfn(INVALID_MFN);
-+            else
-+                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+        }
-         else
-         {
-             /* retrieving the l2s */
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-24.patch b/main/xen/xsa-24.patch
deleted file mode 100644
index 53c6fe7..0000000
--- a/main/xen/xsa-24.patch
+++ /dev/null
_at_@ -1,41 +0,0 @@
-From 95a0c10357c502a0b0b960e7133e792695ef0b58 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:46:12 +0000
-Subject: [PATCH] compat/gnttab: Prevent infinite loop in compat code
-
-c/s 20281:95ea2052b41b, which introduces Grant Table version 2
-hypercalls introduces a vulnerability whereby the compat hypercall
-handler can fall into an infinite loop.
-
-If the watchdog is enabled, Xen will die after the timeout.
-
-This is a security problem, XSA-24 / CVE-2012-4539.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-xen-unstable changeset: 26151:b64a7d868f06
-Backport-requested-by: security_at_xen.org
-Committed-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
----
- xen/common/compat/grant_table.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
-index ca60395..d09a65b 100644
---- a/xen/common/compat/grant_table.c
-+++ b/xen/common/compat/grant_table.c
-_at_@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int cmd,
- #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
-                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
-                     rc = -EFAULT;
-+                else
-+                    i = 1;
-             }
-             break;
-         }
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-25.patch b/main/xen/xsa-25.patch
deleted file mode 100644
index 0157f20..0000000
--- a/main/xen/xsa-25.patch
+++ /dev/null
_at_@ -1,474 +0,0 @@
-From 7ce4c765975097bddffaa2fc482d5c16355687af Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Date: Fri, 26 Oct 2012 16:10:04 +0100
-Subject: [PATCH] libxc: builder: limit maximum size of kernel/ramdisk.
-
-Allowing user supplied kernels of arbitrary sizes, especially during
-decompression, can swallow up dom0 memory leading to either virtual
-address space exhaustion in the builder process or allocation
-failures/OOM killing of both toolstack and unrelated processes.
-
-We disable these checks when building in a stub domain for pvgrub
-since this uses the guest's own memory and is isolated.
-
-Decompression of gzip compressed kernels and ramdisks has been safe
-since 14954:58205257517d (Xen 3.1.0 onwards).
-
-This is XSA-25 / CVE-2012-4544.
-
-Also make explicit checks for buffer overflows in various
-decompression routines. These were already ruled out due to other
-properties of the code but check them as a belt-and-braces measure.
-
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-[ Includes 25589:60f09d1ab1fe for CVE-2012-2625 ]
----
- stubdom/grub/kexec.c               |    4 ++
- tools/libxc/xc_dom.h               |   23 ++++++++++-
- tools/libxc/xc_dom_bzimageloader.c |   59 +++++++++++++++++++++++++--
- tools/libxc/xc_dom_core.c          |   77 ++++++++++++++++++++++++++++++++++--
- tools/pygrub/src/pygrub            |   61 ++++++++++++++++++++--------
- 5 files changed, 198 insertions(+), 26 deletions(-)
-
-diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c
-index 06bef52..b21c91a 100644
---- a/stubdom/grub/kexec.c
-+++ b/stubdom/grub/kexec.c
-_at_@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char
-     dom = xc_dom_allocate(xc_handle, cmdline, features);
-     dom->allocate = kexec_allocate;
- 
-+    /* We are using guest owned memory, therefore no limits. */
-+    xc_dom_kernel_max_size(dom, 0);
-+    xc_dom_ramdisk_max_size(dom, 0);
-+
-     dom->kernel_blob = kernel;
-     dom->kernel_size = kernel_size;
- 
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index e72f066..7043f96 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-_at_@ -52,6 +52,9 @@ struct xc_dom_image {
-     void *ramdisk_blob;
-     size_t ramdisk_size;
- 
-+    size_t max_kernel_size;
-+    size_t max_ramdisk_size;
-+
-     /* arguments and parameters */
-     char *cmdline;
-     uint32_t f_requested[XENFEAT_NR_SUBMAPS];
-_at_@ -175,6 +178,23 @@ void xc_dom_release_phys(struct xc_dom_image *dom);
- void xc_dom_release(struct xc_dom_image *dom);
- int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb);
- 
-+/* Set this larger if you have enormous ramdisks/kernels. Note that
-+ * you should trust all kernels not to be maliciously large (e.g. to
-+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 /
-+ * XSA-25). You can also set the default independently for
-+ * ramdisks/kernels in xc_dom_allocate() or call
-+ * xc_dom_{kernel,ramdisk}_max_size.
-+ */
-+#ifndef XC_DOM_DECOMPRESS_MAX
-+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */
-+#endif
-+
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz);
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz);
-+
- size_t xc_dom_check_gzip(xc_interface *xch,
-                      void *blob, size_t ziplen);
- int xc_dom_do_gunzip(xc_interface *xch,
-_at_@ -224,7 +244,8 @@ void xc_dom_log_memory_footprint(struct xc_dom_image *dom);
- void *xc_dom_malloc(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
--                            const char *filename, size_t * size);
-+                            const char *filename, size_t * size,
-+                            const size_t max_size);
- char *xc_dom_strdup(struct xc_dom_image *dom, const char *str);
- 
- /* --- alloc memory pool ------------------------------------------- */
-diff --git a/tools/libxc/xc_dom_bzimageloader.c b/tools/libxc/xc_dom_bzimageloader.c
-index 9852e67..73cfad1 100644
---- a/tools/libxc/xc_dom_bzimageloader.c
-+++ b/tools/libxc/xc_dom_bzimageloader.c
-_at_@ -47,13 +47,19 @@ static int xc_try_bzip2_decode(
-     char *out_buf;
-     char *tmp_buf;
-     int retval = -1;
--    int outsize;
-+    unsigned int outsize;
-     uint64_t total;
- 
-     stream.bzalloc = NULL;
-     stream.bzfree = NULL;
-     stream.opaque = NULL;
- 
-+    if ( dom->kernel_size == 0)
-+    {
-+        DOMPRINTF("BZIP2: Input is 0 size");
-+        return -1;
-+    }
-+
-     ret = BZ2_bzDecompressInit(&stream, 0, 0);
-     if ( ret != BZ_OK )
-     {
-_at_@ -66,6 +72,17 @@ static int xc_try_bzip2_decode(
-      * the input buffer to start, and we'll realloc as needed.
-      */
-     outsize = dom->kernel_size;
-+
-+    /*
-+     * stream.avail_in and outsize are unsigned int, while kernel_size
-+     * is a size_t. Check we aren't overflowing.
-+     */
-+    if ( outsize != dom->kernel_size )
-+    {
-+        DOMPRINTF("BZIP2: Input too large");
-+        goto bzip2_cleanup;
-+    }
-+
-     out_buf = malloc(outsize);
-     if ( out_buf == NULL )
-     {
-_at_@ -98,13 +115,20 @@ static int xc_try_bzip2_decode(
-         if ( stream.avail_out == 0 )
-         {
-             /* Protect against output buffer overflow */
--            if ( outsize > INT_MAX / 2 )
-+            if ( outsize > UINT_MAX / 2 )
-             {
-                 DOMPRINTF("BZIP2: output buffer overflow");
-                 free(out_buf);
-                 goto bzip2_cleanup;
-             }
- 
-+            if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+            {
-+                DOMPRINTF("BZIP2: output too large");
-+                free(out_buf);
-+                goto bzip2_cleanup;
-+            }
-+
-             tmp_buf = realloc(out_buf, outsize * 2);
-             if ( tmp_buf == NULL )
-             {
-_at_@ -172,9 +196,15 @@ static int xc_try_lzma_decode(
-     unsigned char *out_buf;
-     unsigned char *tmp_buf;
-     int retval = -1;
--    int outsize;
-+    size_t outsize;
-     const char *msg;
- 
-+    if ( dom->kernel_size == 0)
-+    {
-+        DOMPRINTF("LZMA: Input is 0 size");
-+        return -1;
-+    }
-+
-     ret = lzma_alone_decoder(&stream, 128*1024*1024);
-     if ( ret != LZMA_OK )
-     {
-_at_@ -251,13 +281,20 @@ static int xc_try_lzma_decode(
-         if ( stream.avail_out == 0 )
-         {
-             /* Protect against output buffer overflow */
--            if ( outsize > INT_MAX / 2 )
-+            if ( outsize > SIZE_MAX / 2 )
-             {
-                 DOMPRINTF("LZMA: output buffer overflow");
-                 free(out_buf);
-                 goto lzma_cleanup;
-             }
- 
-+            if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+            {
-+                DOMPRINTF("LZMA: output too large");
-+                free(out_buf);
-+                goto lzma_cleanup;
-+            }
-+
-             tmp_buf = realloc(out_buf, outsize * 2);
-             if ( tmp_buf == NULL )
-             {
-_at_@ -327,6 +364,12 @@ static int xc_try_lzo1x_decode(
-         0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
-     };
- 
-+    /*
-+     * lzo_uint should match size_t. Check that this is the case to be
-+     * sure we won't overflow various lzo_uint fields.
-+     */
-+    XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t));
-+
-     ret = lzo_init();
-     if ( ret != LZO_E_OK )
-     {
-_at_@ -406,6 +449,14 @@ static int xc_try_lzo1x_decode(
-         if ( src_len <= 0 || src_len > dst_len || src_len > left )
-             break;
- 
-+        msg = "Output buffer overflow";
-+        if ( *size > SIZE_MAX - dst_len )
-+            break;
-+
-+        msg = "Decompressed image too large";
-+        if ( xc_dom_kernel_check_size(dom, *size + dst_len) )
-+            break;
-+
-         msg = "Failed to (re)alloc memory";
-         tmp_buf = realloc(out_buf, *size + dst_len);
-         if ( tmp_buf == NULL )
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index fea9de5..2a01d7c 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-_at_@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
- }
- 
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
--                            const char *filename, size_t * size)
-+                            const char *filename, size_t * size,
-+                            const size_t max_size)
- {
-     struct xc_dom_mem *block = NULL;
-     int fd = -1;
-_at_@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-     lseek(fd, 0, SEEK_SET);
-     *size = lseek(fd, 0, SEEK_END);
- 
-+    if ( max_size && *size > max_size )
-+    {
-+        xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
-+                     "tried to map file which is too large");
-+        goto err;
-+    }
-+
-     block = malloc(sizeof(*block));
-     if ( block == NULL )
-         goto err;
-_at_@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image *dom, const char *str)
- }
- 
- /* ------------------------------------------------------------------------ */
-+/* decompression buffer sizing                                              */
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+    /* No limit */
-+    if ( !dom->max_kernel_size )
-+        return 0;
-+
-+    if ( sz > dom->max_kernel_size )
-+    {
-+        xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+                     "kernel image too large");
-+        return 1;
-+    }
-+
-+    return 0;
-+}
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+    /* No limit */
-+    if ( !dom->max_ramdisk_size )
-+        return 0;
-+
-+    if ( sz > dom->max_ramdisk_size )
-+    {
-+        xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+                     "ramdisk image too large");
-+        return 1;
-+    }
-+
-+    return 0;
-+}
-+
-+/* ------------------------------------------------------------------------ */
- /* read files, copy memory blocks, with transparent gunzip                  */
- 
- size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-_at_@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
- 
-     gzlen = blob + ziplen - 4;
-     unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0];
--    if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */
-+    if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) )
-     {
-         xc_dom_printf
-             (xch,
-_at_@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size)
-     if ( unziplen == 0 )
-         return 0;
- 
-+    if ( xc_dom_kernel_check_size(dom, unziplen) )
-+        return 0;
-+
-     unzip = xc_dom_malloc(dom, unziplen);
-     if ( unzip == NULL )
-         return -1;
-_at_@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
-     memset(dom, 0, sizeof(*dom));
-     dom->xch = xch;
- 
-+    dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX;
-+    dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX;
-+
-     if ( cmdline )
-         dom->cmdline = xc_dom_strdup(dom, cmdline);
-     if ( features )
-_at_@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
-     return NULL;
- }
- 
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+    DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz);
-+    dom->max_kernel_size = sz;
-+    return 0;
-+}
-+
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+    DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz);
-+    dom->max_ramdisk_size = sz;
-+    return 0;
-+}
-+
- int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename)
- {
-     DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
--    dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size);
-+    dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size,
-+                                             dom->max_kernel_size);
-     if ( dom->kernel_blob == NULL )
-         return -1;
-     return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
-_at_@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_image *dom, const char *filename)
- {
-     DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
-     dom->ramdisk_blob =
--        xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size);
-+        xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size,
-+                              dom->max_ramdisk_size);
-+
-     if ( dom->ramdisk_blob == NULL )
-         return -1;
- //    return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size);
-_at_@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_image *dom)
-         void *ramdiskmap;
- 
-         unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size);
-+        if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 )
-+            unziplen = 0;
-+
-         ramdisklen = unziplen ? unziplen : dom->ramdisk_size;
-+
-         if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0,
-                                   ramdisklen) != 0 )
-             goto err;
-diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
-index 17c0083..1a3c1c3 100644
---- a/tools/pygrub/src/pygrub
-+++ b/tools/pygrub/src/pygrub
-_at_@ -28,6 +28,7 @@ import grub.LiloConf
- import grub.ExtLinuxConf
- 
- PYGRUB_VER = 0.6
-+FS_READ_MAX = 1024 * 1024
- 
- def enable_cursor(ison):
-     if ison:
-_at_@ -421,7 +422,8 @@ class Grub:
-         if self.__dict__.get('cf', None) is None:
-             raise RuntimeError, "couldn't find bootloader config file in the image provided."
-         f = fs.open_file(self.cf.filename)
--        buf = f.read()
-+        # limit read size to avoid pathological cases
-+        buf = f.read(FS_READ_MAX)
-         del f
-         self.cf.parse(buf)
- 
-_at_@ -670,6 +672,37 @@ if __name__ == "__main__":
-     def usage():
-         print >> sys.stderr, "Usage: %s [-q|--quiet] [-i|--interactive] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] <image>" %(sys.argv[0],)
- 
-+    def copy_from_image(fs, file_to_read, file_type, output_directory,
-+                        not_really):
-+        if not_really:
-+            if fs.file_exists(file_to_read):
-+                return "<%s:%s>" % (file_type, file_to_read)
-+            else:
-+                sys.exit("The requested %s file does not exist" % file_type)
-+        try:
-+            datafile = fs.open_file(file_to_read)
-+        except Exception, e:
-+            print >>sys.stderr, e
-+            sys.exit("Error opening %s in guest" % file_to_read)
-+        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-+                                      dir=output_directory)
-+        dataoff = 0
-+        while True:
-+            data = datafile.read(FS_READ_MAX, dataoff)
-+            if len(data) == 0:
-+                os.close(tfd)
-+                del datafile
-+                return ret
-+            try:
-+                os.write(tfd, data)
-+            except Exception, e:
-+                print >>sys.stderr, e
-+                os.close(tfd)
-+                os.unlink(ret)
-+                del datafile
-+                sys.exit("Error writing temporary copy of "+file_type)
-+            dataoff += len(data)
-+
-     try:
-         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qinh::',
-                                    ["quiet", "interactive", "not-really", "help", 
-_at_@ -786,24 +819,18 @@ if __name__ == "__main__":
-     if not fs:
-         raise RuntimeError, "Unable to find partition containing kernel"
- 
--    if not_really:
--        bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
--    else:
--        data = fs.open_file(chosencfg["kernel"]).read()
--        (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
--                                                    dir=output_directory)
--        os.write(tfd, data)
--        os.close(tfd)
-+    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-+                                        output_directory, not_really)
- 
-     if chosencfg["ramdisk"]:
--        if not_really:
--            bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
--        else:
--            data = fs.open_file(chosencfg["ramdisk"],).read()
--            (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
--                prefix="boot_ramdisk.", dir=output_directory)
--            os.write(tfd, data)
--            os.close(tfd)
-+        try:
-+            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-+                                                 "ramdisk", output_directory,
-+                                                 not_really)
-+        except:
-+            if not not_really:
-+                os.unlink(bootcfg["kernel"])
-+            raise
-     else:
-         initrd = None
- 
--- 
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa26-4.1.patch b/main/xen/xsa26-4.1.patch
deleted file mode 100644
index e8b8e7d..0000000
--- a/main/xen/xsa26-4.1.patch
+++ /dev/null
_at_@ -1,107 +0,0 @@
-gnttab: fix releasing of memory upon switches between versions
-
-gnttab_unpopulate_status_frames() incompletely freed the pages
-previously used as status frame in that they did not get removed from
-the domain's xenpage_list, thus causing subsequent list corruption
-when those pages did get allocated again for the same or another purpose.
-
-Similarly, grant_table_create() and gnttab_grow_table() both improperly
-clean up in the event of an error - pages already shared with the guest
-can't be freed by just passing them to free_xenheap_page(). Fix this by
-sharing the pages only after all allocations succeeded.
-
-This is CVE-2012-5510 / XSA-26.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index 6c0aa6f..a180aef 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-_at_@ -1126,12 +1126,13 @@ fault:
- }
- 
- static int
--gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
-+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
-+                              unsigned int req_nr_frames)
- {
-     unsigned i;
-     unsigned req_status_frames;
- 
--    req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
-+    req_status_frames = grant_to_status_frames(req_nr_frames);
-     for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
-     {
-         if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
-_at_@ -1162,7 +1163,12 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
- 
-     for ( i = 0; i < nr_status_frames(gt); i++ )
-     {
--        page_set_owner(virt_to_page(gt->status[i]), dom_xen);
-+        struct page_info *pg = virt_to_page(gt->status[i]);
-+
-+        BUG_ON(page_get_owner(pg) != d);
-+        if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-+            put_page(pg);
-+        BUG_ON(pg->count_info & ~PGC_xen_heap);
-         free_xenheap_page(gt->status[i]);
-         gt->status[i] = NULL;
-     }
-_at_@ -1200,19 +1206,18 @@ gnttab_grow_table(struct domain *d, unsigned int req_nr_frames)
-         clear_page(gt->shared_raw[i]);
-     }
- 
--    /* Share the new shared frames with the recipient domain */
--    for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
--        gnttab_create_shared_page(d, gt, i);
--
--    gt->nr_grant_frames = req_nr_frames;
--
-     /* Status pages - version 2 */
-     if (gt->gt_version > 1)
-     {
--        if ( gnttab_populate_status_frames(d, gt) )
-+        if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
-             goto shared_alloc_failed;
-     }
- 
-+    /* Share the new shared frames with the recipient domain */
-+    for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-+        gnttab_create_shared_page(d, gt, i);
-+    gt->nr_grant_frames = req_nr_frames;
-+
-     return 1;
- 
- shared_alloc_failed:
-_at_@ -2134,7 +2139,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gnttab_set_version_t uop))
- 
-     if ( op.version == 2 && gt->gt_version < 2 )
-     {
--        res = gnttab_populate_status_frames(d, gt);
-+        res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
-         if ( res < 0)
-             goto out_unlock;
-     }
-_at_@ -2449,9 +2454,6 @@ grant_table_create(
-         clear_page(t->shared_raw[i]);
-     }
-     
--    for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
--        gnttab_create_shared_page(d, t, i);
--
-     /* Status pages for grant table - for version 2 */
-     t->status = xmalloc_array(grant_status_t *,
-                               grant_to_status_frames(max_nr_grant_frames));
-_at_@ -2459,6 +2461,10 @@ grant_table_create(
-         goto no_mem_4;
-     memset(t->status, 0,
-            grant_to_status_frames(max_nr_grant_frames) * sizeof(t->status[0]));
-+
-+    for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-+        gnttab_create_shared_page(d, t, i);
-+
-     t->nr_status_frames = 0;
- 
-     /* Okay, install the structure. */
diff --git a/main/xen/xsa27-4.1.patch b/main/xen/xsa27-4.1.patch
deleted file mode 100644
index f0764cb..0000000
--- a/main/xen/xsa27-4.1.patch
+++ /dev/null
_at_@ -1,168 +0,0 @@
-hvm: Limit the size of large HVM op batches
-
-Doing large p2m updates for HVMOP_track_dirty_vram without preemption
-ties up the physical processor. Integrating preemption into the p2m
-updates is hard so simply limit to 1GB which is sufficient for a 15000
-* 15000 * 32bpp framebuffer.
-
-For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
-necessary machinery to handle preemption.
-
-This is CVE-2012-5511 / XSA-27.
-
-Signed-off-by: Tim Deegan <tim_at_xen.org>
-Signed-off-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-x86/paging: Don't allocate user-controlled amounts of stack memory.
-
-This is XSA-27 / CVE-2012-5511.
-
-Signed-off-by: Tim Deegan <tim_at_xen.org>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-v2: Provide definition of GB to fix x86-32 compile.
-
-Signed-off-by: Jan Beulich <JBeulich_at_suse.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-
-diff -r 5639047d6c9f xen/arch/x86/hvm/hvm.c
---- a/xen/arch/x86/hvm/hvm.c	Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/hvm/hvm.c	Mon Nov 19 16:00:33 2012 +0000
-_at_@ -3471,6 +3471,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
-         if ( !is_hvm_domain(d) )
-             goto param_fail2;
- 
-+        if ( a.nr > GB(1) >> PAGE_SHIFT )
-+            goto param_fail2;
-+
-         rc = xsm_hvm_param(d, op);
-         if ( rc )
-             goto param_fail2;
-_at_@ -3498,7 +3501,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
-         struct xen_hvm_modified_memory a;
-         struct domain *d;
-         struct p2m_domain *p2m;
--        unsigned long pfn;
- 
-         if ( copy_from_guest(&a, arg, 1) )
-             return -EFAULT;
-_at_@ -3526,8 +3528,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
-             goto param_fail3;
- 
-         p2m = p2m_get_hostp2m(d);
--        for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+        while ( a.nr > 0 )
-         {
-+            unsigned long pfn = a.first_pfn;
-             p2m_type_t t;
-             mfn_t mfn = gfn_to_mfn(p2m, pfn, &t);
-             if ( p2m_is_paging(t) )
-_at_@ -3548,6 +3551,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
-                 /* don't take a long time and don't die either */
-                 sh_remove_shadows(d->vcpu[0], mfn, 1, 0);
-             }
-+
-+            a.first_pfn++;
-+            a.nr--;
-+
-+            /* Check for continuation if it's not the last interation */
-+            if ( a.nr > 0 && hypercall_preempt_check() )
-+            {
-+                if ( copy_to_guest(arg, &a, 1) )
-+                    rc = -EFAULT;
-+                else
-+                    rc = -EAGAIN;
-+                break;
-+            }
-         }
- 
-     param_fail3:
-_at_@ -3595,7 +3611,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
-         struct xen_hvm_set_mem_type a;
-         struct domain *d;
-         struct p2m_domain *p2m;
--        unsigned long pfn;
-         
-         /* Interface types to internal p2m types */
-         p2m_type_t memtype[] = {
-_at_@ -3625,8 +3640,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
-             goto param_fail4;
- 
-         p2m = p2m_get_hostp2m(d);
--        for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+        while ( a.nr > 0 )
-         {
-+            unsigned long pfn = a.first_pfn;
-             p2m_type_t t;
-             p2m_type_t nt;
-             mfn_t mfn;
-_at_@ -3662,6 +3678,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
-                     goto param_fail4;
-                 }
-             }
-+
-+            a.first_pfn++;
-+            a.nr--;
-+
-+            /* Check for continuation if it's not the last interation */
-+            if ( a.nr > 0 && hypercall_preempt_check() )
-+            {
-+                if ( copy_to_guest(arg, &a, 1) )
-+                    rc = -EFAULT;
-+                else
-+                    rc = -EAGAIN;
-+                goto param_fail4;
-+            }
-         }
- 
-         rc = 0;
-diff -r 5639047d6c9f xen/arch/x86/mm/paging.c
---- a/xen/arch/x86/mm/paging.c	Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/mm/paging.c	Mon Nov 19 16:00:33 2012 +0000
-_at_@ -529,13 +529,18 @@ int paging_log_dirty_range(struct domain
- 
-     if ( !d->arch.paging.log_dirty.fault_count &&
-          !d->arch.paging.log_dirty.dirty_count ) {
--        int size = (nr + BITS_PER_LONG - 1) / BITS_PER_LONG;
--        unsigned long zeroes[size];
--        memset(zeroes, 0x00, size * BYTES_PER_LONG);
-+        static uint8_t zeroes[PAGE_SIZE];
-+        int off, size;
-+
-+        size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long);
-         rv = 0;
--        if ( copy_to_guest_offset(dirty_bitmap, 0, (uint8_t *) zeroes,
--                                  size * BYTES_PER_LONG) != 0 )
--            rv = -EFAULT;
-+        for ( off = 0; !rv && off < size; off += sizeof zeroes )
-+        {
-+            int todo = min(size - off, (int) PAGE_SIZE);
-+            if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) )
-+                rv = -EFAULT;
-+            off += todo;
-+        }
-         goto out;
-     }
-     d->arch.paging.log_dirty.fault_count = 0;
-diff -r 5639047d6c9f xen/include/asm-x86/config.h
---- a/xen/include/asm-x86/config.h	Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/include/asm-x86/config.h	Mon Nov 19 16:00:33 2012 +0000
-_at_@ -108,6 +108,9 @@ extern unsigned int trampoline_xen_phys_
- extern unsigned char trampoline_cpu_started;
- extern char wakeup_start[];
- extern unsigned int video_mode, video_flags;
-+
-+#define GB(_gb) (_gb ## UL << 30)
-+
- #endif
- 
- #define asmlinkage
-_at_@ -123,7 +126,6 @@ extern unsigned int video_mode, video_fl
- #define PML4_ADDR(_slot)                             \
-     ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
-      (_slot ## UL << PML4_ENTRY_BITS))
--#define GB(_gb) (_gb ## UL << 30)
- #else
- #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
- #define PML4_ADDR(_slot)                             \
diff --git a/main/xen/xsa28-4.1.patch b/main/xen/xsa28-4.1.patch
deleted file mode 100644
index fe4638e..0000000
--- a/main/xen/xsa28-4.1.patch
+++ /dev/null
_at_@ -1,36 +0,0 @@
-x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
-
-Otherwise an out of bounds array access can happen if changing the
-default access is being requested, which - if it doesn't crash Xen -
-would subsequently allow reading arbitrary memory through
-HVMOP_get_mem_access (again, unless that operation crashes Xen).
-
-This is XSA-28 / CVE-2012-5512.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Tim Deegan <tim_at_xen.org>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 66cf805..08b6418 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-_at_@ -3699,7 +3699,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
-             return rc;
- 
-         rc = -EINVAL;
--        if ( !is_hvm_domain(d) )
-+        if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
-             goto param_fail5;
- 
-         p2m = p2m_get_hostp2m(d);
-_at_@ -3719,9 +3719,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
-              ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
-             goto param_fail5;
-             
--        if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
--            goto param_fail5;
--
-         for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-         {
-             p2m_type_t t;
diff --git a/main/xen/xsa29-4.1.patch b/main/xen/xsa29-4.1.patch
deleted file mode 100644
index f8f6e38..0000000
--- a/main/xen/xsa29-4.1.patch
+++ /dev/null
_at_@ -1,49 +0,0 @@
-xen: add missing guest address range checks to XENMEM_exchange handlers
-
-Ever since its existence (3.0.3 iirc) the handler for this has been
-using non address range checking guest memory accessors (i.e.
-the ones prefixed with two underscores) without first range
-checking the accessed space (via guest_handle_okay()), allowing
-a guest to access and overwrite hypervisor memory.
-
-This is XSA-29 / CVE-2012-5513.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
-index 2402984..1d877fc 100644
---- a/xen/common/compat/memory.c
-+++ b/xen/common/compat/memory.c
-_at_@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE(void) compat)
-                   (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
-                 return -EINVAL;
- 
-+            if ( !compat_handle_okay(cmp.xchg.in.extent_start,
-+                                     cmp.xchg.in.nr_extents) ||
-+                 !compat_handle_okay(cmp.xchg.out.extent_start,
-+                                     cmp.xchg.out.nr_extents) )
-+                return -EFAULT;
-+
-             start_extent = cmp.xchg.nr_exchanged;
-             end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
-                          (((1U << ABS(order_delta)) + 1) *
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 4e7c234..59379d3 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-_at_@ -289,6 +289,13 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
-         goto fail_early;
-     }
- 
-+    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-+         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+    {
-+        rc = -EFAULT;
-+        goto fail_early;
-+    }
-+
-     /* Only privileged guests can allocate multi-page contiguous extents. */
-     if ( !multipage_allocation_permitted(current->domain,
-                                          exch.in.extent_order) ||
diff --git a/main/xen/xsa30-4.1.patch b/main/xen/xsa30-4.1.patch
deleted file mode 100644
index 817879a..0000000
--- a/main/xen/xsa30-4.1.patch
+++ /dev/null
_at_@ -1,57 +0,0 @@
-xen: fix error handling of guest_physmap_mark_populate_on_demand()
-
-The only user of the "out" label bypasses a necessary unlock, thus
-enabling the caller to lock up Xen.
-
-Also, the function was never meant to be called by a guest for itself,
-so rather than inspecting the code paths in depth for potential other
-problems this might cause, and adjusting e.g. the non-guest printk()
-in the above error path, just disallow the guest access to it.
-
-Finally, the printk() (considering its potential of spamming the log,
-the more that it's not using XENLOG_GUEST), is being converted to
-P2M_DEBUG(), as debugging is what it apparently was added for in the
-first place.
-
-This is XSA-30 / CVE-2012-5514.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-Acked-by: George Dunlap <george.dunlap_at_eu.citrix.com>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-diff -r 5639047d6c9f xen/arch/x86/mm/p2m.c
---- a/xen/arch/x86/mm/p2m.c	Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/mm/p2m.c	Thu Nov 22 17:07:37 2012 +0000
-_at_@ -2412,6 +2412,9 @@ guest_physmap_mark_populate_on_demand(st
-     mfn_t omfn;
-     int rc = 0;
- 
-+    if ( !IS_PRIV_FOR(current->domain, d) )
-+        return -EPERM;
-+
-     if ( !paging_mode_translate(d) )
-         return -EINVAL;
- 
-_at_@ -2430,8 +2433,7 @@ guest_physmap_mark_populate_on_demand(st
-         omfn = gfn_to_mfn_query(p2m, gfn + i, &ot);
-         if ( p2m_is_ram(ot) )
-         {
--            printk("%s: gfn_to_mfn returned type %d!\n",
--                   __func__, ot);
-+            P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
-             rc = -EBUSY;
-             goto out;
-         }
-_at_@ -2453,10 +2455,10 @@ guest_physmap_mark_populate_on_demand(st
-         BUG_ON(p2m->pod.entry_count < 0);
-     }
- 
-+out:
-     audit_p2m(p2m, 1);
-     p2m_unlock(p2m);
- 
--out:
-     return rc;
- }
- 
diff --git a/main/xen/xsa31-4.1.patch b/main/xen/xsa31-4.1.patch
deleted file mode 100644
index 1f3d929..0000000
--- a/main/xen/xsa31-4.1.patch
+++ /dev/null
_at_@ -1,50 +0,0 @@
-memop: limit guest specified extent order
-
-Allowing unbounded order values here causes almost unbounded loops
-and/or partially incomplete requests, particularly in PoD code.
-
-The added range checks in populate_physmap(), decrease_reservation(),
-and the "in" one in memory_exchange() architecturally all could use
-PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
-MAX_ORDER.
-
-This is XSA-31 / CVE-2012-5515.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Tim Deegan <tim_at_xen.org>
-Acked-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 4e7c234..9b9fb18 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-_at_@ -117,7 +117,8 @@ static void populate_physmap(struct memop_args *a)
- 
-         if ( a->memflags & MEMF_populate_on_demand )
-         {
--            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
-+            if ( a->extent_order > MAX_ORDER ||
-+                 guest_physmap_mark_populate_on_demand(d, gpfn,
-                                                        a->extent_order) < 0 )
-                 goto out;
-         }
-_at_@ -216,7 +217,8 @@ static void decrease_reservation(struct memop_args *a)
-     xen_pfn_t gmfn;
- 
-     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
--                                     a->nr_extents-1) )
-+                                     a->nr_extents-1) ||
-+         a->extent_order > MAX_ORDER )
-         return;
- 
-     for ( i = a->nr_done; i < a->nr_extents; i++ )
-_at_@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
-     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
-          /* Input and output domain identifiers match? */
-          (exch.in.domid != exch.out.domid) ||
-+         /* Extent orders are sensible? */
-+         (exch.in.extent_order > MAX_ORDER) ||
-+         (exch.out.extent_order > MAX_ORDER) ||
-          /* Sizes of input and output lists do not overflow a long? */
-          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
-          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
-- 
1.7.7.5 (Apple Git-26)
---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Fri Dec 21 2012 - 11:19:01 UTC