diff --git a/qemu.CVE-2016-4002.patch b/qemu.CVE-2016-4002.patch
new file mode 100644
index 0000000..617f1d6
--- /dev/null
+++ b/qemu.CVE-2016-4002.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit
+
+When receiving packets over MIPSnet network device, it uses
+ receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk
+
+Signed-off-by: Prasad J Pandit
+---
+ tools/qemu-xen/hw/net/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/qemu-xen/hw/net/mipsnet.c b/tools/qemu-xen/hw/net/mipsnet.c
+index f261011..e134b31 100644
+--- a/tools/qemu-xen/hw/net/mipsnet.c
++++ b/tools/qemu-xen/hw/net/mipsnet.c
+@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+ if (!mipsnet_can_receive(nc))
+ return -1;
+
++ if (size >= sizeof(s->rx_buffer)) {
++ return -1;
++ }
+ s->busy = 1;
+
+ /* Just accept everything. */
+--
+2.5.5
+
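Review bot: The context comment `/* Just accept everything. */` at L34 now sits directly after the new length check, so it contradicts the code the patch introduces; the same applies to the traditional variant at L298. If the hunk is carried verbatim from upstream that can stay, but the header should then say so: this file has no `From <upstream-commit-id>` line or Date (compare L167–L169) and uses `Reported by:` instead of the `Reported-by:` trailer seen at L177, which makes it hard to match against upstream on a rebase. The rest of mipsnet_receive, including where rx_buffer is filled from buf, lies outside the hunk, so whether a frame of exactly sizeof(s->rx_buffer) bytes could have fit is not visible here; the `>=` bound is conservative either way.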
diff --git a/qemu.CVE-2016-4037.patch b/qemu.CVE-2016-4037.patch
new file mode 100644
index 0000000..b19df5f
--- /dev/null
+++ b/qemu.CVE-2016-4037.patch
@@ -0,0 +1,63 @@
+------------------------------------------------------------------------
+*From*: Gerd Hoffmann
+*Subject*: [Qemu-devel] [PATCH 1/2] ehci: apply limit to itd/sidt
+descriptors
+*Date*: Mon, 18 Apr 2016 11:27:22 +0200
+
+------------------------------------------------------------------------
+
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
+DoS by the guest (create a circular itd queue and let qemu ehci
+emulation run in circles forever). Unfortunaly this has two problems:
+First it misses the case of sitds, and second it reportly breaks
+freebsd.
+
+So lets go for a different approach: just count the number of itds and
+sitds we have seen per frame and apply a limit. That should really
+catch all cases now.
+
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-ehci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
+index 159f58d..923f110 100644
+--- a/tools/qemu-xen/hw/usb/hcd-ehci.c
++++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
+@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
+ static void ehci_advance_state(EHCIState *ehci, int async)
+ {
+ EHCIQueue *q = NULL;
++ int idt_count = 0;
+ int again;
+
+ do {
+@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+
+ case EST_FETCHITD:
+ again = ehci_state_fetchitd(ehci, async);
++ idt_count++;
+ break;
+
+ case EST_FETCHSITD:
+ again = ehci_state_fetchsitd(ehci, async);
++ idt_count++;
+ break;
+
+ case EST_ADVANCEQUEUE:
+@@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+ ehci_reset(ehci);
+ again = 0;
+ }
++
++ /* limit the amout of idts we are willing to process each frame */
++ if (idt_count > 16) {
++ again = 0;
++ }
+ }
+ while (again);
+ }
+--
+1.8.3.1
+
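Review bot: The counter added at L75 is named `idt_count` and the comment at L97 reads "amout of idts", but the increments at L83 and L88 count both ITDs and siTDs, and the limit at L98 is a bare literal 16; if the hunk is kept verbatim from the list posting that is acceptable, otherwise `itd_count`, the spelling `amount of itds`, and a named constant (e.g. `#define EHCI_MAX_ITD_PER_FRAME 16` beside the other EHCI limits) would read better. The header at L44–L50 is a mailing-list excerpt with no upstream commit id; once the series lands, record it with a `From <upstream-commit-id>` line so the patch can be dropped on rebase. This is 1/2 of a series; the companion 2/2 is presumably the revert of 156a2e4, which this commit realizes by removing that patch from xen.spec (L319, L338) — worth stating in the header so the dependency is explicit.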
diff --git a/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch b/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch
deleted file mode 100644
index 6cd271d..0000000
--- a/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 14 Dec 2015 09:21:23 +0100
-Subject: [PATCH] ehci: make idt processing more robust
-
-Make ehci_process_itd return an error in case we didn't do any actual
-iso transfer because we've found no active transaction. That'll avoid
-ehci happily run in circles forever if the guest builds a loop out of
-idts.
-
-This is CVE-2015-8558.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Qinghao Tang
-Tested-by: P J P
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/hcd-ehci.c | 5 +++--
- 1 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
-index 4e2161b..d07f228 100644
---- a/tools/qemu-xen/hw/usb/hcd-ehci.c
-+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
-@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
- {
- USBDevice *dev;
- USBEndpoint *ep;
-- uint32_t i, len, pid, dir, devaddr, endp;
-+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
- uint32_t pg, off, ptr1, ptr2, max, mult;
-
- ehci->periodic_sched_active = PERIODIC_ACTIVE;
-@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
- ehci_raise_irq(ehci, USBSTS_INT);
- }
- itd->transact[i] &= ~ITD_XACT_ACTIVE;
-+ xfers++;
- }
- }
-- return 0;
-+ return xfers ? 0 : -1;
- }
-
-
---
-1.7.0.4
-
diff --git a/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch b/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch
new file mode 100644
index 0000000..0373190
--- /dev/null
+++ b/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch
@@ -0,0 +1,46 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk
+Signed-off-by: Prasad J Pandit
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ tools/qemu-xen/hw/net/stellaris_enet.c | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/net/stellaris_enet.c b/tools/qemu-xen/hw/net/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/tools/qemu-xen/hw/net/stellaris_enet.c
++++ b/tools/qemu-xen/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+- s->np++;
+
++ if (size >= sizeof(s->rx[n].data) - 6) {
++ /* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++ s->ris |= SE_INT_FOV;
++ stellaris_enet_update(s);
++ return -1;
++ }
++
++ s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+--
+1.7.0.4
+
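Review bot: The paths at L183 and L186–L189 have been prefixed with `tools/qemu-xen/` while the rest of the header at L167–L181 is upstream's verbatim, and nothing records the rewrite; a line such as `[downstream: paths prefixed with tools/qemu-xen/ for the Xen tree]` after the sign-offs would tell the next rebase what to redo. The bound at L196 rejects a frame whose stored length `size + 6` (L207) equals sizeof(s->rx[n].data) exactly; whether that frame would have fit depends on the writes after L209, which are outside the hunk, so the check is at worst one byte conservative and can stay as upstream wrote it.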
diff --git a/qemu.trad.CVE-2016-4001.patch b/qemu.trad.CVE-2016-4001.patch
new file mode 100644
index 0000000..9ca362f
--- /dev/null
+++ b/qemu.trad.CVE-2016-4001.patch
@@ -0,0 +1,46 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk
+Signed-off-by: Prasad J Pandit
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ tools/qemu-xen-traditional/hw/stellaris_enet.c | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/stellaris_enet.c b/tools/qemu-xen-traditional/hw/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/tools/qemu-xen-traditional/hw/stellaris_enet.c
++++ b/tools/qemu-xen-traditional/hw/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+- s->np++;
+
++ if (size >= sizeof(s->rx[n].data) - 6) {
++ /* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++ s->ris |= SE_INT_FOV;
++ stellaris_enet_update(s);
++ return -1;
++ }
++
++ s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+--
+1.7.0.4
+
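Review bot: The hunk header at L242 and the context lines L243–L261 are byte-identical to the qemu-xen variant at L190–L209, including the `NetClientState *nc … size_t` signature and `return -1;` at L255, whereas the traditional MIPSnet patch at L290–L294 was adapted to the older `opaque`/plain `return;` form; if qemu-xen-traditional's stellaris_enet_receive is likewise the older void-returning signature, this file needs the same adaptation (`return;` at L255) and the result should be confirmed by building the traditional tree. The `From 3a15cc0e…` line at L219 and the `index 84cf60b..6880894` line at L239 are also copied unchanged from the qemu-xen patch even though this patch touches a different file; `git apply` ignores them, but they misattribute the content — replace the From line with a `[downstream backport of upstream 3a15cc0e to qemu-xen-traditional]` note and drop or regenerate the index line.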
diff --git a/qemu.trad.CVE-2016-4002.patch b/qemu.trad.CVE-2016-4002.patch
new file mode 100644
index 0000000..e122297
--- /dev/null
+++ b/qemu.trad.CVE-2016-4002.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit
+
+When receiving packets over MIPSnet network device, it uses
+ receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk
+
+Signed-off-by: Prasad J Pandit
+---
+ tools/qemu-xen-traditional/hw/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/qemu-xen-traditional/hw/mipsnet.c b/tools/qemu-xen-traditional/hw/mipsnet.c
+index f261011..e134b31 100644
+--- a/tools/qemu-xen-traditional/hw/mipsnet.c
++++ b/tools/qemu-xen-traditional/hw/mipsnet.c
+@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+ if (!mipsnet_can_receive(opaque))
+ return;
+
++ if (size >= sizeof(s->rx_buffer)) {
++ return;
++ }
+ s->busy = 1;
+
+ /* Just accept everything. */
+--
+2.5.5
+
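Review bot: The hunk header at L289 still names `ssize_t mipsnet_receive(NetClientState *nc, … size_t si` although the context lines L290–L291 (`mipsnet_can_receive(opaque)`, bare `return;`) show the adapted traditional signature, and the `index f261011..e134b31` line at L286 duplicates L22's blob ids for a different file. Neither affects `git apply`, but both mislead whoever compares this against the qemu-xen variant; regenerate the hunk header from the traditional file (or drop the function name after `@@`) and drop the index line. If `size` is an `int` in the traditional signature, the comparison with `sizeof` at L293 is signed/unsigned — it rejects negative values as intended but will trip `-Wsign-compare`; an explicit `size < 0` guard followed by a `(size_t)` cast would make that intent visible, once the parameter type is confirmed.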
diff --git a/xen.spec b/xen.spec
index 88a3e6c..fa59e93 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.6.1
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -106,7 +106,6 @@ Patch54: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
Patch55: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
Patch60: xsa164.patch
Patch66: qemu.git-43b11a91dd861a946b231b89b754285.patch
-Patch67: qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch
Patch68: qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch
Patch69: qemu.git-a7278b36fcab9af469563bd7b.patch
Patch70: qemu.git-c6048f849c7e3f009786df76206e895.patch
@@ -134,6 +133,12 @@ Patch91: qemu.CVE-2015-8817+8.patch
Patch92: qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475.patch
Patch93: xen.glibc.fix.patch
Patch94: xsa172.patch
+Patch95: xsa173-4.6.patch
+Patch96: qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch
+Patch97: qemu.trad.CVE-2016-4001.patch
+Patch98: qemu.CVE-2016-4002.patch
+Patch99: qemu.trad.CVE-2016-4002.patch
+Patch100: qemu.CVE-2016-4037.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -341,7 +346,6 @@ manage Xen virtual machines.
%patch55 -p1
%patch60 -p1
%patch66 -p1
-%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
@@ -369,6 +373,12 @@ manage Xen virtual machines.
%patch92 -p1
%patch93 -p1
%patch94 -p1
+%patch95 -p1
+%patch96 -p1
+%patch97 -p1
+%patch98 -p1
+%patch99 -p1
+%patch100 -p1
# stubdom sources
cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -895,6 +905,15 @@ rm -rf %{buildroot}
%endif
%changelog
+* Mon Apr 18 2016 Michael Young - 4.6.1-6
+- x86 shadow pagetables: address width overflow [XSA-173, CVE-2016-3960]
+ (#1328118)
+- Qemu: net: buffer overflow in stellaris_enet emulator [CVE-2016-4001]
+ (#1325886)
+- Qemu: net: buffer overflow in MIPSnet emulator [CVE-2016-4002] (#1326084)
+- qemu: Infinite loop vulnerability in usb_ehci using siTD process
+ [CVE-2016-4037] (#1328081) (supercedes CVE-2015-8558 patch)
+
* Sun Apr 03 2016 Michael Young - 4.6.1-5
- build with -fno-tree-coalesce-vars to avoid a crash on boot
diff --git a/xsa173-4.6.patch b/xsa173-4.6.patch
new file mode 100644
index 0000000..aecf120
--- /dev/null
+++ b/xsa173-4.6.patch
@@ -0,0 +1,244 @@
+commit 54a4651cb4e744960fb375ed99909d7dfb943caf
+Author: Tim Deegan
+Date: Wed Mar 16 16:51:27 2016 +0000
+
+ x86: limit GFNs to 32 bits for shadowed superpages.
+
+ Superpage shadows store the shadowed GFN in the backpointer field,
+ which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage
+ mapping of a guest-physical address above 2^44 would lead to the GFN
+ being truncated there, and a crash when we come to remove the shadow
+ from the hash table.
+
+ Track the valid width of a GFN for each guest, including reporting it
+ through CPUID, and enforce it in the shadow pagetables. Set the
+ maximum witth to 32 for guests where this truncation could occur.
+
+ This is XSA-173.
+
+ Signed-off-by: Tim Deegan
+ Signed-off-by: Jan Beulich
+
+Reported-by: Ling Liu
+diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
+index 35ef21b..528c283 100644
+--- a/xen/arch/x86/cpu/common.c
++++ b/xen/arch/x86/cpu/common.c
+@@ -38,6 +38,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
+ const struct cpu_dev *__read_mostly cpu_devs[X86_VENDOR_NUM] = {};
+
+ unsigned int paddr_bits __read_mostly = 36;
++unsigned int hap_paddr_bits __read_mostly = 36;
+
+ /*
+ * Default host IA32_CR_PAT value to cover all memory types.
+@@ -211,7 +212,7 @@ static void __init early_cpu_detect(void)
+
+ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
+ {
+- u32 tfms, capability, excap, ebx;
++ u32 tfms, capability, excap, ebx, eax;
+
+ /* Get vendor name */
+ cpuid(0x00000000, &c->cpuid_level,
+@@ -248,8 +249,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
+ }
+ if ( c->extended_cpuid_level >= 0x80000004 )
+ get_model_name(c); /* Default name */
+- if ( c->extended_cpuid_level >= 0x80000008 )
+- paddr_bits = cpuid_eax(0x80000008) & 0xff;
++ if ( c->extended_cpuid_level >= 0x80000008 ) {
++ eax = cpuid_eax(0x80000008);
++ paddr_bits = eax & 0xff;
++ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits;
++ }
+ }
+
+ /* Might lift BIOS max_leaf=3 limit. */
+diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
+index e200aab..0b4d9f0 100644
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4567,8 +4567,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
+ break;
+
+ case 0x80000008:
+- count = cpuid_eax(0x80000008);
+- count = (count >> 16) & 0xff ?: count & 0xff;
++ count = d->arch.paging.gfn_bits + PAGE_SHIFT;
+ if ( (*eax & 0xff) > count )
+ *eax = (*eax & ~0xff) | count;
+
+diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
+index 773454d..06543d3 100644
+--- a/xen/arch/x86/mm/guest_walk.c
++++ b/xen/arch/x86/mm/guest_walk.c
+@@ -93,6 +93,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn,
+ struct page_info *page;
+ void *map;
+
++ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits )
++ {
++ *rc = _PAGE_INVALID_BIT;
++ return NULL;
++ }
++
+ /* Translate the gfn, unsharing if shared */
+ page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL,
+ q);
+@@ -326,20 +332,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
+ flags &= ~_PAGE_PAT;
+
+ if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 )
+- {
+-#if GUEST_PAGING_LEVELS == 2
+- /*
+- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a
+- * no-op here.
+- *
+- * Architecturally, the walk should fail if bit 21 is set (others
+- * aren't being checked at least in PSE36 mode), but we'll ignore
+- * this here in order to avoid specifying a non-natural, non-zero
+- * _PAGE_INVALID_BITS value just for that case.
+- */
+-#endif
+ rc |= _PAGE_INVALID_BITS;
+- }
++
+ /* Increment the pfn by the right number of 4k pages.
+ * Mask out PAT and invalid bits. */
+ start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) +
+@@ -422,5 +416,11 @@ set_ad:
+ put_page(mfn_to_page(mfn_x(gw->l1mfn)));
+ }
+
++ /* If this guest has a restricted physical address space then the
++ * target GFN must fit within it. */
++ if ( !(rc & _PAGE_PRESENT)
++ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits )
++ rc |= _PAGE_INVALID_BITS;
++
+ return rc;
+ }
+diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
+index 6eb2167..f3475c6 100644
+--- a/xen/arch/x86/mm/hap/hap.c
++++ b/xen/arch/x86/mm/hap/hap.c
+@@ -448,6 +448,8 @@ void hap_domain_init(struct domain *d)
+ {
+ INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist);
+
++ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT;
++
+ /* Use HAP logdirty mechanism. */
+ paging_log_dirty_init(d, hap_enable_log_dirty,
+ hap_disable_log_dirty,
+diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
+index bad8360..98d0d2c 100644
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -51,6 +51,16 @@ int shadow_domain_init(struct domain *d, unsigned int domcr_flags)
+ INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist);
+ INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows);
+
++ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT;
++#ifndef CONFIG_BIGMEM
++ /*
++ * Shadowed superpages store GFNs in 32-bit page_info fields.
++ * Note that we cannot use guest_supports_superpages() here.
++ */
++ if ( !is_pv_domain(d) || opt_allow_superpage )
++ d->arch.paging.gfn_bits = 32;
++#endif
++
+ /* Use shadow pagetables for log-dirty support */
+ paging_log_dirty_init(d, sh_enable_log_dirty,
+ sh_disable_log_dirty, sh_clean_dirty_bitmap);
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index 43c9488..71477fe 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -525,7 +525,8 @@ _sh_propagate(struct vcpu *v,
+ ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
+
+ /* Check there's something for the shadows to map to */
+- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) )
++ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt))
++ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits )
+ {
+ *sp = shadow_l1e_empty();
+ goto done;
+diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
+index c6c6e71..74c3a52 100644
+--- a/xen/include/asm-x86/domain.h
++++ b/xen/include/asm-x86/domain.h
+@@ -193,6 +193,9 @@ struct paging_domain {
+ /* log dirty support */
+ struct log_dirty_domain log_dirty;
+
++ /* Number of valid bits in a gfn. */
++ unsigned int gfn_bits;
++
+ /* preemption handling */
+ struct {
+ const struct domain *dom;
+diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h
+index f8a0d76..b5db401 100644
+--- a/xen/include/asm-x86/guest_pt.h
++++ b/xen/include/asm-x86/guest_pt.h
+@@ -210,15 +210,17 @@ guest_supports_nx(struct vcpu *v)
+ }
+
+
+-/* Some bits are invalid in any pagetable entry. */
+-#if GUEST_PAGING_LEVELS == 2
+-#define _PAGE_INVALID_BITS (0)
+-#elif GUEST_PAGING_LEVELS == 3
+-#define _PAGE_INVALID_BITS \
+- get_pte_flags(((1ull<<63) - 1) & ~((1ull<