xen: update to 4.7.1

Xen 4.7.1 contains the following XSAs: 184, 185, 186, 187, 188 and 190 which
where missing in the previous package. Additionally XSAs 191, 192, 193, 194,
195, 197 and 198 are also applied.

Approved by:	bapt
Sponsored by:	Citrix Systems R&D

9 files changed, 484 insertions, 186 deletions

diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index 20d9a53ee3b4..1edad90afe36 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -2,10 +2,10 @@
 
 PORTNAME=	xen
 PKGNAMESUFFIX=	-kernel
-PORTVERSION=	4.7.0
-PORTREVISION=   3
+PORTVERSION=	4.7.1
+PORTREVISION=   0
 CATEGORIES=	emulators
-MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
+MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
 
 MAINTAINER=	royger@FreeBSD.org
 COMMENT=	Hypervisor using a microkernel design
@@ -40,9 +40,11 @@ PLIST_FILES=	/boot/xen \
 EXTRA_PATCHES=	${FILESDIR}/0001-xen-logdirty-prevent-preemption-if-finished.patch:-p1 \
 		${FILESDIR}/0002-xen-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p1 \
 		${FILESDIR}/kconf_arch.patch:-p1 \
-		${FILESDIR}/xsa182-unstable.patch:-p1 \
-		${FILESDIR}/xsa183-unstable.patch:-p1
-
+		${FILESDIR}/xsa191.patch \
+		${FILESDIR}/xsa192.patch \
+		${FILESDIR}/xsa193-4.7.patch \
+		${FILESDIR}/xsa194.patch \
+		${FILESDIR}/xsa195.patch
 
 .include <bsd.port.options.mk>
 
diff --git a/emulators/xen-kernel/distinfo b/emulators/xen-kernel/distinfo
index 0a74ef3ee7e1..1b8190668041 100644
--- a/emulators/xen-kernel/distinfo
+++ b/emulators/xen-kernel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1467644898
-SHA256 (xen-4.7.0.tar.gz) = be5876144d49729572ae06142e0bb93f1c1f2695578141eff2931995add24623
-SIZE (xen-4.7.0.tar.gz) = 20702550
+TIMESTAMP = 1480690512
+SHA256 (xen-4.7.1.tar.gz) = e87f4b0575e78657ee23d31470a15ecf1ce8c3a92a771cda46bbcd4d0d671ffe
+SIZE (xen-4.7.1.tar.gz) = 20706864
diff --git a/emulators/xen-kernel/files/xsa182-unstable.patch b/emulators/xen-kernel/files/xsa182-unstable.patch
deleted file mode 100644
index 3e40e8a5300f..000000000000
--- a/emulators/xen-kernel/files/xsa182-unstable.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 00593655e231ed5ea20704120037026e33b83fbb Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
----
- xen/arch/x86/mm.c          | 28 ++++++++++++++++------------
- xen/include/asm-x86/page.h |  1 +
- 2 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index dbcf6cb..56ca19f 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1852,6 +1852,14 @@ static inline int update_intpte(intpte_t *p,
-                   _t ## e_get_intpte(_o), _t ## e_get_intpte(_n),   \
-                   (_m), (_v), (_ad))
- 
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST                                     \
-+    (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+     _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-                         unsigned long gl1mfn, int preserve_ad,
-@@ -1891,9 +1899,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-             nl1e = l1e_from_pfn(page_to_mfn(page), l1e_get_flags(nl1e));
-         }
- 
--        /* Fast path for identical mapping, r/w, presence, and cachability. */
--        if ( !l1e_has_changed(ol1e, nl1e,
--                              PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l1e(nl1e, pt_dom);
-             rc = UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1970,11 +1977,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l2e_has_changed(ol2e, nl2e,
--                              unlikely(opt_allow_superpage)
--                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
--                              : _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l2e(nl2e, d);
-             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
-@@ -2039,8 +2043,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l3e(nl3e, d);
-             rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-@@ -2103,8 +2107,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l4e(nl4e, d);
-             rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
-diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
-index 224852a..4ae387f 100644
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-@@ -313,6 +313,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
- #define _PAGE_AVAIL2   _AC(0x800,U)
- #define _PAGE_AVAIL    _AC(0xE00,U)
- #define _PAGE_PSE_PAT  _AC(0x1000,U)
-+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
- #define _PAGE_NX       (cpu_has_nx ? _PAGE_NX_BIT : 0)
- /* non-architectural flags */
- #define _PAGE_PAGED   0x2000U
--- 
-2.1.4
-
diff --git a/emulators/xen-kernel/files/xsa183-unstable.patch b/emulators/xen-kernel/files/xsa183-unstable.patch
deleted file mode 100644
index 573c530112c2..000000000000
--- a/emulators/xen-kernel/files/xsa183-unstable.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 2fd4f34058fb5f87fbd80978dbd2cb458aff565d Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 15 Jun 2016 18:32:14 +0100
-Subject: [PATCH] x86/entry: Avoid SMAP violation in
- compat_create_bounce_frame()
-
-A 32bit guest kernel might be running on user mappings.
-compat_create_bounce_frame() must whitelist its guest accesses to avoid
-risking a SMAP violation.
-
-For both variants of create_bounce_frame(), re-blacklist user accesses if
-execution exits via an exception table redirection.
-
-This is XSA-183 / CVE-2016-6259
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
-v2:
- * Include CLAC on the exit paths from compat_create_bounce_frame which occur
-   from faults attempting to load %fs
- * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
----
- xen/arch/x86/x86_64/compat/entry.S | 3 +++
- xen/arch/x86/x86_64/entry.S        | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index 7f02afd..e80c53c 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-@@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap)
- compat_create_bounce_frame:
-         ASSERT_INTERRUPTS_ENABLED
-         mov   %fs,%edi
-+        ASM_STAC
-         testb $2,UREGS_cs+8(%rsp)
-         jz    1f
-         /* Push new frame at registered guest-OS stack base. */
-@@ -364,6 +365,7 @@ compat_create_bounce_frame:
-         movl  TRAPBOUNCE_error_code(%rdx),%eax
- .Lft8:  movl  %eax,%fs:(%rsi)           # ERROR CODE
- 1:
-+        ASM_CLAC
-         /* Rewrite our stack frame and return to guest-OS mode. */
-         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
-         andl  $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
-@@ -403,6 +405,7 @@ compat_crash_page_fault_4:
-         addl  $4,%esi
- compat_crash_page_fault:
- .Lft14: mov   %edi,%fs
-+        ASM_CLAC
-         movl  %esi,%edi
-         call  show_page_walk
-         jmp   dom_crash_sync_extable
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index ad8c64c..f7178cd 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -420,9 +420,11 @@ domain_crash_page_fault_16:
- domain_crash_page_fault_8:
-         addq  $8,%rsi
- domain_crash_page_fault:
-+        ASM_CLAC
-         movq  %rsi,%rdi
-         call  show_page_walk
- ENTRY(dom_crash_sync_extable)
-+        ASM_CLAC
-         # Get out of the guest-save area of the stack.
-         GET_STACK_END(ax)
-         leaq  STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
--- 
-2.1.4
-
diff --git a/emulators/xen-kernel/files/xsa191.patch b/emulators/xen-kernel/files/xsa191.patch
new file mode 100644
index 000000000000..956f1c97ad09
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa191.patch
@@ -0,0 +1,152 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/hvm: Fix the handling of non-present segments
+
+In 32bit, the data segments may be NULL to indicate that the segment is
+ineligible for use.  In both 32bit and 64bit, the LDT selector may be NULL to
+indicate that the entire LDT is ineligible for use.  However, nothing in Xen
+actually checks for this condition when performing other segmentation
+checks.  (Note however that limit and writeability checks are correctly
+performed).
+
+Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
+Experimentally, AMD zeroes all attributes but leaves the base and limit
+unmodified.  Intel zeroes the base, sets the limit to 0xfffffff and resets the
+attributes to just .G and .D/B.
+
+The use of the segment information in the VMCB/VMCS is equivalent to a native
+pipeline interacting with the segment cache.  The present bit can therefore
+have a subtly different meaning, and it is now cooked to uniformly indicate
+whether the segment is usable or not.
+
+GDTR and IDTR don't have access rights like the other segments, but for
+consistency, they are treated as being present so no special casing is needed
+elsewhere in the segmentation logic.
+
+AMD hardware does not consider the present bit for %cs and %tr, and will
+function as if they were present.  They are therefore unconditionally set to
+present when reading information from the VMCB, to maintain the new meaning of
+usability.
+
+Intel hardware has a separate unusable bit in the VMCS segment attributes.
+This bit is inverted and stored in the present field, so the hvm code can work
+with architecturally-common state.
+
+This is XSA-191.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/hvm/hvm.c                 |  8 ++++++++
+ xen/arch/x86/hvm/svm/svm.c             |  4 ++++
+ xen/arch/x86/hvm/vmx/vmx.c             | 20 +++++++++++---------
+ xen/arch/x86/x86_emulate/x86_emulate.c |  4 ++++
+ 4 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
+index 704fd64..deb1783 100644
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2512,6 +2512,10 @@ bool_t hvm_virtual_to_linear_addr(
+          */
+         addr = (uint32_t)(addr + reg->base);
+ 
++        /* Segment not valid for use (cooked meaning of .p)? */
++        if ( !reg->attr.fields.p )
++            goto out;
++
+         switch ( access_type )
+         {
+         case hvm_access_read:
+@@ -2767,6 +2771,10 @@ static int hvm_load_segment_selector(
+     hvm_get_segment_register(
+         v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto fail;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto fail;
+diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
+index 16427f6..4cba406 100644
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -627,6 +627,7 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg,
+     {
+     case x86_seg_cs:
+         memcpy(reg, &vmcb->cs, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.g = reg->limit > 0xFFFFF;
+         break;
+     case x86_seg_ds:
+@@ -660,13 +661,16 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg,
+     case x86_seg_tr:
+         svm_sync_vmcb(v);
+         memcpy(reg, &vmcb->tr, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.type |= 0x2;
+         break;
+     case x86_seg_gdtr:
+         memcpy(reg, &vmcb->gdtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_idtr:
+         memcpy(reg, &vmcb->idtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_ldtr:
+         svm_sync_vmcb(v);
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index 9a8f694..a652c52 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -1035,10 +1035,12 @@ void vmx_get_segment_register(struct vcpu *v, enum x86_segment seg,
+     reg->sel = sel;
+     reg->limit = limit;
+ 
+-    reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
+-    /* Unusable flag is folded into Present flag. */
+-    if ( attr & (1u<<16) )
+-        reg->attr.fields.p = 0;
++    /*
++     * Fold VT-x representation into Xen's representation.  The Present bit is
++     * unconditionally set to the inverse of unusable.
++     */
++    reg->attr.bytes =
++        (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
+ 
+     /* Adjust for virtual 8086 mode */
+     if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr 
+@@ -1118,11 +1120,11 @@ static void vmx_set_segment_register(struct vcpu *v, enum x86_segment seg,
+         }
+     }
+ 
+-    attr = ((attr & 0xf00) << 4) | (attr & 0xff);
+-
+-    /* Not-present must mean unusable. */
+-    if ( !reg->attr.fields.p )
+-        attr |= (1u << 16);
++    /*
++     * Unfold Xen representation into VT-x representation.  The unusable bit
++     * is unconditionally set to the inverse of present.
++     */
++    attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
+ 
+     /* VMX has strict consistency requirement for flag G. */
+     attr |= !!(limit >> 20) << 15;
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 7a707dc..7cb6f98 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1367,6 +1367,10 @@ protmode_load_seg(
+                                  &desctab, ctxt)) )
+         return rc;
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto raise_exn;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto raise_exn;
diff --git a/emulators/xen-kernel/files/xsa192.patch b/emulators/xen-kernel/files/xsa192.patch
new file mode 100644
index 000000000000..b573a132c9fd
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa192.patch
@@ -0,0 +1,64 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
+
+Just like TR, LDTR is purely a protected mode facility and hence needs
+to be loaded accordingly. Also move its loading to where it
+architecurally belongs.
+
+This is XSA-192.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p)
+ }
+ 
+ static int hvm_load_segment_selector(
+-    enum x86_segment seg, uint16_t sel)
++    enum x86_segment seg, uint16_t sel, unsigned int eflags)
+ {
+     struct segment_register desctab, cs, segr;
+     struct desc_struct *pdesc, desc;
+     u8 dpl, rpl, cpl;
+     bool_t writable;
+     int fault_type = TRAP_invalid_tss;
+-    struct cpu_user_regs *regs = guest_cpu_user_regs();
+     struct vcpu *v = current;
+ 
+-    if ( regs->eflags & X86_EFLAGS_VM )
++    if ( eflags & X86_EFLAGS_VM )
+     {
+         segr.sel = sel;
+         segr.base = (uint32_t)sel << 4;
+@@ -2986,6 +2985,8 @@ void hvm_task_switch(
+     if ( rc != HVMCOPY_okay )
+         goto out;
+ 
++    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
++        goto out;
+ 
+     if ( hvm_set_cr3(tss.cr3, 1) )
+         goto out;
+@@ -3008,13 +3009,12 @@ void hvm_task_switch(
+     }
+ 
+     exn_raised = 0;
+-    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
+-         hvm_load_segment_selector(x86_seg_es, tss.es) ||
+-         hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
+-         hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
+-         hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
+-         hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
+-         hvm_load_segment_selector(x86_seg_gs, tss.gs) )
++    if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
+         exn_raised = 1;
+ 
+     rc = hvm_copy_to_guest_virt(
diff --git a/emulators/xen-kernel/files/xsa193-4.7.patch b/emulators/xen-kernel/files/xsa193-4.7.patch
new file mode 100644
index 000000000000..c5486efa544b
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa193-4.7.patch
@@ -0,0 +1,68 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses
+
+Commit c42494acb2 ("x86: fix FS/GS base handling when using the
+fsgsbase feature") replaced the use of wrmsr_safe() on these paths
+without recognizing that wr{f,g}sbase() use just wrmsrl() and that the
+WR{F,G}SBASE instructions also raise #GP for non-canonical input.
+
+Similarly arch_set_info_guest() needs to prevent non-canonical
+addresses from getting stored into state later to be loaded by context
+switch code. For consistency also check stack pointers and LDT base.
+DR0..3, otoh, already get properly checked in set_debugreg() (albeit
+we discard the error there).
+
+The SHADOW_GS_BASE check isn't strictly necessary, but I think we
+better avoid trying the WRMSR if we know it's going to fail.
+
+This is XSA-193.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -890,7 +890,13 @@ int arch_set_info_guest(
+     {
+         if ( !compat )
+         {
+-            if ( !is_canonical_address(c.nat->user_regs.eip) ||
++            if ( !is_canonical_address(c.nat->user_regs.rip) ||
++                 !is_canonical_address(c.nat->user_regs.rsp) ||
++                 !is_canonical_address(c.nat->kernel_sp) ||
++                 (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) ||
++                 !is_canonical_address(c.nat->fs_base) ||
++                 !is_canonical_address(c.nat->gs_base_kernel) ||
++                 !is_canonical_address(c.nat->gs_base_user) ||
+                  !is_canonical_address(c.nat->event_callback_eip) ||
+                  !is_canonical_address(c.nat->syscall_callback_eip) ||
+                  !is_canonical_address(c.nat->failsafe_callback_eip) )
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct
+         switch ( regs->_ecx )
+         {
+         case MSR_FS_BASE:
+-            if ( is_pv_32bit_domain(currd) )
++            if ( is_pv_32bit_domain(currd) ||
++                 !is_canonical_address(msr_content) )
+                 goto fail;
+             wrfsbase(msr_content);
+             v->arch.pv_vcpu.fs_base = msr_content;
+             break;
+         case MSR_GS_BASE:
+-            if ( is_pv_32bit_domain(currd) )
++            if ( is_pv_32bit_domain(currd) ||
++                 !is_canonical_address(msr_content) )
+                 goto fail;
+             wrgsbase(msr_content);
+             v->arch.pv_vcpu.gs_base_kernel = msr_content;
+             break;
+         case MSR_SHADOW_GS_BASE:
+-            if ( is_pv_32bit_domain(currd) )
++            if ( is_pv_32bit_domain(currd) ||
++                 !is_canonical_address(msr_content) )
+                 goto fail;
+             if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) )
+                 goto fail;
diff --git a/emulators/xen-kernel/files/xsa194.patch b/emulators/xen-kernel/files/xsa194.patch
new file mode 100644
index 000000000000..946bd8783dd9
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa194.patch
@@ -0,0 +1,144 @@
+From 71096b016f7fd54a72af73576948cb25cf42ebcb Mon Sep 17 00:00:00 2001
+From: Roger Pau Monné <roger.pau@citrix.com>Date: Wed, 2 Nov 2016 15:02:00 +0000
+Subject: [PATCH] libelf: fix stack memory leak when loading 32 bit symbol
+ tables
+
+The 32 bit Elf structs are smaller than the 64 bit ones, which means that
+when loading them there's some padding left uninitialized at the end of each
+struct (because the size indicated in e_ehsize and e_shentsize is
+smaller than the size of elf_ehdr and elf_shdr).
+
+Fix this by introducing a new helper that is used to set
+[caller_]xdest_{base/size} and that takes care of performing the appropriate
+memset of the region. This newly introduced helper is then used to set and
+unset xdest_{base/size} in elf_load_bsdsyms. Now that the full struct
+is zeroed, there's no need to specifically zero the undefined section.
+
+This is XSA-194.
+
+Suggested-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+Also remove the open coded (and redundant with the earlier
+elf_memset_unchecked()) use of caller_xdest_* from elf_init().
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ xen/common/libelf/libelf-loader.c | 14 +++-----------
+ xen/common/libelf/libelf-tools.c  | 11 +++++++++--
+ xen/include/xen/libelf.h          | 15 +++++++++------
+ 3 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index 4d3ae4d..bc1f87b 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -43,8 +43,6 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t
+     elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input);
+     elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]);
+     elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]);
+-    elf->caller_xdest_base = NULL;
+-    elf->caller_xdest_size = 0;
+ 
+     /* Sanity check phdr. */
+     offset = elf_uval(elf, elf->ehdr, e_phoff) +
+@@ -284,9 +282,8 @@ do {                                                                \
+ #define SYMTAB_INDEX    1
+ #define STRTAB_INDEX    2
+ 
+-    /* Allow elf_memcpy_safe to write to symbol_header. */
+-    elf->caller_xdest_base = &header;
+-    elf->caller_xdest_size = sizeof(header);
++    /* Allow elf_memcpy_safe to write to header. */
++    elf_set_xdest(elf, &header, sizeof(header));
+ 
+     /*
+      * Calculate the position of the various elements in GUEST MEMORY SPACE.
+@@ -319,11 +316,7 @@ do {                                                                \
+     elf_store_field_bitness(elf, header_handle, e_phentsize, 0);
+     elf_store_field_bitness(elf, header_handle, e_phnum, 0);
+ 
+-    /* Zero the undefined section. */
+-    section_handle = ELF_MAKE_HANDLE(elf_shdr,
+-                     ELF_REALPTR2PTRVAL(&header.elf_header.section[SHN_UNDEF]));
+     shdr_size = elf_uval(elf, elf->ehdr, e_shentsize);
+-    elf_memset_safe(elf, ELF_HANDLE_PTRVAL(section_handle), 0, shdr_size);
+ 
+     /*
+      * The symtab section header is going to reside in section[SYMTAB_INDEX],
+@@ -404,8 +397,7 @@ do {                                                                \
+     }
+ 
+     /* Remove permissions from elf_memcpy_safe. */
+-    elf->caller_xdest_base = NULL;
+-    elf->caller_xdest_size = 0;
++    elf_set_xdest(elf, NULL, 0);
+ 
+ #undef SYMTAB_INDEX
+ #undef STRTAB_INDEX
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 5a4757b..e73e729 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -59,8 +59,7 @@ bool elf_access_ok(struct elf_binary * elf,
+         return 1;
+     if ( elf_ptrval_in_range(ptrval, size, elf->dest_base, elf->dest_size) )
+         return 1;
+-    if ( elf_ptrval_in_range(ptrval, size,
+-                             elf->caller_xdest_base, elf->caller_xdest_size) )
++    if ( elf_ptrval_in_range(ptrval, size, elf->xdest_base, elf->xdest_size) )
+         return 1;
+     elf_mark_broken(elf, "out of range access");
+     return 0;
+@@ -373,6 +372,14 @@ bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr
+     return ((p_type == PT_LOAD) && (p_flags & (PF_R | PF_W | PF_X)) != 0);
+ }
+ 
++void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size)
++{
++    elf->xdest_base = addr;
++    elf->xdest_size = size;
++    if ( addr != NULL )
++        elf_memset_safe(elf, ELF_REALPTR2PTRVAL(addr), 0, size);
++}
++
+ /*
+  * Local variables:
+  * mode: C
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index 95b5370..cf62bc7 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -210,13 +210,11 @@ struct elf_binary {
+     uint64_t bsd_symtab_pend;
+ 
+     /*
+-     * caller's other acceptable destination
+-     *
+-     * Again, these are trusted and must be valid (or 0) so long
+-     * as the struct elf_binary is in use.
++     * caller's other acceptable destination.
++     * Set by elf_set_xdest.  Do not set these directly.
+      */
+-    void *caller_xdest_base;
+-    uint64_t caller_xdest_size;
++    void *xdest_base;
++    uint64_t xdest_size;
+ 
+ #ifndef __XEN__
+     /* misc */
+@@ -494,5 +492,10 @@ static inline void ELF_ADVANCE_DEST(struct elf_binary *elf, uint64_t amount)
+     }
+ }
+ 
++/* Specify a (single) additional destination, to which the image may
++ * cause writes.  As with dest_base and dest_size, the values provided
++ * are trusted and must be valid so long as the struct elf_binary
++ * is in use or until elf_set_xdest(,0,0) is called. */
++void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size);
+ 
+ #endif /* __XEN_LIBELF_H__ */
+-- 
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa195.patch b/emulators/xen-kernel/files/xsa195.patch
new file mode 100644
index 000000000000..a193a5cca031
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa195.patch
@@ -0,0 +1,45 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: fix huge bit offset handling
+
+We must never chop off the high 32 bits.
+
+This is XSA-195.
+
+Reported-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2549,6 +2549,12 @@ x86_emulate(
+         else
+         {
+             /*
++             * Instructions such as bt can reference an arbitrary offset from
++             * their memory operand, but the instruction doing the actual
++             * emulation needs the appropriate op_bytes read from memory.
++             * Adjust both the source register and memory operand to make an
++             * equivalent instruction.
++             *
+              * EA       += BitOffset DIV op_bytes*8
+              * BitOffset = BitOffset MOD op_bytes*8
+              * DIV truncates towards negative infinity.
+@@ -2560,14 +2566,15 @@ x86_emulate(
+                 src.val = (int32_t)src.val;
+             if ( (long)src.val < 0 )
+             {
+-                unsigned long byte_offset;
+-                byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
++                unsigned long byte_offset =
++                    op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
++
+                 ea.mem.off -= byte_offset;
+                 src.val = (byte_offset << 3) + src.val;
+             }
+             else
+             {
+-                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
++                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
+                 src.val &= (op_bytes << 3) - 1;
+             }
+         }