From 98213deae4e7d61cdc8f9cc45740715996f87fd6 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: May 17 2016 18:36:31 +0000
Subject: xen no longer crashes when built without -fno-tree-coalesce-vars in systemd only try to load kernel modules that are in Fedora (#1291089) x86 software guest page walk PS bit handling flaw [XSA-176, CVE-2016-4480]
---
diff --git a/xen.gcc6.fix.patch b/xen.gcc6.fix.patch
index 5516e75..336ca35 100644
--- a/xen.gcc6.fix.patch
+++ b/xen.gcc6.fix.patch
@@ -169,14 +169,3 @@
 }
 #else
 if (params[0]) {
---- xen-4.6.1/config/StdGNU.mk.orig 2016-02-09 14:44:19.000000000 +0000
-+++ xen-4.6.1/config/StdGNU.mk 2016-04-03 17:46:41.413520321 +0100
-@@ -37,7 +37,7 @@
- SHLIB_LDFLAGS = -shared
-
- ifneq ($(debug),y)
--CFLAGS += -O2 -fomit-frame-pointer
-+CFLAGS += -O2 -fomit-frame-pointer -fno-tree-coalesce-vars
- else
- # Less than -O1 produces bad code and large stack frames
- CFLAGS += -O1 -fno-omit-frame-pointer
diff --git a/xen.modules.tidy.patch b/xen.modules.tidy.patch
new file mode 100644
index 0000000..35cf6f8
--- /dev/null
+++ b/xen.modules.tidy.patch
@@ -0,0 +1,19 @@
+--- xen-4.6.1/tools/configure.orig 2016-05-14 19:41:52.823267045 +0100
++++ xen-4.6.1/tools/configure 2016-05-14 19:54:54.847929632 +0100
+@@ -4125,15 +4125,8 @@
+ xen-blkback
+ xen-netback
+ xen-pciback
+-evtchn
+-gntdev
+-netbk
+-blkbk
+-xen-scsibk
+-usbbk
+-pciback
++xen-scsiback
+ xen-acpi-processor
+-blktap2
+ "
+ ;;
+ *)
diff --git a/xen.spec b/xen.spec
index eb7d095..ccdfa94 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.6.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
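Review bot: In xen.modules.tidy.patch the module list is changed in `tools/configure`, which looks like generated autoconf output rather than the file it is generated from. If the build ever regenerates configure, the removed names (`evtchn`, `gntdev`, `netbk`, ...) would presumably come back without any error, so the same edit should probably also be made in the autoconf input or sent upstream. The start of the list is outside the hunk, so which modules remain in it cannot be checked from here.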
@@ -150,6 +150,8 @@ Patch108: xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch Patch109: xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch Patch110: xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch Patch111: xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch +Patch112: xen.modules.tidy.patch +Patch113: xsa176.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -401,6 +403,8 @@ manage Xen virtual machines. %patch109 -p1 %patch110 -p1 %patch111 -p1 +%patch112 -p1 +%patch113 -p1 # stubdom sources cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom @@ -930,6 +934,11 @@ rm -rf %{buildroot} %endif %changelog +* Sat May 14 2016 Michael Young - 4.6.1-9 +- xen no longer crashes when built without -fno-tree-coalesce-vars +- in systemd only try to load kernel modules that are in Fedora (#1291089) +- x86 software guest page walk PS bit handling flaw [XSA-176, CVE-2016-4480] + * Tue May 10 2016 Michael Young - 4.6.1-8 - create link to /usr/bin/qemu-system-i386 from /usr/lib/xen/bin for back compatibility and for virt-manager (#1334554) (#1299745) diff --git a/xsa176.patch b/xsa176.patch new file mode 100644 index 0000000..1c15abd --- /dev/null +++ b/xsa176.patch 
@@ -0,0 +1,45 @@
+x86/mm: fully honor PS bits in guest page table walks
+
+In L4 entries it is currently unconditionally reserved (and hence
+should, when set, always result in a reserved bit page fault), and is
+reserved on hardware not supporting 1Gb pages (and hence should, when
+set, similarly cause a reserved bit page fault on such hardware).
+
+This is CVE-2016-4480 / XSA-176.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Tested-by: Andrew Cooper
+
+--- a/xen/arch/x86/mm/guest_walk.c
++++ b/xen/arch/x86/mm/guest_walk.c
+@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
+ rc |= _PAGE_PRESENT;
+ goto out;
+ }
++ if ( gflags & _PAGE_PSE )
++ {
++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
++ goto out;
++ }
+ rc |= ((gflags & mflags) ^ mflags);
+
+ /* Map the l3 table */
+@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
+ }
+ rc |= ((gflags & mflags) ^ mflags);
+
+- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v);
++ pse1G = !!(gflags & _PAGE_PSE);
+
+ if ( pse1G )
+ {
+@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
+ /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
+ flags &= ~_PAGE_PAT;
+
++ if ( !guest_supports_1G_superpages(v) )
++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
+ if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
+ rc |= _PAGE_INVALID_BITS;
+
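Review bot: The two added PS checks in guest_walk_tables() carry no comment saying why a set PS bit is an error, so the reasoning lives only in the patch description. Above `if ( gflags & _PAGE_PSE )` in the first inner hunk I would add `/* PS is reserved in L4 entries: flag a reserved-bit fault. */`, and above `if ( !guest_supports_1G_superpages(v) )` in the third `/* No 1GB page support for this guest: PS is reserved in the L3 entry. */`. The added lines set `_PAGE_INVALID_BIT` while the untouched line just below them sets `_PAGE_INVALID_BITS`; both definitions are outside this patch, so it is worth confirming the difference is intended. The function body starts and ends outside the hunks, and how callers map this rc to a page-fault error code is not visible here.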