public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Tomáš Mózes" <hydrapolic@gmail.com>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/xen-upstream-patches:main commit in: /
Date: Wed, 18 Oct 2023 18:31:30 +0000 (UTC)	[thread overview]
Message-ID: <1697653808.ffe00bc5becaed2dbaed9fdcadb6eea0bd4f9dd4.hydrapolic@gentoo> (raw)

commit:     ffe00bc5becaed2dbaed9fdcadb6eea0bd4f9dd4
Author:     Tomáš Mózes <hydrapolic <AT> gmail <DOT> com>
AuthorDate: Wed Oct 18 18:30:08 2023 +0000
Commit:     Tomáš Mózes <hydrapolic <AT> gmail <DOT> com>
CommitDate: Wed Oct 18 18:30:08 2023 +0000
URL:        https://gitweb.gentoo.org/proj/xen-upstream-patches.git/commit/?id=ffe00bc5

Xen 4.17.3-pre-patchset-0

Signed-off-by: Tomáš Mózes <hydrapolic <AT> gmail.com>

 0001-update-Xen-version-to-4.17.1-pre.patch        | 136 ------
 0001-update-Xen-version-to-4.17.3-pre.patch        |  25 +
 ...ild-with-old-gcc-after-CPU-policy-changes.patch |  84 ++++
 ...not-release-irq-until-all-cleanup-is-done.patch |  90 ----
 ...EN_LIB_DIR-to-store-bootloader-from-pygru.patch |  45 ++
 ...not-forward-MADT-Local-APIC-NMI-structure.patch | 103 ----
 0004-build-define-ARCH-and-SRCARCH-later.patch     |  67 +++
 ...-t-mark-external-IRQs-as-pending-when-vLA.patch |  71 ---
 ...remove-TARGET_SUBARCH-a-duplicate-of-ARCH.patch |  50 ++
 ...n-don-t-mark-IRQ-vectors-as-pending-when-.patch |  60 ---
 ...remove-TARGET_ARCH-a-duplicate-of-SRCARCH.patch | 123 +++++
 ...-t-mark-evtchn-upcall-vector-as-pending-w.patch |  70 ---
 ...ate-XEN_BUILD_-and-XEN_DOMAIN-immediately.patch |  58 +++
 ...roadcast-accept-partial-broadcast-success.patch |  34 --
 ...valuate-XEN_COMPILE_ARCH-and-XEN_OS-immed.patch |  50 ++
 ...cate-the-ESRT-when-booting-via-multiboot2.patch | 195 --------
 ...prevent-overflow-with-high-frequency-TSCs.patch |  34 --
 ...ork-wrapping-of-libc-functions-in-test-an.patch | 245 ++++++++++
 0010-rombios-Work-around-GCC-issue-99578.patch     |  43 ++
 ...tored-Fix-incorrect-scope-after-an-if-sta.patch |  52 --
 0011-rombios-Avoid-using-K-R-function-syntax.patch |  74 +++
 ...-evtchn-OCaml-5-support-fix-potential-res.patch |  68 ---
 0012-rombios-Remove-the-use-of-egrep.patch         |  34 ++
 ...l-evtchn-Add-binding-for-xenevtchn_fdopen.patch |  81 ----
 0013-CI-Resync-FreeBSD-config-with-staging.patch   |  62 +++
 ...-evtchn-Extend-the-init-binding-with-a-cl.patch |  90 ----
 0014-tools-oxenstored-Style-fixes-to-Domain.patch  |  64 ---
 ...-Fix-Wsingle-bit-bitfield-constant-conver.patch |  43 ++
 ...tored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch |  82 ----
 0015-xen-vcpu-ignore-VCPU_SSHOTTMR_future.patch    | 143 ++++++
 ...tored-Rename-some-port-variables-to-remot.patch | 144 ------
 0016-x86-head-check-base-address-alignment.patch   |  85 ++++
 ...oxenstored-Implement-Domain.rebind_evtchn.patch |  67 ---
 ...e-Handle-start-of-day-RUNNING-transitions.patch | 275 +++++++++++
 ...tored-Rework-Domain-evtchn-handling-to-us.patch | 209 --------
 ...sanitize-IO-APIC-pins-before-enabling-lap.patch | 113 +++++
 ...tored-Keep-dev-xen-evtchn-open-across-liv.patch | 367 --------------
 ...-x86-ioapic-add-a-raw-field-to-RTE-struct.patch | 147 ++++++
 ...tored-Log-live-update-issues-at-warning-l.patch |  42 --
 ...RTE-modifications-must-use-ioapic_write_e.patch | 180 +++++++
 ...ename-io_apic_read_remap_rte-local-variab.patch |  64 +++
 ...oxenstored-Set-uncaught-exception-handler.patch |  83 ----
 ...tored-syslog-Avoid-potential-NULL-derefer.patch |  55 ---
 ...ass-full-IO-APIC-RTE-for-remapping-table-.patch | 462 ++++++++++++++++++
 0023-build-correct-gas-noexecstack-check.patch     |  34 ++
 ...tored-Render-backtraces-more-nicely-in-Sy.patch |  83 ----
 ...s-xenstore-simplify-loop-handling-connect.patch | 136 ------
 ...tly-correct-JSON-generation-of-CPU-policy.patch |  38 ++
 0025-tboot-Disable-CET-at-shutdown.patch           |  53 ++
 ...-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch |  36 --
 ...uild-with-recent-QEMU-use-enable-trace-ba.patch |  50 --
 ...-valid-condition-in-svm_get_pending_event.patch |  29 ++
 ...pat-produce-stubs-for-headers-not-otherwi.patch |  74 ---
 ...ert-x86-VMX-sanitize-rIP-before-re-enteri.patch | 100 ++++
 ...ix-reporting-of-spurious-i8259-interrupts.patch |  41 ++
 ...culate-model-specific-LBRs-once-at-start-.patch | 342 -------------
 ...pport-for-CPUs-without-model-specific-LBR.patch |  83 ----
 ...e-Handle-cache-flush-of-an-element-at-the.patch | 111 +++++
 ...end-Zenbleed-check-to-models-good-ucode-i.patch |  48 ++
 ...fix-PAE-check-for-top-level-table-unshado.patch |  39 --
 ...uilding-flask-headers-before-descending-i.patch |  50 --
 ...rl-Fix-confusion-between-SPEC_CTRL_EXIT_T.patch |  74 +++
 ...x-an-incorrect-assignment-to-uart-io_size.patch |  34 --
 ...rl-Fold-DO_SPEC_CTRL_EXIT_TO_XEN-into-it-.patch |  85 ++++
 0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch |  72 ---
 ...rl-Turn-the-remaining-SPEC_CTRL_-ENTRY-EX.patch |  83 ++++
 ...-xenctrl-Make-domain_getinfolist-tail-rec.patch |  71 ---
 ...rl-Improve-all-SPEC_CTRL_-ENTER-EXIT-_-co.patch | 106 ++++
 ...-xenctrl-Use-larger-chunksize-in-domain_g.patch |  41 --
 ...djust-restore_all_xen-to-hold-stack_end-i.patch |  74 +++
 ...aml-xb-mmap-Use-Data_abstract_val-wrapper.patch |  75 ---
 ...rack-the-IST-ness-of-an-entry-for-the-exi.patch | 109 +++++
 0037-tools-ocaml-xb-Drop-Xs_ring.write.patch       |  62 ---
 ...ec-ctrl-Issue-VERW-during-IST-exit-to-Xen.patch |  89 ++++
 ...tored-validate-config-file-before-live-up.patch | 131 -----
 ...md-Introduce-is_zen-1-2-_uarch-predicates.patch |  91 ++++
 ...l-libs-Don-t-declare-stubs-as-taking-void.patch |  61 ---
 ...6-spec-ctrl-Mitigate-the-Zen1-DIV-leakage.patch | 228 +++++++++
 ...-libs-Allocate-the-correct-amount-of-memo.patch |  80 ---
 ...defer-releasing-of-PV-s-top-level-shadow-.patch | 455 +++++++++++++++++
 ...-evtchn-Don-t-reference-Custom-objects-wi.patch | 213 --------
 ...ored-domain_entry_fix-Handle-conflicting-.patch |  64 +++
 ...-vi-flush-IOMMU-TLB-when-flushing-the-DTE.patch | 186 +++++++
 ...-xc-Fix-binding-for-xc_domain_assign_devi.patch |  70 ---
 0043-libfsimage-xfs-Remove-dead-code.patch         |  71 +++
 ...-xc-Don-t-reference-Abstract_Tag-objects-.patch |  76 ---
 ...-xfs-Amend-mask32lo-to-allow-the-value-32.patch |  33 ++
 ...-libs-Fix-memory-resource-leaks-with-caml.patch |  61 ---
 ...xfs-Sanity-check-the-superblock-during-mo.patch | 137 ++++++
 ...rl-Mitigate-Cross-Thread-Return-Address-P.patch | 120 -----
 ...Remove-clang-8-from-Debian-unstable-conta.patch |  84 ----
 ...-xfs-Add-compile-time-check-to-libfsimage.patch |  62 +++
 ...ix-parallel-build-between-flex-bison-and-.patch |  50 --
 ...tools-pygrub-Remove-unnecessary-hypercall.patch |  60 +++
 0048-tools-pygrub-Small-refactors.patch            |  65 +++
 ...uid-Infrastructure-for-leaves-7-1-ecx-edx.patch | 126 -----
 ...ools-pygrub-Open-the-output-files-earlier.patch | 105 ++++
 ...isable-CET-SS-on-parts-susceptible-to-fra.patch | 195 --------
 ...pect-credit2_runqueue-all-when-arranging-.patch |  69 ---
 ...image-Export-a-new-function-to-preload-al.patch | 126 +++++
 0051-build-make-FILE-symbol-paths-consistent.patch |  42 --
 0051-tools-pygrub-Deprivilege-pygrub.patch         | 307 ++++++++++++
 ...upport-for-running-bootloader-in-restrict.patch | 251 ++++++++++
 ...MD-apply-the-patch-early-on-every-logical.patch | 154 ------
 ...t-bootloader-execution-in-restricted-mode.patch | 158 ++++++
 ...-mem_sharing-teardown-before-paging-teard.patch | 111 -----
 ...-asymmetry-with-AMD-DR-MASK-context-switc.patch | 104 ++++
 ...Work-around-Clang-IAS-macro-expansion-bug.patch | 109 -----
 ...ect-the-auditing-of-guest-breakpoint-addr.patch |  86 ++++
 ...ng-Wunicode-diagnostic-when-building-asm-.patch |  83 ----
 ...KG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch |  91 ----
 ...Fix-resource-leaks-in-xc_core_arch_map_p2.patch |  65 ---
 ...Fix-leak-on-realloc-failure-in-backup_pte.patch |  56 ---
 ...MD-late-load-the-patch-on-every-logical-t.patch |  90 ----
 ...account-for-log-dirty-mode-when-pre-alloc.patch |  92 ----
 ...nd-number-of-pinned-cache-attribute-regio.patch |  50 --
 ...ialize-pinned-cache-attribute-list-manipu.patch | 126 -----
 ...rl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch |  56 ---
 ...lement-VMExit-based-guest-Bus-Lock-detect.patch | 175 -------
 ...troduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch | 102 ----
 0066-x86-vmx-implement-Notify-VM-Exit.patch        | 243 ----------
 ...python-change-s-size-type-for-Python-3.10.patch |  72 ---
 ...s-xenmon-Fix-xenmon.py-for-with-python3.x.patch |  54 ---
 ...rl-Add-BHI-controls-to-userspace-componen.patch |  51 --
 ...arking-fix-build-with-gcc12-and-NR_CPUS-1.patch |  95 ----
 ...help-gcc13-to-avoid-it-emitting-a-warning.patch | 129 -----
 0072-VT-d-constrain-IGD-check.patch                |  44 --
 0073-bunzip-work-around-gcc13-warning.patch        |  42 --
 0074-libacpi-fix-PCI-hotplug-AML.patch             |  57 ---
 ...ithout-XT-x2APIC-needs-to-be-forced-into-.patch |  42 --
 ...mmu-no-igfx-if-the-IOMMU-scope-contains-f.patch |  44 --
 ...fix-and-improve-sh_page_has_multiple_shad.patch |  47 --
 ...Fix-evaluate_nospec-code-generation-under.patch | 101 ----
 ...x86-shadow-Fix-build-with-no-PG_log_dirty.patch |  56 ---
 ...-t-spuriously-crash-the-domain-when-INIT-.patch |  51 --
 ...6-ucode-Fix-error-paths-control_thread_fn.patch |  56 ---
 ...-t-mention-stub-headers-more-than-once-in.patch |  37 --
 ...andle-accesses-adjacent-to-the-MSI-X-tabl.patch | 540 ---------------------
 ...rect-name-value-pair-parsing-for-PCI-port.patch |  59 ---
 0085-CI-Drop-automation-configs.patch              |  87 ----
 ...Switch-arm32-cross-builds-to-run-on-arm64.patch |  87 ----
 ...n-Remove-CentOS-7.2-containers-and-builds.patch | 145 ------
 ...mation-Remove-non-debug-x86_32-build-jobs.patch |  67 ---
 ...-llvm-8-from-the-Debian-Stretch-container.patch | 103 ----
 info.txt                                           |   6 +-
 145 files changed, 6138 insertions(+), 8495 deletions(-)

diff --git a/0001-update-Xen-version-to-4.17.1-pre.patch b/0001-update-Xen-version-to-4.17.1-pre.patch
deleted file mode 100644
index 1d1bb53..0000000
--- a/0001-update-Xen-version-to-4.17.1-pre.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 0b999fa2eadaeff840a8331b87f1f73abf3b14eb Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 20 Dec 2022 13:40:38 +0100
-Subject: [PATCH 01/89] update Xen version to 4.17.1-pre
-
----
- MAINTAINERS  | 92 +++++-----------------------------------------------
- xen/Makefile |  2 +-
- 2 files changed, 10 insertions(+), 84 deletions(-)
-
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 175f10f33f..ebb908cc37 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -54,6 +54,15 @@ list. Remember to copy the appropriate stable branch maintainer who
- will be listed in this section of the MAINTAINERS file in the
- appropriate branch.
- 
-+The maintainer for this branch is:
-+
-+	Jan Beulich <jbeulich@suse.com>
-+
-+Tools backport requests should also be copied to:
-+
-+       Anthony Perard <anthony.perard@citrix.com>
-+
-+
- 	Unstable Subsystem Maintainers
- 	==============================
- 
-@@ -104,89 +113,6 @@ Descriptions of section entries:
- 	   xen-maintainers-<version format number of this file>
- 
- 
--	Check-in policy
--	===============
--
--In order for a patch to be checked in, in general, several conditions
--must be met:
--
--1. In order to get a change to a given file committed, it must have
--   the approval of at least one maintainer of that file.
--
--   A patch of course needs Acks from the maintainers of each file that
--   it changes; so a patch which changes xen/arch/x86/traps.c,
--   xen/arch/x86/mm/p2m.c, and xen/arch/x86/mm/shadow/multi.c would
--   require an Ack from each of the three sets of maintainers.
--
--   See below for rules on nested maintainership.
--
--2. It must have appropriate approval from someone other than the
--   submitter.  This can be either:
--
--  a. An Acked-by from a maintainer of the code being touched (a
--     co-maintainer if available, or a more general level maintainer if
--     not available; see the secton on nested maintainership)
--
--  b. A Reviewed-by by anyone of suitable stature in the community
--
--3. Sufficient time must have been given for anyone to respond.  This
--   depends in large part upon the urgency and nature of the patch.
--   For a straightforward uncontroversial patch, a day or two may be
--   sufficient; for a controversial patch, a week or two may be better.
--
--4. There must be no "open" objections.
--
--In a case where one person submits a patch and a maintainer gives an
--Ack, the Ack stands in for both the approval requirement (#1) and the
--Acked-by-non-submitter requirement (#2).
--
--In a case where a maintainer themselves submits a patch, the
--Signed-off-by meets the approval requirement (#1); so a Review
--from anyone in the community suffices for requirement #2.
--
--Before a maintainer checks in their own patch with another community
--member's R-b but no co-maintainer Ack, it is especially important to
--give their co-maintainer opportunity to give feedback, perhaps
--declaring their intention to check it in without their co-maintainers
--ack a day before doing so.
--
--Maintainers may choose to override non-maintainer objections in the
--case that consensus can't be reached.
--
--As always, no policy can cover all possible situations.  In
--exceptional circumstances, committers may commit a patch in absence of
--one or more of the above requirements, if they are reasonably
--confident that the other maintainers will approve of their decision in
--retrospect.
--
--       The meaning of nesting
--       ======================
--
--Many maintainership areas are "nested": for example, there are entries
--for xen/arch/x86 as well as xen/arch/x86/mm, and even
--xen/arch/x86/mm/shadow; and there is a section at the end called "THE
--REST" which lists all committers.  The meaning of nesting is that:
--
--1. Under normal circumstances, the Ack of the most specific maintainer
--is both necessary and sufficient to get a change to a given file
--committed.  So a change to xen/arch/x86/mm/shadow/multi.c requires the
--the Ack of the xen/arch/x86/mm/shadow maintainer for that part of the
--patch, but would not require the Ack of the xen/arch/x86 maintainer or
--the xen/arch/x86/mm maintainer.
--
--2. In unusual circumstances, a more general maintainer's Ack can stand
--in for or even overrule a specific maintainer's Ack.  Unusual
--circumstances might include:
-- - The patch is fixing a high-priority issue causing immediate pain,
-- and the more specific maintainer is not available.
-- - The more specific maintainer has not responded either to the
-- original patch, nor to "pings", within a reasonable amount of time.
-- - The more general maintainer wants to overrule the more specific
-- maintainer on some issue. (This should be exceptional.)
-- - In the case of a disagreement between maintainers, THE REST can
-- settle the matter by majority vote.  (This should be very exceptional
-- indeed.)
--
- 
- Maintainers List (try to look for most precise areas first)
- 
-diff --git a/xen/Makefile b/xen/Makefile
-index d7102a3b47..dcedfbc38e 100644
---- a/xen/Makefile
-+++ b/xen/Makefile
-@@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST))
- # All other places this is stored (eg. compile.h) should be autogenerated.
- export XEN_VERSION       = 4
- export XEN_SUBVERSION    = 17
--export XEN_EXTRAVERSION ?= .0$(XEN_VENDORVERSION)
-+export XEN_EXTRAVERSION ?= .1-pre$(XEN_VENDORVERSION)
- export XEN_FULLVERSION   = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
- -include xen-version
- 
--- 
-2.40.0
-

diff --git a/0001-update-Xen-version-to-4.17.3-pre.patch b/0001-update-Xen-version-to-4.17.3-pre.patch
new file mode 100644
index 0000000..1be1cd1
--- /dev/null
+++ b/0001-update-Xen-version-to-4.17.3-pre.patch
@@ -0,0 +1,25 @@
+From 2f337a04bfc2dda794ae0fc108577ec72932f83b Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 21 Aug 2023 15:52:13 +0200
+Subject: [PATCH 01/55] update Xen version to 4.17.3-pre
+
+---
+ xen/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index fbada570b8..f6005bd536 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST))
+ # All other places this is stored (eg. compile.h) should be autogenerated.
+ export XEN_VERSION       = 4
+ export XEN_SUBVERSION    = 17
+-export XEN_EXTRAVERSION ?= .2$(XEN_VENDORVERSION)
++export XEN_EXTRAVERSION ?= .3-pre$(XEN_VENDORVERSION)
+ export XEN_FULLVERSION   = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
+ -include xen-version
+ 
+-- 
+2.42.0
+

diff --git a/0002-x86-fix-build-with-old-gcc-after-CPU-policy-changes.patch b/0002-x86-fix-build-with-old-gcc-after-CPU-policy-changes.patch
new file mode 100644
index 0000000..1b62572
--- /dev/null
+++ b/0002-x86-fix-build-with-old-gcc-after-CPU-policy-changes.patch
@@ -0,0 +1,84 @@
+From 7d8897984927a51495e9a1b827aa4bce1d779b87 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 21 Aug 2023 15:53:17 +0200
+Subject: [PATCH 02/55] x86: fix build with old gcc after CPU policy changes
+
+Old gcc won't cope with initializers involving unnamed struct/union
+fields.
+
+Fixes: 441b1b2a50ea ("x86/emul: Switch x86_emulate_ctxt to cpu_policy")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: 768846690d64bc730c1a1123e8de3af731bb2eb3
+master date: 2023-04-19 11:02:47 +0200
+---
+ tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 4 +++-
+ xen/arch/x86/pv/emul-priv-op.c                  | 4 +++-
+ xen/arch/x86/pv/ro-page-fault.c                 | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+index 4885a68210..eeeb6931f4 100644
+--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
++++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+@@ -893,12 +893,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
+     struct x86_emulate_ctxt ctxt = {
+         .data = &state,
+         .regs = &input.regs,
+-        .cpu_policy = &cp,
+         .addr_size = 8 * sizeof(void *),
+         .sp_size = 8 * sizeof(void *),
+     };
+     int rc;
+ 
++    /* Not part of the initializer, for old gcc to cope. */
++    ctxt.cpu_policy = &cp;
++
+     /* Reset all global state variables */
+     memset(&input, 0, sizeof(input));
+ 
+diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
+index 04416f1979..2c94beb10e 100644
+--- a/xen/arch/x86/pv/emul-priv-op.c
++++ b/xen/arch/x86/pv/emul-priv-op.c
+@@ -1327,12 +1327,14 @@ int pv_emulate_privileged_op(struct cpu_user_regs *regs)
+     struct domain *currd = curr->domain;
+     struct priv_op_ctxt ctxt = {
+         .ctxt.regs = regs,
+-        .ctxt.cpu_policy = currd->arch.cpu_policy,
+         .ctxt.lma = !is_pv_32bit_domain(currd),
+     };
+     int rc;
+     unsigned int eflags, ar;
+ 
++    /* Not part of the initializer, for old gcc to cope. */
++    ctxt.ctxt.cpu_policy = currd->arch.cpu_policy;
++
+     if ( !pv_emul_read_descriptor(regs->cs, curr, &ctxt.cs.base,
+                                   &ctxt.cs.limit, &ar, 1) ||
+          !(ar & _SEGMENT_S) ||
+diff --git a/xen/arch/x86/pv/ro-page-fault.c b/xen/arch/x86/pv/ro-page-fault.c
+index 0d02c7d2ab..f23ad5d184 100644
+--- a/xen/arch/x86/pv/ro-page-fault.c
++++ b/xen/arch/x86/pv/ro-page-fault.c
+@@ -356,7 +356,6 @@ int pv_ro_page_fault(unsigned long addr, struct cpu_user_regs *regs)
+     unsigned int addr_size = is_pv_32bit_domain(currd) ? 32 : BITS_PER_LONG;
+     struct x86_emulate_ctxt ctxt = {
+         .regs      = regs,
+-        .cpu_policy = currd->arch.cpu_policy,
+         .addr_size = addr_size,
+         .sp_size   = addr_size,
+         .lma       = addr_size > 32,
+@@ -364,6 +363,9 @@ int pv_ro_page_fault(unsigned long addr, struct cpu_user_regs *regs)
+     int rc;
+     bool mmio_ro;
+ 
++    /* Not part of the initializer, for old gcc to cope. */
++    ctxt.cpu_policy = currd->arch.cpu_policy;
++
+     /* Attempt to read the PTE that maps the VA being accessed. */
+     pte = guest_get_eff_kern_l1e(addr);
+ 
+-- 
+2.42.0
+

diff --git a/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch b/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch
deleted file mode 100644
index 1c7a13d..0000000
--- a/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 9cbc04a95f8a7f7cc27901211cbe19a42850c4ed Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Tue, 20 Dec 2022 13:43:04 +0100
-Subject: [PATCH 02/89] x86/irq: do not release irq until all cleanup is done
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Current code in _clear_irq_vector() will mark the irq as unused before
-doing the cleanup required when move_in_progress is true.
-
-This can lead to races in create_irq() if the function picks an irq
-desc that's been marked as unused but has move_in_progress set, as the
-call to assign_irq_vector() in that function can then fail with
--EAGAIN.
-
-Prevent that by only marking irq descs as unused when all the cleanup
-has been done.  While there also use write_atomic() when setting
-IRQ_UNUSED in _clear_irq_vector() and add a barrier in order to
-prevent the setting of IRQ_UNUSED getting reordered by the compiler.
-
-The check for move_in_progress cannot be removed from
-_assign_irq_vector(), as other users (io_apic_set_pci_routing() and
-ioapic_guest_write()) can still pass active irq descs to
-assign_irq_vector().
-
-Note the trace point is not moved and is now set before the irq is
-marked as unused.  This is done so that the CPU mask provided in the
-trace point is the one belonging to the current vector, not the old
-one.
-
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: e267d11969a40f0aec33dbf966f5a6490b205f43
-master date: 2022-12-02 10:32:21 +0100
----
- xen/arch/x86/irq.c | 31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
-index cd0c8a30a8..20150b1c7f 100644
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -220,27 +220,28 @@ static void _clear_irq_vector(struct irq_desc *desc)
-         clear_bit(vector, desc->arch.used_vectors);
-     }
- 
--    desc->arch.used = IRQ_UNUSED;
--
-     trace_irq_mask(TRC_HW_IRQ_CLEAR_VECTOR, irq, vector, tmp_mask);
- 
--    if ( likely(!desc->arch.move_in_progress) )
--        return;
-+    if ( unlikely(desc->arch.move_in_progress) )
-+    {
-+        /* If we were in motion, also clear desc->arch.old_vector */
-+        old_vector = desc->arch.old_vector;
-+        cpumask_and(tmp_mask, desc->arch.old_cpu_mask, &cpu_online_map);
- 
--    /* If we were in motion, also clear desc->arch.old_vector */
--    old_vector = desc->arch.old_vector;
--    cpumask_and(tmp_mask, desc->arch.old_cpu_mask, &cpu_online_map);
-+        for_each_cpu(cpu, tmp_mask)
-+        {
-+            ASSERT(per_cpu(vector_irq, cpu)[old_vector] == irq);
-+            TRACE_3D(TRC_HW_IRQ_MOVE_FINISH, irq, old_vector, cpu);
-+            per_cpu(vector_irq, cpu)[old_vector] = ~irq;
-+        }
- 
--    for_each_cpu(cpu, tmp_mask)
--    {
--        ASSERT(per_cpu(vector_irq, cpu)[old_vector] == irq);
--        TRACE_3D(TRC_HW_IRQ_MOVE_FINISH, irq, old_vector, cpu);
--        per_cpu(vector_irq, cpu)[old_vector] = ~irq;
--    }
-+        release_old_vec(desc);
- 
--    release_old_vec(desc);
-+        desc->arch.move_in_progress = 0;
-+    }
- 
--    desc->arch.move_in_progress = 0;
-+    smp_wmb();
-+    write_atomic(&desc->arch.used, IRQ_UNUSED);
- }
- 
- void __init clear_irq_vector(int irq)
--- 
-2.40.0
-

diff --git a/0003-libxl-Use-XEN_LIB_DIR-to-store-bootloader-from-pygru.patch b/0003-libxl-Use-XEN_LIB_DIR-to-store-bootloader-from-pygru.patch
new file mode 100644
index 0000000..a395d7a
--- /dev/null
+++ b/0003-libxl-Use-XEN_LIB_DIR-to-store-bootloader-from-pygru.patch
@@ -0,0 +1,45 @@
+From 8d84be5b557b27e9cc53e48285aebad28a48468c Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Mon, 21 Aug 2023 15:53:47 +0200
+Subject: [PATCH 03/55] libxl: Use XEN_LIB_DIR to store bootloader from pygrub
+
+In osstest, the jobs using pygrub on arm64 on the branch linux-linus
+started to fails with:
+    [Errno 28] No space left on device
+    Error writing temporary copy of ramdisk
+
+This is because /var/run is small when dom0 has only 512MB to work
+with, /var/run is only 40MB. The size of both kernel and ramdisk on
+this jobs is now about 42MB, so not enough space in /var/run.
+
+So, to avoid writing a big binary in ramfs, we will use /var/lib
+instead, like we already do when saving the device model state on
+migration.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
+master commit: ad89640ad766d3cb6c92fc8b6406ca6bbab44136
+master date: 2023-08-08 09:45:20 +0200
+---
+ tools/libs/light/libxl_bootloader.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
+index 1bc6e51827..108329b4a5 100644
+--- a/tools/libs/light/libxl_bootloader.c
++++ b/tools/libs/light/libxl_bootloader.c
+@@ -245,8 +245,8 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
+ static void bootloader_setpaths(libxl__gc *gc, libxl__bootloader_state *bl)
+ {
+     uint32_t domid = bl->domid;
+-    bl->outputdir = GCSPRINTF(XEN_RUN_DIR "/bootloader.%"PRIu32".d", domid);
+-    bl->outputpath = GCSPRINTF(XEN_RUN_DIR "/bootloader.%"PRIu32".out", domid);
++    bl->outputdir = GCSPRINTF(XEN_LIB_DIR "/bootloader.%"PRIu32".d", domid);
++    bl->outputpath = GCSPRINTF(XEN_LIB_DIR "/bootloader.%"PRIu32".out", domid);
+ }
+ 
+ /* Callbacks */
+-- 
+2.42.0
+

diff --git a/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch b/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch
deleted file mode 100644
index 47d6997..0000000
--- a/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From b7b34bd66ac77326bb49b10130013b4a9f83e4a2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Tue, 20 Dec 2022 13:43:37 +0100
-Subject: [PATCH 03/89] x86/pvh: do not forward MADT Local APIC NMI structures
- to dom0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently Xen will passthrough any Local APIC NMI Structure found in
-the native ACPI MADT table to a PVH dom0.  This is wrong because PVH
-doesn't have access to the physical local APIC, and instead gets an
-emulated local APIC by Xen, that doesn't have the LINT0 or LINT1
-pins wired to anything.  Furthermore the ACPI Processor UIDs used in
-the APIC NMI Structures are likely to not match the ones generated by
-Xen for the Local x2APIC Structures, creating confusion to dom0.
-
-Fix this by removing the logic to passthrough the Local APIC NMI
-Structure for PVH dom0.
-
-Fixes: 1d74282c45 ('x86: setup PVHv2 Dom0 ACPI tables')
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: b39e6385250ccef9509af0eab9003ad5c1478842
-master date: 2022-12-02 10:33:40 +0100
----
- xen/arch/x86/hvm/dom0_build.c | 34 +---------------------------------
- 1 file changed, 1 insertion(+), 33 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c
-index 1864d048a1..3ac6b7b423 100644
---- a/xen/arch/x86/hvm/dom0_build.c
-+++ b/xen/arch/x86/hvm/dom0_build.c
-@@ -58,9 +58,6 @@
- static unsigned int __initdata acpi_intr_overrides;
- static struct acpi_madt_interrupt_override __initdata *intsrcovr;
- 
--static unsigned int __initdata acpi_nmi_sources;
--static struct acpi_madt_nmi_source __initdata *nmisrc;
--
- static unsigned int __initdata order_stats[MAX_ORDER + 1];
- 
- static void __init print_order_stats(const struct domain *d)
-@@ -763,25 +760,6 @@ static int __init cf_check acpi_set_intr_ovr(
-     return 0;
- }
- 
--static int __init cf_check acpi_count_nmi_src(
--    struct acpi_subtable_header *header, const unsigned long end)
--{
--    acpi_nmi_sources++;
--    return 0;
--}
--
--static int __init cf_check acpi_set_nmi_src(
--    struct acpi_subtable_header *header, const unsigned long end)
--{
--    const struct acpi_madt_nmi_source *src =
--        container_of(header, struct acpi_madt_nmi_source, header);
--
--    *nmisrc = *src;
--    nmisrc++;
--
--    return 0;
--}
--
- static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr)
- {
-     struct acpi_table_madt *madt;
-@@ -797,16 +775,11 @@ static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr)
-     acpi_table_parse_madt(ACPI_MADT_TYPE_INTERRUPT_OVERRIDE,
-                           acpi_count_intr_ovr, UINT_MAX);
- 
--    /* Count number of NMI sources in the MADT. */
--    acpi_table_parse_madt(ACPI_MADT_TYPE_NMI_SOURCE, acpi_count_nmi_src,
--                          UINT_MAX);
--
-     max_vcpus = dom0_max_vcpus();
-     /* Calculate the size of the crafted MADT. */
-     size = sizeof(*madt);
-     size += sizeof(*io_apic) * nr_ioapics;
-     size += sizeof(*intsrcovr) * acpi_intr_overrides;
--    size += sizeof(*nmisrc) * acpi_nmi_sources;
-     size += sizeof(*x2apic) * max_vcpus;
- 
-     madt = xzalloc_bytes(size);
-@@ -862,12 +835,7 @@ static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr)
-     acpi_table_parse_madt(ACPI_MADT_TYPE_INTERRUPT_OVERRIDE, acpi_set_intr_ovr,
-                           acpi_intr_overrides);
- 
--    /* Setup NMI sources. */
--    nmisrc = (void *)intsrcovr;
--    acpi_table_parse_madt(ACPI_MADT_TYPE_NMI_SOURCE, acpi_set_nmi_src,
--                          acpi_nmi_sources);
--
--    ASSERT(((void *)nmisrc - (void *)madt) == size);
-+    ASSERT(((void *)intsrcovr - (void *)madt) == size);
-     madt->header.length = size;
-     /*
-      * Calling acpi_tb_checksum here is a layering violation, but
--- 
-2.40.0
-

diff --git a/0004-build-define-ARCH-and-SRCARCH-later.patch b/0004-build-define-ARCH-and-SRCARCH-later.patch
new file mode 100644
index 0000000..aebcbb7
--- /dev/null
+++ b/0004-build-define-ARCH-and-SRCARCH-later.patch
@@ -0,0 +1,67 @@
+From 1c3927f8f6743538a35aa45a91a2d4adbde9f277 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Wed, 5 Jul 2023 08:25:03 +0200
+Subject: [PATCH 04/55] build: define ARCH and SRCARCH later
+
+Defining ARCH and SRCARCH later in xen/Makefile allows to switch to
+immediate evaluation variable type.
+
+ARCH and SRCARCH depend on value defined in Config.mk and aren't used
+for e.g. TARGET_SUBARCH or TARGET_ARCH, and not before they're needed in
+a sub-make or a rule.
+
+This will help reduce the number of times the shell rune is been
+run.
+
+With GNU make 4.4, the number of execution of the command present in
+these $(shell ) increased greatly. This is probably because as of make
+4.4, exported variable are also added to the environment of $(shell )
+construct.
+
+Also, `make -d` shows a lot of these:
+    Makefile:39: not recursively expanding SRCARCH to export to shell function
+    Makefile:38: not recursively expanding ARCH to export to shell function
+
+Reported-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 58e0a3f3b2c430f8640ef9df67ac857b0008ebc8)
+---
+ xen/Makefile | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index f6005bd536..7ecfa6e8e9 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -35,12 +35,6 @@ MAKEFLAGS += -rR
+ 
+ EFI_MOUNTPOINT ?= $(BOOT_DIR)/efi
+ 
+-ARCH=$(XEN_TARGET_ARCH)
+-SRCARCH=$(shell echo $(ARCH) | \
+-          sed -e 's/x86.*/x86/' -e s'/arm\(32\|64\)/arm/g' \
+-              -e s'/riscv.*/riscv/g')
+-export ARCH SRCARCH
+-
+ # Allow someone to change their config file
+ export KCONFIG_CONFIG ?= .config
+ 
+@@ -241,6 +235,13 @@ include scripts/Kbuild.include
+ include $(XEN_ROOT)/Config.mk
+ 
+ # Set ARCH/SUBARCH appropriately.
++
++ARCH := $(XEN_TARGET_ARCH)
++SRCARCH := $(shell echo $(ARCH) | \
++    sed -e 's/x86.*/x86/' -e 's/arm\(32\|64\)/arm/g' \
++        -e 's/riscv.*/riscv/g')
++export ARCH SRCARCH
++
+ export TARGET_SUBARCH  := $(XEN_TARGET_ARCH)
+ export TARGET_ARCH     := $(shell echo $(XEN_TARGET_ARCH) | \
+                             sed -e 's/x86.*/x86/' -e s'/arm\(32\|64\)/arm/g' \
+-- 
+2.42.0
+

diff --git a/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch b/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch
deleted file mode 100644
index 01dcba8..0000000
--- a/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 54bb56e12868100c5ce06e33b4f57b6b2b8f37b9 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 20 Dec 2022 13:44:07 +0100
-Subject: [PATCH 04/89] x86/HVM: don't mark external IRQs as pending when
- vLAPIC is disabled
-
-In software-disabled state an LAPIC does not accept any interrupt
-requests and hence no IRR bit would newly become set while in this
-state. As a result it is also wrong for us to mark IO-APIC or MSI
-originating vectors as having a pending request when the vLAPIC is in
-this state. Such interrupts are simply lost.
-
-Introduce (IO-APIC) or re-use (MSI) a local variable to help
-readability.
-
-Fixes: 4fe21ad3712e ("This patch add virtual IOAPIC support for VMX guest")
-Fixes: 85715f4bc7c9 ("MSI 5/6: add MSI support to passthrough HVM domain")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: f1d7aac1e3c3cd164e17d41791a575a5c3e87121
-master date: 2022-12-02 10:35:01 +0100
----
- xen/arch/x86/hvm/vioapic.c |  9 +++++++--
- xen/arch/x86/hvm/vmsi.c    | 10 ++++++----
- 2 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
-index cb7f440160..41e3c4d5e4 100644
---- a/xen/arch/x86/hvm/vioapic.c
-+++ b/xen/arch/x86/hvm/vioapic.c
-@@ -460,9 +460,14 @@ static void vioapic_deliver(struct hvm_vioapic *vioapic, unsigned int pin)
- 
-     case dest_Fixed:
-         for_each_vcpu ( d, v )
--            if ( vlapic_match_dest(vcpu_vlapic(v), NULL, 0, dest, dest_mode) )
--                ioapic_inj_irq(vioapic, vcpu_vlapic(v), vector, trig_mode,
-+        {
-+            struct vlapic *vlapic = vcpu_vlapic(v);
-+
-+            if ( vlapic_enabled(vlapic) &&
-+                 vlapic_match_dest(vlapic, NULL, 0, dest, dest_mode) )
-+                ioapic_inj_irq(vioapic, vlapic, vector, trig_mode,
-                                delivery_mode);
-+        }
-         break;
- 
-     case dest_NMI:
-diff --git a/xen/arch/x86/hvm/vmsi.c b/xen/arch/x86/hvm/vmsi.c
-index 75f92885dc..3cd4923060 100644
---- a/xen/arch/x86/hvm/vmsi.c
-+++ b/xen/arch/x86/hvm/vmsi.c
-@@ -87,10 +87,12 @@ int vmsi_deliver(
- 
-     case dest_Fixed:
-         for_each_vcpu ( d, v )
--            if ( vlapic_match_dest(vcpu_vlapic(v), NULL,
--                                   0, dest, dest_mode) )
--                vmsi_inj_irq(vcpu_vlapic(v), vector,
--                             trig_mode, delivery_mode);
-+        {
-+            target = vcpu_vlapic(v);
-+            if ( vlapic_enabled(target) &&
-+                 vlapic_match_dest(target, NULL, 0, dest, dest_mode) )
-+                vmsi_inj_irq(target, vector, trig_mode, delivery_mode);
-+        }
-         break;
- 
-     default:
--- 
-2.40.0
-

diff --git a/0005-build-remove-TARGET_SUBARCH-a-duplicate-of-ARCH.patch b/0005-build-remove-TARGET_SUBARCH-a-duplicate-of-ARCH.patch
new file mode 100644
index 0000000..4f31614
--- /dev/null
+++ b/0005-build-remove-TARGET_SUBARCH-a-duplicate-of-ARCH.patch
@@ -0,0 +1,50 @@
+From 56076ef445073458c39c481f9b70c3b4ff848839 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Wed, 5 Jul 2023 08:27:51 +0200
+Subject: [PATCH 05/55] build: remove TARGET_SUBARCH, a duplicate of ARCH
+
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit a6ab7dd061338c33faef629cbe52ed1608571d84)
+---
+ xen/Makefile | 3 +--
+ xen/build.mk | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index 7ecfa6e8e9..6e89bcf348 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -234,7 +234,7 @@ include scripts/Kbuild.include
+ # we need XEN_TARGET_ARCH to generate the proper config
+ include $(XEN_ROOT)/Config.mk
+ 
+-# Set ARCH/SUBARCH appropriately.
++# Set ARCH/SRCARCH appropriately.
+ 
+ ARCH := $(XEN_TARGET_ARCH)
+ SRCARCH := $(shell echo $(ARCH) | \
+@@ -242,7 +242,6 @@ SRCARCH := $(shell echo $(ARCH) | \
+         -e 's/riscv.*/riscv/g')
+ export ARCH SRCARCH
+ 
+-export TARGET_SUBARCH  := $(XEN_TARGET_ARCH)
+ export TARGET_ARCH     := $(shell echo $(XEN_TARGET_ARCH) | \
+                             sed -e 's/x86.*/x86/' -e s'/arm\(32\|64\)/arm/g' \
+                                 -e s'/riscv.*/riscv/g')
+diff --git a/xen/build.mk b/xen/build.mk
+index 758590c68e..d049d3a53a 100644
+--- a/xen/build.mk
++++ b/xen/build.mk
+@@ -41,7 +41,7 @@ include/xen/compile.h: include/xen/compile.h.in .banner FORCE
+ targets += include/xen/compile.h
+ 
+ -include $(wildcard .asm-offsets.s.d)
+-asm-offsets.s: arch/$(TARGET_ARCH)/$(TARGET_SUBARCH)/asm-offsets.c
++asm-offsets.s: arch/$(TARGET_ARCH)/$(ARCH)/asm-offsets.c
+ 	$(CC) $(call cpp_flags,$(c_flags)) -S -g0 -o $@.new -MQ $@ $<
+ 	$(call move-if-changed,$@.new,$@)
+ 
+-- 
+2.42.0
+

diff --git a/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch b/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch
deleted file mode 100644
index 3086285..0000000
--- a/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5810edc049cd5828c2628a377ca8443610e54f82 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 20 Dec 2022 13:44:38 +0100
-Subject: [PATCH 05/89] x86/Viridian: don't mark IRQ vectors as pending when
- vLAPIC is disabled
-
-In software-disabled state an LAPIC does not accept any interrupt
-requests and hence no IRR bit would newly become set while in this
-state. As a result it is also wrong for us to mark Viridian IPI or timer
-vectors as having a pending request when the vLAPIC is in this state.
-Such interrupts are simply lost.
-
-Introduce a local variable in send_ipi() to help readability.
-
-Fixes: fda96b7382ea ("viridian: add implementation of the HvSendSyntheticClusterIpi hypercall")
-Fixes: 26fba3c85571 ("viridian: add implementation of synthetic timers")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-master commit: 831419f82913417dee4e5b0f80769c5db590540b
-master date: 2022-12-02 10:35:32 +0100
----
- xen/arch/x86/hvm/viridian/synic.c    | 2 +-
- xen/arch/x86/hvm/viridian/viridian.c | 7 ++++++-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/viridian/synic.c b/xen/arch/x86/hvm/viridian/synic.c
-index e18538c60a..856bb898b8 100644
---- a/xen/arch/x86/hvm/viridian/synic.c
-+++ b/xen/arch/x86/hvm/viridian/synic.c
-@@ -359,7 +359,7 @@ bool viridian_synic_deliver_timer_msg(struct vcpu *v, unsigned int sintx,
-     BUILD_BUG_ON(sizeof(payload) > sizeof(msg->u.payload));
-     memcpy(msg->u.payload, &payload, sizeof(payload));
- 
--    if ( !vs->masked )
-+    if ( !vs->masked && vlapic_enabled(vcpu_vlapic(v)) )
-         vlapic_set_irq(vcpu_vlapic(v), vs->vector, 0);
- 
-     return true;
-diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
-index 25dca93e8b..2937ddd3a8 100644
---- a/xen/arch/x86/hvm/viridian/viridian.c
-+++ b/xen/arch/x86/hvm/viridian/viridian.c
-@@ -811,7 +811,12 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
-         cpu_raise_softirq_batch_begin();
- 
-     for_each_vp ( vpmask, vp )
--        vlapic_set_irq(vcpu_vlapic(currd->vcpu[vp]), vector, 0);
-+    {
-+        struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
-+
-+        if ( vlapic_enabled(vlapic) )
-+            vlapic_set_irq(vlapic, vector, 0);
-+    }
- 
-     if ( nr > 1 )
-         cpu_raise_softirq_batch_finish();
--- 
-2.40.0
-

diff --git a/0006-build-remove-TARGET_ARCH-a-duplicate-of-SRCARCH.patch b/0006-build-remove-TARGET_ARCH-a-duplicate-of-SRCARCH.patch
new file mode 100644
index 0000000..9eef37a
--- /dev/null
+++ b/0006-build-remove-TARGET_ARCH-a-duplicate-of-SRCARCH.patch
@@ -0,0 +1,123 @@
+From 36e84ea02e1e8dce8f3a4e9351ab1c72dec3c11e Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Wed, 5 Jul 2023 08:29:49 +0200
+Subject: [PATCH 06/55] build: remove TARGET_ARCH, a duplicate of SRCARCH
+
+The same command is used to generate the value of both $(TARGET_ARCH)
+and $(SRCARCH), as $(ARCH) is an alias for $(XEN_TARGET_ARCH).
+
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit ac27b3beb9b7b423d5563768de890c7594c21b4e)
+---
+ xen/Makefile | 20 ++++++++------------
+ xen/Rules.mk |  2 +-
+ xen/build.mk |  6 +++---
+ 3 files changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index 6e89bcf348..1a3b9a081f 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -242,10 +242,6 @@ SRCARCH := $(shell echo $(ARCH) | \
+         -e 's/riscv.*/riscv/g')
+ export ARCH SRCARCH
+ 
+-export TARGET_ARCH     := $(shell echo $(XEN_TARGET_ARCH) | \
+-                            sed -e 's/x86.*/x86/' -e s'/arm\(32\|64\)/arm/g' \
+-                                -e s'/riscv.*/riscv/g')
+-
+ export CONFIG_SHELL := $(SHELL)
+ export CC CXX LD NM OBJCOPY OBJDUMP ADDR2LINE
+ export YACC = $(if $(BISON),$(BISON),bison)
+@@ -262,7 +258,7 @@ export XEN_TREEWIDE_CFLAGS := $(CFLAGS)
+ ifneq ($(shell $(CC) --version 2>&1 | head -n 1 | grep clang),)
+ CLANG_FLAGS :=
+ 
+-ifeq ($(TARGET_ARCH),x86)
++ifeq ($(SRCARCH),x86)
+ # The tests to select whether the integrated assembler is usable need to happen
+ # before testing any assembler features, or else the result of the tests would
+ # be stale if the integrated assembler is not used.
+@@ -430,22 +426,22 @@ endif
+ 
+ ifdef building_out_of_srctree
+     CFLAGS += -I$(objtree)/include
+-    CFLAGS += -I$(objtree)/arch/$(TARGET_ARCH)/include
++    CFLAGS += -I$(objtree)/arch/$(SRCARCH)/include
+ endif
+ CFLAGS += -I$(srctree)/include
+-CFLAGS += -I$(srctree)/arch/$(TARGET_ARCH)/include
++CFLAGS += -I$(srctree)/arch/$(SRCARCH)/include
+ 
+ # Note that link order matters!
+ ALL_OBJS-y                := common/built_in.o
+ ALL_OBJS-y                += drivers/built_in.o
+ ALL_OBJS-y                += lib/built_in.o
+ ALL_OBJS-y                += xsm/built_in.o
+-ALL_OBJS-y                += arch/$(TARGET_ARCH)/built_in.o
++ALL_OBJS-y                += arch/$(SRCARCH)/built_in.o
+ ALL_OBJS-$(CONFIG_CRYPTO) += crypto/built_in.o
+ 
+ ALL_LIBS-y                := lib/lib.a
+ 
+-include $(srctree)/arch/$(TARGET_ARCH)/arch.mk
++include $(srctree)/arch/$(SRCARCH)/arch.mk
+ 
+ # define new variables to avoid the ones defined in Config.mk
+ export XEN_CFLAGS := $(CFLAGS)
+@@ -587,11 +583,11 @@ $(TARGET): outputmakefile FORCE
+ 	$(Q)$(MAKE) $(build)=tools
+ 	$(Q)$(MAKE) $(build)=. include/xen/compile.h
+ 	$(Q)$(MAKE) $(build)=include all
+-	$(Q)$(MAKE) $(build)=arch/$(TARGET_ARCH) include
+-	$(Q)$(MAKE) $(build)=. arch/$(TARGET_ARCH)/include/asm/asm-offsets.h
++	$(Q)$(MAKE) $(build)=arch/$(SRCARCH) include
++	$(Q)$(MAKE) $(build)=. arch/$(SRCARCH)/include/asm/asm-offsets.h
+ 	$(Q)$(MAKE) $(build)=. MKRELOC=$(MKRELOC) 'ALL_OBJS=$(ALL_OBJS-y)' 'ALL_LIBS=$(ALL_LIBS-y)' $@
+ 
+-SUBDIRS = xsm arch/$(TARGET_ARCH) common drivers lib test
++SUBDIRS = xsm arch/$(SRCARCH) common drivers lib test
+ define all_sources
+     ( find include -type f -name '*.h' -print; \
+       find $(SUBDIRS) -type f -name '*.[chS]' -print )
+diff --git a/xen/Rules.mk b/xen/Rules.mk
+index 59072ae8df..8af3dd7277 100644
+--- a/xen/Rules.mk
++++ b/xen/Rules.mk
+@@ -180,7 +180,7 @@ cpp_flags = $(filter-out -Wa$(comma)% -flto,$(1))
+ c_flags = -MMD -MP -MF $(depfile) $(XEN_CFLAGS)
+ a_flags = -MMD -MP -MF $(depfile) $(XEN_AFLAGS)
+ 
+-include $(srctree)/arch/$(TARGET_ARCH)/Rules.mk
++include $(srctree)/arch/$(SRCARCH)/Rules.mk
+ 
+ c_flags += $(_c_flags)
+ a_flags += $(_c_flags)
+diff --git a/xen/build.mk b/xen/build.mk
+index d049d3a53a..9ecb104f1e 100644
+--- a/xen/build.mk
++++ b/xen/build.mk
+@@ -41,11 +41,11 @@ include/xen/compile.h: include/xen/compile.h.in .banner FORCE
+ targets += include/xen/compile.h
+ 
+ -include $(wildcard .asm-offsets.s.d)
+-asm-offsets.s: arch/$(TARGET_ARCH)/$(ARCH)/asm-offsets.c
++asm-offsets.s: arch/$(SRCARCH)/$(ARCH)/asm-offsets.c
+ 	$(CC) $(call cpp_flags,$(c_flags)) -S -g0 -o $@.new -MQ $@ $<
+ 	$(call move-if-changed,$@.new,$@)
+ 
+-arch/$(TARGET_ARCH)/include/asm/asm-offsets.h: asm-offsets.s
++arch/$(SRCARCH)/include/asm/asm-offsets.h: asm-offsets.s
+ 	@(set -e; \
+ 	  echo "/*"; \
+ 	  echo " * DO NOT MODIFY."; \
+@@ -87,4 +87,4 @@ endif
+ targets += prelink.o
+ 
+ $(TARGET): prelink.o FORCE
+-	$(Q)$(MAKE) $(build)=arch/$(TARGET_ARCH) $@
++	$(Q)$(MAKE) $(build)=arch/$(SRCARCH) $@
+-- 
+2.42.0
+

diff --git a/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch b/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch
deleted file mode 100644
index 2577f20..0000000
--- a/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 26f39b3d705b667aa21f368c252abffb0b4d3e5d Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 20 Dec 2022 13:45:07 +0100
-Subject: [PATCH 06/89] x86/HVM: don't mark evtchn upcall vector as pending
- when vLAPIC is disabled
-
-Linux'es relatively new use of HVMOP_set_evtchn_upcall_vector has
-exposed a problem with the marking of the respective vector as
-pending: For quite some time Linux has been checking whether any stale
-ISR or IRR bits would still be set while preparing the LAPIC for use.
-This check is now triggering on the upcall vector, as the registration,
-at least for APs, happens before the LAPIC is actually enabled.
-
-In software-disabled state an LAPIC would not accept any interrupt
-requests and hence no IRR bit would newly become set while in this
-state. As a result it is also wrong for us to mark the upcall vector as
-having a pending request when the vLAPIC is in this state.
-
-To compensate for the "enabled" check added to the assertion logic, add
-logic to (conditionally) mark the upcall vector as having a request
-pending at the time the LAPIC is being software-enabled by the guest.
-Note however that, like for the pt_may_unmask_irq() we already have
-there, long term we may need to find a different solution. This will be
-especially relevant in case yet better LAPIC acceleration would
-eliminate notifications of guest writes to this and other registers.
-
-Fixes: 7b5b8ca7dffd ("x86/upcall: inject a spurious event after setting upcall vector")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-master commit: f5d0279839b58cb622f0995dbf9cff056f03082e
-master date: 2022-12-06 13:51:49 +0100
----
- xen/arch/x86/hvm/irq.c    | 5 +++--
- xen/arch/x86/hvm/vlapic.c | 3 +++
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/irq.c b/xen/arch/x86/hvm/irq.c
-index 858ab5b248..d93ffe4546 100644
---- a/xen/arch/x86/hvm/irq.c
-+++ b/xen/arch/x86/hvm/irq.c
-@@ -321,9 +321,10 @@ void hvm_assert_evtchn_irq(struct vcpu *v)
- 
-     if ( v->arch.hvm.evtchn_upcall_vector != 0 )
-     {
--        uint8_t vector = v->arch.hvm.evtchn_upcall_vector;
-+        struct vlapic *vlapic = vcpu_vlapic(v);
- 
--        vlapic_set_irq(vcpu_vlapic(v), vector, 0);
-+        if ( vlapic_enabled(vlapic) )
-+           vlapic_set_irq(vlapic, v->arch.hvm.evtchn_upcall_vector, 0);
-     }
-     else if ( is_hvm_pv_evtchn_domain(v->domain) )
-         vcpu_kick(v);
-diff --git a/xen/arch/x86/hvm/vlapic.c b/xen/arch/x86/hvm/vlapic.c
-index 257d3b6851..eb32f12e2d 100644
---- a/xen/arch/x86/hvm/vlapic.c
-+++ b/xen/arch/x86/hvm/vlapic.c
-@@ -829,6 +829,9 @@ void vlapic_reg_write(struct vcpu *v, unsigned int reg, uint32_t val)
-         {
-             vlapic->hw.disabled &= ~VLAPIC_SW_DISABLED;
-             pt_may_unmask_irq(vlapic_domain(vlapic), &vlapic->pt);
-+            if ( v->arch.hvm.evtchn_upcall_vector &&
-+                 vcpu_info(v, evtchn_upcall_pending) )
-+                vlapic_set_irq(vlapic, v->arch.hvm.evtchn_upcall_vector, 0);
-         }
-         break;
- 
--- 
-2.40.0
-

diff --git a/0007-build-evaluate-XEN_BUILD_-and-XEN_DOMAIN-immediately.patch b/0007-build-evaluate-XEN_BUILD_-and-XEN_DOMAIN-immediately.patch
new file mode 100644
index 0000000..81e5ca4
--- /dev/null
+++ b/0007-build-evaluate-XEN_BUILD_-and-XEN_DOMAIN-immediately.patch
@@ -0,0 +1,58 @@
+From a1f68fb56710c507f9c1ec8e8d784f5b1e4088f1 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Mon, 31 Jul 2023 15:02:18 +0200
+Subject: [PATCH 07/55] build: evaluate XEN_BUILD_* and XEN_DOMAIN immediately
+
+With GNU make 4.4, the number of execution of the command present in
+these $(shell ) increased greatly. This is probably because as of make
+4.4, exported variable are also added to the environment of $(shell )
+construct.
+
+Also, `make -d` shows a lot of these:
+    Makefile:15: not recursively expanding XEN_BUILD_DATE to export to shell function
+    Makefile:16: not recursively expanding XEN_BUILD_TIME to export to shell function
+    Makefile:17: not recursively expanding XEN_BUILD_HOST to export to shell function
+    Makefile:14: not recursively expanding XEN_DOMAIN to export to shell function
+
+So to avoid having these command been run more than necessary, we
+will replace ?= by an equivalent but with immediate expansion.
+
+Reported-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 0c594c1b57ee2ecec5f70826c53a2cf02a9c2acb)
+---
+ xen/Makefile | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index 1a3b9a081f..7bb9de7bdc 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -11,10 +11,18 @@ export XEN_FULLVERSION   = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
+ -include xen-version
+ 
+ export XEN_WHOAMI	?= $(USER)
+-export XEN_DOMAIN	?= $(shell ([ -x /bin/dnsdomainname ] && /bin/dnsdomainname) || ([ -x /bin/domainname ] && /bin/domainname || echo [unknown]))
+-export XEN_BUILD_DATE	?= $(shell LC_ALL=C date)
+-export XEN_BUILD_TIME	?= $(shell LC_ALL=C date +%T)
+-export XEN_BUILD_HOST	?= $(shell hostname)
++ifeq ($(origin XEN_DOMAIN), undefined)
++export XEN_DOMAIN	:= $(shell ([ -x /bin/dnsdomainname ] && /bin/dnsdomainname) || ([ -x /bin/domainname ] && /bin/domainname || echo [unknown]))
++endif
++ifeq ($(origin XEN_BUILD_DATE), undefined)
++export XEN_BUILD_DATE	:= $(shell LC_ALL=C date)
++endif
++ifeq ($(origin XEN_BUILD_TIME), undefined)
++export XEN_BUILD_TIME	:= $(shell LC_ALL=C date +%T)
++endif
++ifeq ($(origin XEN_BUILD_HOST), undefined)
++export XEN_BUILD_HOST	:= $(shell hostname)
++endif
+ 
+ # Best effort attempt to find a python interpreter, defaulting to Python 3 if
+ # available.  Fall back to just `python` if `which` is nowhere to be found.
+-- 
+2.42.0
+

diff --git a/0007-ioreq_broadcast-accept-partial-broadcast-success.patch b/0007-ioreq_broadcast-accept-partial-broadcast-success.patch
deleted file mode 100644
index 654990b..0000000
--- a/0007-ioreq_broadcast-accept-partial-broadcast-success.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c3e37c60fbf8f8cd71db0f0846c9c7aeadf02963 Mon Sep 17 00:00:00 2001
-From: Per Bilse <per.bilse@citrix.com>
-Date: Tue, 20 Dec 2022 13:45:38 +0100
-Subject: [PATCH 07/89] ioreq_broadcast(): accept partial broadcast success
-
-Avoid incorrectly triggering an error when a broadcast buffered ioreq
-is not handled by all registered clients, as long as the failure is
-strictly because the client doesn't handle buffered ioreqs.
-
-Signed-off-by: Per Bilse <per.bilse@citrix.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-master commit: a44734df6c24fadbdb001f051cc5580c467caf7d
-master date: 2022-12-07 12:17:30 +0100
----
- xen/common/ioreq.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c
-index 4617aef29b..ecb8f545e1 100644
---- a/xen/common/ioreq.c
-+++ b/xen/common/ioreq.c
-@@ -1317,7 +1317,8 @@ unsigned int ioreq_broadcast(ioreq_t *p, bool buffered)
- 
-     FOR_EACH_IOREQ_SERVER(d, id, s)
-     {
--        if ( !s->enabled )
-+        if ( !s->enabled ||
-+             (buffered && s->bufioreq_handling == HVM_IOREQSRV_BUFIOREQ_OFF) )
-             continue;
- 
-         if ( ioreq_send(s, p, buffered) == IOREQ_STATUS_UNHANDLED )
--- 
-2.40.0
-

diff --git a/0008-Config.mk-evaluate-XEN_COMPILE_ARCH-and-XEN_OS-immed.patch b/0008-Config.mk-evaluate-XEN_COMPILE_ARCH-and-XEN_OS-immed.patch
new file mode 100644
index 0000000..8a4cb7d
--- /dev/null
+++ b/0008-Config.mk-evaluate-XEN_COMPILE_ARCH-and-XEN_OS-immed.patch
@@ -0,0 +1,50 @@
+From 476d2624ec3cf3e60709580ff1df208bb8f616e2 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Mon, 31 Jul 2023 15:02:34 +0200
+Subject: [PATCH 08/55] Config.mk: evaluate XEN_COMPILE_ARCH and XEN_OS
+ immediately
+
+With GNU make 4.4, the number of execution of the command present in
+these $(shell ) increased greatly. This is probably because as of make
+4.4, exported variable are also added to the environment of $(shell )
+construct.
+
+So to avoid having these command been run more than necessary, we
+will replace ?= by an equivalent but with immediate expansion.
+
+Reported-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit a07414d989cf52e5e84192b78023bee1589bbda4)
+---
+ Config.mk | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/Config.mk b/Config.mk
+index 8bc2bcd5f6..4864033c73 100644
+--- a/Config.mk
++++ b/Config.mk
+@@ -19,13 +19,17 @@ or       = $(if $(strip $(1)),$(1),$(if $(strip $(2)),$(2),$(if $(strip $(3)),$(
+ 
+ -include $(XEN_ROOT)/.config
+ 
+-XEN_COMPILE_ARCH    ?= $(shell uname -m | sed -e s/i.86/x86_32/ \
++ifeq ($(origin XEN_COMPILE_ARCH), undefined)
++XEN_COMPILE_ARCH    := $(shell uname -m | sed -e s/i.86/x86_32/ \
+                          -e s/i86pc/x86_32/ -e s/amd64/x86_64/ \
+                          -e s/armv7.*/arm32/ -e s/armv8.*/arm64/ \
+                          -e s/aarch64/arm64/)
++endif
+ 
+ XEN_TARGET_ARCH     ?= $(XEN_COMPILE_ARCH)
+-XEN_OS              ?= $(shell uname -s)
++ifeq ($(origin XEN_OS), undefined)
++XEN_OS              := $(shell uname -s)
++endif
+ 
+ CONFIG_$(XEN_OS) := y
+ 
+-- 
+2.42.0
+

diff --git a/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch b/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch
deleted file mode 100644
index d1acae6..0000000
--- a/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From 1dcc9b6dfe528c7815a314f9b5581804b5e23750 Mon Sep 17 00:00:00 2001
-From: Demi Marie Obenour <demi@invisiblethingslab.com>
-Date: Tue, 20 Dec 2022 13:46:09 +0100
-Subject: [PATCH 08/89] EFI: relocate the ESRT when booting via multiboot2
-
-This was missed in the initial patchset.
-
-Move efi_relocate_esrt() up to avoid adding a forward declaration.
-
-Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 8d7acf3f7d8d2555c78421dced45bc49f79ae806
-master date: 2022-12-14 12:00:35 +0100
----
- xen/arch/x86/efi/efi-boot.h |   2 +
- xen/common/efi/boot.c       | 136 ++++++++++++++++++------------------
- 2 files changed, 70 insertions(+), 68 deletions(-)
-
-diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h
-index 27f928ed3c..c94e53d139 100644
---- a/xen/arch/x86/efi/efi-boot.h
-+++ b/xen/arch/x86/efi/efi-boot.h
-@@ -823,6 +823,8 @@ void __init efi_multiboot2(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
-     if ( gop )
-         efi_set_gop_mode(gop, gop_mode);
- 
-+    efi_relocate_esrt(SystemTable);
-+
-     efi_exit_boot(ImageHandle, SystemTable);
- }
- 
-diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
-index b3de1011ee..d3c6b055ae 100644
---- a/xen/common/efi/boot.c
-+++ b/xen/common/efi/boot.c
-@@ -625,6 +625,74 @@ static size_t __init get_esrt_size(const EFI_MEMORY_DESCRIPTOR *desc)
-     return esrt_ptr->FwResourceCount * sizeof(esrt_ptr->Entries[0]);
- }
- 
-+static EFI_GUID __initdata esrt_guid = EFI_SYSTEM_RESOURCE_TABLE_GUID;
-+
-+static void __init efi_relocate_esrt(EFI_SYSTEM_TABLE *SystemTable)
-+{
-+    EFI_STATUS status;
-+    UINTN info_size = 0, map_key, mdesc_size;
-+    void *memory_map = NULL;
-+    UINT32 ver;
-+    unsigned int i;
-+
-+    for ( ; ; )
-+    {
-+        status = efi_bs->GetMemoryMap(&info_size, memory_map, &map_key,
-+                                      &mdesc_size, &ver);
-+        if ( status == EFI_SUCCESS && memory_map != NULL )
-+            break;
-+        if ( status == EFI_BUFFER_TOO_SMALL || memory_map == NULL )
-+        {
-+            info_size += 8 * mdesc_size;
-+            if ( memory_map != NULL )
-+                efi_bs->FreePool(memory_map);
-+            memory_map = NULL;
-+            status = efi_bs->AllocatePool(EfiLoaderData, info_size, &memory_map);
-+            if ( status == EFI_SUCCESS )
-+                continue;
-+            PrintErr(L"Cannot allocate memory to relocate ESRT\r\n");
-+        }
-+        else
-+            PrintErr(L"Cannot obtain memory map to relocate ESRT\r\n");
-+        return;
-+    }
-+
-+    /* Try to obtain the ESRT.  Errors are not fatal. */
-+    for ( i = 0; i < info_size; i += mdesc_size )
-+    {
-+        /*
-+         * ESRT needs to be moved to memory of type EfiACPIReclaimMemory
-+         * so that the memory it is in will not be used for other purposes.
-+         */
-+        void *new_esrt = NULL;
-+        const EFI_MEMORY_DESCRIPTOR *desc = memory_map + i;
-+        size_t esrt_size = get_esrt_size(desc);
-+
-+        if ( !esrt_size )
-+            continue;
-+        if ( desc->Type == EfiRuntimeServicesData ||
-+             desc->Type == EfiACPIReclaimMemory )
-+            break; /* ESRT already safe from reuse */
-+        status = efi_bs->AllocatePool(EfiACPIReclaimMemory, esrt_size,
-+                                      &new_esrt);
-+        if ( status == EFI_SUCCESS && new_esrt )
-+        {
-+            memcpy(new_esrt, (void *)esrt, esrt_size);
-+            status = efi_bs->InstallConfigurationTable(&esrt_guid, new_esrt);
-+            if ( status != EFI_SUCCESS )
-+            {
-+                PrintErr(L"Cannot install new ESRT\r\n");
-+                efi_bs->FreePool(new_esrt);
-+            }
-+        }
-+        else
-+            PrintErr(L"Cannot allocate memory for ESRT\r\n");
-+        break;
-+    }
-+
-+    efi_bs->FreePool(memory_map);
-+}
-+
- /*
-  * Include architecture specific implementation here, which references the
-  * static globals defined above.
-@@ -903,8 +971,6 @@ static UINTN __init efi_find_gop_mode(EFI_GRAPHICS_OUTPUT_PROTOCOL *gop,
-     return gop_mode;
- }
- 
--static EFI_GUID __initdata esrt_guid = EFI_SYSTEM_RESOURCE_TABLE_GUID;
--
- static void __init efi_tables(void)
- {
-     unsigned int i;
-@@ -1113,72 +1179,6 @@ static void __init efi_set_gop_mode(EFI_GRAPHICS_OUTPUT_PROTOCOL *gop, UINTN gop
- #define INVALID_VIRTUAL_ADDRESS (0xBAAADUL << \
-                                  (EFI_PAGE_SHIFT + BITS_PER_LONG - 32))
- 
--static void __init efi_relocate_esrt(EFI_SYSTEM_TABLE *SystemTable)
--{
--    EFI_STATUS status;
--    UINTN info_size = 0, map_key, mdesc_size;
--    void *memory_map = NULL;
--    UINT32 ver;
--    unsigned int i;
--
--    for ( ; ; )
--    {
--        status = efi_bs->GetMemoryMap(&info_size, memory_map, &map_key,
--                                      &mdesc_size, &ver);
--        if ( status == EFI_SUCCESS && memory_map != NULL )
--            break;
--        if ( status == EFI_BUFFER_TOO_SMALL || memory_map == NULL )
--        {
--            info_size += 8 * mdesc_size;
--            if ( memory_map != NULL )
--                efi_bs->FreePool(memory_map);
--            memory_map = NULL;
--            status = efi_bs->AllocatePool(EfiLoaderData, info_size, &memory_map);
--            if ( status == EFI_SUCCESS )
--                continue;
--            PrintErr(L"Cannot allocate memory to relocate ESRT\r\n");
--        }
--        else
--            PrintErr(L"Cannot obtain memory map to relocate ESRT\r\n");
--        return;
--    }
--
--    /* Try to obtain the ESRT.  Errors are not fatal. */
--    for ( i = 0; i < info_size; i += mdesc_size )
--    {
--        /*
--         * ESRT needs to be moved to memory of type EfiACPIReclaimMemory
--         * so that the memory it is in will not be used for other purposes.
--         */
--        void *new_esrt = NULL;
--        const EFI_MEMORY_DESCRIPTOR *desc = memory_map + i;
--        size_t esrt_size = get_esrt_size(desc);
--
--        if ( !esrt_size )
--            continue;
--        if ( desc->Type == EfiRuntimeServicesData ||
--             desc->Type == EfiACPIReclaimMemory )
--            break; /* ESRT already safe from reuse */
--        status = efi_bs->AllocatePool(EfiACPIReclaimMemory, esrt_size,
--                                      &new_esrt);
--        if ( status == EFI_SUCCESS && new_esrt )
--        {
--            memcpy(new_esrt, (void *)esrt, esrt_size);
--            status = efi_bs->InstallConfigurationTable(&esrt_guid, new_esrt);
--            if ( status != EFI_SUCCESS )
--            {
--                PrintErr(L"Cannot install new ESRT\r\n");
--                efi_bs->FreePool(new_esrt);
--            }
--        }
--        else
--            PrintErr(L"Cannot allocate memory for ESRT\r\n");
--        break;
--    }
--
--    efi_bs->FreePool(memory_map);
--}
--
- static void __init efi_exit_boot(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
- {
-     EFI_STATUS status;
--- 
-2.40.0
-

diff --git a/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch b/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch
deleted file mode 100644
index a9401d7..0000000
--- a/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a7a26da0b59da7233e6c6f63b180bab131398351 Mon Sep 17 00:00:00 2001
-From: Neowutran <xen@neowutran.ovh>
-Date: Tue, 20 Dec 2022 13:46:38 +0100
-Subject: [PATCH 09/89] x86/time: prevent overflow with high frequency TSCs
-
-Make sure tsc_khz is promoted to a 64-bit type before multiplying by
-1000 to avoid an 'overflow before widen' bug. Otherwise just above
-4.294GHz the value will overflow. Processors with clocks this high are
-now in production and require this to work correctly.
-
-Signed-off-by: Neowutran <xen@neowutran.ovh>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: ad15a0a8ca2515d8ac58edfc0bc1d3719219cb77
-master date: 2022-12-19 11:34:16 +0100
----
- xen/arch/x86/time.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
-index b01acd390d..d882b43cf0 100644
---- a/xen/arch/x86/time.c
-+++ b/xen/arch/x86/time.c
-@@ -2585,7 +2585,7 @@ int tsc_set_info(struct domain *d,
-     case TSC_MODE_ALWAYS_EMULATE:
-         d->arch.vtsc_offset = get_s_time() - elapsed_nsec;
-         d->arch.tsc_khz = gtsc_khz ?: cpu_khz;
--        set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000);
-+        set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000UL);
- 
-         /*
-          * In default mode use native TSC if the host has safe TSC and
--- 
-2.40.0
-

diff --git a/0009-x86emul-rework-wrapping-of-libc-functions-in-test-an.patch b/0009-x86emul-rework-wrapping-of-libc-functions-in-test-an.patch
new file mode 100644
index 0000000..4f9c0bb
--- /dev/null
+++ b/0009-x86emul-rework-wrapping-of-libc-functions-in-test-an.patch
@@ -0,0 +1,245 @@
+From 37f1d68fa34220600f1e4ec82af5da70127757e5 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Fri, 18 Aug 2023 15:04:28 +0200
+Subject: [PATCH 09/55] x86emul: rework wrapping of libc functions in test and
+ fuzzing harnesses
+
+Our present approach is working fully behind the compiler's back. This
+was found to not work with LTO. Employ ld's --wrap= option instead. Note
+that while this makes the build work at least with new enough gcc (it
+doesn't with gcc7, for example, due to tool chain side issues afaict),
+according to my testing things still won't work when building the
+fuzzing harness with afl-cc: While with the gcc7 tool chain I see afl-as
+getting invoked, this does not happen with gcc13. Yet without using that
+assembler wrapper the resulting binary will look uninstrumented to
+afl-fuzz.
+
+While checking the resulting binaries I noticed that we've gained uses
+of snprintf() and strstr(), which only just so happen to not cause any
+problems. Add a wrappers for them as well.
+
+Since we don't have any actual uses of v{,sn}printf(), no definitions of
+their wrappers appear (just yet). But I think we want
+__wrap_{,sn}printf() to properly use __real_v{,sn}printf() right away,
+which means we need delarations of the latter.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit 6fba45ca3be1c5d46cddb1eaf371d9e69550b244)
+---
+ tools/fuzz/x86_instruction_emulator/Makefile |  6 ++-
+ tools/tests/x86_emulator/Makefile            |  4 +-
+ tools/tests/x86_emulator/wrappers.c          | 55 ++++++++++++++------
+ tools/tests/x86_emulator/x86-emulate.h       | 14 +++--
+ 4 files changed, 53 insertions(+), 26 deletions(-)
+
+diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
+index 13aa238503..c83959c847 100644
+--- a/tools/fuzz/x86_instruction_emulator/Makefile
++++ b/tools/fuzz/x86_instruction_emulator/Makefile
+@@ -29,6 +29,8 @@ GCOV_FLAGS := --coverage
+ %-cov.o: %.c
+ 	$(CC) -c $(CFLAGS) $(GCOV_FLAGS) $< -o $@
+ 
++WRAPPED = $(shell sed -n 's,^ *WRAP(\([[:alnum:]_]*\));,\1,p' x86-emulate.h)
++
+ x86-emulate.h: x86_emulate/x86_emulate.h
+ x86-emulate.o x86-emulate-cov.o: x86-emulate.h x86_emulate/x86_emulate.c
+ fuzz-emul.o fuzz-emul-cov.o wrappers.o: x86-emulate.h
+@@ -37,10 +39,10 @@ x86-insn-fuzzer.a: fuzz-emul.o x86-emulate.o cpuid.o
+ 	$(AR) rc $@ $^
+ 
+ afl-harness: afl-harness.o fuzz-emul.o x86-emulate.o cpuid.o wrappers.o
+-	$(CC) $(CFLAGS) $^ -o $@
++	$(CC) $(CFLAGS) $(addprefix -Wl$(comma)--wrap=,$(WRAPPED)) $^ -o $@
+ 
+ afl-harness-cov: afl-harness-cov.o fuzz-emul-cov.o x86-emulate-cov.o cpuid.o wrappers.o
+-	$(CC) $(CFLAGS) $(GCOV_FLAGS) $^ -o $@
++	$(CC) $(CFLAGS) $(GCOV_FLAGS) $(addprefix -Wl$(comma)--wrap=,$(WRAPPED)) $^ -o $@
+ 
+ # Common targets
+ .PHONY: all
+diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
+index bd82598f97..a2fd6607c6 100644
+--- a/tools/tests/x86_emulator/Makefile
++++ b/tools/tests/x86_emulator/Makefile
+@@ -250,8 +250,10 @@ xop.h avx512f.h: simd-fma.c
+ 
+ endif # 32-bit override
+ 
++WRAPPED := $(shell sed -n 's,^ *WRAP(\([[:alnum:]_]*\));,\1,p' x86-emulate.h)
++
+ $(TARGET): x86-emulate.o cpuid.o test_x86_emulator.o evex-disp8.o predicates.o wrappers.o
+-	$(HOSTCC) $(HOSTCFLAGS) -o $@ $^
++	$(HOSTCC) $(HOSTCFLAGS) $(addprefix -Wl$(comma)--wrap=,$(WRAPPED)) -o $@ $^
+ 
+ .PHONY: clean
+ clean:
+diff --git a/tools/tests/x86_emulator/wrappers.c b/tools/tests/x86_emulator/wrappers.c
+index eba7cc93c5..3829a6f416 100644
+--- a/tools/tests/x86_emulator/wrappers.c
++++ b/tools/tests/x86_emulator/wrappers.c
+@@ -1,78 +1,103 @@
+ #include <stdarg.h>
+ 
+-#define WRAP(x) typeof(x) emul_##x
++#define WRAP(x) typeof(x) __wrap_ ## x, __real_ ## x
+ #include "x86-emulate.h"
+ 
+-size_t emul_fwrite(const void *src, size_t sz, size_t n, FILE *f)
++size_t __wrap_fwrite(const void *src, size_t sz, size_t n, FILE *f)
+ {
+     emul_save_fpu_state();
+-    sz = fwrite(src, sz, n, f);
++    sz = __real_fwrite(src, sz, n, f);
+     emul_restore_fpu_state();
+ 
+     return sz;
+ }
+ 
+-int emul_memcmp(const void *p1, const void *p2, size_t sz)
++int __wrap_memcmp(const void *p1, const void *p2, size_t sz)
+ {
+     int rc;
+ 
+     emul_save_fpu_state();
+-    rc = memcmp(p1, p2, sz);
++    rc = __real_memcmp(p1, p2, sz);
+     emul_restore_fpu_state();
+ 
+     return rc;
+ }
+ 
+-void *emul_memcpy(void *dst, const void *src, size_t sz)
++void *__wrap_memcpy(void *dst, const void *src, size_t sz)
+ {
+     emul_save_fpu_state();
+-    memcpy(dst, src, sz);
++    __real_memcpy(dst, src, sz);
+     emul_restore_fpu_state();
+ 
+     return dst;
+ }
+ 
+-void *emul_memset(void *dst, int c, size_t sz)
++void *__wrap_memset(void *dst, int c, size_t sz)
+ {
+     emul_save_fpu_state();
+-    memset(dst, c, sz);
++    __real_memset(dst, c, sz);
+     emul_restore_fpu_state();
+ 
+     return dst;
+ }
+ 
+-int emul_printf(const char *fmt, ...)
++int __wrap_printf(const char *fmt, ...)
+ {
+     va_list varg;
+     int rc;
+ 
+     emul_save_fpu_state();
+     va_start(varg, fmt);
+-    rc = vprintf(fmt, varg);
++    rc = __real_vprintf(fmt, varg);
+     va_end(varg);
+     emul_restore_fpu_state();
+ 
+     return rc;
+ }
+ 
+-int emul_putchar(int c)
++int __wrap_putchar(int c)
+ {
+     int rc;
+ 
+     emul_save_fpu_state();
+-    rc = putchar(c);
++    rc = __real_putchar(c);
+     emul_restore_fpu_state();
+ 
+     return rc;
+ }
+ 
+-int emul_puts(const char *str)
++int __wrap_puts(const char *str)
+ {
+     int rc;
+ 
+     emul_save_fpu_state();
+-    rc = puts(str);
++    rc = __real_puts(str);
+     emul_restore_fpu_state();
+ 
+     return rc;
+ }
++
++int __wrap_snprintf(char *buf, size_t n, const char *fmt, ...)
++{
++    va_list varg;
++    int rc;
++
++    emul_save_fpu_state();
++    va_start(varg, fmt);
++    rc = __real_vsnprintf(buf, n, fmt, varg);
++    va_end(varg);
++    emul_restore_fpu_state();
++
++    return rc;
++}
++
++char *__wrap_strstr(const char *s1, const char *s2)
++{
++    char *s;
++
++    emul_save_fpu_state();
++    s = __real_strstr(s1, s2);
++    emul_restore_fpu_state();
++
++    return s;
++}
+diff --git a/tools/tests/x86_emulator/x86-emulate.h b/tools/tests/x86_emulator/x86-emulate.h
+index 19bea9c38d..58760f096d 100644
+--- a/tools/tests/x86_emulator/x86-emulate.h
++++ b/tools/tests/x86_emulator/x86-emulate.h
+@@ -29,9 +29,7 @@
+ #ifdef EOF
+ # error "Must not include <stdio.h> before x86-emulate.h"
+ #endif
+-#ifdef WRAP
+-# include <stdio.h>
+-#endif
++#include <stdio.h>
+ 
+ #include <xen/xen.h>
+ 
+@@ -85,11 +83,7 @@ void emul_restore_fpu_state(void);
+  * around the actual function.
+  */
+ #ifndef WRAP
+-# if 0 /* This only works for explicit calls, not for compiler generated ones. */
+-#  define WRAP(x) typeof(x) x asm("emul_" #x)
+-# else
+-# define WRAP(x) asm(".equ " #x ", emul_" #x)
+-# endif
++# define WRAP(x) typeof(x) __wrap_ ## x
+ #endif
+ 
+ WRAP(fwrite);
+@@ -99,6 +93,10 @@ WRAP(memset);
+ WRAP(printf);
+ WRAP(putchar);
+ WRAP(puts);
++WRAP(snprintf);
++WRAP(strstr);
++WRAP(vprintf);
++WRAP(vsnprintf);
+ 
+ #undef WRAP
+ 
+-- 
+2.42.0
+

diff --git a/0010-rombios-Work-around-GCC-issue-99578.patch b/0010-rombios-Work-around-GCC-issue-99578.patch
new file mode 100644
index 0000000..3995f02
--- /dev/null
+++ b/0010-rombios-Work-around-GCC-issue-99578.patch
@@ -0,0 +1,43 @@
+From ae1045c42954772e48862162d0e95fbc9393c91e Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 17 Aug 2023 21:32:53 +0100
+Subject: [PATCH 10/55] rombios: Work around GCC issue 99578
+
+GCC 12 objects to pointers derived from a constant:
+
+  util.c: In function 'find_rsdp':
+  util.c:429:16: error: array subscript 0 is outside array bounds of 'uint16_t[0]' {aka 'short unsigned int[]'} [-Werror=array-bounds]
+    429 |     ebda_seg = *(uint16_t *)ADDR_FROM_SEG_OFF(0x40, 0xe);
+  cc1: all warnings being treated as errors
+
+This is a GCC bug, but work around it rather than turning array-bounds
+checking off generally.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit e35138a2ffbe1fe71edaaaaae71063dc545a8416)
+---
+ tools/firmware/rombios/32bit/util.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/firmware/rombios/32bit/util.c b/tools/firmware/rombios/32bit/util.c
+index 6c1c480514..a47e000a26 100644
+--- a/tools/firmware/rombios/32bit/util.c
++++ b/tools/firmware/rombios/32bit/util.c
+@@ -424,10 +424,10 @@ static struct acpi_20_rsdp *__find_rsdp(const void *start, unsigned int len)
+ struct acpi_20_rsdp *find_rsdp(void)
+ {
+     struct acpi_20_rsdp *rsdp;
+-    uint16_t ebda_seg;
++    uint16_t *volatile /* GCC issue 99578 */ ebda_seg =
++        ADDR_FROM_SEG_OFF(0x40, 0xe);
+ 
+-    ebda_seg = *(uint16_t *)ADDR_FROM_SEG_OFF(0x40, 0xe);
+-    rsdp = __find_rsdp((void *)(ebda_seg << 16), 1024);
++    rsdp = __find_rsdp((void *)(*ebda_seg << 16), 1024);
+     if (!rsdp)
+         rsdp = __find_rsdp((void *)0xE0000, 0x20000);
+ 
+-- 
+2.42.0
+

diff --git a/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch b/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch
deleted file mode 100644
index a8c427d..0000000
--- a/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2e8d7a08bcd111fe21569e9ace1a047df76da949 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 11 Nov 2022 18:50:34 +0000
-Subject: [PATCH 10/89] tools/oxenstored: Fix incorrect scope after an if
- statement
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A debug statement got inserted into a single-expression if statement.
-
-Insert brackets to give the intended meaning, rather than the actual meaning
-where the "let con = Connections..." is outside and executed unconditionally.
-
-This results in some unnecessary ring checks for domains which otherwise have
-IO credit.
-
-Fixes: 42f0581a91d4 ("tools/oxenstored: Implement live update for socket connections")
-Reported-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit ee36179371fd4215a43fb179be2165f65c1cd1cd)
----
- tools/ocaml/xenstored/xenstored.ml | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index ffd43a4eee..c5dc7a28d0 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -475,7 +475,7 @@ let _ =
- 
- 	let ring_scan_checker dom =
- 		(* no need to scan domains already marked as for processing *)
--		if not (Domain.get_io_credit dom > 0) then
-+		if not (Domain.get_io_credit dom > 0) then (
- 			debug "Looking up domid %d" (Domain.get_id dom);
- 			let con = Connections.find_domain cons (Domain.get_id dom) in
- 			if not (Connection.has_more_work con) then (
-@@ -490,7 +490,8 @@ let _ =
- 					let n = 32 + 2 * (Domains.number domains) in
- 					info "found lazy domain %d, credit %d" (Domain.get_id dom) n;
- 					Domain.set_io_credit ~n dom
--			) in
-+			)
-+		) in
- 
- 	let last_stat_time = ref 0. in
- 	let last_scan_time = ref 0. in
--- 
-2.40.0
-

diff --git a/0011-rombios-Avoid-using-K-R-function-syntax.patch b/0011-rombios-Avoid-using-K-R-function-syntax.patch
new file mode 100644
index 0000000..0bd761f
--- /dev/null
+++ b/0011-rombios-Avoid-using-K-R-function-syntax.patch
@@ -0,0 +1,74 @@
+From 24487fec3bbebbc1fd3f00d16bca7fb0f56a5f30 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 18 Aug 2023 10:47:46 +0100
+Subject: [PATCH 11/55] rombios: Avoid using K&R function syntax
+
+Clang-15 complains:
+
+  tcgbios.c:598:25: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+  void tcpa_calling_int19h()
+                          ^
+                           void
+
+C2x formally removes K&R syntax.  The declarations for these functions in
+32bitprotos.h are already ANSI compatible.  Update the definitions to match.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit a562afa5679d4a7ceb9cb9222fec1fea9a61f738)
+---
+ tools/firmware/rombios/32bit/tcgbios/tcgbios.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/firmware/rombios/32bit/tcgbios/tcgbios.c b/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
+index fa22c4460a..ad0eac0d20 100644
+--- a/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
++++ b/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
+@@ -595,7 +595,7 @@ static void tcpa_add_measurement(uint32_t pcrIndex,
+ /*
+  * Add measurement to log about call of int 19h
+  */
+-void tcpa_calling_int19h()
++void tcpa_calling_int19h(void)
+ {
+ 	tcpa_add_measurement(4, EV_ACTION, 0);
+ }
+@@ -603,7 +603,7 @@ void tcpa_calling_int19h()
+ /*
+  * Add measurement to log about retuning from int 19h
+  */
+-void tcpa_returned_int19h()
++void tcpa_returned_int19h(void)
+ {
+ 	tcpa_add_measurement(4, EV_ACTION, 1);
+ }
+@@ -611,7 +611,7 @@ void tcpa_returned_int19h()
+ /*
+  * Add event separators for PCRs 0 to 7; specs 8.2.3
+  */
+-void tcpa_add_event_separators()
++void tcpa_add_event_separators(void)
+ {
+ 	uint32_t pcrIndex = 0;
+ 	while (pcrIndex <= 7) {
+@@ -624,7 +624,7 @@ void tcpa_add_event_separators()
+ /*
+  * Add a wake event to the log
+  */
+-void tcpa_wake_event()
++void tcpa_wake_event(void)
+ {
+ 	tcpa_add_measurement_to_log(6,
+ 	                            EV_ACTION,
+@@ -659,7 +659,7 @@ void tcpa_add_bootdevice(uint32_t bootcd, uint32_t bootdrv)
+  * Add measurement to the log about option rom scan
+  * 10.4.3 : action 14
+  */
+-void tcpa_start_option_rom_scan()
++void tcpa_start_option_rom_scan(void)
+ {
+ 	tcpa_add_measurement(2, EV_ACTION, 14);
+ }
+-- 
+2.42.0
+

diff --git a/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch b/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch
deleted file mode 100644
index c9cf630..0000000
--- a/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d11528a993f80c6a86f4cb0c30578c026348e3e4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 18 Jan 2022 15:04:48 +0000
-Subject: [PATCH 11/89] tools/ocaml/evtchn: OCaml 5 support, fix potential
- resource leak
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is no binding for xenevtchn_close().  In principle, this is a resource
-leak, but the typical usage is as a singleton that lives for the lifetime of
-the program.
-
-Ocaml 5 no longer permits storing a naked C pointer in an Ocaml value.
-
-Therefore, use a Custom block.  This allows us to use the finaliser callback
-to call xenevtchn_close(), if the Ocaml object goes out of scope.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 22d5affdf0cecfa6faae46fbaec68b8018835220)
----
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 21 +++++++++++++++++--
- 1 file changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index f889a7a2e4..37f1cc4e14 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -33,7 +33,22 @@
- #include <caml/fail.h>
- #include <caml/signals.h>
- 
--#define _H(__h) ((xenevtchn_handle *)(__h))
-+#define _H(__h) (*((xenevtchn_handle **)Data_custom_val(__h)))
-+
-+static void stub_evtchn_finalize(value v)
-+{
-+	xenevtchn_close(_H(v));
-+}
-+
-+static struct custom_operations xenevtchn_ops = {
-+	.identifier  = "xenevtchn",
-+	.finalize    = stub_evtchn_finalize,
-+	.compare     = custom_compare_default,     /* Can't compare     */
-+	.hash        = custom_hash_default,        /* Can't hash        */
-+	.serialize   = custom_serialize_default,   /* Can't serialize   */
-+	.deserialize = custom_deserialize_default, /* Can't deserialize */
-+	.compare_ext = custom_compare_ext_default, /* Can't compare     */
-+};
- 
- CAMLprim value stub_eventchn_init(void)
- {
-@@ -48,7 +63,9 @@ CAMLprim value stub_eventchn_init(void)
- 	if (xce == NULL)
- 		caml_failwith("open failed");
- 
--	result = (value)xce;
-+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-+	_H(result) = xce;
-+
- 	CAMLreturn(result);
- }
- 
--- 
-2.40.0
-

diff --git a/0012-rombios-Remove-the-use-of-egrep.patch b/0012-rombios-Remove-the-use-of-egrep.patch
new file mode 100644
index 0000000..44702b4
--- /dev/null
+++ b/0012-rombios-Remove-the-use-of-egrep.patch
@@ -0,0 +1,34 @@
+From e418a77295e6b512d212b57123c11e4d4fb23e8c Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 18 Aug 2023 11:05:00 +0100
+Subject: [PATCH 12/55] rombios: Remove the use of egrep
+
+As the Alpine 3.18 container notes:
+
+  egrep: warning: egrep is obsolescent; using grep -E
+
+Adjust it.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 5ddac3c2852ecc120acab86fc403153a2097c5dc)
+---
+ tools/firmware/rombios/32bit/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/firmware/rombios/32bit/Makefile b/tools/firmware/rombios/32bit/Makefile
+index c058c71551..50d45647c2 100644
+--- a/tools/firmware/rombios/32bit/Makefile
++++ b/tools/firmware/rombios/32bit/Makefile
+@@ -26,7 +26,7 @@ $(TARGET): 32bitbios_all.o
+ 32bitbios_all.o: 32bitbios.o tcgbios/tcgbiosext.o util.o pmm.o
+ 	$(LD) $(LDFLAGS_DIRECT) -s -r $^ -o 32bitbios_all.o
+ 	@nm 32bitbios_all.o |                                \
+-	  egrep '^ +U ' >/dev/null && {                      \
++	  grep -E '^ +U ' >/dev/null && {                    \
+ 	    echo "There are undefined symbols in the BIOS:"; \
+ 	    nm -u 32bitbios_all.o;                           \
+ 	    exit 11;                                         \
+-- 
+2.42.0
+

diff --git a/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch b/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch
deleted file mode 100644
index 7e921fd..0000000
--- a/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 24d9dc2ae2f88249fcf81f7b7e612cdfb7c73e4b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Mon, 14 Nov 2022 13:36:19 +0000
-Subject: [PATCH 12/89] tools/ocaml/evtchn: Add binding for xenevtchn_fdopen()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For live update, the new oxenstored needs to reconstruct an evtchn object
-around an existing file descriptor.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 7ba68a6c558e1fd811c95cb7215a5cd07a3cc2ea)
----
- tools/ocaml/libs/eventchn/xeneventchn.ml      |  1 +
- tools/ocaml/libs/eventchn/xeneventchn.mli     |  4 ++++
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 19 +++++++++++++++++++
- 3 files changed, 24 insertions(+)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn.ml b/tools/ocaml/libs/eventchn/xeneventchn.ml
-index dd00a1f0ea..be4de82f46 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn.ml
-+++ b/tools/ocaml/libs/eventchn/xeneventchn.ml
-@@ -17,6 +17,7 @@
- type handle
- 
- external init: unit -> handle = "stub_eventchn_init"
-+external fdopen: Unix.file_descr -> handle = "stub_eventchn_fdopen"
- external fd: handle -> Unix.file_descr = "stub_eventchn_fd"
- 
- type t = int
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn.mli b/tools/ocaml/libs/eventchn/xeneventchn.mli
-index 08c7337643..98b3c86f37 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn.mli
-+++ b/tools/ocaml/libs/eventchn/xeneventchn.mli
-@@ -47,6 +47,10 @@ val init: unit -> handle
- (** Return an initialised event channel interface. On error it
-     will throw a Failure exception. *)
- 
-+val fdopen: Unix.file_descr -> handle
-+(** Return an initialised event channel interface, from an already open evtchn
-+    file descriptor.  On error it will throw a Failure exception. *)
-+
- val fd: handle -> Unix.file_descr
- (** Return a file descriptor suitable for Unix.select. When
-     the descriptor becomes readable, it is safe to call 'pending'.
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index 37f1cc4e14..7bdf711bc1 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -69,6 +69,25 @@ CAMLprim value stub_eventchn_init(void)
- 	CAMLreturn(result);
- }
- 
-+CAMLprim value stub_eventchn_fdopen(value fdval)
-+{
-+	CAMLparam1(fdval);
-+	CAMLlocal1(result);
-+	xenevtchn_handle *xce;
-+
-+	caml_enter_blocking_section();
-+	xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0);
-+	caml_leave_blocking_section();
-+
-+	if (xce == NULL)
-+		caml_failwith("evtchn fdopen failed");
-+
-+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-+	_H(result) = xce;
-+
-+	CAMLreturn(result);
-+}
-+
- CAMLprim value stub_eventchn_fd(value xce)
- {
- 	CAMLparam1(xce);
--- 
-2.40.0
-

diff --git a/0013-CI-Resync-FreeBSD-config-with-staging.patch b/0013-CI-Resync-FreeBSD-config-with-staging.patch
new file mode 100644
index 0000000..dcd867b
--- /dev/null
+++ b/0013-CI-Resync-FreeBSD-config-with-staging.patch
@@ -0,0 +1,62 @@
+From f00d56309533427981f09ef2614f1bae4bcab62e Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 17 Feb 2023 11:16:32 +0000
+Subject: [PATCH 13/55] CI: Resync FreeBSD config with staging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CI: Update FreeBSD to 13.1
+
+Also print the compiler version before starting.  It's not easy to find
+otherwise, and does change from time to time.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+(cherry picked from commit 5e7667ea2dd33e0e5e0f3a96db37fdb4ecd98fba)
+
+CI: Update FreeBSD to 13.2
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Stefano Stabellini <sstabellini@kernel.org>
+(cherry picked from commit f872a624cbf92de9944483eea7674ef80ced1380)
+
+CI: Update FreeBSD to 12.4
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+(cherry picked from commit a73560896ce3c513460f26bd1c205060d6ec4f8a)
+---
+ .cirrus.yml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/.cirrus.yml b/.cirrus.yml
+index c38333e736..7e0beb200d 100644
+--- a/.cirrus.yml
++++ b/.cirrus.yml
+@@ -10,19 +10,20 @@ freebsd_template: &FREEBSD_TEMPLATE
+                                  libxml2 glib git
+ 
+   build_script:
++    - cc --version
+     - ./configure --with-system-seabios=/usr/local/share/seabios/bios.bin
+     - gmake -j`sysctl -n hw.ncpu` clang=y
+ 
+ task:
+   name: 'FreeBSD 12'
+   freebsd_instance:
+-    image_family: freebsd-12-3
++    image_family: freebsd-12-4
+   << : *FREEBSD_TEMPLATE
+ 
+ task:
+   name: 'FreeBSD 13'
+   freebsd_instance:
+-    image_family: freebsd-13-0
++    image_family: freebsd-13-2
+   << : *FREEBSD_TEMPLATE
+ 
+ task:
+-- 
+2.42.0
+

diff --git a/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch b/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch
deleted file mode 100644
index af889eb..0000000
--- a/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From c7cf603836e40de1b4a6ca7d1d52736eb4a10327 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Thu, 3 Nov 2022 14:50:38 +0000
-Subject: [PATCH 13/89] tools/ocaml/evtchn: Extend the init() binding with a
- cloexec flag
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For live update, oxenstored wants to clear CLOEXEC on the evtchn handle, so it
-survives the execve() into the new oxenstored.
-
-Have the new interface match how cloexec works in other Ocaml standard
-libraries.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 9bafe4a53306e7aa2ce6ffc96f7477c6f329f7a7)
----
- tools/ocaml/libs/eventchn/xeneventchn.ml      |  5 ++++-
- tools/ocaml/libs/eventchn/xeneventchn.mli     |  9 ++++++---
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 10 +++++++---
- 3 files changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn.ml b/tools/ocaml/libs/eventchn/xeneventchn.ml
-index be4de82f46..c16fdd4674 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn.ml
-+++ b/tools/ocaml/libs/eventchn/xeneventchn.ml
-@@ -16,7 +16,10 @@
- 
- type handle
- 
--external init: unit -> handle = "stub_eventchn_init"
-+external _init: bool -> handle = "stub_eventchn_init"
-+
-+let init ?(cloexec=true) () = _init cloexec
-+
- external fdopen: Unix.file_descr -> handle = "stub_eventchn_fdopen"
- external fd: handle -> Unix.file_descr = "stub_eventchn_fd"
- 
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn.mli b/tools/ocaml/libs/eventchn/xeneventchn.mli
-index 98b3c86f37..870429b6b5 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn.mli
-+++ b/tools/ocaml/libs/eventchn/xeneventchn.mli
-@@ -43,9 +43,12 @@ val to_int: t -> int
- 
- val of_int: int -> t
- 
--val init: unit -> handle
--(** Return an initialised event channel interface. On error it
--    will throw a Failure exception. *)
-+val init: ?cloexec:bool -> unit -> handle
-+(** [init ?cloexec ()]
-+    Return an initialised event channel interface.
-+    The default is to close the underlying file descriptor
-+    on [execve], which can be overriden with [~cloexec:false].
-+    On error it will throw a Failure exception. *)
- 
- val fdopen: Unix.file_descr -> handle
- (** Return an initialised event channel interface, from an already open evtchn
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index 7bdf711bc1..aa8a69cc1e 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -50,14 +50,18 @@ static struct custom_operations xenevtchn_ops = {
- 	.compare_ext = custom_compare_ext_default, /* Can't compare     */
- };
- 
--CAMLprim value stub_eventchn_init(void)
-+CAMLprim value stub_eventchn_init(value cloexec)
- {
--	CAMLparam0();
-+	CAMLparam1(cloexec);
- 	CAMLlocal1(result);
- 	xenevtchn_handle *xce;
-+	unsigned int flags = 0;
-+
-+	if ( !Bool_val(cloexec) )
-+		flags |= XENEVTCHN_NO_CLOEXEC;
- 
- 	caml_enter_blocking_section();
--	xce = xenevtchn_open(NULL, 0);
-+	xce = xenevtchn_open(NULL, flags);
- 	caml_leave_blocking_section();
- 
- 	if (xce == NULL)
--- 
-2.40.0
-

diff --git a/0014-tools-oxenstored-Style-fixes-to-Domain.patch b/0014-tools-oxenstored-Style-fixes-to-Domain.patch
deleted file mode 100644
index aad4399..0000000
--- a/0014-tools-oxenstored-Style-fixes-to-Domain.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 0929960173bc76b8d90df73c8ee665747c233e18 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 30 Nov 2022 14:56:43 +0000
-Subject: [PATCH 14/89] tools/oxenstored: Style fixes to Domain
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This file has some style problems so severe that they interfere with the
-readability of the subsequent bugfix patches.
-
-Fix these issues ahead of time, to make the subsequent changes more readable.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit b45bfaf359e4821b1bf98a4fcd194d7fd176f167)
----
- tools/ocaml/xenstored/domain.ml | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
-index 81cb59b8f1..ab08dcf37f 100644
---- a/tools/ocaml/xenstored/domain.ml
-+++ b/tools/ocaml/xenstored/domain.ml
-@@ -57,17 +57,16 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0
- let is_free_to_conflict = is_dom0
- 
- let string_of_port = function
--| None -> "None"
--| Some x -> string_of_int (Xeneventchn.to_int x)
-+	| None -> "None"
-+	| Some x -> string_of_int (Xeneventchn.to_int x)
- 
- let dump d chan =
- 	fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port
- 
--let notify dom = match dom.port with
--| None ->
--	warn "domain %d: attempt to notify on unknown port" dom.id
--| Some port ->
--	Event.notify dom.eventchn port
-+let notify dom =
-+	match dom.port with
-+	| None -> warn "domain %d: attempt to notify on unknown port" dom.id
-+	| Some port -> Event.notify dom.eventchn port
- 
- let bind_interdomain dom =
- 	begin match dom.port with
-@@ -84,8 +83,7 @@ let close dom =
- 	| None -> ()
- 	| Some port -> Event.unbind dom.eventchn port
- 	end;
--	Xenmmap.unmap dom.interface;
--	()
-+	Xenmmap.unmap dom.interface
- 
- let make id mfn remote_port interface eventchn = {
- 	id = id;
--- 
-2.40.0
-

diff --git a/0014-tools-vchan-Fix-Wsingle-bit-bitfield-constant-conver.patch b/0014-tools-vchan-Fix-Wsingle-bit-bitfield-constant-conver.patch
new file mode 100644
index 0000000..6e29490
--- /dev/null
+++ b/0014-tools-vchan-Fix-Wsingle-bit-bitfield-constant-conver.patch
@@ -0,0 +1,43 @@
+From 052a8d24bc670ab6503e21dfd2fb8bccfc22aa73 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 8 Aug 2023 14:53:42 +0100
+Subject: [PATCH 14/55] tools/vchan: Fix
+ -Wsingle-bit-bitfield-constant-conversion
+
+Gitlab reports:
+
+  node.c:158:17: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
+
+        ctrl->blocking = 1;
+                       ^ ~
+  1 error generated.
+  make[4]: *** [/builds/xen-project/people/andyhhp/xen/tools/vchan/../../tools/Rules.mk:188: node.o] Error 1
+
+In Xen 4.18, this was fixed with c/s 99ab02f63ea8 ("tools: convert bitfields
+to unsigned type") but this is an ABI change which can't be backported.
+
+Swich 1 for -1 to provide a minimally invasive way to fix the build.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ tools/vchan/node.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/vchan/node.c b/tools/vchan/node.c
+index f1638f013d..a28293b720 100644
+--- a/tools/vchan/node.c
++++ b/tools/vchan/node.c
+@@ -155,7 +155,7 @@ int main(int argc, char **argv)
+ 		perror("libxenvchan_*_init");
+ 		exit(1);
+ 	}
+-	ctrl->blocking = 1;
++	ctrl->blocking = -1;
+ 
+ 	srand(seed);
+ 	fprintf(stderr, "seed=%d\n", seed);
+-- 
+2.42.0
+

diff --git a/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch b/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch
deleted file mode 100644
index 8b83edf..0000000
--- a/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From bc5cc00868ea29d814bb3d783e28b49d1acf63e9 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 29 Nov 2022 21:05:43 +0000
-Subject: [PATCH 15/89] tools/oxenstored: Bind the DOM_EXC VIRQ in in
- Event.init()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Xenstored always needs to bind the DOM_EXC VIRQ.
-
-Instead of doing it shortly after the call to Event.init(), do it in the
-constructor directly.  This removes the need for the field to be a mutable
-option.
-
-It will also simplify a future change to support live update.  Rename the
-field from virq_port (which could be any VIRQ) to it's proper name.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 9804a5db435fe40c8ded8cf36c2d2b2281c56f1d)
----
- tools/ocaml/xenstored/event.ml     | 9 ++++++---
- tools/ocaml/xenstored/xenstored.ml | 4 +---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/event.ml b/tools/ocaml/xenstored/event.ml
-index ccca90b6fc..a3be296374 100644
---- a/tools/ocaml/xenstored/event.ml
-+++ b/tools/ocaml/xenstored/event.ml
-@@ -17,12 +17,15 @@
- (**************** high level binding ****************)
- type t = {
- 	handle: Xeneventchn.handle;
--	mutable virq_port: Xeneventchn.t option;
-+	domexc: Xeneventchn.t;
- }
- 
--let init () = { handle = Xeneventchn.init (); virq_port = None; }
-+let init () =
-+	let handle = Xeneventchn.init () in
-+	let domexc = Xeneventchn.bind_dom_exc_virq handle in
-+	{ handle; domexc }
-+
- let fd eventchn = Xeneventchn.fd eventchn.handle
--let bind_dom_exc_virq eventchn = eventchn.virq_port <- Some (Xeneventchn.bind_dom_exc_virq eventchn.handle)
- let bind_interdomain eventchn domid port = Xeneventchn.bind_interdomain eventchn.handle domid port
- let unbind eventchn port = Xeneventchn.unbind eventchn.handle port
- let notify eventchn port = Xeneventchn.notify eventchn.handle port
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index c5dc7a28d0..55071b49ec 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -397,7 +397,6 @@ let _ =
- 	if cf.restart && Sys.file_exists Disk.xs_daemon_database then (
- 		let rwro = DB.from_file store domains cons Disk.xs_daemon_database in
- 		info "Live reload: database loaded";
--		Event.bind_dom_exc_virq eventchn;
- 		Process.LiveUpdate.completed ();
- 		rwro
- 	) else (
-@@ -413,7 +412,6 @@ let _ =
- 
- 		if cf.domain_init then (
- 			Connections.add_domain cons (Domains.create0 domains);
--			Event.bind_dom_exc_virq eventchn
- 		);
- 		rw_sock
- 	) in
-@@ -451,7 +449,7 @@ let _ =
- 			let port = Event.pending eventchn in
- 			debug "pending port %d" (Xeneventchn.to_int port);
- 			finally (fun () ->
--				if Some port = eventchn.Event.virq_port then (
-+				if port = eventchn.Event.domexc then (
- 					let (notify, deaddom) = Domains.cleanup domains in
- 					List.iter (Store.reset_permissions store) deaddom;
- 					List.iter (Connections.del_domain cons) deaddom;
--- 
-2.40.0
-

diff --git a/0015-xen-vcpu-ignore-VCPU_SSHOTTMR_future.patch b/0015-xen-vcpu-ignore-VCPU_SSHOTTMR_future.patch
new file mode 100644
index 0000000..81e010b
--- /dev/null
+++ b/0015-xen-vcpu-ignore-VCPU_SSHOTTMR_future.patch
@@ -0,0 +1,143 @@
+From 7b5155a79ea946dd513847d4e7ad2b7e6a4ebb73 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:45:29 +0200
+Subject: [PATCH 15/55] xen/vcpu: ignore VCPU_SSHOTTMR_future
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The usage of VCPU_SSHOTTMR_future in Linux prior to 4.7 is bogus.
+When the hypervisor returns -ETIME (timeout in the past) Linux keeps
+retrying to setup the timer with a higher timeout instead of
+self-injecting a timer interrupt.
+
+On boxes without any hardware assistance for logdirty we have seen HVM
+Linux guests < 4.7 with 32vCPUs give up trying to setup the timer when
+logdirty is enabled:
+
+CE: Reprogramming failure. Giving up
+CE: xen increased min_delta_ns to 1000000 nsec
+CE: Reprogramming failure. Giving up
+CE: Reprogramming failure. Giving up
+CE: xen increased min_delta_ns to 506250 nsec
+CE: xen increased min_delta_ns to 759375 nsec
+CE: xen increased min_delta_ns to 1000000 nsec
+CE: Reprogramming failure. Giving up
+CE: Reprogramming failure. Giving up
+CE: Reprogramming failure. Giving up
+Freezing user space processes ...
+INFO: rcu_sched detected stalls on CPUs/tasks: { 14} (detected by 10, t=60002 jiffies, g=4006, c=4005, q=14130)
+Task dump for CPU 14:
+swapper/14      R  running task        0     0      1 0x00000000
+Call Trace:
+ [<ffffffff90160f5d>] ? rcu_eqs_enter_common.isra.30+0x3d/0xf0
+ [<ffffffff907b9bde>] ? default_idle+0x1e/0xd0
+ [<ffffffff90039570>] ? arch_cpu_idle+0x20/0xc0
+ [<ffffffff9010820a>] ? cpu_startup_entry+0x14a/0x1e0
+ [<ffffffff9005d3a7>] ? start_secondary+0x1f7/0x270
+ [<ffffffff900000d5>] ? start_cpu+0x5/0x14
+INFO: rcu_sched detected stalls on CPUs/tasks: { 26} (detected by 24, t=60002 jiffies, g=6922, c=6921, q=7013)
+Task dump for CPU 26:
+swapper/26      R  running task        0     0      1 0x00000000
+Call Trace:
+ [<ffffffff90160f5d>] ? rcu_eqs_enter_common.isra.30+0x3d/0xf0
+ [<ffffffff907b9bde>] ? default_idle+0x1e/0xd0
+ [<ffffffff90039570>] ? arch_cpu_idle+0x20/0xc0
+ [<ffffffff9010820a>] ? cpu_startup_entry+0x14a/0x1e0
+ [<ffffffff9005d3a7>] ? start_secondary+0x1f7/0x270
+ [<ffffffff900000d5>] ? start_cpu+0x5/0x14
+INFO: rcu_sched detected stalls on CPUs/tasks: { 26} (detected by 24, t=60002 jiffies, g=8499, c=8498, q=7664)
+Task dump for CPU 26:
+swapper/26      R  running task        0     0      1 0x00000000
+Call Trace:
+ [<ffffffff90160f5d>] ? rcu_eqs_enter_common.isra.30+0x3d/0xf0
+ [<ffffffff907b9bde>] ? default_idle+0x1e/0xd0
+ [<ffffffff90039570>] ? arch_cpu_idle+0x20/0xc0
+ [<ffffffff9010820a>] ? cpu_startup_entry+0x14a/0x1e0
+ [<ffffffff9005d3a7>] ? start_secondary+0x1f7/0x270
+ [<ffffffff900000d5>] ? start_cpu+0x5/0x14
+
+Thus leading to CPU stalls and a broken system as a result.
+
+Workaround this bogus usage by ignoring the VCPU_SSHOTTMR_future in
+the hypervisor.  Old Linux versions are the only ones known to have
+(wrongly) attempted to use the flag, and ignoring it is compatible
+with the behavior expected by any guests setting that flag.
+
+Note the usage of the flag has been removed from Linux by commit:
+
+c06b6d70feb3 xen/x86: don't lose event interrupts
+
+Which landed in Linux 4.7.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: Henry Wang <Henry.Wang@arm.com> # CHANGELOG
+Acked-by: Jan Beulich <jbeulich@suse.com>
+master commit: 19c6cbd90965b1440bd551069373d6fa3f2f365d
+master date: 2023-05-03 13:36:05 +0200
+---
+ CHANGELOG.md              |  6 ++++++
+ xen/common/domain.c       | 13 ++++++++++---
+ xen/include/public/vcpu.h |  5 ++++-
+ 3 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 7f4d0f25e9..bb0eceb69a 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -4,6 +4,12 @@ Notable changes to Xen will be documented in this file.
+ 
+ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+ 
++## [4.17.3](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.17.3)
++
++### Changed
++ - Ignore VCPUOP_set_singleshot_timer's VCPU_SSHOTTMR_future flag. The only
++   known user doesn't use it properly, leading to in-guest breakage.
++
+ ## [4.17.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.17.0) - 2022-12-12
+ 
+ ### Changed
+diff --git a/xen/common/domain.c b/xen/common/domain.c
+index 53f7e734fe..30c2279673 100644
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -1691,9 +1691,16 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
+         if ( copy_from_guest(&set, arg, 1) )
+             return -EFAULT;
+ 
+-        if ( (set.flags & VCPU_SSHOTTMR_future) &&
+-             (set.timeout_abs_ns < NOW()) )
+-            return -ETIME;
++        if ( set.timeout_abs_ns < NOW() )
++        {
++            /*
++             * Simplify the logic if the timeout has already expired and just
++             * inject the event.
++             */
++            stop_timer(&v->singleshot_timer);
++            send_timer_event(v);
++            break;
++        }
+ 
+         migrate_timer(&v->singleshot_timer, smp_processor_id());
+         set_timer(&v->singleshot_timer, set.timeout_abs_ns);
+diff --git a/xen/include/public/vcpu.h b/xen/include/public/vcpu.h
+index 81a3b3a743..a836b264a9 100644
+--- a/xen/include/public/vcpu.h
++++ b/xen/include/public/vcpu.h
+@@ -150,7 +150,10 @@ typedef struct vcpu_set_singleshot_timer vcpu_set_singleshot_timer_t;
+ DEFINE_XEN_GUEST_HANDLE(vcpu_set_singleshot_timer_t);
+ 
+ /* Flags to VCPUOP_set_singleshot_timer. */
+- /* Require the timeout to be in the future (return -ETIME if it's passed). */
++ /*
++  * Request the timeout to be in the future (return -ETIME if it's passed)
++  * but can be ignored by the hypervisor.
++  */
+ #define _VCPU_SSHOTTMR_future (0)
+ #define VCPU_SSHOTTMR_future  (1U << _VCPU_SSHOTTMR_future)
+ 
+-- 
+2.42.0
+

diff --git a/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch b/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch
deleted file mode 100644
index 4f168d6..0000000
--- a/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From fd0d9b05970986545656c8f6f688f70f3e78a29b Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 30 Nov 2022 03:17:28 +0000
-Subject: [PATCH 16/89] tools/oxenstored: Rename some 'port' variables to
- 'remote_port'
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This will make the logic clearer when we plumb local_port through these
-functions.
-
-While doing this, rearrange the construct in Domains.create0 to separate the
-remote port handling from the interface handling.  (The interface logic is
-dubious in several ways, but not altered by this cleanup.)
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 31fbee749a75621039ca601eaee7222050a7dd83)
----
- tools/ocaml/xenstored/domains.ml   | 26 ++++++++++++--------------
- tools/ocaml/xenstored/process.ml   | 12 ++++++------
- tools/ocaml/xenstored/xenstored.ml |  8 ++++----
- 3 files changed, 22 insertions(+), 24 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml
-index 17fe2fa257..26018ac0dd 100644
---- a/tools/ocaml/xenstored/domains.ml
-+++ b/tools/ocaml/xenstored/domains.ml
-@@ -122,9 +122,9 @@ let cleanup doms =
- let resume _doms _domid =
- 	()
- 
--let create doms domid mfn port =
-+let create doms domid mfn remote_port =
- 	let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in
--	let dom = Domain.make domid mfn port interface doms.eventchn in
-+	let dom = Domain.make domid mfn remote_port interface doms.eventchn in
- 	Hashtbl.add doms.table domid dom;
- 	Domain.bind_interdomain dom;
- 	dom
-@@ -133,18 +133,16 @@ let xenstored_kva = ref ""
- let xenstored_port = ref ""
- 
- let create0 doms =
--	let port, interface =
--		(
--			let port = Utils.read_file_single_integer !xenstored_port
--			and fd = Unix.openfile !xenstored_kva
--					       [ Unix.O_RDWR ] 0o600 in
--			let interface = Xenmmap.mmap fd Xenmmap.RDWR Xenmmap.SHARED
--						  (Xenmmap.getpagesize()) 0 in
--			Unix.close fd;
--			port, interface
--		)
--		in
--	let dom = Domain.make 0 Nativeint.zero port interface doms.eventchn in
-+	let remote_port = Utils.read_file_single_integer !xenstored_port in
-+
-+	let interface =
-+		let fd = Unix.openfile !xenstored_kva [ Unix.O_RDWR ] 0o600 in
-+		let interface = Xenmmap.mmap fd Xenmmap.RDWR Xenmmap.SHARED (Xenmmap.getpagesize()) 0 in
-+		Unix.close fd;
-+		interface
-+	in
-+
-+	let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in
- 	Hashtbl.add doms.table 0 dom;
- 	Domain.bind_interdomain dom;
- 	Domain.notify dom;
-diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
-index 72a79e9328..b2973aca2a 100644
---- a/tools/ocaml/xenstored/process.ml
-+++ b/tools/ocaml/xenstored/process.ml
-@@ -558,10 +558,10 @@ let do_transaction_end con t domains cons data =
- let do_introduce con t domains cons data =
- 	if not (Connection.is_dom0 con)
- 	then raise Define.Permission_denied;
--	let (domid, mfn, port) =
-+	let (domid, mfn, remote_port) =
- 		match (split None '\000' data) with
--		| domid :: mfn :: port :: _ ->
--			int_of_string domid, Nativeint.of_string mfn, int_of_string port
-+		| domid :: mfn :: remote_port :: _ ->
-+			int_of_string domid, Nativeint.of_string mfn, int_of_string remote_port
- 		| _                         -> raise Invalid_Cmd_Args;
- 		in
- 	let dom =
-@@ -569,18 +569,18 @@ let do_introduce con t domains cons data =
- 			let edom = Domains.find domains domid in
- 			if (Domain.get_mfn edom) = mfn && (Connections.find_domain cons domid) != con then begin
- 				(* Use XS_INTRODUCE for recreating the xenbus event-channel. *)
--				edom.remote_port <- port;
-+				edom.remote_port <- remote_port;
- 				Domain.bind_interdomain edom;
- 			end;
- 			edom
- 		else try
--			let ndom = Domains.create domains domid mfn port in
-+			let ndom = Domains.create domains domid mfn remote_port in
- 			Connections.add_domain cons ndom;
- 			Connections.fire_spec_watches (Transaction.get_root t) cons Store.Path.introduce_domain;
- 			ndom
- 		with _ -> raise Invalid_Cmd_Args
- 	in
--	if (Domain.get_remote_port dom) <> port || (Domain.get_mfn dom) <> mfn then
-+	if (Domain.get_remote_port dom) <> remote_port || (Domain.get_mfn dom) <> mfn then
- 		raise Domain_not_match
- 
- let do_release con t domains cons data =
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index 55071b49ec..1f11f576b5 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -167,10 +167,10 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f =
- 					global_f ~rw
- 				| "socket" :: fd :: [] ->
- 					socket_f ~fd:(int_of_string fd)
--				| "dom" :: domid :: mfn :: port :: []->
-+				| "dom" :: domid :: mfn :: remote_port :: []->
- 					domain_f (int_of_string domid)
- 					         (Nativeint.of_string mfn)
--					         (int_of_string port)
-+					         (int_of_string remote_port)
- 				| "watch" :: domid :: path :: token :: [] ->
- 					watch_f (int_of_string domid)
- 					        (unhexify path) (unhexify token)
-@@ -209,10 +209,10 @@ let from_channel store cons doms chan =
- 		else
- 			warn "Ignoring invalid socket FD %d" fd
- 	in
--	let domain_f domid mfn port =
-+	let domain_f domid mfn remote_port =
- 		let ndom =
- 			if domid > 0 then
--				Domains.create doms domid mfn port
-+				Domains.create doms domid mfn remote_port
- 			else
- 				Domains.create0 doms
- 			in
--- 
-2.40.0
-

diff --git a/0016-x86-head-check-base-address-alignment.patch b/0016-x86-head-check-base-address-alignment.patch
new file mode 100644
index 0000000..2b9cead
--- /dev/null
+++ b/0016-x86-head-check-base-address-alignment.patch
@@ -0,0 +1,85 @@
+From e5f9987d5f63ecc3cc9884c614aca699a41e7ca7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:46:28 +0200
+Subject: [PATCH 16/55] x86/head: check base address alignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that the base address is 2M aligned, or else the page table
+entries created would be corrupt as reserved bits on the PDE end up
+set.
+
+We have encountered a broken firmware where grub2 would end up loading
+Xen at a non 2M aligned region when using the multiboot2 protocol, and
+that caused a very difficult to debug triple fault.
+
+If the alignment is not as required by the page tables print an error
+message and stop the boot.  Also add a build time check that the
+calculation of symbol offsets don't break alignment of passed
+addresses.
+
+The check could be performed earlier, but so far the alignment is
+required by the page tables, and hence feels more natural that the
+check lives near to the piece of code that requires it.
+
+Note that when booted as an EFI application from the PE entry point
+the alignment check is already performed by
+efi_arch_load_addr_check(), and hence there's no need to add another
+check at the point where page tables get built in
+efi_arch_memory_setup().
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 0946068e7faea22868c577d7afa54ba4970ff520
+master date: 2023-05-03 13:36:25 +0200
+---
+ xen/arch/x86/boot/head.S | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/xen/arch/x86/boot/head.S b/xen/arch/x86/boot/head.S
+index 245c859dd7..6bc64c9e86 100644
+--- a/xen/arch/x86/boot/head.S
++++ b/xen/arch/x86/boot/head.S
+@@ -1,3 +1,4 @@
++#include <xen/lib.h>
+ #include <xen/multiboot.h>
+ #include <xen/multiboot2.h>
+ #include <public/xen.h>
+@@ -121,6 +122,7 @@ multiboot2_header:
+ .Lbad_ldr_nst: .asciz "ERR: EFI SystemTable is not provided by bootloader!"
+ .Lbad_ldr_nih: .asciz "ERR: EFI ImageHandle is not provided by bootloader!"
+ .Lbad_efi_msg: .asciz "ERR: EFI IA-32 platforms are not supported!"
++.Lbad_alg_msg: .asciz "ERR: Xen must be loaded at a 2Mb boundary!"
+ 
+         .section .init.data, "aw", @progbits
+         .align 4
+@@ -146,6 +148,9 @@ bad_cpu:
+ not_multiboot:
+         mov     $sym_offs(.Lbad_ldr_msg), %ecx
+         jmp     .Lget_vtb
++.Lnot_aligned:
++        mov     $sym_offs(.Lbad_alg_msg), %ecx
++        jmp     .Lget_vtb
+ .Lmb2_no_st:
+         /*
+          * Here we are on EFI platform. vga_text_buffer was zapped earlier
+@@ -673,6 +678,15 @@ trampoline_setup:
+         cmp     %edi, %eax
+         jb      1b
+ 
++        .if !IS_ALIGNED(sym_offs(0), 1 << L2_PAGETABLE_SHIFT)
++        .error "Symbol offset calculation breaks alignment"
++        .endif
++
++        /* Check that the image base is aligned. */
++        lea     sym_esi(_start), %eax
++        test    $(1 << L2_PAGETABLE_SHIFT) - 1, %eax
++        jnz     .Lnot_aligned
++
+         /* Map Xen into the higher mappings using 2M superpages. */
+         lea     _PAGE_PSE + PAGE_HYPERVISOR_RWX + sym_esi(_start), %eax
+         mov     $sym_offs(_start),   %ecx   /* %eax = PTE to write ^      */
+-- 
+2.42.0
+

diff --git a/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch b/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch
deleted file mode 100644
index 72bcae0..0000000
--- a/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a20daa7ffda7ccc0e65abe77532a5dc8059bf128 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 30 Nov 2022 11:55:58 +0000
-Subject: [PATCH 17/89] tools/oxenstored: Implement Domain.rebind_evtchn
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Generally speaking, the event channel local/remote port is fixed for the
-lifetime of the associated domain object.  The exception to this is a
-secondary XS_INTRODUCE (defined to re-bind to a new event channel) which pokes
-around at the domain object's internal state.
-
-We need to refactor the evtchn handling to support live update, so start by
-moving the relevant manipulation into Domain.
-
-No practical change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit aecdc28d9538ca2a1028ef9bc6550cb171dbbed4)
----
- tools/ocaml/xenstored/domain.ml  | 12 ++++++++++++
- tools/ocaml/xenstored/process.ml |  3 +--
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
-index ab08dcf37f..d59a9401e2 100644
---- a/tools/ocaml/xenstored/domain.ml
-+++ b/tools/ocaml/xenstored/domain.ml
-@@ -63,6 +63,18 @@ let string_of_port = function
- let dump d chan =
- 	fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port
- 
-+let rebind_evtchn d remote_port =
-+	begin match d.port with
-+	| None -> ()
-+	| Some p -> Event.unbind d.eventchn p
-+	end;
-+	let local = Event.bind_interdomain d.eventchn d.id remote_port in
-+	debug "domain %d rebind (l %s, r %d) => (l %d, r %d)"
-+	      d.id (string_of_port d.port) d.remote_port
-+	      (Xeneventchn.to_int local) remote_port;
-+	d.remote_port <- remote_port;
-+	d.port <- Some (local)
-+
- let notify dom =
- 	match dom.port with
- 	| None -> warn "domain %d: attempt to notify on unknown port" dom.id
-diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
-index b2973aca2a..1c80e7198d 100644
---- a/tools/ocaml/xenstored/process.ml
-+++ b/tools/ocaml/xenstored/process.ml
-@@ -569,8 +569,7 @@ let do_introduce con t domains cons data =
- 			let edom = Domains.find domains domid in
- 			if (Domain.get_mfn edom) = mfn && (Connections.find_domain cons domid) != con then begin
- 				(* Use XS_INTRODUCE for recreating the xenbus event-channel. *)
--				edom.remote_port <- remote_port;
--				Domain.bind_interdomain edom;
-+				Domain.rebind_evtchn edom remote_port;
- 			end;
- 			edom
- 		else try
--- 
-2.40.0
-

diff --git a/0017-xenalyze-Handle-start-of-day-RUNNING-transitions.patch b/0017-xenalyze-Handle-start-of-day-RUNNING-transitions.patch
new file mode 100644
index 0000000..a4501a3
--- /dev/null
+++ b/0017-xenalyze-Handle-start-of-day-RUNNING-transitions.patch
@@ -0,0 +1,275 @@
+From f04295dd802fb6cd43a02ec59a5964b2c5950fe1 Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@cloud.com>
+Date: Tue, 5 Sep 2023 08:47:14 +0200
+Subject: [PATCH 17/55] xenalyze: Handle start-of-day ->RUNNING transitions
+
+A recent xentrace highlighted an unhandled corner case in the vcpu
+"start-of-day" logic, if the trace starts after the last running ->
+non-running transition, but before the first non-running -> running
+transition.  Because start-of-day wasn't handled, vcpu_next_update()
+was expecting p->current to be NULL, and tripping out with the
+following error message when it wasn't:
+
+vcpu_next_update: FATAL: p->current not NULL! (d32768dv$p, runstate RUNSTATE_INIT)
+
+where 32768 is the DEFAULT_DOMAIN, and $p is the pcpu number.
+
+Instead of calling vcpu_start() piecemeal throughout
+sched_runstate_process(), call it at the top of the function if the
+vcpu in question is still in RUNSTATE_INIT, so that we can handle all
+the cases in one place.
+
+Sketch out at the top of the function all cases which we need to
+handle, and what to do in those cases.  Some transitions tell us where
+v is running; some transitions tell us about what is (or is not)
+running on p; some transitions tell us neither.
+
+If a transition tells us where v is now running, update its state;
+otherwise leave it in INIT, in order to avoid having to deal with TSC
+skew on start-up.
+
+If a transition tells us what is or is not running on p, update
+p->current (either to v or NULL).  Otherwise leave it alone.
+
+If neither, do nothing.
+
+Reifying those rules:
+
+- If we're continuing to run, set v to RUNNING, and use p->first_tsc
+  as the runstate time.
+
+- If we're starting to run, set v to RUNNING, and use ri->tsc as the
+  runstate time.
+
+- If v is being deschedled, leave v in the INIT state to avoid dealing
+  with TSC skew; but set p->current to NULL so that whatever is
+  scheduled next won't trigger the assert in vcpu_next_update().
+
+- If a vcpu is waking up (switching from one non-runnable state to
+  another non-runnable state), leave v in INIT, and p in whatever
+  state it's in (which may be the default domain, or some other vcpu
+  which has already run).
+
+While here, fix the comment above vcpu_start; it's called when the
+vcpu state is INIT, not when current is the default domain.
+
+Signed-off-by: George Dunlap <george.dunlap@cloud.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: aab4b38b5d77e3c65f44bacd56427a85b7392a11
+master date: 2023-06-30 11:25:33 +0100
+---
+ tools/xentrace/xenalyze.c | 159 ++++++++++++++++++++++++--------------
+ 1 file changed, 101 insertions(+), 58 deletions(-)
+
+diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
+index e7ec284eea..9b4b62c82f 100644
+--- a/tools/xentrace/xenalyze.c
++++ b/tools/xentrace/xenalyze.c
+@@ -6885,39 +6885,86 @@ void vcpu_next_update(struct pcpu_info *p, struct vcpu_data *next, tsc_t tsc)
+     p->lost_record.seen_valid_schedule = 1;
+ }
+ 
+-/* If current is the default domain, we're fixing up from something
+- * like start-of-day.  Update what we can. */
+-void vcpu_start(struct pcpu_info *p, struct vcpu_data *v) {
+-    /* If vcpus are created, or first show up, in a "dead zone", this will
+-     * fail. */
+-    if( !p->current || p->current->d->did != DEFAULT_DOMAIN) {
+-        fprintf(stderr, "Strange, p->current not default domain!\n");
+-        error(ERR_FILE, NULL);
+-        return;
+-    }
++/* 
++ * If the vcpu in question is in state INIT, we're fixing up from something
++ * like start-of-day.  Update what we can.
++ */
++void vcpu_start(struct pcpu_info *p, struct vcpu_data *v,
++                int old_runstate, int new_runstate, tsc_t ri_tsc) {
++    tsc_t tsc;
++
++    /*
++     * 
++     * Cases:
++     * running -> running:
++     *  v -> running, using p->first_tsc
++     * {runnable, blocked} -> running:
++     *  v -> running, using ri->tsc
++     * running -> {runnable, blocked}:
++     *  Leave v INIT, but clear p->current in case another vcpu is scheduled
++     * blocked -> runnable:
++     *  Leave INIT, and also leave p->current, since we still don't know who's scheduled here
++     */
++
++    /* 
++     * NB that a vcpu won't come out of INIT until it starts running somewhere.  
++     * If this event is pcpu that has already seen a scheduling event, p->current
++     * should be null; if this is the first scheduling event on this pcpu, 
++     * p->current should be the default domain.
++     */
++    if( old_runstate == RUNSTATE_RUNNING ) {
++        if ( !p->current ||  p->current->d->did != DEFAULT_DOMAIN) {
++            fprintf(stderr, "Strange, p->current not default domain!\n");
++            error(ERR_FILE, NULL);
++            return;
+ 
+-    if(!p->first_tsc) {
+-        fprintf(stderr, "Strange, p%d first_tsc 0!\n", p->pid);
+-        error(ERR_FILE, NULL);
++        }
++        
++        if(!p->first_tsc) {
++            fprintf(stderr, "Strange, p%d first_tsc 0!\n", p->pid);
++            error(ERR_FILE, NULL);
++        }
++
++        if(p->first_tsc <= p->current->runstate.tsc) {
++            fprintf(stderr, "Strange, first_tsc %llx < default_domain runstate tsc %llx!\n",
++                    p->first_tsc,
++                    p->current->runstate.tsc);
++            error(ERR_FILE, NULL);
++        }
++    
++        /* Change default domain to 'queued' */
++        runstate_update(p->current, RUNSTATE_QUEUED, p->first_tsc);
++
++        /* 
++         * Set current to NULL, so that if another vcpu (not in INIT)
++         * is scheduled here, we don't trip over the check in
++         * vcpu_next_update()
++         */
++        p->current = NULL;
+     }
+ 
+-    if(p->first_tsc <= p->current->runstate.tsc) {
+-        fprintf(stderr, "Strange, first_tsc %llx < default_domain runstate tsc %llx!\n",
+-                p->first_tsc,
+-                p->current->runstate.tsc);
+-        error(ERR_FILE, NULL);
++    /* TSC skew at start-of-day is hard to deal with.  Don't
++     * bring a vcpu out of INIT until it's seen to be actually
++     * running somewhere. */
++    if ( new_runstate != RUNSTATE_RUNNING ) {
++        fprintf(warn, "First schedule for d%dv%d doesn't take us into a running state; leaving INIT\n",
++                v->d->did, v->vid);
++
++        return;
+     }
+ 
+-    /* Change default domain to 'queued' */
+-    runstate_update(p->current, RUNSTATE_QUEUED, p->first_tsc);
++    tsc = ri_tsc;
++    if ( old_runstate == RUNSTATE_RUNNING ) {
++        /* FIXME: Copy over data from the default domain this interval */
++        fprintf(warn, "Using first_tsc for d%dv%d (%lld cycles)\n",
++                v->d->did, v->vid, p->last_tsc - p->first_tsc);
+ 
+-    /* FIXME: Copy over data from the default domain this interval */
+-    fprintf(warn, "Using first_tsc for d%dv%d (%lld cycles)\n",
+-            v->d->did, v->vid, p->last_tsc - p->first_tsc);
++        tsc = p->first_tsc;
++    }
+ 
+     /* Simulate the time since the first tsc */
+-    runstate_update(v, RUNSTATE_RUNNING, p->first_tsc);
+-    p->time.tsc = p->first_tsc;
++    runstate_update(v, RUNSTATE_RUNNING, tsc);
++    p->time.tsc = tsc;
+     p->current = v;
+     pcpu_string_draw(p);
+     v->p = p;
+@@ -7021,6 +7068,13 @@ void sched_runstate_process(struct pcpu_info *p)
+     last_oldstate = v->runstate.last_oldstate;
+     v->runstate.last_oldstate.wrong = RUNSTATE_INIT;
+ 
++    /* Handle all "start-of-day" issues in one place.  This can be
++     * done before any of the other tracks or sanity checks. */
++    if ( v->runstate.state == RUNSTATE_INIT ) {
++        vcpu_start(p, v, sevt.old_runstate, sevt.new_runstate, ri->tsc);
++        return;
++    }
++
+     /* Close vmexits when the putative reason for blocking / &c stops.
+      * This way, we don't account cpu contention to some other overhead. */
+     if(sevt.new_runstate == RUNSTATE_RUNNABLE
+@@ -7190,32 +7244,27 @@ update:
+      * or stopping actually running on a physical cpu. */
+     if ( type == CONTINUE )
+     {
+-        if( v->runstate.state == RUNSTATE_INIT ) {
+-            /* Start-of-day; account first tsc -> now to v */
+-            vcpu_start(p, v);
+-        } else {
+-            /* Continue running.  First, do some sanity checks */
+-            if ( v->runstate.state == RUNSTATE_LOST ) {
+-                fprintf(warn, "WARNING: continue with d%dv%d in RUNSTATE_LOST.  Resetting current.\n",
+-                        v->d->did, v->vid);
+-                if ( p->current )
+-                    vcpu_prev_update(p, p->current, ri->tsc, RUNSTATE_LOST);
+-                vcpu_next_update(p, v, ri->tsc);
+-            }
+-            else if( v->runstate.state != RUNSTATE_RUNNING ) {
+-                /* This should never happen. */
+-                fprintf(warn, "FATAL: sevt.old_runstate running, but d%dv%d runstate %s!\n",
+-                        v->d->did, v->vid, runstate_name[v->runstate.state]);
+-                error(ERR_FILE, NULL);
+-            } else if ( v->p != p ) {
+-                fprintf(warn, "FATAL: continue on p%d, but d%dv%d p%d!\n",
+-                        p->pid, v->d->did, v->vid,
+-                        v->p ? v->p->pid : -1);
+-                error(ERR_FILE, NULL);
+-            }
+-
+-            runstate_update(v, RUNSTATE_RUNNING, ri->tsc);
++        /* Continue running.  First, do some sanity checks */
++        if ( v->runstate.state == RUNSTATE_LOST ) {
++            fprintf(warn, "WARNING: continue with d%dv%d in RUNSTATE_LOST.  Resetting current.\n",
++                    v->d->did, v->vid);
++            if ( p->current )
++                vcpu_prev_update(p, p->current, ri->tsc, RUNSTATE_LOST);
++            vcpu_next_update(p, v, ri->tsc);
++        }
++        else if( v->runstate.state != RUNSTATE_RUNNING ) {
++            /* This should never happen. */
++            fprintf(warn, "FATAL: sevt.old_runstate running, but d%dv%d runstate %s!\n",
++                    v->d->did, v->vid, runstate_name[v->runstate.state]);
++            error(ERR_FILE, NULL);
++        } else if ( v->p != p ) {
++            fprintf(warn, "FATAL: continue on p%d, but d%dv%d p%d!\n",
++                    p->pid, v->d->did, v->vid,
++                    v->p ? v->p->pid : -1);
++            error(ERR_FILE, NULL);
+         }
++
++        runstate_update(v, RUNSTATE_RUNNING, ri->tsc);
+     }
+     else if ( sevt.old_runstate == RUNSTATE_RUNNING
+               || v->runstate.state == RUNSTATE_RUNNING )
+@@ -7232,10 +7281,7 @@ update:
+          *   # (should never happen)
+          */
+         if( sevt.old_runstate == RUNSTATE_RUNNING ) {
+-            if( v->runstate.state == RUNSTATE_INIT ) {
+-                /* Start-of-day; account first tsc -> now to v */
+-                vcpu_start(p, v);
+-            } else if( v->runstate.state != RUNSTATE_RUNNING
++            if( v->runstate.state != RUNSTATE_RUNNING
+                        && v->runstate.state != RUNSTATE_LOST ) {
+                 /* This should never happen. */
+                 fprintf(warn, "FATAL: sevt.old_runstate running, but d%dv%d runstate %s!\n",
+@@ -7264,11 +7310,8 @@ update:
+ 
+         vcpu_next_update(p, v, ri->tsc);
+     }
+-    else if ( v->runstate.state != RUNSTATE_INIT )
++    else
+     {
+-        /* TSC skew at start-of-day is hard to deal with.  Don't
+-         * bring a vcpu out of INIT until it's seen to be actually
+-         * running somewhere. */
+         runstate_update(v, sevt.new_runstate, ri->tsc);
+     }
+ 
+-- 
+2.42.0
+

diff --git a/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch b/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch
deleted file mode 100644
index 1392b34..0000000
--- a/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From 4b418768ef4d75d0f70e4ce7cb5710404527bf47 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 30 Nov 2022 11:59:34 +0000
-Subject: [PATCH 18/89] tools/oxenstored: Rework Domain evtchn handling to use
- port_pair
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Inter-domain event channels are always a pair of local and remote ports.
-Right now the handling is asymmetric, caused by the fact that the evtchn is
-bound after the associated Domain object is constructed.
-
-First, move binding of the event channel into the Domain.make() constructor.
-This means the local port no longer needs to be an option.  It also removes
-the final callers of Domain.bind_interdomain.
-
-Next, introduce a new port_pair type to encapsulate the fact that these two
-should be updated together, and replace the previous port and remote_port
-fields.  This refactoring also changes the Domain.get_port interface (removing
-an option) so take the opportunity to name it get_local_port instead.
-
-Also, this fixes a use-after-free risk with Domain.close.  Once the evtchn has
-been unbound, the same local port number can be reused for a different
-purpose, so explicitly invalidate the ports to prevent their accidental misuse
-in the future.
-
-This also cleans up some of the debugging, to always print a port pair.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit df2db174b36eba67c218763ef621c67912202fc6)
----
- tools/ocaml/xenstored/connections.ml |  9 +---
- tools/ocaml/xenstored/domain.ml      | 75 ++++++++++++++--------------
- tools/ocaml/xenstored/domains.ml     |  2 -
- 3 files changed, 39 insertions(+), 47 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/connections.ml b/tools/ocaml/xenstored/connections.ml
-index 7d68c583b4..a80ae0bed2 100644
---- a/tools/ocaml/xenstored/connections.ml
-+++ b/tools/ocaml/xenstored/connections.ml
-@@ -48,9 +48,7 @@ let add_domain cons dom =
- 	let xbcon = Xenbus.Xb.open_mmap ~capacity (Domain.get_interface dom) (fun () -> Domain.notify dom) in
- 	let con = Connection.create xbcon (Some dom) in
- 	Hashtbl.add cons.domains (Domain.get_id dom) con;
--	match Domain.get_port dom with
--	| Some p -> Hashtbl.add cons.ports p con;
--	| None -> ()
-+	Hashtbl.add cons.ports (Domain.get_local_port dom) con
- 
- let select ?(only_if = (fun _ -> true)) cons =
- 	Hashtbl.fold (fun _ con (ins, outs) ->
-@@ -97,10 +95,7 @@ let del_domain cons id =
- 		let con = find_domain cons id in
- 		Hashtbl.remove cons.domains id;
- 		(match Connection.get_domain con with
--		 | Some d ->
--		   (match Domain.get_port d with
--		    | Some p -> Hashtbl.remove cons.ports p
--		    | None -> ())
-+		 | Some d -> Hashtbl.remove cons.ports (Domain.get_local_port d)
- 		 | None -> ());
- 		del_watches cons con;
- 		Connection.close con
-diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
-index d59a9401e2..481e10794d 100644
---- a/tools/ocaml/xenstored/domain.ml
-+++ b/tools/ocaml/xenstored/domain.ml
-@@ -19,14 +19,31 @@ open Printf
- let debug fmt = Logging.debug "domain" fmt
- let warn  fmt = Logging.warn  "domain" fmt
- 
-+(* A bound inter-domain event channel port pair.  The remote port, and the
-+   local port it is bound to. *)
-+type port_pair =
-+{
-+	local: Xeneventchn.t;
-+	remote: int;
-+}
-+
-+(* Sentinal port_pair with both set to EVTCHN_INVALID *)
-+let invalid_ports =
-+{
-+	local = Xeneventchn.of_int 0;
-+	remote = 0
-+}
-+
-+let string_of_port_pair p =
-+	sprintf "(l %d, r %d)" (Xeneventchn.to_int p.local) p.remote
-+
- type t =
- {
- 	id: Xenctrl.domid;
- 	mfn: nativeint;
- 	interface: Xenmmap.mmap_interface;
- 	eventchn: Event.t;
--	mutable remote_port: int;
--	mutable port: Xeneventchn.t option;
-+	mutable ports: port_pair;
- 	mutable bad_client: bool;
- 	mutable io_credit: int; (* the rounds of ring process left to do, default is 0,
- 	                           usually set to 1 when there is work detected, could
-@@ -41,8 +58,8 @@ let is_dom0 d = d.id = 0
- let get_id domain = domain.id
- let get_interface d = d.interface
- let get_mfn d = d.mfn
--let get_remote_port d = d.remote_port
--let get_port d = d.port
-+let get_remote_port d = d.ports.remote
-+let get_local_port d = d.ports.local
- 
- let is_bad_domain domain = domain.bad_client
- let mark_as_bad domain = domain.bad_client <- true
-@@ -56,54 +73,36 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0
- 
- let is_free_to_conflict = is_dom0
- 
--let string_of_port = function
--	| None -> "None"
--	| Some x -> string_of_int (Xeneventchn.to_int x)
--
- let dump d chan =
--	fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port
-+	fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.ports.remote
- 
- let rebind_evtchn d remote_port =
--	begin match d.port with
--	| None -> ()
--	| Some p -> Event.unbind d.eventchn p
--	end;
-+	Event.unbind d.eventchn d.ports.local;
- 	let local = Event.bind_interdomain d.eventchn d.id remote_port in
--	debug "domain %d rebind (l %s, r %d) => (l %d, r %d)"
--	      d.id (string_of_port d.port) d.remote_port
--	      (Xeneventchn.to_int local) remote_port;
--	d.remote_port <- remote_port;
--	d.port <- Some (local)
-+	let new_ports = { local; remote = remote_port } in
-+	debug "domain %d rebind %s => %s"
-+	      d.id (string_of_port_pair d.ports) (string_of_port_pair new_ports);
-+	d.ports <- new_ports
- 
- let notify dom =
--	match dom.port with
--	| None -> warn "domain %d: attempt to notify on unknown port" dom.id
--	| Some port -> Event.notify dom.eventchn port
--
--let bind_interdomain dom =
--	begin match dom.port with
--	| None -> ()
--	| Some port -> Event.unbind dom.eventchn port
--	end;
--	dom.port <- Some (Event.bind_interdomain dom.eventchn dom.id dom.remote_port);
--	debug "bound domain %d remote port %d to local port %s" dom.id dom.remote_port (string_of_port dom.port)
--
-+	Event.notify dom.eventchn dom.ports.local
- 
- let close dom =
--	debug "domain %d unbound port %s" dom.id (string_of_port dom.port);
--	begin match dom.port with
--	| None -> ()
--	| Some port -> Event.unbind dom.eventchn port
--	end;
-+	debug "domain %d unbind %s" dom.id (string_of_port_pair dom.ports);
-+	Event.unbind dom.eventchn dom.ports.local;
-+	dom.ports <- invalid_ports;
- 	Xenmmap.unmap dom.interface
- 
--let make id mfn remote_port interface eventchn = {
-+let make id mfn remote_port interface eventchn =
-+	let local = Event.bind_interdomain eventchn id remote_port in
-+	let ports = { local; remote = remote_port } in
-+	debug "domain %d bind %s" id (string_of_port_pair ports);
-+{
- 	id = id;
- 	mfn = mfn;
--	remote_port = remote_port;
-+	ports;
- 	interface = interface;
- 	eventchn = eventchn;
--	port = None;
- 	bad_client = false;
- 	io_credit = 0;
- 	conflict_credit = !Define.conflict_burst_limit;
-diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml
-index 26018ac0dd..2ab0c5f4d8 100644
---- a/tools/ocaml/xenstored/domains.ml
-+++ b/tools/ocaml/xenstored/domains.ml
-@@ -126,7 +126,6 @@ let create doms domid mfn remote_port =
- 	let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in
- 	let dom = Domain.make domid mfn remote_port interface doms.eventchn in
- 	Hashtbl.add doms.table domid dom;
--	Domain.bind_interdomain dom;
- 	dom
- 
- let xenstored_kva = ref ""
-@@ -144,7 +143,6 @@ let create0 doms =
- 
- 	let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in
- 	Hashtbl.add doms.table 0 dom;
--	Domain.bind_interdomain dom;
- 	Domain.notify dom;
- 	dom
- 
--- 
-2.40.0
-

diff --git a/0018-x86-ioapic-sanitize-IO-APIC-pins-before-enabling-lap.patch b/0018-x86-ioapic-sanitize-IO-APIC-pins-before-enabling-lap.patch
new file mode 100644
index 0000000..a03f86e
--- /dev/null
+++ b/0018-x86-ioapic-sanitize-IO-APIC-pins-before-enabling-lap.patch
@@ -0,0 +1,113 @@
+From d0cdd34dd815bf99c3f8a7bddfdde5ae59b0f0db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:47:34 +0200
+Subject: [PATCH 18/55] x86/ioapic: sanitize IO-APIC pins before enabling lapic
+ LVTERR/ESR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current logic to init the local APIC and the IO-APIC does init the
+local APIC LVTERR/ESR before doing any sanitization on the IO-APIC pin
+configuration.  It's already noted on enable_IO_APIC() that Xen
+shouldn't trust the IO-APIC being empty at bootup.
+
+At XenServer we have a system where the IO-APIC 0 is handed to Xen
+with pin 0 unmasked, set to Fixed delivery mode, edge triggered and
+with a vector of 0 (all fields of the RTE are zeroed).  Once the local
+APIC LVTERR/ESR is enabled periodic injections from such pin cause the
+local APIC to in turn inject periodic error vectors:
+
+APIC error on CPU0: 00(40), Received illegal vector
+APIC error on CPU0: 40(40), Received illegal vector
+APIC error on CPU0: 40(40), Received illegal vector
+APIC error on CPU0: 40(40), Received illegal vector
+APIC error on CPU0: 40(40), Received illegal vector
+APIC error on CPU0: 40(40), Received illegal vector
+
+That prevents Xen from booting.
+
+Move the masking of the IO-APIC pins ahead of the setup of the local
+APIC.  This has the side effect of also moving the detection of the
+pin where the i8259 is connected, as such detection must be done
+before masking any pins.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 813da5f0e73b8cbd2ac3c7922506e58c28cd736d
+master date: 2023-07-17 10:31:10 +0200
+---
+ xen/arch/x86/apic.c            | 4 ++++
+ xen/arch/x86/include/asm/irq.h | 1 +
+ xen/arch/x86/io_apic.c         | 4 +---
+ xen/arch/x86/smpboot.c         | 5 +++++
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/apic.c b/xen/arch/x86/apic.c
+index 47e6e5fe41..33103d3e91 100644
+--- a/xen/arch/x86/apic.c
++++ b/xen/arch/x86/apic.c
+@@ -1491,6 +1491,10 @@ int __init APIC_init_uniprocessor (void)
+     physids_clear(phys_cpu_present_map);
+     physid_set(boot_cpu_physical_apicid, phys_cpu_present_map);
+ 
++    if ( !skip_ioapic_setup && nr_ioapics )
++        /* Sanitize the IO-APIC pins before enabling the lapic LVTERR/ESR. */
++        enable_IO_APIC();
++
+     setup_local_APIC(true);
+ 
+     if (nmi_watchdog == NMI_LOCAL_APIC)
+diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h
+index 76e6ed6d60..f6a0207a80 100644
+--- a/xen/arch/x86/include/asm/irq.h
++++ b/xen/arch/x86/include/asm/irq.h
+@@ -122,6 +122,7 @@ bool bogus_8259A_irq(unsigned int irq);
+ int i8259A_suspend(void);
+ int i8259A_resume(void);
+ 
++void enable_IO_APIC(void);
+ void setup_IO_APIC(void);
+ void disable_IO_APIC(void);
+ void setup_ioapic_dest(void);
+diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
+index 9b8a972cf5..25a08b1ea6 100644
+--- a/xen/arch/x86/io_apic.c
++++ b/xen/arch/x86/io_apic.c
+@@ -1273,7 +1273,7 @@ static void cf_check _print_IO_APIC_keyhandler(unsigned char key)
+     __print_IO_APIC(0);
+ }
+ 
+-static void __init enable_IO_APIC(void)
++void __init enable_IO_APIC(void)
+ {
+     int i8259_apic, i8259_pin;
+     int i, apic;
+@@ -2067,8 +2067,6 @@ static void __init ioapic_pm_state_alloc(void)
+ 
+ void __init setup_IO_APIC(void)
+ {
+-    enable_IO_APIC();
+-
+     if (acpi_ioapic)
+         io_apic_irqs = ~0;	/* all IRQs go through IOAPIC */
+     else
+diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
+index b46fd9ab18..41ec3211ac 100644
+--- a/xen/arch/x86/smpboot.c
++++ b/xen/arch/x86/smpboot.c
+@@ -1232,6 +1232,11 @@ void __init smp_prepare_cpus(void)
+     verify_local_APIC();
+ 
+     connect_bsp_APIC();
++
++    if ( !skip_ioapic_setup && nr_ioapics )
++        /* Sanitize the IO-APIC pins before enabling the lapic LVTERR/ESR. */
++        enable_IO_APIC();
++
+     setup_local_APIC(true);
+ 
+     if ( !skip_ioapic_setup && nr_ioapics )
+-- 
+2.42.0
+

diff --git a/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch b/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch
deleted file mode 100644
index f6ae3fe..0000000
--- a/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch
+++ /dev/null
@@ -1,367 +0,0 @@
-From f02171b663393e10d35123e5572c0f5b3e72c29d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Thu, 3 Nov 2022 15:31:39 +0000
-Subject: [PATCH 19/89] tools/oxenstored: Keep /dev/xen/evtchn open across live
- update
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Closing the evtchn handle will unbind and free all local ports.  The new
-xenstored would need to rebind all evtchns, which is work that we don't want
-or need to be doing during the critical handover period.
-
-However, it turns out that the Windows PV drivers also rebind their local port
-too across suspend/resume, leaving (o)xenstored with a stale idea of the
-remote port to use.  In this case, reusing the established connection is the
-only robust option.
-
-Therefore:
- * Have oxenstored open /dev/xen/evtchn without CLOEXEC at start of day.
- * Extend the handover information with the evtchn fd, domexc virq local port,
-   and the local port number for each domain connection.
- * Have (the new) oxenstored recover the open handle using Xeneventchn.fdopen,
-   and use the provided local ports rather than trying to rebind them.
-
-When this new information isn't present (i.e. live updating from an oxenstored
-prior to this change), the best-effort status quo will have to do.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 9b224c25293a53fcbe32da68052d861dda71a6f4)
----
- tools/ocaml/xenstored/domain.ml    | 13 +++--
- tools/ocaml/xenstored/domains.ml   |  9 ++--
- tools/ocaml/xenstored/event.ml     | 20 +++++--
- tools/ocaml/xenstored/process.ml   |  2 +-
- tools/ocaml/xenstored/xenstored.ml | 85 ++++++++++++++++++++----------
- 5 files changed, 90 insertions(+), 39 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
-index 481e10794d..5c15752a37 100644
---- a/tools/ocaml/xenstored/domain.ml
-+++ b/tools/ocaml/xenstored/domain.ml
-@@ -74,7 +74,8 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0
- let is_free_to_conflict = is_dom0
- 
- let dump d chan =
--	fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.ports.remote
-+	fprintf chan "dom,%d,%nd,%d,%d\n"
-+		d.id d.mfn d.ports.remote (Xeneventchn.to_int d.ports.local)
- 
- let rebind_evtchn d remote_port =
- 	Event.unbind d.eventchn d.ports.local;
-@@ -93,8 +94,14 @@ let close dom =
- 	dom.ports <- invalid_ports;
- 	Xenmmap.unmap dom.interface
- 
--let make id mfn remote_port interface eventchn =
--	let local = Event.bind_interdomain eventchn id remote_port in
-+(* On clean start, local_port will be None, and we must bind the remote port
-+   given.  On Live Update, the event channel is already bound, and both the
-+   local and remote port numbers come from the transfer record. *)
-+let make ?local_port ~remote_port id mfn interface eventchn =
-+	let local = match local_port with
-+		| None -> Event.bind_interdomain eventchn id remote_port
-+		| Some p -> Xeneventchn.of_int p
-+	in
- 	let ports = { local; remote = remote_port } in
- 	debug "domain %d bind %s" id (string_of_port_pair ports);
- {
-diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml
-index 2ab0c5f4d8..b6c075c838 100644
---- a/tools/ocaml/xenstored/domains.ml
-+++ b/tools/ocaml/xenstored/domains.ml
-@@ -56,6 +56,7 @@ let exist doms id = Hashtbl.mem doms.table id
- let find doms id = Hashtbl.find doms.table id
- let number doms = Hashtbl.length doms.table
- let iter doms fct = Hashtbl.iter (fun _ b -> fct b) doms.table
-+let eventchn doms = doms.eventchn
- 
- let rec is_empty_queue q =
- 	Queue.is_empty q ||
-@@ -122,16 +123,16 @@ let cleanup doms =
- let resume _doms _domid =
- 	()
- 
--let create doms domid mfn remote_port =
-+let create doms ?local_port ~remote_port domid mfn =
- 	let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in
--	let dom = Domain.make domid mfn remote_port interface doms.eventchn in
-+	let dom = Domain.make ?local_port ~remote_port domid mfn interface doms.eventchn in
- 	Hashtbl.add doms.table domid dom;
- 	dom
- 
- let xenstored_kva = ref ""
- let xenstored_port = ref ""
- 
--let create0 doms =
-+let create0 ?local_port doms =
- 	let remote_port = Utils.read_file_single_integer !xenstored_port in
- 
- 	let interface =
-@@ -141,7 +142,7 @@ let create0 doms =
- 		interface
- 	in
- 
--	let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in
-+	let dom = Domain.make ?local_port ~remote_port 0 Nativeint.zero interface doms.eventchn in
- 	Hashtbl.add doms.table 0 dom;
- 	Domain.notify dom;
- 	dom
-diff --git a/tools/ocaml/xenstored/event.ml b/tools/ocaml/xenstored/event.ml
-index a3be296374..629dc6041b 100644
---- a/tools/ocaml/xenstored/event.ml
-+++ b/tools/ocaml/xenstored/event.ml
-@@ -20,9 +20,18 @@ type t = {
- 	domexc: Xeneventchn.t;
- }
- 
--let init () =
--	let handle = Xeneventchn.init () in
--	let domexc = Xeneventchn.bind_dom_exc_virq handle in
-+(* On clean start, both parameters will be None, and we must open the evtchn
-+   handle and bind the DOM_EXC VIRQ.  On Live Update, the fd is preserved
-+   across exec(), and the DOM_EXC VIRQ still bound. *)
-+let init ?fd ?domexc_port () =
-+	let handle = match fd with
-+		| None -> Xeneventchn.init ~cloexec:false ()
-+		| Some fd -> fd |> Utils.FD.of_int |> Xeneventchn.fdopen
-+	in
-+	let domexc = match domexc_port with
-+		| None -> Xeneventchn.bind_dom_exc_virq handle
-+		| Some p -> Xeneventchn.of_int p
-+	in
- 	{ handle; domexc }
- 
- let fd eventchn = Xeneventchn.fd eventchn.handle
-@@ -31,3 +40,8 @@ let unbind eventchn port = Xeneventchn.unbind eventchn.handle port
- let notify eventchn port = Xeneventchn.notify eventchn.handle port
- let pending eventchn = Xeneventchn.pending eventchn.handle
- let unmask eventchn port = Xeneventchn.unmask eventchn.handle port
-+
-+let dump e chan =
-+	Printf.fprintf chan "evtchn-dev,%d,%d\n"
-+		       (Utils.FD.to_int @@ Xeneventchn.fd e.handle)
-+		       (Xeneventchn.to_int e.domexc)
-diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
-index 1c80e7198d..02bd0f7d80 100644
---- a/tools/ocaml/xenstored/process.ml
-+++ b/tools/ocaml/xenstored/process.ml
-@@ -573,7 +573,7 @@ let do_introduce con t domains cons data =
- 			end;
- 			edom
- 		else try
--			let ndom = Domains.create domains domid mfn remote_port in
-+			let ndom = Domains.create ~remote_port domains domid mfn in
- 			Connections.add_domain cons ndom;
- 			Connections.fire_spec_watches (Transaction.get_root t) cons Store.Path.introduce_domain;
- 			ndom
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index 1f11f576b5..f526f4fb23 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -144,7 +144,7 @@ exception Bad_format of string
- 
- let dump_format_header = "$xenstored-dump-format"
- 
--let from_channel_f chan global_f socket_f domain_f watch_f store_f =
-+let from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f =
- 	let unhexify s = Utils.unhexify s in
- 	let getpath s =
- 		let u = Utils.unhexify s in
-@@ -165,12 +165,19 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f =
- 					(* there might be more parameters here,
- 					   e.g. a RO socket from a previous version: ignore it *)
- 					global_f ~rw
-+				| "evtchn-dev" :: fd :: domexc_port :: [] ->
-+					evtchn_f ~fd:(int_of_string fd)
-+						 ~domexc_port:(int_of_string domexc_port)
- 				| "socket" :: fd :: [] ->
- 					socket_f ~fd:(int_of_string fd)
--				| "dom" :: domid :: mfn :: remote_port :: []->
--					domain_f (int_of_string domid)
--					         (Nativeint.of_string mfn)
--					         (int_of_string remote_port)
-+				| "dom" :: domid :: mfn :: remote_port :: rest ->
-+					let local_port = match rest with
-+						  | [] -> None (* backward compat: old version didn't have it *)
-+						  | local_port :: _ -> Some (int_of_string local_port) in
-+					domain_f ?local_port
-+						 ~remote_port:(int_of_string remote_port)
-+						 (int_of_string domid)
-+						 (Nativeint.of_string mfn)
- 				| "watch" :: domid :: path :: token :: [] ->
- 					watch_f (int_of_string domid)
- 					        (unhexify path) (unhexify token)
-@@ -189,10 +196,21 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f =
- 	done;
- 	info "Completed loading xenstore dump"
- 
--let from_channel store cons doms chan =
-+let from_channel store cons domains_init chan =
- 	(* don't let the permission get on our way, full perm ! *)
- 	let op = Store.get_ops store Perms.Connection.full_rights in
- 	let rwro = ref (None) in
-+	let doms = ref (None) in
-+
-+	let require_doms () =
-+		match !doms with
-+		| None ->
-+			warn "No event channel file descriptor available in dump!";
-+		        let domains = domains_init @@ Event.init () in
-+		        doms := Some domains;
-+		        domains
-+		| Some d -> d
-+	in
- 	let global_f ~rw =
- 		let get_listen_sock sockfd =
- 			let fd = sockfd |> int_of_string |> Utils.FD.of_int in
-@@ -201,6 +219,10 @@ let from_channel store cons doms chan =
- 		in
- 		rwro := get_listen_sock rw
- 	in
-+	let evtchn_f ~fd ~domexc_port =
-+		let evtchn = Event.init ~fd ~domexc_port () in
-+		doms := Some(domains_init evtchn)
-+	in
- 	let socket_f ~fd =
- 		let ufd = Utils.FD.of_int fd in
- 		let is_valid = try (Unix.fstat ufd).Unix.st_kind = Unix.S_SOCK with _ -> false in
-@@ -209,12 +231,13 @@ let from_channel store cons doms chan =
- 		else
- 			warn "Ignoring invalid socket FD %d" fd
- 	in
--	let domain_f domid mfn remote_port =
-+	let domain_f ?local_port ~remote_port domid mfn =
-+		let doms = require_doms () in
- 		let ndom =
- 			if domid > 0 then
--				Domains.create doms domid mfn remote_port
-+				Domains.create ?local_port ~remote_port doms domid mfn
- 			else
--				Domains.create0 doms
-+				Domains.create0 ?local_port doms
- 			in
- 		Connections.add_domain cons ndom;
- 		in
-@@ -229,8 +252,8 @@ let from_channel store cons doms chan =
- 		op.Store.write path value;
- 		op.Store.setperms path perms
- 		in
--	from_channel_f chan global_f socket_f domain_f watch_f store_f;
--	!rwro
-+	from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f;
-+	!rwro, require_doms ()
- 
- let from_file store cons doms file =
- 	info "Loading xenstore dump from %s" file;
-@@ -238,7 +261,7 @@ let from_file store cons doms file =
- 	finally (fun () -> from_channel store doms cons channel)
- 	        (fun () -> close_in channel)
- 
--let to_channel store cons rw chan =
-+let to_channel store cons (rw, evtchn) chan =
- 	let hexify s = Utils.hexify s in
- 
- 	fprintf chan "%s\n" dump_format_header;
-@@ -248,6 +271,9 @@ let to_channel store cons rw chan =
- 		Utils.FD.to_int fd in
- 	fprintf chan "global,%d\n" (fdopt rw);
- 
-+	(* dump evtchn device info *)
-+	Event.dump evtchn chan;
-+
- 	(* dump connections related to domains: domid, mfn, eventchn port/ sockets, and watches *)
- 	Connections.iter cons (fun con -> Connection.dump con chan);
- 
-@@ -367,7 +393,6 @@ let _ =
- 	| None         -> () end;
- 
- 	let store = Store.create () in
--	let eventchn = Event.init () in
- 	let next_frequent_ops = ref 0. in
- 	let advance_next_frequent_ops () =
- 		next_frequent_ops := (Unix.gettimeofday () +. !Define.conflict_max_history_seconds)
-@@ -375,16 +400,8 @@ let _ =
- 	let delay_next_frequent_ops_by duration =
- 		next_frequent_ops := !next_frequent_ops +. duration
- 	in
--	let domains = Domains.init eventchn advance_next_frequent_ops in
-+	let domains_init eventchn = Domains.init eventchn advance_next_frequent_ops in
- 
--	(* For things that need to be done periodically but more often
--	 * than the periodic_ops function *)
--	let frequent_ops () =
--		if Unix.gettimeofday () > !next_frequent_ops then (
--			History.trim ();
--			Domains.incr_conflict_credit domains;
--			advance_next_frequent_ops ()
--		) in
- 	let cons = Connections.create () in
- 
- 	let quit = ref false in
-@@ -393,14 +410,15 @@ let _ =
- 	List.iter (fun path ->
- 		Store.write store Perms.Connection.full_rights path "") Store.Path.specials;
- 
--	let rw_sock =
-+	let rw_sock, domains =
- 	if cf.restart && Sys.file_exists Disk.xs_daemon_database then (
--		let rwro = DB.from_file store domains cons Disk.xs_daemon_database in
-+		let rw, domains = DB.from_file store domains_init cons Disk.xs_daemon_database in
- 		info "Live reload: database loaded";
- 		Process.LiveUpdate.completed ();
--		rwro
-+		rw, domains
- 	) else (
- 		info "No live reload: regular startup";
-+		let domains = domains_init @@ Event.init () in
- 		if !Disk.enable then (
- 			info "reading store from disk";
- 			Disk.read store
-@@ -413,9 +431,18 @@ let _ =
- 		if cf.domain_init then (
- 			Connections.add_domain cons (Domains.create0 domains);
- 		);
--		rw_sock
-+		rw_sock, domains
- 	) in
- 
-+	(* For things that need to be done periodically but more often
-+	 * than the periodic_ops function *)
-+	let frequent_ops () =
-+		if Unix.gettimeofday () > !next_frequent_ops then (
-+			History.trim ();
-+			Domains.incr_conflict_credit domains;
-+			advance_next_frequent_ops ()
-+		) in
-+
- 	(* required for xenstore-control to detect availability of live-update *)
- 	let tool_path = Store.Path.of_string "/tool" in
- 	if not (Store.path_exists store tool_path) then
-@@ -430,8 +457,10 @@ let _ =
- 	Sys.set_signal Sys.sigusr1 (Sys.Signal_handle (fun _ -> sigusr1_handler store));
- 	Sys.set_signal Sys.sigpipe Sys.Signal_ignore;
- 
-+	let eventchn = Domains.eventchn domains in
-+
- 	if cf.activate_access_log then begin
--		let post_rotate () = DB.to_file store cons (None) Disk.xs_daemon_database in
-+		let post_rotate () = DB.to_file store cons (None, eventchn) Disk.xs_daemon_database in
- 		Logging.init_access_log post_rotate
- 	end;
- 
-@@ -593,7 +622,7 @@ let _ =
- 			live_update := Process.LiveUpdate.should_run cons;
- 			if !live_update || !quit then begin
- 				(* don't initiate live update if saving state fails *)
--				DB.to_file store cons (rw_sock) Disk.xs_daemon_database;
-+				DB.to_file store cons (rw_sock, eventchn) Disk.xs_daemon_database;
- 				quit := true;
- 			end
- 		with exc ->
--- 
-2.40.0
-

diff --git a/0019-x86-ioapic-add-a-raw-field-to-RTE-struct.patch b/0019-x86-ioapic-add-a-raw-field-to-RTE-struct.patch
new file mode 100644
index 0000000..10e5946
--- /dev/null
+++ b/0019-x86-ioapic-add-a-raw-field-to-RTE-struct.patch
@@ -0,0 +1,147 @@
+From a885649098e06432939907eee84f735a644883e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:48:43 +0200
+Subject: [PATCH 19/55] x86/ioapic: add a raw field to RTE struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Further changes will require access to the full RTE as a single value
+in order to pass it to IOMMU interrupt remapping handlers.
+
+No functional change intended.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+master commit: cdc48cb5a74b10c2b07a09d2f554756d730bfee3
+master date: 2023-07-28 09:39:44 +0200
+---
+ xen/arch/x86/include/asm/io_apic.h       | 57 +++++++++++++-----------
+ xen/arch/x86/io_apic.c                   |  2 +-
+ xen/drivers/passthrough/amd/iommu_intr.c |  4 +-
+ xen/drivers/passthrough/vtd/intremap.c   |  4 +-
+ 4 files changed, 35 insertions(+), 32 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/io_apic.h b/xen/arch/x86/include/asm/io_apic.h
+index ef0878b09e..a558bb063c 100644
+--- a/xen/arch/x86/include/asm/io_apic.h
++++ b/xen/arch/x86/include/asm/io_apic.h
+@@ -89,35 +89,38 @@ enum ioapic_irq_destination_types {
+ };
+ 
+ struct IO_APIC_route_entry {
+-    unsigned int vector:8;
+-    unsigned int delivery_mode:3; /*
+-                                   * 000: FIXED
+-                                   * 001: lowest prio
+-                                   * 111: ExtINT
+-                                   */
+-    unsigned int dest_mode:1;     /* 0: physical, 1: logical */
+-    unsigned int delivery_status:1;
+-    unsigned int polarity:1;      /* 0: low, 1: high */
+-    unsigned int irr:1;
+-    unsigned int trigger:1;       /* 0: edge, 1: level */
+-    unsigned int mask:1;          /* 0: enabled, 1: disabled */
+-    unsigned int __reserved_2:15;
+-
+     union {
+         struct {
+-            unsigned int __reserved_1:24;
+-            unsigned int physical_dest:4;
+-            unsigned int __reserved_2:4;
+-        } physical;
+-
+-        struct {
+-            unsigned int __reserved_1:24;
+-            unsigned int logical_dest:8;
+-        } logical;
+-
+-        /* used when Interrupt Remapping with EIM is enabled */
+-        unsigned int dest32;
+-    } dest;
++            unsigned int vector:8;
++            unsigned int delivery_mode:3; /*
++                                           * 000: FIXED
++                                           * 001: lowest prio
++                                           * 111: ExtINT
++                                           */
++            unsigned int dest_mode:1;     /* 0: physical, 1: logical */
++            unsigned int delivery_status:1;
++            unsigned int polarity:1;      /* 0: low, 1: high */
++            unsigned int irr:1;
++            unsigned int trigger:1;       /* 0: edge, 1: level */
++            unsigned int mask:1;          /* 0: enabled, 1: disabled */
++            unsigned int __reserved_2:15;
++
++            union {
++                struct {
++                    unsigned int __reserved_1:24;
++                    unsigned int physical_dest:4;
++                    unsigned int __reserved_2:4;
++                } physical;
++
++                struct {
++                    unsigned int __reserved_1:24;
++                    unsigned int logical_dest:8;
++                } logical;
++                unsigned int dest32;
++            } dest;
++        };
++        uint64_t raw;
++    };
+ };
+ 
+ /*
+diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
+index 25a08b1ea6..aada2ef96c 100644
+--- a/xen/arch/x86/io_apic.c
++++ b/xen/arch/x86/io_apic.c
+@@ -2360,7 +2360,7 @@ int ioapic_guest_read(unsigned long physbase, unsigned int reg, u32 *pval)
+ int ioapic_guest_write(unsigned long physbase, unsigned int reg, u32 val)
+ {
+     int apic, pin, irq, ret, pirq;
+-    struct IO_APIC_route_entry rte = { 0 };
++    struct IO_APIC_route_entry rte = { };
+     unsigned long flags;
+     struct irq_desc *desc;
+ 
+diff --git a/xen/drivers/passthrough/amd/iommu_intr.c b/xen/drivers/passthrough/amd/iommu_intr.c
+index f4de09f431..9e6be3be35 100644
+--- a/xen/drivers/passthrough/amd/iommu_intr.c
++++ b/xen/drivers/passthrough/amd/iommu_intr.c
+@@ -352,8 +352,8 @@ static int update_intremap_entry_from_ioapic(
+ void cf_check amd_iommu_ioapic_update_ire(
+     unsigned int apic, unsigned int reg, unsigned int value)
+ {
+-    struct IO_APIC_route_entry old_rte = { 0 };
+-    struct IO_APIC_route_entry new_rte = { 0 };
++    struct IO_APIC_route_entry old_rte = { };
++    struct IO_APIC_route_entry new_rte = { };
+     unsigned int rte_lo = (reg & 1) ? reg - 1 : reg;
+     unsigned int pin = (reg - 0x10) / 2;
+     int seg, bdf, rc;
+diff --git a/xen/drivers/passthrough/vtd/intremap.c b/xen/drivers/passthrough/vtd/intremap.c
+index 1512e4866b..019c21c556 100644
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -419,7 +419,7 @@ unsigned int cf_check io_apic_read_remap_rte(
+ {
+     unsigned int ioapic_pin = (reg - 0x10) / 2;
+     int index;
+-    struct IO_xAPIC_route_entry old_rte = { 0 };
++    struct IO_xAPIC_route_entry old_rte = { };
+     int rte_upper = (reg & 1) ? 1 : 0;
+     struct vtd_iommu *iommu = ioapic_to_iommu(IO_APIC_ID(apic));
+ 
+@@ -442,7 +442,7 @@ void cf_check io_apic_write_remap_rte(
+     unsigned int apic, unsigned int reg, unsigned int value)
+ {
+     unsigned int ioapic_pin = (reg - 0x10) / 2;
+-    struct IO_xAPIC_route_entry old_rte = { 0 };
++    struct IO_xAPIC_route_entry old_rte = { };
+     struct IO_APIC_route_remap_entry *remap_rte;
+     unsigned int rte_upper = (reg & 1) ? 1 : 0;
+     struct vtd_iommu *iommu = ioapic_to_iommu(IO_APIC_ID(apic));
+-- 
+2.42.0
+

diff --git a/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch b/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch
deleted file mode 100644
index 533e3e7..0000000
--- a/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 991b512f5f69dde3c923804f887be9df56b03a74 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 8 Nov 2022 08:57:47 +0000
-Subject: [PATCH 20/89] tools/oxenstored: Log live update issues at warning
- level
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-During live update, oxenstored tries a best effort approach to recover as many
-domains and information as possible even if it encounters errors restoring
-some domains.
-
-However, logging about misunderstood input is more severe than simply info.
-Log it at warning instead.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 3f02e0a70fe9f8143454b742563433958d4a87f8)
----
- tools/ocaml/xenstored/xenstored.ml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index f526f4fb23..35b8cbd43f 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -186,9 +186,9 @@ let from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f =
- 					        (Perms.Node.of_string (unhexify perms ^ "\000"))
- 					        (unhexify value)
- 				| _ ->
--					info "restoring: ignoring unknown line: %s" line
-+					warn "restoring: ignoring unknown line: %s" line
- 			with exn ->
--				info "restoring: ignoring unknown line: %s (exception: %s)"
-+				warn "restoring: ignoring unknown line: %s (exception: %s)"
- 				     line (Printexc.to_string exn);
- 				()
- 		with End_of_file ->
--- 
-2.40.0
-

diff --git a/0020-x86-ioapic-RTE-modifications-must-use-ioapic_write_e.patch b/0020-x86-ioapic-RTE-modifications-must-use-ioapic_write_e.patch
new file mode 100644
index 0000000..43faeeb
--- /dev/null
+++ b/0020-x86-ioapic-RTE-modifications-must-use-ioapic_write_e.patch
@@ -0,0 +1,180 @@
+From 1bd4523d696d26976f64a919df8c7a1b3ea32f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:49:37 +0200
+Subject: [PATCH 20/55] x86/ioapic: RTE modifications must use
+ ioapic_write_entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not allow to write to RTE registers using io_apic_write and instead
+require changes to RTE to be performed using ioapic_write_entry.
+
+This is in preparation for passing the full contents of the RTE to the
+IOMMU interrupt remapping handlers, so remapping entries for IO-APIC
+RTEs can be updated atomically when possible.
+
+While immediately this commit might expand the number of MMIO accesses
+in order to update an IO-APIC RTE, further changes will benefit from
+getting the full RTE value passed to the IOMMU handlers, as the logic
+is greatly simplified when the IOMMU handlers can get the complete RTE
+value in one go.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: ef7995ed1bcd7eac37fb3c3fe56eaa54ea9baf6c
+master date: 2023-07-28 09:40:20 +0200
+---
+ xen/arch/x86/include/asm/io_apic.h       |  8 ++---
+ xen/arch/x86/io_apic.c                   | 43 ++++++++++++------------
+ xen/drivers/passthrough/amd/iommu_intr.c |  6 ----
+ 3 files changed, 25 insertions(+), 32 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/io_apic.h b/xen/arch/x86/include/asm/io_apic.h
+index a558bb063c..6b514b4e3d 100644
+--- a/xen/arch/x86/include/asm/io_apic.h
++++ b/xen/arch/x86/include/asm/io_apic.h
+@@ -161,8 +161,8 @@ static inline void __io_apic_write(unsigned int apic, unsigned int reg, unsigned
+ 
+ static inline void io_apic_write(unsigned int apic, unsigned int reg, unsigned int value)
+ {
+-    if ( ioapic_reg_remapped(reg) )
+-        return iommu_update_ire_from_apic(apic, reg, value);
++    /* RTE writes must use ioapic_write_entry. */
++    BUG_ON(reg >= 0x10);
+     __io_apic_write(apic, reg, value);
+ }
+ 
+@@ -172,8 +172,8 @@ static inline void io_apic_write(unsigned int apic, unsigned int reg, unsigned i
+  */
+ static inline void io_apic_modify(unsigned int apic, unsigned int reg, unsigned int value)
+ {
+-    if ( ioapic_reg_remapped(reg) )
+-        return iommu_update_ire_from_apic(apic, reg, value);
++    /* RTE writes must use ioapic_write_entry. */
++    BUG_ON(reg >= 0x10);
+     *(IO_APIC_BASE(apic) + 4) = value;
+ }
+ 
+diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
+index aada2ef96c..041233b9b7 100644
+--- a/xen/arch/x86/io_apic.c
++++ b/xen/arch/x86/io_apic.c
+@@ -237,15 +237,15 @@ struct IO_APIC_route_entry __ioapic_read_entry(
+ {
+     union entry_union eu;
+ 
+-    if ( raw )
++    if ( raw || !iommu_intremap )
+     {
+         eu.w1 = __io_apic_read(apic, 0x10 + 2 * pin);
+         eu.w2 = __io_apic_read(apic, 0x11 + 2 * pin);
+     }
+     else
+     {
+-        eu.w1 = io_apic_read(apic, 0x10 + 2 * pin);
+-        eu.w2 = io_apic_read(apic, 0x11 + 2 * pin);
++        eu.w1 = iommu_read_apic_from_ire(apic, 0x10 + 2 * pin);
++        eu.w2 = iommu_read_apic_from_ire(apic, 0x11 + 2 * pin);
+     }
+ 
+     return eu.entry;
+@@ -269,15 +269,15 @@ void __ioapic_write_entry(
+ {
+     union entry_union eu = { .entry = e };
+ 
+-    if ( raw )
++    if ( raw || !iommu_intremap )
+     {
+         __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
+         __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
+     }
+     else
+     {
+-        io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
+-        io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
++        iommu_update_ire_from_apic(apic, 0x11 + 2 * pin, eu.w2);
++        iommu_update_ire_from_apic(apic, 0x10 + 2 * pin, eu.w1);
+     }
+ }
+ 
+@@ -433,16 +433,17 @@ static void modify_IO_APIC_irq(unsigned int irq, unsigned int enable,
+                                unsigned int disable)
+ {
+     struct irq_pin_list *entry = irq_2_pin + irq;
+-    unsigned int pin, reg;
+ 
+     for (;;) {
+-        pin = entry->pin;
++        unsigned int pin = entry->pin;
++        struct IO_APIC_route_entry rte;
++
+         if (pin == -1)
+             break;
+-        reg = io_apic_read(entry->apic, 0x10 + pin*2);
+-        reg &= ~disable;
+-        reg |= enable;
+-        io_apic_modify(entry->apic, 0x10 + pin*2, reg);
++        rte = __ioapic_read_entry(entry->apic, pin, false);
++        rte.raw &= ~(uint64_t)disable;
++        rte.raw |= enable;
++        __ioapic_write_entry(entry->apic, pin, false, rte);
+         if (!entry->next)
+             break;
+         entry = irq_2_pin + entry->next;
+@@ -584,16 +585,16 @@ set_ioapic_affinity_irq(struct irq_desc *desc, const cpumask_t *mask)
+             dest = SET_APIC_LOGICAL_ID(dest);
+         entry = irq_2_pin + irq;
+         for (;;) {
+-            unsigned int data;
++            struct IO_APIC_route_entry rte;
++
+             pin = entry->pin;
+             if (pin == -1)
+                 break;
+ 
+-            io_apic_write(entry->apic, 0x10 + 1 + pin*2, dest);
+-            data = io_apic_read(entry->apic, 0x10 + pin*2);
+-            data &= ~IO_APIC_REDIR_VECTOR_MASK;
+-            data |= MASK_INSR(desc->arch.vector, IO_APIC_REDIR_VECTOR_MASK);
+-            io_apic_modify(entry->apic, 0x10 + pin*2, data);
++            rte = __ioapic_read_entry(entry->apic, pin, false);
++            rte.dest.dest32 = dest;
++            rte.vector = desc->arch.vector;
++            __ioapic_write_entry(entry->apic, pin, false, rte);
+ 
+             if (!entry->next)
+                 break;
+@@ -2127,10 +2128,8 @@ void ioapic_resume(void)
+             reg_00.bits.ID = mp_ioapics[apic].mpc_apicid;
+             __io_apic_write(apic, 0, reg_00.raw);
+         }
+-        for (i = 0; i < nr_ioapic_entries[apic]; i++, entry++) {
+-            __io_apic_write(apic, 0x11+2*i, *(((int *)entry)+1));
+-            __io_apic_write(apic, 0x10+2*i, *(((int *)entry)+0));
+-        }
++        for (i = 0; i < nr_ioapic_entries[apic]; i++, entry++)
++            __ioapic_write_entry(apic, i, true, *entry);
+     }
+     spin_unlock_irqrestore(&ioapic_lock, flags);
+ }
+diff --git a/xen/drivers/passthrough/amd/iommu_intr.c b/xen/drivers/passthrough/amd/iommu_intr.c
+index 9e6be3be35..f32c418a7e 100644
+--- a/xen/drivers/passthrough/amd/iommu_intr.c
++++ b/xen/drivers/passthrough/amd/iommu_intr.c
+@@ -361,12 +361,6 @@ void cf_check amd_iommu_ioapic_update_ire(
+     struct amd_iommu *iommu;
+     unsigned int idx;
+ 
+-    if ( !iommu_intremap )
+-    {
+-        __io_apic_write(apic, reg, value);
+-        return;
+-    }
+-
+     idx = ioapic_id_to_index(IO_APIC_ID(apic));
+     if ( idx == MAX_IO_APICS )
+         return;
+-- 
+2.42.0
+

diff --git a/0021-iommu-vtd-rename-io_apic_read_remap_rte-local-variab.patch b/0021-iommu-vtd-rename-io_apic_read_remap_rte-local-variab.patch
new file mode 100644
index 0000000..6560452
--- /dev/null
+++ b/0021-iommu-vtd-rename-io_apic_read_remap_rte-local-variab.patch
@@ -0,0 +1,64 @@
+From e08e7330c58b7ee1efb00e348521a6afc524dc38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:50:05 +0200
+Subject: [PATCH 21/55] iommu/vtd: rename io_apic_read_remap_rte() local
+ variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Preparatory change to unify the IO-APIC pin variable name between
+io_apic_read_remap_rte() and amd_iommu_ioapic_update_ire(), so that
+the local variable can be made a function parameter with the same name
+across vendors.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+master commit: a478b38c01b65fa030303f0324a3380d872eb165
+master date: 2023-07-28 09:40:42 +0200
+---
+ xen/drivers/passthrough/vtd/intremap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xen/drivers/passthrough/vtd/intremap.c b/xen/drivers/passthrough/vtd/intremap.c
+index 019c21c556..53c9de9a75 100644
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -441,14 +441,14 @@ unsigned int cf_check io_apic_read_remap_rte(
+ void cf_check io_apic_write_remap_rte(
+     unsigned int apic, unsigned int reg, unsigned int value)
+ {
+-    unsigned int ioapic_pin = (reg - 0x10) / 2;
++    unsigned int pin = (reg - 0x10) / 2;
+     struct IO_xAPIC_route_entry old_rte = { };
+     struct IO_APIC_route_remap_entry *remap_rte;
+     unsigned int rte_upper = (reg & 1) ? 1 : 0;
+     struct vtd_iommu *iommu = ioapic_to_iommu(IO_APIC_ID(apic));
+     int saved_mask;
+ 
+-    old_rte = __ioapic_read_entry(apic, ioapic_pin, true);
++    old_rte = __ioapic_read_entry(apic, pin, true);
+ 
+     remap_rte = (struct IO_APIC_route_remap_entry *) &old_rte;
+ 
+@@ -458,7 +458,7 @@ void cf_check io_apic_write_remap_rte(
+     __io_apic_write(apic, reg & ~1, *(u32 *)&old_rte);
+     remap_rte->mask = saved_mask;
+ 
+-    if ( ioapic_rte_to_remap_entry(iommu, apic, ioapic_pin,
++    if ( ioapic_rte_to_remap_entry(iommu, apic, pin,
+                                    &old_rte, rte_upper, value) )
+     {
+         __io_apic_write(apic, reg, value);
+@@ -468,7 +468,7 @@ void cf_check io_apic_write_remap_rte(
+             __io_apic_write(apic, reg & ~1, *(u32 *)&old_rte);
+     }
+     else
+-        __ioapic_write_entry(apic, ioapic_pin, true, old_rte);
++        __ioapic_write_entry(apic, pin, true, old_rte);
+ }
+ 
+ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+-- 
+2.42.0
+

diff --git a/0021-tools-oxenstored-Set-uncaught-exception-handler.patch b/0021-tools-oxenstored-Set-uncaught-exception-handler.patch
deleted file mode 100644
index 8a42fcc..0000000
--- a/0021-tools-oxenstored-Set-uncaught-exception-handler.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From e13a9a2146952859c21c0a0c7b8b07757c2aba9d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Mon, 7 Nov 2022 17:41:36 +0000
-Subject: [PATCH 21/89] tools/oxenstored: Set uncaught exception handler
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Unhandled exceptions go to stderr by default, but this doesn't typically work
-for oxenstored because:
- * daemonize reopens stderr as /dev/null
- * systemd redirects stderr to /dev/null too
-
-Debugging an unhandled exception requires reproducing the issue locally when
-using --no-fork, and is not conducive to figuring out what went wrong on a
-remote system.
-
-Install a custom handler which also tries to render the backtrace to the
-configured syslog facility, and DAEMON|ERR otherwise.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit ee7815f49faf743e960dac9e72809eb66393bc6d)
----
- tools/ocaml/xenstored/logging.ml   | 29 +++++++++++++++++++++++++++++
- tools/ocaml/xenstored/xenstored.ml |  3 ++-
- 2 files changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/tools/ocaml/xenstored/logging.ml b/tools/ocaml/xenstored/logging.ml
-index 39c3036155..255051437d 100644
---- a/tools/ocaml/xenstored/logging.ml
-+++ b/tools/ocaml/xenstored/logging.ml
-@@ -342,3 +342,32 @@ let xb_answer ~tid ~con ~ty data =
- let watch_not_fired ~con perms path =
- 	let data = Printf.sprintf "EPERM perms=[%s] path=%s" perms path in
- 	access_logging ~tid:0 ~con ~data Watch_not_fired ~level:Info
-+
-+let msg_of exn bt =
-+	Printf.sprintf "Fatal exception: %s\n%s\n" (Printexc.to_string exn)
-+		(Printexc.raw_backtrace_to_string bt)
-+
-+let fallback_exception_handler exn bt =
-+	(* stderr goes to /dev/null, so use the logger where possible,
-+	   but always print to stderr too, in case everything else fails,
-+	   e.g. this can be used to debug with --no-fork
-+
-+	   this function should try not to raise exceptions, but if it does
-+	   the ocaml runtime should still print the exception, both the original,
-+	   and the one from this function, but to stderr this time
-+	 *)
-+	let msg = msg_of exn bt in
-+	prerr_endline msg;
-+	(* See Printexc.set_uncaught_exception_handler, need to flush,
-+	   so has to call stop and flush *)
-+	match !xenstored_logger with
-+	| Some l -> error "xenstored-fallback" "%s" msg; l.stop ()
-+	| None ->
-+		(* Too early, no logger set yet.
-+		   We normally try to use the configured logger so we don't flood syslog
-+		   during development for example, or if the user has a file set
-+		 *)
-+		try Syslog.log Syslog.Daemon Syslog.Err msg
-+		with e ->
-+			let bt = Printexc.get_raw_backtrace () in
-+			prerr_endline @@ msg_of e bt
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index 35b8cbd43f..4d5851c5cb 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -355,7 +355,8 @@ let tweak_gc () =
- 	Gc.set { (Gc.get ()) with Gc.max_overhead = !Define.gc_max_overhead }
- 
- 
--let _ =
-+let () =
-+	Printexc.set_uncaught_exception_handler Logging.fallback_exception_handler;
- 	let cf = do_argv in
- 	let pidfile =
- 		if Sys.file_exists (config_filename cf) then
--- 
-2.40.0
-

diff --git a/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch b/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch
deleted file mode 100644
index eb6d42e..0000000
--- a/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 91a9ac6e9be5aa94020f5c482e6c51b581e2ea39 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 8 Nov 2022 14:24:19 +0000
-Subject: [PATCH 22/89] tools/oxenstored/syslog: Avoid potential NULL
- dereference
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-strdup() may return NULL.  Check for this before passing to syslog().
-
-Drop const from c_msg.  It is bogus, as demonstrated by the need to cast to
-void * in order to free the memory.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit acd3fb6d65905f8a185dcb9fe6a330a591b96203)
----
- tools/ocaml/xenstored/syslog_stubs.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/syslog_stubs.c b/tools/ocaml/xenstored/syslog_stubs.c
-index 875d48ad57..e16c3a9491 100644
---- a/tools/ocaml/xenstored/syslog_stubs.c
-+++ b/tools/ocaml/xenstored/syslog_stubs.c
-@@ -14,6 +14,7 @@
- 
- #include <syslog.h>
- #include <string.h>
-+#include <caml/fail.h>
- #include <caml/mlvalues.h>
- #include <caml/memory.h>
- #include <caml/alloc.h>
-@@ -35,14 +36,16 @@ static int __syslog_facility_table[] = {
- value stub_syslog(value facility, value level, value msg)
- {
- 	CAMLparam3(facility, level, msg);
--	const char *c_msg = strdup(String_val(msg));
-+	char *c_msg = strdup(String_val(msg));
- 	int c_facility = __syslog_facility_table[Int_val(facility)]
- 	               | __syslog_level_table[Int_val(level)];
- 
-+	if ( !c_msg )
-+		caml_raise_out_of_memory();
- 	caml_enter_blocking_section();
- 	syslog(c_facility, "%s", c_msg);
- 	caml_leave_blocking_section();
- 
--	free((void*)c_msg);
-+	free(c_msg);
- 	CAMLreturn(Val_unit);
- }
--- 
-2.40.0
-

diff --git a/0022-x86-iommu-pass-full-IO-APIC-RTE-for-remapping-table-.patch b/0022-x86-iommu-pass-full-IO-APIC-RTE-for-remapping-table-.patch
new file mode 100644
index 0000000..e06714e
--- /dev/null
+++ b/0022-x86-iommu-pass-full-IO-APIC-RTE-for-remapping-table-.patch
@@ -0,0 +1,462 @@
+From 5116fe12d8238cc7d6582ceefd3f7e944bff9a1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:50:39 +0200
+Subject: [PATCH 22/55] x86/iommu: pass full IO-APIC RTE for remapping table
+ update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So that the remapping entry can be updated atomically when possible.
+
+Doing such update atomically will avoid Xen having to mask the IO-APIC
+pin prior to performing any interrupt movements (ie: changing the
+destination and vector fields), as the interrupt remapping entry is
+always consistent.
+
+This also simplifies some of the logic on both VT-d and AMD-Vi
+implementations, as having the full RTE available instead of half of
+it avoids to possibly read and update the missing other half from
+hardware.
+
+While there remove the explicit zeroing of new_ire fields in
+ioapic_rte_to_remap_entry() and initialize the variable at definition
+so all fields are zeroed.  Note fields could be also initialized with
+final values at definition, but I found that likely too much to be
+done at this time.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 3e033172b0250446bfe119f31c7f0f51684b0472
+master date: 2023-08-01 11:48:39 +0200
+---
+ xen/arch/x86/include/asm/iommu.h         |   3 +-
+ xen/arch/x86/io_apic.c                   |   5 +-
+ xen/drivers/passthrough/amd/iommu.h      |   2 +-
+ xen/drivers/passthrough/amd/iommu_intr.c | 100 ++---------------
+ xen/drivers/passthrough/vtd/extern.h     |   2 +-
+ xen/drivers/passthrough/vtd/intremap.c   | 131 +++++++++++------------
+ xen/drivers/passthrough/x86/iommu.c      |   4 +-
+ xen/include/xen/iommu.h                  |   3 +-
+ 8 files changed, 82 insertions(+), 168 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/iommu.h b/xen/arch/x86/include/asm/iommu.h
+index fc0afe35bf..c0d4ad3742 100644
+--- a/xen/arch/x86/include/asm/iommu.h
++++ b/xen/arch/x86/include/asm/iommu.h
+@@ -97,7 +97,8 @@ struct iommu_init_ops {
+ 
+ extern const struct iommu_init_ops *iommu_init_ops;
+ 
+-void iommu_update_ire_from_apic(unsigned int apic, unsigned int reg, unsigned int value);
++void iommu_update_ire_from_apic(unsigned int apic, unsigned int pin,
++                                uint64_t rte);
+ unsigned int iommu_read_apic_from_ire(unsigned int apic, unsigned int reg);
+ int iommu_setup_hpet_msi(struct msi_desc *);
+ 
+diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
+index 041233b9b7..b3afef8933 100644
+--- a/xen/arch/x86/io_apic.c
++++ b/xen/arch/x86/io_apic.c
+@@ -275,10 +275,7 @@ void __ioapic_write_entry(
+         __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
+     }
+     else
+-    {
+-        iommu_update_ire_from_apic(apic, 0x11 + 2 * pin, eu.w2);
+-        iommu_update_ire_from_apic(apic, 0x10 + 2 * pin, eu.w1);
+-    }
++        iommu_update_ire_from_apic(apic, pin, e.raw);
+ }
+ 
+ static void ioapic_write_entry(
+diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
+index 8bc3c35b1b..5429ada58e 100644
+--- a/xen/drivers/passthrough/amd/iommu.h
++++ b/xen/drivers/passthrough/amd/iommu.h
+@@ -300,7 +300,7 @@ int cf_check amd_iommu_free_intremap_table(
+ unsigned int amd_iommu_intremap_table_order(
+     const void *irt, const struct amd_iommu *iommu);
+ void cf_check amd_iommu_ioapic_update_ire(
+-    unsigned int apic, unsigned int reg, unsigned int value);
++    unsigned int apic, unsigned int pin, uint64_t rte);
+ unsigned int cf_check amd_iommu_read_ioapic_from_ire(
+     unsigned int apic, unsigned int reg);
+ int cf_check amd_iommu_msi_msg_update_ire(
+diff --git a/xen/drivers/passthrough/amd/iommu_intr.c b/xen/drivers/passthrough/amd/iommu_intr.c
+index f32c418a7e..e83a2a932a 100644
+--- a/xen/drivers/passthrough/amd/iommu_intr.c
++++ b/xen/drivers/passthrough/amd/iommu_intr.c
+@@ -247,11 +247,6 @@ static void update_intremap_entry(const struct amd_iommu *iommu,
+     }
+ }
+ 
+-static inline int get_rte_index(const struct IO_APIC_route_entry *rte)
+-{
+-    return rte->vector | (rte->delivery_mode << 8);
+-}
+-
+ static inline void set_rte_index(struct IO_APIC_route_entry *rte, int offset)
+ {
+     rte->vector = (u8)offset;
+@@ -267,7 +262,6 @@ static int update_intremap_entry_from_ioapic(
+     int bdf,
+     struct amd_iommu *iommu,
+     struct IO_APIC_route_entry *rte,
+-    bool_t lo_update,
+     u16 *index)
+ {
+     unsigned long flags;
+@@ -315,31 +309,6 @@ static int update_intremap_entry_from_ioapic(
+         spin_lock(lock);
+     }
+ 
+-    if ( fresh )
+-        /* nothing */;
+-    else if ( !lo_update )
+-    {
+-        /*
+-         * Low half of incoming RTE is already in remapped format,
+-         * so need to recover vector and delivery mode from IRTE.
+-         */
+-        ASSERT(get_rte_index(rte) == offset);
+-        if ( iommu->ctrl.ga_en )
+-            vector = entry.ptr128->full.vector;
+-        else
+-            vector = entry.ptr32->flds.vector;
+-        /* The IntType fields match for both formats. */
+-        delivery_mode = entry.ptr32->flds.int_type;
+-    }
+-    else if ( x2apic_enabled )
+-    {
+-        /*
+-         * High half of incoming RTE was read from the I/O APIC and hence may
+-         * not hold the full destination, so need to recover full destination
+-         * from IRTE.
+-         */
+-        dest = get_full_dest(entry.ptr128);
+-    }
+     update_intremap_entry(iommu, entry, vector, delivery_mode, dest_mode, dest);
+ 
+     spin_unlock_irqrestore(lock, flags);
+@@ -350,14 +319,11 @@ static int update_intremap_entry_from_ioapic(
+ }
+ 
+ void cf_check amd_iommu_ioapic_update_ire(
+-    unsigned int apic, unsigned int reg, unsigned int value)
++    unsigned int apic, unsigned int pin, uint64_t rte)
+ {
+-    struct IO_APIC_route_entry old_rte = { };
+-    struct IO_APIC_route_entry new_rte = { };
+-    unsigned int rte_lo = (reg & 1) ? reg - 1 : reg;
+-    unsigned int pin = (reg - 0x10) / 2;
++    struct IO_APIC_route_entry old_rte;
++    struct IO_APIC_route_entry new_rte = { .raw = rte };
+     int seg, bdf, rc;
+-    bool saved_mask, fresh = false;
+     struct amd_iommu *iommu;
+     unsigned int idx;
+ 
+@@ -373,58 +339,23 @@ void cf_check amd_iommu_ioapic_update_ire(
+     {
+         AMD_IOMMU_WARN("failed to find IOMMU for IO-APIC @ %04x:%04x\n",
+                        seg, bdf);
+-        __io_apic_write(apic, reg, value);
++        __ioapic_write_entry(apic, pin, true, new_rte);
+         return;
+     }
+ 
+-    /* save io-apic rte lower 32 bits */
+-    *((u32 *)&old_rte) =  __io_apic_read(apic, rte_lo);
+-    saved_mask = old_rte.mask;
+-
+-    if ( reg == rte_lo )
+-    {
+-        *((u32 *)&new_rte) = value;
+-        /* read upper 32 bits from io-apic rte */
+-        *(((u32 *)&new_rte) + 1) = __io_apic_read(apic, reg + 1);
+-    }
+-    else
+-    {
+-        *((u32 *)&new_rte) = *((u32 *)&old_rte);
+-        *(((u32 *)&new_rte) + 1) = value;
+-    }
+-
+-    if ( ioapic_sbdf[idx].pin_2_idx[pin] >= INTREMAP_MAX_ENTRIES )
+-    {
+-        ASSERT(saved_mask);
+-
+-        /*
+-         * There's nowhere except the IRTE to store a full 32-bit destination,
+-         * so we may not bypass entry allocation and updating of the low RTE
+-         * half in the (usual) case of the high RTE half getting written first.
+-         */
+-        if ( new_rte.mask && !x2apic_enabled )
+-        {
+-            __io_apic_write(apic, reg, value);
+-            return;
+-        }
+-
+-        fresh = true;
+-    }
+-
++    old_rte = __ioapic_read_entry(apic, pin, true);
+     /* mask the interrupt while we change the intremap table */
+-    if ( !saved_mask )
++    if ( !old_rte.mask )
+     {
+         old_rte.mask = 1;
+-        __io_apic_write(apic, rte_lo, *((u32 *)&old_rte));
++        __ioapic_write_entry(apic, pin, true, old_rte);
+     }
+ 
+     /* Update interrupt remapping entry */
+     rc = update_intremap_entry_from_ioapic(
+-             bdf, iommu, &new_rte, reg == rte_lo,
++             bdf, iommu, &new_rte,
+              &ioapic_sbdf[idx].pin_2_idx[pin]);
+ 
+-    __io_apic_write(apic, reg, ((u32 *)&new_rte)[reg != rte_lo]);
+-
+     if ( rc )
+     {
+         /* Keep the entry masked. */
+@@ -433,20 +364,7 @@ void cf_check amd_iommu_ioapic_update_ire(
+         return;
+     }
+ 
+-    /* For lower bits access, return directly to avoid double writes */
+-    if ( reg == rte_lo )
+-        return;
+-
+-    /*
+-     * Unmask the interrupt after we have updated the intremap table. Also
+-     * write the low half if a fresh entry was allocated for a high half
+-     * update in x2APIC mode.
+-     */
+-    if ( !saved_mask || (x2apic_enabled && fresh) )
+-    {
+-        old_rte.mask = saved_mask;
+-        __io_apic_write(apic, rte_lo, *((u32 *)&old_rte));
+-    }
++    __ioapic_write_entry(apic, pin, true, new_rte);
+ }
+ 
+ unsigned int cf_check amd_iommu_read_ioapic_from_ire(
+diff --git a/xen/drivers/passthrough/vtd/extern.h b/xen/drivers/passthrough/vtd/extern.h
+index 39602d1f88..d49e40c5ce 100644
+--- a/xen/drivers/passthrough/vtd/extern.h
++++ b/xen/drivers/passthrough/vtd/extern.h
+@@ -92,7 +92,7 @@ int cf_check intel_iommu_get_reserved_device_memory(
+ unsigned int cf_check io_apic_read_remap_rte(
+     unsigned int apic, unsigned int reg);
+ void cf_check io_apic_write_remap_rte(
+-    unsigned int apic, unsigned int reg, unsigned int value);
++    unsigned int apic, unsigned int pin, uint64_t rte);
+ 
+ struct msi_desc;
+ struct msi_msg;
+diff --git a/xen/drivers/passthrough/vtd/intremap.c b/xen/drivers/passthrough/vtd/intremap.c
+index 53c9de9a75..78d7bc139a 100644
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -328,15 +328,14 @@ static int remap_entry_to_ioapic_rte(
+ 
+ static int ioapic_rte_to_remap_entry(struct vtd_iommu *iommu,
+     int apic, unsigned int ioapic_pin, struct IO_xAPIC_route_entry *old_rte,
+-    unsigned int rte_upper, unsigned int value)
++    struct IO_xAPIC_route_entry new_rte)
+ {
+     struct iremap_entry *iremap_entry = NULL, *iremap_entries;
+     struct iremap_entry new_ire;
+     struct IO_APIC_route_remap_entry *remap_rte;
+-    struct IO_xAPIC_route_entry new_rte;
+     int index;
+     unsigned long flags;
+-    bool init = false;
++    bool init = false, masked = old_rte->mask;
+ 
+     remap_rte = (struct IO_APIC_route_remap_entry *) old_rte;
+     spin_lock_irqsave(&iommu->intremap.lock, flags);
+@@ -364,48 +363,40 @@ static int ioapic_rte_to_remap_entry(struct vtd_iommu *iommu,
+ 
+     new_ire = *iremap_entry;
+ 
+-    if ( rte_upper )
+-    {
+-        if ( x2apic_enabled )
+-            new_ire.remap.dst = value;
+-        else
+-            new_ire.remap.dst = (value >> 24) << 8;
+-    }
++    if ( x2apic_enabled )
++        new_ire.remap.dst = new_rte.dest.dest32;
+     else
+-    {
+-        *(((u32 *)&new_rte) + 0) = value;
+-        new_ire.remap.fpd = 0;
+-        new_ire.remap.dm = new_rte.dest_mode;
+-        new_ire.remap.tm = new_rte.trigger;
+-        new_ire.remap.dlm = new_rte.delivery_mode;
+-        /* Hardware require RH = 1 for LPR delivery mode */
+-        new_ire.remap.rh = (new_ire.remap.dlm == dest_LowestPrio);
+-        new_ire.remap.avail = 0;
+-        new_ire.remap.res_1 = 0;
+-        new_ire.remap.vector = new_rte.vector;
+-        new_ire.remap.res_2 = 0;
+-
+-        set_ioapic_source_id(IO_APIC_ID(apic), &new_ire);
+-        new_ire.remap.res_3 = 0;
+-        new_ire.remap.res_4 = 0;
+-        new_ire.remap.p = 1;     /* finally, set present bit */
+-
+-        /* now construct new ioapic rte entry */
+-        remap_rte->vector = new_rte.vector;
+-        remap_rte->delivery_mode = 0;    /* has to be 0 for remap format */
+-        remap_rte->index_15 = (index >> 15) & 0x1;
+-        remap_rte->index_0_14 = index & 0x7fff;
+-
+-        remap_rte->delivery_status = new_rte.delivery_status;
+-        remap_rte->polarity = new_rte.polarity;
+-        remap_rte->irr = new_rte.irr;
+-        remap_rte->trigger = new_rte.trigger;
+-        remap_rte->mask = new_rte.mask;
+-        remap_rte->reserved = 0;
+-        remap_rte->format = 1;    /* indicate remap format */
+-    }
+-
+-    update_irte(iommu, iremap_entry, &new_ire, !init);
++        new_ire.remap.dst = GET_xAPIC_ID(new_rte.dest.dest32) << 8;
++
++    new_ire.remap.dm = new_rte.dest_mode;
++    new_ire.remap.tm = new_rte.trigger;
++    new_ire.remap.dlm = new_rte.delivery_mode;
++    /* Hardware require RH = 1 for LPR delivery mode. */
++    new_ire.remap.rh = (new_ire.remap.dlm == dest_LowestPrio);
++    new_ire.remap.vector = new_rte.vector;
++
++    set_ioapic_source_id(IO_APIC_ID(apic), &new_ire);
++    /* Finally, set present bit. */
++    new_ire.remap.p = 1;
++
++    /* Now construct new ioapic rte entry. */
++    remap_rte->vector = new_rte.vector;
++    /* Has to be 0 for remap format. */
++    remap_rte->delivery_mode = 0;
++    remap_rte->index_15 = (index >> 15) & 0x1;
++    remap_rte->index_0_14 = index & 0x7fff;
++
++    remap_rte->delivery_status = new_rte.delivery_status;
++    remap_rte->polarity = new_rte.polarity;
++    remap_rte->irr = new_rte.irr;
++    remap_rte->trigger = new_rte.trigger;
++    remap_rte->mask = new_rte.mask;
++    remap_rte->reserved = 0;
++    /* Indicate remap format. */
++    remap_rte->format = 1;
++
++    /* If cmpxchg16b is not available the caller must mask the IO-APIC pin. */
++    update_irte(iommu, iremap_entry, &new_ire, !init && !masked);
+     iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
+     iommu_flush_iec_index(iommu, 0, index);
+ 
+@@ -439,36 +430,42 @@ unsigned int cf_check io_apic_read_remap_rte(
+ }
+ 
+ void cf_check io_apic_write_remap_rte(
+-    unsigned int apic, unsigned int reg, unsigned int value)
++    unsigned int apic, unsigned int pin, uint64_t rte)
+ {
+-    unsigned int pin = (reg - 0x10) / 2;
++    struct IO_xAPIC_route_entry new_rte = { .raw = rte };
+     struct IO_xAPIC_route_entry old_rte = { };
+-    struct IO_APIC_route_remap_entry *remap_rte;
+-    unsigned int rte_upper = (reg & 1) ? 1 : 0;
+     struct vtd_iommu *iommu = ioapic_to_iommu(IO_APIC_ID(apic));
+-    int saved_mask;
+-
+-    old_rte = __ioapic_read_entry(apic, pin, true);
+-
+-    remap_rte = (struct IO_APIC_route_remap_entry *) &old_rte;
+-
+-    /* mask the interrupt while we change the intremap table */
+-    saved_mask = remap_rte->mask;
+-    remap_rte->mask = 1;
+-    __io_apic_write(apic, reg & ~1, *(u32 *)&old_rte);
+-    remap_rte->mask = saved_mask;
++    bool masked = true;
++    int rc;
+ 
+-    if ( ioapic_rte_to_remap_entry(iommu, apic, pin,
+-                                   &old_rte, rte_upper, value) )
++    if ( !cpu_has_cx16 )
+     {
+-        __io_apic_write(apic, reg, value);
++       /*
++        * Cannot atomically update the IRTE entry: mask the IO-APIC pin to
++        * avoid interrupts seeing an inconsistent IRTE entry.
++        */
++        old_rte = __ioapic_read_entry(apic, pin, true);
++        if ( !old_rte.mask )
++        {
++            masked = false;
++            old_rte.mask = 1;
++            __ioapic_write_entry(apic, pin, true, old_rte);
++        }
++    }
+ 
+-        /* Recover the original value of 'mask' bit */
+-        if ( rte_upper )
+-            __io_apic_write(apic, reg & ~1, *(u32 *)&old_rte);
++    rc = ioapic_rte_to_remap_entry(iommu, apic, pin, &old_rte, new_rte);
++    if ( rc )
++    {
++        if ( !masked )
++        {
++            /* Recover the original value of 'mask' bit */
++            old_rte.mask = 0;
++            __ioapic_write_entry(apic, pin, true, old_rte);
++        }
++        return;
+     }
+-    else
+-        __ioapic_write_entry(apic, pin, true, old_rte);
++    /* old_rte will contain the updated IO-APIC RTE on success. */
++    __ioapic_write_entry(apic, pin, true, old_rte);
+ }
+ 
+ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c
+index f671b0f2bb..8bd0ccb2e9 100644
+--- a/xen/drivers/passthrough/x86/iommu.c
++++ b/xen/drivers/passthrough/x86/iommu.c
+@@ -142,9 +142,9 @@ int iommu_enable_x2apic(void)
+ }
+ 
+ void iommu_update_ire_from_apic(
+-    unsigned int apic, unsigned int reg, unsigned int value)
++    unsigned int apic, unsigned int pin, uint64_t rte)
+ {
+-    iommu_vcall(&iommu_ops, update_ire_from_apic, apic, reg, value);
++    iommu_vcall(&iommu_ops, update_ire_from_apic, apic, pin, rte);
+ }
+ 
+ unsigned int iommu_read_apic_from_ire(unsigned int apic, unsigned int reg)
+diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h
+index 4f22fc1bed..f8a52627f7 100644
+--- a/xen/include/xen/iommu.h
++++ b/xen/include/xen/iommu.h
+@@ -274,7 +274,8 @@ struct iommu_ops {
+     int (*enable_x2apic)(void);
+     void (*disable_x2apic)(void);
+ 
+-    void (*update_ire_from_apic)(unsigned int apic, unsigned int reg, unsigned int value);
++    void (*update_ire_from_apic)(unsigned int apic, unsigned int pin,
++                                 uint64_t rte);
+     unsigned int (*read_apic_from_ire)(unsigned int apic, unsigned int reg);
+ 
+     int (*setup_hpet_msi)(struct msi_desc *);
+-- 
+2.42.0
+

diff --git a/0023-build-correct-gas-noexecstack-check.patch b/0023-build-correct-gas-noexecstack-check.patch
new file mode 100644
index 0000000..245d631
--- /dev/null
+++ b/0023-build-correct-gas-noexecstack-check.patch
@@ -0,0 +1,34 @@
+From ba360fbb6413231f84a7d68f5cb34858f81d4d23 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 5 Sep 2023 08:51:50 +0200
+Subject: [PATCH 23/55] build: correct gas --noexecstack check
+
+The check was missing an escape for the inner $, thus breaking things
+in the unlikely event that the underlying assembler doesn't support this
+option.
+
+Fixes: 62d22296a95d ("build: silence GNU ld warning about executable stacks")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: d1f6a58dfdc508c43a51c1865c826d519bf16493
+master date: 2023-08-14 09:58:19 +0200
+---
+ xen/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index 7bb9de7bdc..455916c757 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -405,7 +405,7 @@ endif
+ 
+ AFLAGS += -D__ASSEMBLY__
+ 
+-$(call cc-option-add,AFLAGS,CC,-Wa$(comma)--noexecstack)
++$(call cc-option-add,AFLAGS,CC,-Wa$$(comma)--noexecstack)
+ 
+ LDFLAGS-$(call ld-option,--warn-rwx-segments) += --no-warn-rwx-segments
+ 
+-- 
+2.42.0
+

diff --git a/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch b/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch
deleted file mode 100644
index c0343d0..0000000
--- a/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From c4972a4272690384b15d5706f2a833aed636895e Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 1 Dec 2022 21:06:25 +0000
-Subject: [PATCH 23/89] tools/oxenstored: Render backtraces more nicely in
- Syslog
-
-fallback_exception_handler feeds a string with embedded newlines directly into
-syslog().  While this is an improvement on getting nothing, syslogd escapes
-all control characters it gets, and emits one (long) log line.
-
-Fix the problem generally in the syslog stub.  As we already have a local copy
-of the string, split it in place and emit one syslog() call per line.
-
-Also tweak Logging.msg_of to avoid putting an extra newline on a string which
-already ends with one.
-
-Fixes: ee7815f49faf ("tools/oxenstored: Set uncaught exception handler")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit d2162d884cba0ff7b2ac0d832f4e044444bda2e1)
----
- tools/ocaml/xenstored/logging.ml     |  2 +-
- tools/ocaml/xenstored/syslog_stubs.c | 26 +++++++++++++++++++++++---
- 2 files changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/logging.ml b/tools/ocaml/xenstored/logging.ml
-index 255051437d..f233bc9a39 100644
---- a/tools/ocaml/xenstored/logging.ml
-+++ b/tools/ocaml/xenstored/logging.ml
-@@ -344,7 +344,7 @@ let watch_not_fired ~con perms path =
- 	access_logging ~tid:0 ~con ~data Watch_not_fired ~level:Info
- 
- let msg_of exn bt =
--	Printf.sprintf "Fatal exception: %s\n%s\n" (Printexc.to_string exn)
-+	Printf.sprintf "Fatal exception: %s\n%s" (Printexc.to_string exn)
- 		(Printexc.raw_backtrace_to_string bt)
- 
- let fallback_exception_handler exn bt =
-diff --git a/tools/ocaml/xenstored/syslog_stubs.c b/tools/ocaml/xenstored/syslog_stubs.c
-index e16c3a9491..760e78ff73 100644
---- a/tools/ocaml/xenstored/syslog_stubs.c
-+++ b/tools/ocaml/xenstored/syslog_stubs.c
-@@ -37,14 +37,34 @@ value stub_syslog(value facility, value level, value msg)
- {
- 	CAMLparam3(facility, level, msg);
- 	char *c_msg = strdup(String_val(msg));
-+	char *s = c_msg, *ss;
- 	int c_facility = __syslog_facility_table[Int_val(facility)]
- 	               | __syslog_level_table[Int_val(level)];
- 
- 	if ( !c_msg )
- 		caml_raise_out_of_memory();
--	caml_enter_blocking_section();
--	syslog(c_facility, "%s", c_msg);
--	caml_leave_blocking_section();
-+
-+	/*
-+	 * syslog() doesn't like embedded newlines, and c_msg generally
-+	 * contains them.
-+	 *
-+	 * Split the message in place by converting \n to \0, and issue one
-+	 * syslog() call per line, skipping the final iteration if c_msg ends
-+	 * with a newline anyway.
-+	 */
-+	do {
-+		ss = strchr(s, '\n');
-+		if ( ss )
-+			*ss = '\0';
-+		else if ( *s == '\0' )
-+			break;
-+
-+		caml_enter_blocking_section();
-+		syslog(c_facility, "%s", s);
-+		caml_leave_blocking_section();
-+
-+		s = ss + 1;
-+	} while ( ss );
- 
- 	free(c_msg);
- 	CAMLreturn(Val_unit);
--- 
-2.40.0
-

diff --git a/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch b/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch
deleted file mode 100644
index 81481fc..0000000
--- a/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 2f8851c37f88e4eb4858e16626fcb2379db71a4f Mon Sep 17 00:00:00 2001
-From: Jason Andryuk <jandryuk@gmail.com>
-Date: Thu, 26 Jan 2023 11:00:24 +0100
-Subject: [PATCH 24/89] Revert "tools/xenstore: simplify loop handling
- connection I/O"
-
-I'm observing guest kexec trigger xenstored to abort on a double free.
-
-gdb output:
-Program received signal SIGABRT, Aborted.
-__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44
-44    ./nptl/pthread_kill.c: No such file or directory.
-(gdb) bt
-    at ./nptl/pthread_kill.c:44
-    at ./nptl/pthread_kill.c:78
-    at ./nptl/pthread_kill.c:89
-    at ../sysdeps/posix/raise.c:26
-    at talloc.c:119
-    ptr=ptr@entry=0x559fae724290) at talloc.c:232
-    at xenstored_core.c:2945
-(gdb) frame 5
-    at talloc.c:119
-119            TALLOC_ABORT("Bad talloc magic value - double free");
-(gdb) frame 7
-    at xenstored_core.c:2945
-2945                talloc_increase_ref_count(conn);
-(gdb) p conn
-$1 = (struct connection *) 0x559fae724290
-
-Looking at a xenstore trace, we have:
-IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom
-id )
-wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
-ard
-wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
-ard
-wrl: dom    0      0  msec      10000 credit     1000000 reserve          0 disc
-ard
-wrl: dom    3      0  msec      10000 credit     1000000 reserve          0 disc
-ard
-OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT )
-wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
-ard
-wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
-ard
-IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 )
-DESTROY watch 0x559fae73f630
-DESTROY watch 0x559fae75ddf0
-DESTROY watch 0x559fae75ec30
-DESTROY watch 0x559fae75ea60
-DESTROY watch 0x559fae732c00
-DESTROY watch 0x559fae72cea0
-DESTROY watch 0x559fae728fc0
-DESTROY watch 0x559fae729570
-DESTROY connection 0x559fae724290
-orphaned node /local/domain/3/device/suspend/event-channel deleted
-orphaned node /local/domain/3/device/vbd/51712 deleted
-orphaned node /local/domain/3/device/vkbd/0 deleted
-orphaned node /local/domain/3/device/vif/0 deleted
-orphaned node /local/domain/3/control/shutdown deleted
-orphaned node /local/domain/3/control/feature-poweroff deleted
-orphaned node /local/domain/3/control/feature-reboot deleted
-orphaned node /local/domain/3/control/feature-suspend deleted
-orphaned node /local/domain/3/control/feature-s3 deleted
-orphaned node /local/domain/3/control/feature-s4 deleted
-orphaned node /local/domain/3/control/sysrq deleted
-orphaned node /local/domain/3/data deleted
-orphaned node /local/domain/3/drivers deleted
-orphaned node /local/domain/3/feature deleted
-orphaned node /local/domain/3/attr deleted
-orphaned node /local/domain/3/error deleted
-orphaned node /local/domain/3/console/backend-id deleted
-
-and no further output.
-
-The trace shows that DESTROY was called for connection 0x559fae724290,
-but that is the same pointer (conn) main() was looping through from
-connections.  So it wasn't actually removed from the connections list?
-
-Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling
-connection I/O" fixes the abort/double free.  I think the use of
-list_for_each_entry_safe is incorrect.  list_for_each_entry_safe makes
-traversal safe for deleting the current iterator, but RELEASE/do_release
-will delete some other entry in the connections list.  I think the
-observed abort is because list_for_each_entry has next pointing to the
-deleted connection, and it is used in the subsequent iteration.
-
-Add a comment explaining the unsuitability of list_for_each_entry_safe.
-Also notice that the old code takes a reference on next which would
-prevents a use-after-free.
-
-This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d.
-
-This is XSA-425/CVE-2022-42330.
-
-Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O")
-Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
----
- tools/xenstore/xenstored_core.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
-index 476d5c6d51..56dbdc2530 100644
---- a/tools/xenstore/xenstored_core.c
-+++ b/tools/xenstore/xenstored_core.c
-@@ -2935,8 +2935,23 @@ int main(int argc, char *argv[])
- 			}
- 		}
- 
--		list_for_each_entry_safe(conn, next, &connections, list) {
--			talloc_increase_ref_count(conn);
-+		/*
-+		 * list_for_each_entry_safe is not suitable here because
-+		 * handle_input may delete entries besides the current one, but
-+		 * those may be in the temporary next which would trigger a
-+		 * use-after-free.  list_for_each_entry_safe is only safe for
-+		 * deleting the current entry.
-+		 */
-+		next = list_entry(connections.next, typeof(*conn), list);
-+		if (&next->list != &connections)
-+			talloc_increase_ref_count(next);
-+		while (&next->list != &connections) {
-+			conn = next;
-+
-+			next = list_entry(conn->list.next,
-+					  typeof(*conn), list);
-+			if (&next->list != &connections)
-+				talloc_increase_ref_count(next);
- 
- 			if (conn_can_read(conn))
- 				handle_input(conn);
--- 
-2.40.0
-

diff --git a/0024-libxl-slightly-correct-JSON-generation-of-CPU-policy.patch b/0024-libxl-slightly-correct-JSON-generation-of-CPU-policy.patch
new file mode 100644
index 0000000..1ec7335
--- /dev/null
+++ b/0024-libxl-slightly-correct-JSON-generation-of-CPU-policy.patch
@@ -0,0 +1,38 @@
+From 042982297802e7b746dc2fac95a453cc88d0aa83 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 5 Sep 2023 08:52:15 +0200
+Subject: [PATCH 24/55] libxl: slightly correct JSON generation of CPU policy
+
+The "cpuid_empty" label is also (in principle; maybe only for rubbish
+input) reachable in the "cpuid_only" case. Hence the label needs to live
+ahead of the check of the variable.
+
+Fixes: 5b80cecb747b ("libxl: introduce MSR data in libxl_cpuid_policy")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: ebce4e3a146c39e57bb7a890e059e89c32b6d547
+master date: 2023-08-17 16:24:17 +0200
+---
+ tools/libs/light/libxl_cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
+index 849722541c..5c66d094b2 100644
+--- a/tools/libs/light/libxl_cpuid.c
++++ b/tools/libs/light/libxl_cpuid.c
+@@ -710,10 +710,11 @@ parse_cpuid:
+                     libxl__strdup(NOGC, libxl__json_object_get_string(r));
+         }
+     }
++
++cpuid_empty:
+     if (cpuid_only)
+         return 0;
+ 
+-cpuid_empty:
+     co = libxl__json_map_get("msr", o, JSON_ARRAY);
+     if (!libxl__json_object_is_array(co))
+         return ERROR_FAIL;
+-- 
+2.42.0
+

diff --git a/0025-tboot-Disable-CET-at-shutdown.patch b/0025-tboot-Disable-CET-at-shutdown.patch
new file mode 100644
index 0000000..f06db61
--- /dev/null
+++ b/0025-tboot-Disable-CET-at-shutdown.patch
@@ -0,0 +1,53 @@
+From 7ca58fbef489fcb17631872a2bdc929823a2a494 Mon Sep 17 00:00:00 2001
+From: Jason Andryuk <jandryuk@gmail.com>
+Date: Tue, 5 Sep 2023 08:52:33 +0200
+Subject: [PATCH 25/55] tboot: Disable CET at shutdown
+
+tboot_shutdown() calls into tboot to perform the actual system shutdown.
+tboot isn't built with endbr annotations, and Xen has CET-IBT enabled on
+newer hardware.  shutdown_entry isn't annotated with endbr and Xen
+faults:
+
+Panic on CPU 0:
+CONTROL-FLOW PROTECTION FAULT: #CP[0003] endbranch
+
+And Xen hangs at this point.
+
+Disabling CET-IBT let Xen and tboot power off, but reboot was
+perfoming a poweroff instead of a warm reboot.  Disabling all of CET,
+i.e. shadow stacks as well, lets tboot reboot properly.
+
+Fixes: cdbe2b0a1aec ("x86: Enable CET Indirect Branch Tracking")
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
+master commit: 0801868f550539d417d46f82c49307480947ccaa
+master date: 2023-08-17 16:24:49 +0200
+---
+ xen/arch/x86/tboot.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
+index fe1abfdf08..a2e9e97ed7 100644
+--- a/xen/arch/x86/tboot.c
++++ b/xen/arch/x86/tboot.c
+@@ -398,6 +398,16 @@ void tboot_shutdown(uint32_t shutdown_type)
+         tboot_gen_xenheap_integrity(g_tboot_shared->s3_key, &xenheap_mac);
+     }
+ 
++    /*
++     * Disable CET - tboot may not be built with endbr, and it doesn't support
++     * shadow stacks.
++     */
++    if ( read_cr4() & X86_CR4_CET )
++    {
++        wrmsrl(MSR_S_CET, 0);
++        write_cr4(read_cr4() & ~X86_CR4_CET);
++    }
++
+     /*
+      * During early boot, we can be called by panic before idle_vcpu[0] is
+      * setup, but in that case we don't need to change page tables.
+-- 
+2.42.0
+

diff --git a/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch b/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch
deleted file mode 100644
index 142280f..0000000
--- a/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From a470a83c36c07b56d90957ae1e6e9ebc458d3686 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 7 Feb 2023 16:56:14 +0100
-Subject: [PATCH 25/89] x86/S3: Restore Xen's MSR_PAT value on S3 resume
-
-There are two paths in the trampoline, and Xen's PAT needs setting up in both,
-not just the boot path.
-
-Fixes: 4304ff420e51 ("x86/S3: Drop {save,restore}_rest_processor_state() completely")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 4d975798e11579fdf405b348543061129e01b0fb
-master date: 2023-01-10 21:21:30 +0000
----
- xen/arch/x86/boot/wakeup.S | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/boot/wakeup.S b/xen/arch/x86/boot/wakeup.S
-index c17d613b61..08447e1934 100644
---- a/xen/arch/x86/boot/wakeup.S
-+++ b/xen/arch/x86/boot/wakeup.S
-@@ -130,6 +130,11 @@ wakeup_32:
-         and     %edi, %edx
-         wrmsr
- 1:
-+        /* Set up PAT before enabling paging. */
-+        mov     $XEN_MSR_PAT & 0xffffffff, %eax
-+        mov     $XEN_MSR_PAT >> 32, %edx
-+        mov     $MSR_IA32_CR_PAT, %ecx
-+        wrmsr
- 
-         /* Set up EFER (Extended Feature Enable Register). */
-         movl    $MSR_EFER,%ecx
--- 
-2.40.0
-

diff --git a/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch b/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch
deleted file mode 100644
index 5d937d5..0000000
--- a/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 1d7a388e7b9711cbd7e14b2020b168b6789772af Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Tue, 7 Feb 2023 16:57:22 +0100
-Subject: [PATCH 26/89] tools: Fix build with recent QEMU, use
- "--enable-trace-backends"
-
-The configure option "--enable-trace-backend" isn't accepted anymore
-and we should use "--enable-trace-backends" instead which was
-introduce in 2014 and allow multiple backends.
-
-"--enable-trace-backends" was introduced by:
-    5b808275f3bb ("trace: Multi-backend tracing")
-The backward compatible option "--enable-trace-backend" is removed by
-    10229ec3b0ff ("configure: remove backwards-compatibility and obsolete options")
-
-As we already use ./configure options that wouldn't be accepted by
-older version of QEMU's configure, we will simply use the new spelling
-for the option and avoid trying to detect which spelling to use.
-
-We already make use if "--firmwarepath=" which was introduced by
-    3d5eecab4a5a ("Add --firmwarepath to configure")
-which already include the new spelling for "--enable-trace-backends".
-
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
-master commit: e66d450b6e0ffec635639df993ab43ce28b3383f
-master date: 2023-01-11 10:45:29 +0100
----
- tools/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/Makefile b/tools/Makefile
-index 9e28027835..4906fdbc23 100644
---- a/tools/Makefile
-+++ b/tools/Makefile
-@@ -218,9 +218,9 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-find
- 	mkdir -p qemu-xen-build; \
- 	cd qemu-xen-build; \
- 	if $$source/scripts/tracetool.py --check-backend --backend log ; then \
--		enable_trace_backend='--enable-trace-backend=log'; \
-+		enable_trace_backend="--enable-trace-backends=log"; \
- 	elif $$source/scripts/tracetool.py --check-backend --backend stderr ; then \
--		enable_trace_backend='--enable-trace-backend=stderr'; \
-+		enable_trace_backend='--enable-trace-backends=stderr'; \
- 	else \
- 		enable_trace_backend='' ; \
- 	fi ; \
--- 
-2.40.0
-

diff --git a/0026-x86-svm-Fix-valid-condition-in-svm_get_pending_event.patch b/0026-x86-svm-Fix-valid-condition-in-svm_get_pending_event.patch
new file mode 100644
index 0000000..10aa14f
--- /dev/null
+++ b/0026-x86-svm-Fix-valid-condition-in-svm_get_pending_event.patch
@@ -0,0 +1,29 @@
+From a939e953cdd522da3d8f0efeaea84448b5b570f9 Mon Sep 17 00:00:00 2001
+From: Jinoh Kang <jinoh.kang.kr@gmail.com>
+Date: Tue, 5 Sep 2023 08:53:01 +0200
+Subject: [PATCH 26/55] x86/svm: Fix valid condition in svm_get_pending_event()
+
+Fixes: 9864841914c2 ("x86/vm_event: add support for VM_EVENT_REASON_INTERRUPT")
+Signed-off-by: Jinoh Kang <jinoh.kang.kr@gmail.com>
+master commit: b2865c2b6f164d2c379177cdd1cb200e4eaba549
+master date: 2023-08-18 20:21:44 +0100
+---
+ xen/arch/x86/hvm/svm/svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
+index 5fa945c526..e8f50e7c5e 100644
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -2490,7 +2490,7 @@ static bool cf_check svm_get_pending_event(
+ {
+     const struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb;
+ 
+-    if ( vmcb->event_inj.v )
++    if ( !vmcb->event_inj.v )
+         return false;
+ 
+     info->vector = vmcb->event_inj.vector;
+-- 
+2.42.0
+

diff --git a/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch b/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch
deleted file mode 100644
index 3528bd6..0000000
--- a/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From c871e05e138aae2ac75e9b4ccebe6cf3fd1a775b Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 7 Feb 2023 16:57:52 +0100
-Subject: [PATCH 27/89] include/compat: produce stubs for headers not otherwise
- generated
-
-Public headers can include other public headers. Such interdependencies
-are retained in their compat counterparts. Since some compat headers are
-generated only in certain configurations, the referenced headers still
-need to exist. The lack thereof was observed with hvm/hvm_op.h needing
-trace.h, where generation of the latter depends on TRACEBUFFER=y. Make
-empty stubs in such cases (as generating the extra headers is relatively
-slow and hence better to avoid). Changes to .config and incrementally
-(re-)building is covered by the respective .*.cmd then no longer
-matching the command to be used, resulting in the necessary re-creation
-of the (possibly stub) header.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
-master commit: 6bec713f871f21c6254a5783c1e39867ea828256
-master date: 2023-01-12 16:17:54 +0100
----
- xen/include/Makefile | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/xen/include/Makefile b/xen/include/Makefile
-index 65be310eca..cfd7851614 100644
---- a/xen/include/Makefile
-+++ b/xen/include/Makefile
-@@ -34,6 +34,8 @@ headers-$(CONFIG_TRACEBUFFER) += compat/trace.h
- headers-$(CONFIG_XENOPROF) += compat/xenoprof.h
- headers-$(CONFIG_XSM_FLASK) += compat/xsm/flask_op.h
- 
-+headers-n := $(filter-out $(headers-y),$(headers-n) $(headers-))
-+
- cppflags-y                := -include public/xen-compat.h -DXEN_GENERATING_COMPAT_HEADERS
- cppflags-$(CONFIG_X86)    += -m32
- 
-@@ -43,13 +45,16 @@ public-$(CONFIG_X86) := $(wildcard $(srcdir)/public/arch-x86/*.h $(srcdir)/publi
- public-$(CONFIG_ARM) := $(wildcard $(srcdir)/public/arch-arm/*.h $(srcdir)/public/arch-arm/*/*.h)
- 
- .PHONY: all
--all: $(addprefix $(obj)/,$(headers-y))
-+all: $(addprefix $(obj)/,$(headers-y) $(headers-n))
- 
- quiet_cmd_compat_h = GEN     $@
- cmd_compat_h = \
-     $(PYTHON) $(srctree)/tools/compat-build-header.py <$< $(patsubst $(obj)/%,%,$@) >>$@.new; \
-     mv -f $@.new $@
- 
-+quiet_cmd_stub_h = GEN     $@
-+cmd_stub_h = echo '/* empty */' >$@
-+
- quiet_cmd_compat_i = CPP     $@
- cmd_compat_i = $(CPP) $(filter-out -Wa$(comma)% -include %/include/xen/config.h,$(XEN_CFLAGS)) $(cppflags-y) -o $@ $<
- 
-@@ -69,6 +74,13 @@ targets += $(headers-y)
- $(obj)/compat/%.h: $(obj)/compat/%.i $(srctree)/tools/compat-build-header.py FORCE
- 	$(call if_changed,compat_h)
- 
-+# Placeholders may be needed in case files in $(headers-y) include files we
-+# don't otherwise generate.  Real dependencies would need spelling out explicitly,
-+# for them to appear in $(headers-y) instead.
-+targets += $(headers-n)
-+$(addprefix $(obj)/,$(headers-n)): FORCE
-+	$(call if_changed,stub_h)
-+
- .PRECIOUS: $(obj)/compat/%.i
- targets += $(patsubst %.h, %.i, $(headers-y))
- $(obj)/compat/%.i: $(obj)/compat/%.c FORCE
--- 
-2.40.0
-

diff --git a/0027-x86-vmx-Revert-x86-VMX-sanitize-rIP-before-re-enteri.patch b/0027-x86-vmx-Revert-x86-VMX-sanitize-rIP-before-re-enteri.patch
new file mode 100644
index 0000000..a022066
--- /dev/null
+++ b/0027-x86-vmx-Revert-x86-VMX-sanitize-rIP-before-re-enteri.patch
@@ -0,0 +1,100 @@
+From 8be85d8c0df2445c012fac42117396b483db5db0 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 5 Sep 2023 08:53:31 +0200
+Subject: [PATCH 27/55] x86/vmx: Revert "x86/VMX: sanitize rIP before
+ re-entering guest"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+At the time of XSA-170, the x86 instruction emulator was genuinely broken.  It
+would load arbitrary values into %rip and putting a check here probably was
+the best stopgap security fix.  It should have been reverted following c/s
+81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the emulator
+behaviour.
+
+However, everyone involved in XSA-170, myself included, failed to read the SDM
+correctly.  On the subject of %rip consistency checks, the SDM stated:
+
+  If the processor supports N < 64 linear-address bits, bits 63:N must be
+  identical
+
+A non-canonical %rip (and SSP more recently) is an explicitly legal state in
+x86, and the VMEntry consistency checks are intentionally off-by-one from a
+regular canonical check.
+
+The consequence of this bug is that Xen will currently take a legal x86 state
+which would successfully VMEnter, and corrupt it into having non-architectural
+behaviour.
+
+Furthermore, in the time this bugfix has been pending in public, I
+successfully persuaded Intel to clarify the SDM, adding the following
+clarification:
+
+  The guest RIP value is not required to be canonical; the value of bit N-1
+  may differ from that of bit N.
+
+Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 10c83bb0f5d158d101d983883741b76f927e54a3
+master date: 2023-08-23 18:44:59 +0100
+---
+ xen/arch/x86/hvm/vmx/vmx.c | 34 +---------------------------------
+ 1 file changed, 1 insertion(+), 33 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index f256dc2635..072288a5ef 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -3975,7 +3975,7 @@ static void undo_nmis_unblocked_by_iret(void)
+ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ {
+     unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
+-    unsigned int vector = 0, mode;
++    unsigned int vector = 0;
+     struct vcpu *v = current;
+     struct domain *currd = v->domain;
+ 
+@@ -4650,38 +4650,6 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ out:
+     if ( nestedhvm_vcpu_in_guestmode(v) )
+         nvmx_idtv_handling();
+-
+-    /*
+-     * VM entry will fail (causing the guest to get crashed) if rIP (and
+-     * rFLAGS, but we don't have an issue there) doesn't meet certain
+-     * criteria. As we must not allow less than fully privileged mode to have
+-     * such an effect on the domain, we correct rIP in that case (accepting
+-     * this not being architecturally correct behavior, as the injected #GP
+-     * fault will then not see the correct [invalid] return address).
+-     * And since we know the guest will crash, we crash it right away if it
+-     * already is in most privileged mode.
+-     */
+-    mode = vmx_guest_x86_mode(v);
+-    if ( mode == 8 ? !is_canonical_address(regs->rip)
+-                   : regs->rip != regs->eip )
+-    {
+-        gprintk(XENLOG_WARNING, "Bad rIP %lx for mode %u\n", regs->rip, mode);
+-
+-        if ( vmx_get_cpl() )
+-        {
+-            __vmread(VM_ENTRY_INTR_INFO, &intr_info);
+-            if ( !(intr_info & INTR_INFO_VALID_MASK) )
+-                hvm_inject_hw_exception(TRAP_gp_fault, 0);
+-            /* Need to fix rIP nevertheless. */
+-            if ( mode == 8 )
+-                regs->rip = (long)(regs->rip << (64 - VADDR_BITS)) >>
+-                            (64 - VADDR_BITS);
+-            else
+-                regs->rip = regs->eip;
+-        }
+-        else
+-            domain_crash(v->domain);
+-    }
+ }
+ 
+ static void lbr_tsx_fixup(void)
+-- 
+2.42.0
+

diff --git a/0028-x86-irq-fix-reporting-of-spurious-i8259-interrupts.patch b/0028-x86-irq-fix-reporting-of-spurious-i8259-interrupts.patch
new file mode 100644
index 0000000..2fcfd68
--- /dev/null
+++ b/0028-x86-irq-fix-reporting-of-spurious-i8259-interrupts.patch
@@ -0,0 +1,41 @@
+From 699de512748d8e3bdcb3225b3b2a77c10cfd2408 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Sep 2023 08:53:57 +0200
+Subject: [PATCH 28/55] x86/irq: fix reporting of spurious i8259 interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The return value of bogus_8259A_irq() is wrong: the function will
+return `true` when the IRQ is real and `false` when it's a spurious
+IRQ.  This causes the "No irq handler for vector ..." message in
+do_IRQ() to be printed for spurious i8259 interrupts which is not
+intended (and not helpful).
+
+Fix by inverting the return value of bogus_8259A_irq().
+
+Fixes: 132906348a14 ('x86/i8259: Handle bogus spurious interrupts more quietly')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 709f6c8ce6422475c372e67507606170a31ccb65
+master date: 2023-08-30 10:03:53 +0200
+---
+ xen/arch/x86/i8259.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/i8259.c b/xen/arch/x86/i8259.c
+index 6b35be10f0..ed9f55abe5 100644
+--- a/xen/arch/x86/i8259.c
++++ b/xen/arch/x86/i8259.c
+@@ -37,7 +37,7 @@ static bool _mask_and_ack_8259A_irq(unsigned int irq);
+ 
+ bool bogus_8259A_irq(unsigned int irq)
+ {
+-    return _mask_and_ack_8259A_irq(irq);
++    return !_mask_and_ack_8259A_irq(irq);
+ }
+ 
+ static void cf_check mask_and_ack_8259A_irq(struct irq_desc *desc)
+-- 
+2.42.0
+

diff --git a/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch b/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch
deleted file mode 100644
index 8185bee..0000000
--- a/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch
+++ /dev/null
@@ -1,342 +0,0 @@
-From 5e3250258afbace3e5dc3f31ac99c1eebf60f238 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 7 Feb 2023 16:58:25 +0100
-Subject: [PATCH 28/89] x86/vmx: Calculate model-specific LBRs once at start of
- day
-
-There is no point repeating this calculation at runtime, especially as it is
-in the fallback path of the WRSMR/RDMSR handlers.
-
-Move the infrastructure higher in vmx.c to avoid forward declarations,
-renaming last_branch_msr_get() to get_model_specific_lbr() to highlight that
-these are model-specific only.
-
-No practical change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: e94af0d58f86c3a914b9cbbf4d9ed3d43b974771
-master date: 2023-01-12 18:42:00 +0000
----
- xen/arch/x86/hvm/vmx/vmx.c | 276 +++++++++++++++++++------------------
- 1 file changed, 139 insertions(+), 137 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index 7c81b80710..ad91464103 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -396,6 +396,142 @@ void vmx_pi_hooks_deassign(struct domain *d)
-     domain_unpause(d);
- }
- 
-+static const struct lbr_info {
-+    u32 base, count;
-+} p4_lbr[] = {
-+    { MSR_P4_LER_FROM_LIP,          1 },
-+    { MSR_P4_LER_TO_LIP,            1 },
-+    { MSR_P4_LASTBRANCH_TOS,        1 },
-+    { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO },
-+    { MSR_P4_LASTBRANCH_0_TO_LIP,   NUM_MSR_P4_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+}, c2_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_C2_LASTBRANCH_TOS,        1 },
-+    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_C2_LASTBRANCH_FROM_TO },
-+    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_C2_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+}, nh_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_NHL_LBR_SELECT,           1 },
-+    { MSR_NHL_LASTBRANCH_TOS,       1 },
-+    { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO },
-+    { MSR_P4_LASTBRANCH_0_TO_LIP,   NUM_MSR_P4_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+}, sk_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_NHL_LBR_SELECT,           1 },
-+    { MSR_NHL_LASTBRANCH_TOS,       1 },
-+    { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH },
-+    { MSR_SKL_LASTBRANCH_0_TO_IP,   NUM_MSR_SKL_LASTBRANCH },
-+    { MSR_SKL_LASTBRANCH_0_INFO,    NUM_MSR_SKL_LASTBRANCH },
-+    { 0, 0 }
-+}, at_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_C2_LASTBRANCH_TOS,        1 },
-+    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
-+    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+}, sm_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_SM_LBR_SELECT,            1 },
-+    { MSR_SM_LASTBRANCH_TOS,        1 },
-+    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
-+    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+}, gm_lbr[] = {
-+    { MSR_IA32_LASTINTFROMIP,       1 },
-+    { MSR_IA32_LASTINTTOIP,         1 },
-+    { MSR_SM_LBR_SELECT,            1 },
-+    { MSR_SM_LASTBRANCH_TOS,        1 },
-+    { MSR_GM_LASTBRANCH_0_FROM_IP,  NUM_MSR_GM_LASTBRANCH_FROM_TO },
-+    { MSR_GM_LASTBRANCH_0_TO_IP,    NUM_MSR_GM_LASTBRANCH_FROM_TO },
-+    { 0, 0 }
-+};
-+static const struct lbr_info *__ro_after_init model_specific_lbr;
-+
-+static const struct lbr_info *__init get_model_specific_lbr(void)
-+{
-+    switch ( boot_cpu_data.x86 )
-+    {
-+    case 6:
-+        switch ( boot_cpu_data.x86_model )
-+        {
-+        /* Core2 Duo */
-+        case 0x0f:
-+        /* Enhanced Core */
-+        case 0x17:
-+        /* Xeon 7400 */
-+        case 0x1d:
-+            return c2_lbr;
-+        /* Nehalem */
-+        case 0x1a: case 0x1e: case 0x1f: case 0x2e:
-+        /* Westmere */
-+        case 0x25: case 0x2c: case 0x2f:
-+        /* Sandy Bridge */
-+        case 0x2a: case 0x2d:
-+        /* Ivy Bridge */
-+        case 0x3a: case 0x3e:
-+        /* Haswell */
-+        case 0x3c: case 0x3f: case 0x45: case 0x46:
-+        /* Broadwell */
-+        case 0x3d: case 0x47: case 0x4f: case 0x56:
-+            return nh_lbr;
-+        /* Skylake */
-+        case 0x4e: case 0x5e:
-+        /* Xeon Scalable */
-+        case 0x55:
-+        /* Cannon Lake */
-+        case 0x66:
-+        /* Goldmont Plus */
-+        case 0x7a:
-+        /* Ice Lake */
-+        case 0x6a: case 0x6c: case 0x7d: case 0x7e:
-+        /* Tiger Lake */
-+        case 0x8c: case 0x8d:
-+        /* Tremont */
-+        case 0x86:
-+        /* Kaby Lake */
-+        case 0x8e: case 0x9e:
-+        /* Comet Lake */
-+        case 0xa5: case 0xa6:
-+            return sk_lbr;
-+        /* Atom */
-+        case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36:
-+            return at_lbr;
-+        /* Silvermont */
-+        case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d:
-+        /* Xeon Phi Knights Landing */
-+        case 0x57:
-+        /* Xeon Phi Knights Mill */
-+        case 0x85:
-+        /* Airmont */
-+        case 0x4c:
-+            return sm_lbr;
-+        /* Goldmont */
-+        case 0x5c: case 0x5f:
-+            return gm_lbr;
-+        }
-+        break;
-+
-+    case 15:
-+        switch ( boot_cpu_data.x86_model )
-+        {
-+        /* Pentium4/Xeon with em64t */
-+        case 3: case 4: case 6:
-+            return p4_lbr;
-+        }
-+        break;
-+    }
-+
-+    return NULL;
-+}
-+
- static int cf_check vmx_domain_initialise(struct domain *d)
- {
-     static const struct arch_csw csw = {
-@@ -2837,6 +2973,7 @@ const struct hvm_function_table * __init start_vmx(void)
-         vmx_function_table.tsc_scaling.setup = vmx_setup_tsc_scaling;
-     }
- 
-+    model_specific_lbr = get_model_specific_lbr();
-     lbr_tsx_fixup_check();
-     ler_to_fixup_check();
- 
-@@ -2983,141 +3120,6 @@ static int vmx_cr_access(cr_access_qual_t qual)
-     return X86EMUL_OKAY;
- }
- 
--static const struct lbr_info {
--    u32 base, count;
--} p4_lbr[] = {
--    { MSR_P4_LER_FROM_LIP,          1 },
--    { MSR_P4_LER_TO_LIP,            1 },
--    { MSR_P4_LASTBRANCH_TOS,        1 },
--    { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO },
--    { MSR_P4_LASTBRANCH_0_TO_LIP,   NUM_MSR_P4_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--}, c2_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_C2_LASTBRANCH_TOS,        1 },
--    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_C2_LASTBRANCH_FROM_TO },
--    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_C2_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--}, nh_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_NHL_LBR_SELECT,           1 },
--    { MSR_NHL_LASTBRANCH_TOS,       1 },
--    { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO },
--    { MSR_P4_LASTBRANCH_0_TO_LIP,   NUM_MSR_P4_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--}, sk_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_NHL_LBR_SELECT,           1 },
--    { MSR_NHL_LASTBRANCH_TOS,       1 },
--    { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH },
--    { MSR_SKL_LASTBRANCH_0_TO_IP,   NUM_MSR_SKL_LASTBRANCH },
--    { MSR_SKL_LASTBRANCH_0_INFO,    NUM_MSR_SKL_LASTBRANCH },
--    { 0, 0 }
--}, at_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_C2_LASTBRANCH_TOS,        1 },
--    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
--    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--}, sm_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_SM_LBR_SELECT,            1 },
--    { MSR_SM_LASTBRANCH_TOS,        1 },
--    { MSR_C2_LASTBRANCH_0_FROM_IP,  NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
--    { MSR_C2_LASTBRANCH_0_TO_IP,    NUM_MSR_ATOM_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--}, gm_lbr[] = {
--    { MSR_IA32_LASTINTFROMIP,       1 },
--    { MSR_IA32_LASTINTTOIP,         1 },
--    { MSR_SM_LBR_SELECT,            1 },
--    { MSR_SM_LASTBRANCH_TOS,        1 },
--    { MSR_GM_LASTBRANCH_0_FROM_IP,  NUM_MSR_GM_LASTBRANCH_FROM_TO },
--    { MSR_GM_LASTBRANCH_0_TO_IP,    NUM_MSR_GM_LASTBRANCH_FROM_TO },
--    { 0, 0 }
--};
--
--static const struct lbr_info *last_branch_msr_get(void)
--{
--    switch ( boot_cpu_data.x86 )
--    {
--    case 6:
--        switch ( boot_cpu_data.x86_model )
--        {
--        /* Core2 Duo */
--        case 0x0f:
--        /* Enhanced Core */
--        case 0x17:
--        /* Xeon 7400 */
--        case 0x1d:
--            return c2_lbr;
--        /* Nehalem */
--        case 0x1a: case 0x1e: case 0x1f: case 0x2e:
--        /* Westmere */
--        case 0x25: case 0x2c: case 0x2f:
--        /* Sandy Bridge */
--        case 0x2a: case 0x2d:
--        /* Ivy Bridge */
--        case 0x3a: case 0x3e:
--        /* Haswell */
--        case 0x3c: case 0x3f: case 0x45: case 0x46:
--        /* Broadwell */
--        case 0x3d: case 0x47: case 0x4f: case 0x56:
--            return nh_lbr;
--        /* Skylake */
--        case 0x4e: case 0x5e:
--        /* Xeon Scalable */
--        case 0x55:
--        /* Cannon Lake */
--        case 0x66:
--        /* Goldmont Plus */
--        case 0x7a:
--        /* Ice Lake */
--        case 0x6a: case 0x6c: case 0x7d: case 0x7e:
--        /* Tiger Lake */
--        case 0x8c: case 0x8d:
--        /* Tremont */
--        case 0x86:
--        /* Kaby Lake */
--        case 0x8e: case 0x9e:
--        /* Comet Lake */
--        case 0xa5: case 0xa6:
--            return sk_lbr;
--        /* Atom */
--        case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36:
--            return at_lbr;
--        /* Silvermont */
--        case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d:
--        /* Xeon Phi Knights Landing */
--        case 0x57:
--        /* Xeon Phi Knights Mill */
--        case 0x85:
--        /* Airmont */
--        case 0x4c:
--            return sm_lbr;
--        /* Goldmont */
--        case 0x5c: case 0x5f:
--            return gm_lbr;
--        }
--        break;
--
--    case 15:
--        switch ( boot_cpu_data.x86_model )
--        {
--        /* Pentium4/Xeon with em64t */
--        case 3: case 4: case 6:
--            return p4_lbr;
--        }
--        break;
--    }
--
--    return NULL;
--}
--
- enum
- {
-     LBR_FORMAT_32                 = 0x0, /* 32-bit record format */
-@@ -3224,7 +3226,7 @@ static void __init ler_to_fixup_check(void)
- 
- static int is_last_branch_msr(u32 ecx)
- {
--    const struct lbr_info *lbr = last_branch_msr_get();
-+    const struct lbr_info *lbr = model_specific_lbr;
- 
-     if ( lbr == NULL )
-         return 0;
-@@ -3563,7 +3565,7 @@ static int cf_check vmx_msr_write_intercept(
-         if ( !(v->arch.hvm.vmx.lbr_flags & LBR_MSRS_INSERTED) &&
-              (msr_content & IA32_DEBUGCTLMSR_LBR) )
-         {
--            const struct lbr_info *lbr = last_branch_msr_get();
-+            const struct lbr_info *lbr = model_specific_lbr;
- 
-             if ( unlikely(!lbr) )
-             {
--- 
-2.40.0
-

diff --git a/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch b/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch
deleted file mode 100644
index 2f87b83..0000000
--- a/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From e904d8ae01a0be53368c8c388f13bf4ffcbcdf6c Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 7 Feb 2023 16:59:14 +0100
-Subject: [PATCH 29/89] x86/vmx: Support for CPUs without model-specific LBR
-
-Ice Lake (server at least) has both architectural LBR and model-specific LBR.
-Sapphire Rapids does not have model-specific LBR at all.  I.e. On SPR and
-later, model_specific_lbr will always be NULL, so we must make changes to
-avoid reliably hitting the domain_crash().
-
-The Arch LBR spec states that CPUs without model-specific LBR implement
-MSR_DBG_CTL.LBR by discarding writes and always returning 0.
-
-Do this for any CPU for which we lack model-specific LBR information.
-
-Adjust the now-stale comment, now that the Arch LBR spec has created a way to
-signal "no model specific LBR" to guests.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: 3edca52ce736297d7fcf293860cd94ef62638052
-master date: 2023-01-12 18:42:00 +0000
----
- xen/arch/x86/hvm/vmx/vmx.c | 31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index ad91464103..861f91f2af 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -3545,18 +3545,26 @@ static int cf_check vmx_msr_write_intercept(
-         if ( msr_content & rsvd )
-             goto gp_fault;
- 
-+        /*
-+         * The Arch LBR spec (new in Ice Lake) states that CPUs with no
-+         * model-specific LBRs implement MSR_DBG_CTL.LBR by discarding writes
-+         * and always returning 0.
-+         *
-+         * Use this property in all cases where we don't know any
-+         * model-specific LBR information, as it matches real hardware
-+         * behaviour on post-Ice Lake systems.
-+         */
-+        if ( !model_specific_lbr )
-+            msr_content &= ~IA32_DEBUGCTLMSR_LBR;
-+
-         /*
-          * When a guest first enables LBR, arrange to save and restore the LBR
-          * MSRs and allow the guest direct access.
-          *
--         * MSR_DEBUGCTL and LBR has existed almost as long as MSRs have
--         * existed, and there is no architectural way to hide the feature, or
--         * fail the attempt to enable LBR.
--         *
--         * Unknown host LBR MSRs or hitting -ENOSPC with the guest load/save
--         * list are definitely hypervisor bugs, whereas -ENOMEM for allocating
--         * the load/save list is simply unlucky (and shouldn't occur with
--         * sensible management by the toolstack).
-+         * Hitting -ENOSPC with the guest load/save list is definitely a
-+         * hypervisor bug, whereas -ENOMEM for allocating the load/save list
-+         * is simply unlucky (and shouldn't occur with sensible management by
-+         * the toolstack).
-          *
-          * Either way, there is nothing we can do right now to recover, and
-          * the guest won't execute correctly either.  Simply crash the domain
-@@ -3567,13 +3575,6 @@ static int cf_check vmx_msr_write_intercept(
-         {
-             const struct lbr_info *lbr = model_specific_lbr;
- 
--            if ( unlikely(!lbr) )
--            {
--                gprintk(XENLOG_ERR, "Unknown Host LBR MSRs\n");
--                domain_crash(v->domain);
--                return X86EMUL_OKAY;
--            }
--
-             for ( ; lbr->count; lbr++ )
-             {
-                 unsigned int i;
--- 
-2.40.0
-

diff --git a/0029-xen-arm-page-Handle-cache-flush-of-an-element-at-the.patch b/0029-xen-arm-page-Handle-cache-flush-of-an-element-at-the.patch
new file mode 100644
index 0000000..bc866d0
--- /dev/null
+++ b/0029-xen-arm-page-Handle-cache-flush-of-an-element-at-the.patch
@@ -0,0 +1,111 @@
+From d31e5b2a9c39816a954d1088d4cfc782f0006f39 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <stefano.stabellini@amd.com>
+Date: Tue, 5 Sep 2023 14:33:29 +0200
+Subject: [PATCH 29/55] xen/arm: page: Handle cache flush of an element at the
+ top of the address space
+
+The region that needs to be cleaned/invalidated may be at the top
+of the address space. This means that 'end' (i.e. 'p + size') will
+be 0 and therefore nothing will be cleaned/invalidated as the check
+in the loop will always be false.
+
+On Arm64, we only support we only support up to 48-bit Virtual
+address space. So this is not a concern there. However, for 32-bit,
+the mapcache is using the last 2GB of the address space. Therefore
+we may not clean/invalidate properly some pages. This could lead
+to memory corruption or data leakage (the scrubbed value may
+still sit in the cache when the guest could read directly the memory
+and therefore read the old content).
+
+Rework invalidate_dcache_va_range(), clean_dcache_va_range(),
+clean_and_invalidate_dcache_va_range() to handle a cache flush
+with an element at the top of the address space.
+
+This is CVE-2023-34321 / XSA-437.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Acked-by: Bertrand Marquis <bertrand.marquis@arm.com>
+master commit: 9a216e92de9f9011097e4f1fb55ff67ba0a21704
+master date: 2023-09-05 14:30:08 +0200
+---
+ xen/arch/arm/include/asm/page.h | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/xen/arch/arm/include/asm/page.h b/xen/arch/arm/include/asm/page.h
+index e7cd62190c..d7fe770a5e 100644
+--- a/xen/arch/arm/include/asm/page.h
++++ b/xen/arch/arm/include/asm/page.h
+@@ -160,26 +160,25 @@ static inline size_t read_dcache_line_bytes(void)
+ 
+ static inline int invalidate_dcache_va_range(const void *p, unsigned long size)
+ {
+-    const void *end = p + size;
+     size_t cacheline_mask = dcache_line_bytes - 1;
+ 
+     dsb(sy);           /* So the CPU issues all writes to the range */
+ 
+     if ( (uintptr_t)p & cacheline_mask )
+     {
++        size -= dcache_line_bytes - ((uintptr_t)p & cacheline_mask);
+         p = (void *)((uintptr_t)p & ~cacheline_mask);
+         asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
+         p += dcache_line_bytes;
+     }
+-    if ( (uintptr_t)end & cacheline_mask )
+-    {
+-        end = (void *)((uintptr_t)end & ~cacheline_mask);
+-        asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (end));
+-    }
+ 
+-    for ( ; p < end; p += dcache_line_bytes )
++    for ( ; size >= dcache_line_bytes;
++            p += dcache_line_bytes, size -= dcache_line_bytes )
+         asm volatile (__invalidate_dcache_one(0) : : "r" (p));
+ 
++    if ( size > 0 )
++        asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
++
+     dsb(sy);           /* So we know the flushes happen before continuing */
+ 
+     return 0;
+@@ -187,10 +186,14 @@ static inline int invalidate_dcache_va_range(const void *p, unsigned long size)
+ 
+ static inline int clean_dcache_va_range(const void *p, unsigned long size)
+ {
+-    const void *end = p + size;
++    size_t cacheline_mask = dcache_line_bytes - 1;
++
+     dsb(sy);           /* So the CPU issues all writes to the range */
+-    p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1));
+-    for ( ; p < end; p += dcache_line_bytes )
++    size += (uintptr_t)p & cacheline_mask;
++    size = (size + cacheline_mask) & ~cacheline_mask;
++    p = (void *)((uintptr_t)p & ~cacheline_mask);
++    for ( ; size >= dcache_line_bytes;
++            p += dcache_line_bytes, size -= dcache_line_bytes )
+         asm volatile (__clean_dcache_one(0) : : "r" (p));
+     dsb(sy);           /* So we know the flushes happen before continuing */
+     /* ARM callers assume that dcache_* functions cannot fail. */
+@@ -200,10 +203,14 @@ static inline int clean_dcache_va_range(const void *p, unsigned long size)
+ static inline int clean_and_invalidate_dcache_va_range
+     (const void *p, unsigned long size)
+ {
+-    const void *end = p + size;
++    size_t cacheline_mask = dcache_line_bytes - 1;
++
+     dsb(sy);         /* So the CPU issues all writes to the range */
+-    p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1));
+-    for ( ; p < end; p += dcache_line_bytes )
++    size += (uintptr_t)p & cacheline_mask;
++    size = (size + cacheline_mask) & ~cacheline_mask;
++    p = (void *)((uintptr_t)p & ~cacheline_mask);
++    for ( ; size >= dcache_line_bytes;
++            p += dcache_line_bytes, size -= dcache_line_bytes )
+         asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
+     dsb(sy);         /* So we know the flushes happen before continuing */
+     /* ARM callers assume that dcache_* functions cannot fail. */
+-- 
+2.42.0
+

diff --git a/0030-x86-AMD-extend-Zenbleed-check-to-models-good-ucode-i.patch b/0030-x86-AMD-extend-Zenbleed-check-to-models-good-ucode-i.patch
new file mode 100644
index 0000000..4581d03
--- /dev/null
+++ b/0030-x86-AMD-extend-Zenbleed-check-to-models-good-ucode-i.patch
@@ -0,0 +1,48 @@
+From d2d2dcae879c6cc05227c9620f0a772f35fe6886 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Wed, 23 Aug 2023 09:26:36 +0200
+Subject: [PATCH 30/55] x86/AMD: extend Zenbleed check to models "good" ucode
+ isn't known for
+
+Reportedly the AMD Custom APU 0405 found on SteamDeck, models 0x90 and
+0x91, (quoting the respective Linux commit) is similarly affected. Put
+another instance of our Zen1 vs Zen2 distinction checks in
+amd_check_zenbleed(), forcing use of the chickenbit irrespective of
+ucode version (building upon real hardware never surfacing a version of
+0xffffffff).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit 145a69c0944ac70cfcf9d247c85dee9e99d9d302)
+---
+ xen/arch/x86/cpu/amd.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
+index 3ea214fc2e..1bb3044be1 100644
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -909,10 +909,17 @@ void amd_check_zenbleed(void)
+ 	case 0xa0 ... 0xaf: good_rev = 0x08a00008; break;
+ 	default:
+ 		/*
+-		 * With the Fam17h check above, parts getting here are Zen1.
+-		 * They're not affected.
++		 * With the Fam17h check above, most parts getting here are
++		 * Zen1.  They're not affected.  Assume Zen2 ones making it
++		 * here are affected regardless of microcode version.
++		 *
++		 * Zen1 vs Zen2 isn't a simple model number comparison, so use
++		 * STIBP as a heuristic to distinguish.
+ 		 */
+-		return;
++		if (!boot_cpu_has(X86_FEATURE_AMD_STIBP))
++			return;
++		good_rev = ~0U;
++		break;
+ 	}
+ 
+ 	rdmsrl(MSR_AMD64_DE_CFG, val);
+-- 
+2.42.0
+

diff --git a/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch b/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
deleted file mode 100644
index e2bb8df..0000000
--- a/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 2d74e7035bd060d662f1c4f8522377be8021be92 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 7 Feb 2023 16:59:54 +0100
-Subject: [PATCH 30/89] x86/shadow: fix PAE check for top-level table
- unshadowing
-
-Clearly within the for_each_vcpu() the vCPU of this loop is meant, not
-the (loop invariant) one the fault occurred on.
-
-Fixes: 3d5e6a3ff383 ("x86 hvm: implement HVMOP_pagetable_dying")
-Fixes: ef3b0d8d2c39 ("x86/shadow: shadow_table[] needs only one entry for PV-only configs")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: f8fdceefbb1193ec81667eb40b83bc525cb71204
-master date: 2023-01-20 09:23:42 +0100
----
- xen/arch/x86/mm/shadow/multi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index 2370b30602..671bf8c228 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -2672,10 +2672,10 @@ static int cf_check sh_page_fault(
- #if GUEST_PAGING_LEVELS == 3
-             unsigned int i;
- 
--            for_each_shadow_table(v, i)
-+            for_each_shadow_table(tmp, i)
-             {
-                 mfn_t smfn = pagetable_get_mfn(
--                                 v->arch.paging.shadow.shadow_table[i]);
-+                                 tmp->arch.paging.shadow.shadow_table[i]);
- 
-                 if ( mfn_valid(smfn) && (mfn_x(smfn) != 0) )
-                 {
--- 
-2.40.0
-

diff --git a/0031-build-fix-building-flask-headers-before-descending-i.patch b/0031-build-fix-building-flask-headers-before-descending-i.patch
deleted file mode 100644
index 273e795..0000000
--- a/0031-build-fix-building-flask-headers-before-descending-i.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 819a5d4ed8b79e21843d5960a7ab8fbd16f28233 Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Tue, 7 Feb 2023 17:00:29 +0100
-Subject: [PATCH 31/89] build: fix building flask headers before descending in
- flask/ss/
-
-Unfortunatly, adding prerequisite to "$(obj)/ss/built_in.o" doesn't
-work because we have "$(obj)/%/built_in.o: $(obj)/% ;" in Rules.mk.
-So, make is allow to try to build objects in "xsm/flask/ss/" before
-generating the headers.
-
-Adding a prerequisite on "$(obj)/ss" instead will fix the issue as
-that's the target used to run make in this subdirectory.
-
-Unfortunatly, that target is also used when running `make clean`, so
-we want to ignore it in this case. $(MAKECMDGOALS) can't be used in
-this case as it is empty, but we can guess which operation is done by
-looking at the list of loaded makefiles.
-
-Fixes: 7a3bcd2babcc ("build: build everything from the root dir, use obj=$subdir")
-Reported-by: "Daniel P. Smith" <dpsmith@apertussolutions.com>
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: d60324d8af9404014cfcc37bba09e9facfd02fcf
-master date: 2023-01-23 15:03:58 +0100
----
- xen/xsm/flask/Makefile | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
-index d25312f4fa..3fdcf7727e 100644
---- a/xen/xsm/flask/Makefile
-+++ b/xen/xsm/flask/Makefile
-@@ -16,7 +16,11 @@ FLASK_H_FILES := flask.h class_to_string.h initial_sid_to_string.h
- AV_H_FILES := av_perm_to_string.h av_permissions.h
- ALL_H_FILES := $(addprefix include/,$(FLASK_H_FILES) $(AV_H_FILES))
- 
--$(addprefix $(obj)/,$(obj-y)) $(obj)/ss/built_in.o: $(addprefix $(obj)/,$(ALL_H_FILES))
-+# Adding prerequisite to descending into ss/ folder only when not running
-+# `make *clean`.
-+ifeq ($(filter %/Makefile.clean,$(MAKEFILE_LIST)),)
-+$(addprefix $(obj)/,$(obj-y)) $(obj)/ss: $(addprefix $(obj)/,$(ALL_H_FILES))
-+endif
- extra-y += $(ALL_H_FILES)
- 
- mkflask := $(srcdir)/policy/mkflask.sh
--- 
-2.40.0
-

diff --git a/0031-x86-spec-ctrl-Fix-confusion-between-SPEC_CTRL_EXIT_T.patch b/0031-x86-spec-ctrl-Fix-confusion-between-SPEC_CTRL_EXIT_T.patch
new file mode 100644
index 0000000..10417ae
--- /dev/null
+++ b/0031-x86-spec-ctrl-Fix-confusion-between-SPEC_CTRL_EXIT_T.patch
@@ -0,0 +1,74 @@
+From dc28aba565f226f9bec24cfde993e78478acfb4e Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Sep 2023 15:06:49 +0100
+Subject: [PATCH 31/55] x86/spec-ctrl: Fix confusion between
+ SPEC_CTRL_EXIT_TO_XEN{,_IST}
+
+c/s 3fffaf9c13e9 ("x86/entry: Avoid using alternatives in NMI/#MC paths")
+dropped the only user, leaving behind the (incorrect) implication that Xen had
+split exit paths.
+
+Delete the unused SPEC_CTRL_EXIT_TO_XEN and rename SPEC_CTRL_EXIT_TO_XEN_IST
+to SPEC_CTRL_EXIT_TO_XEN for consistency.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 1c18d73774533a55ba9d1cbee8bdace03efdb5e7)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 10 ++--------
+ xen/arch/x86/x86_64/entry.S              |  2 +-
+ 2 files changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index f23bb105c5..e8fd01243c 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -79,7 +79,6 @@
+  *  - SPEC_CTRL_ENTRY_FROM_PV
+  *  - SPEC_CTRL_ENTRY_FROM_INTR
+  *  - SPEC_CTRL_ENTRY_FROM_INTR_IST
+- *  - SPEC_CTRL_EXIT_TO_XEN_IST
+  *  - SPEC_CTRL_EXIT_TO_XEN
+  *  - SPEC_CTRL_EXIT_TO_PV
+  *
+@@ -268,11 +267,6 @@
+     ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=1),         \
+         X86_FEATURE_SC_MSR_PV
+ 
+-/* Use when exiting to Xen context. */
+-#define SPEC_CTRL_EXIT_TO_XEN                                           \
+-    ALTERNATIVE "",                                                     \
+-        DO_SPEC_CTRL_EXIT_TO_XEN, X86_FEATURE_SC_MSR_PV
+-
+ /* Use when exiting to PV guest context. */
+ #define SPEC_CTRL_EXIT_TO_PV                                            \
+     ALTERNATIVE "",                                                     \
+@@ -339,8 +333,8 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+     UNLIKELY_END(\@_serialise)
+ .endm
+ 
+-/* Use when exiting to Xen in IST context. */
+-.macro SPEC_CTRL_EXIT_TO_XEN_IST
++/* Use when exiting to Xen context. */
++.macro SPEC_CTRL_EXIT_TO_XEN
+ /*
+  * Requires %rbx=stack_end
+  * Clobbers %rax, %rcx, %rdx
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 7675a59ff0..b45a09823a 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -673,7 +673,7 @@ UNLIKELY_START(ne, exit_cr3)
+ UNLIKELY_END(exit_cr3)
+ 
+         /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
+-        SPEC_CTRL_EXIT_TO_XEN_IST /* Req: %rbx=end, Clob: acd */
++        SPEC_CTRL_EXIT_TO_XEN     /* Req: %rbx=end, Clob: acd */
+ 
+         RESTORE_ALL adj=8
+         iretq
+-- 
+2.42.0
+

diff --git a/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch b/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch
deleted file mode 100644
index 8b3a410..0000000
--- a/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d0127881376baeea1e4eb71d0f7b56d942147124 Mon Sep 17 00:00:00 2001
-From: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
-Date: Tue, 7 Feb 2023 17:00:47 +0100
-Subject: [PATCH 32/89] ns16550: fix an incorrect assignment to uart->io_size
-
-uart->io_size represents the size in bytes. Thus, when serial_port.bit_width
-is assigned to it, it should be converted to size in bytes.
-
-Fixes: 17b516196c ("ns16550: add ACPI support for ARM only")
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-master commit: 352c89f72ddb67b8d9d4e492203f8c77f85c8df1
-master date: 2023-01-24 16:54:38 +0100
----
- xen/drivers/char/ns16550.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
-index 01a05c9aa8..ce013fb6a5 100644
---- a/xen/drivers/char/ns16550.c
-+++ b/xen/drivers/char/ns16550.c
-@@ -1875,7 +1875,7 @@ static int __init ns16550_acpi_uart_init(const void *data)
-     uart->parity = spcr->parity;
-     uart->stop_bits = spcr->stop_bits;
-     uart->io_base = spcr->serial_port.address;
--    uart->io_size = spcr->serial_port.bit_width;
-+    uart->io_size = DIV_ROUND_UP(spcr->serial_port.bit_width, BITS_PER_BYTE);
-     uart->reg_shift = spcr->serial_port.bit_offset;
-     uart->reg_width = spcr->serial_port.access_width;
- 
--- 
-2.40.0
-

diff --git a/0032-x86-spec-ctrl-Fold-DO_SPEC_CTRL_EXIT_TO_XEN-into-it-.patch b/0032-x86-spec-ctrl-Fold-DO_SPEC_CTRL_EXIT_TO_XEN-into-it-.patch
new file mode 100644
index 0000000..a0c83da
--- /dev/null
+++ b/0032-x86-spec-ctrl-Fold-DO_SPEC_CTRL_EXIT_TO_XEN-into-it-.patch
@@ -0,0 +1,85 @@
+From 84690fb82c4f4aecb72a6789d8994efa74841e09 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Sep 2023 17:03:16 +0100
+Subject: [PATCH 32/55] x86/spec-ctrl: Fold DO_SPEC_CTRL_EXIT_TO_XEN into it's
+ single user
+
+With the SPEC_CTRL_EXIT_TO_XEN{,_IST} confusion fixed, it's now obvious that
+there's only a single EXIT_TO_XEN path.  Fold DO_SPEC_CTRL_EXIT_TO_XEN into
+SPEC_CTRL_EXIT_TO_XEN to simplify further fixes.
+
+When merging labels, switch the name to .L\@_skip_sc_msr as "skip" on its own
+is going to be too generic shortly.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 694bb0f280fd08a4377e36e32b84b5062def4de2)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 40 ++++++++++--------------
+ 1 file changed, 16 insertions(+), 24 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index e8fd01243c..d5f65d80ea 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -211,27 +211,6 @@
+     wrmsr
+ .endm
+ 
+-.macro DO_SPEC_CTRL_EXIT_TO_XEN
+-/*
+- * Requires %rbx=stack_end
+- * Clobbers %rax, %rcx, %rdx
+- *
+- * When returning to Xen context, look to see whether SPEC_CTRL shadowing is
+- * in effect, and reload the shadow value.  This covers race conditions which
+- * exist with an NMI/MCE/etc hitting late in the return-to-guest path.
+- */
+-    xor %edx, %edx
+-
+-    testb $SCF_use_shadow, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
+-    jz .L\@_skip
+-
+-    mov STACK_CPUINFO_FIELD(shadow_spec_ctrl)(%rbx), %eax
+-    mov $MSR_SPEC_CTRL, %ecx
+-    wrmsr
+-
+-.L\@_skip:
+-.endm
+-
+ .macro DO_SPEC_CTRL_EXIT_TO_GUEST
+ /*
+  * Requires %eax=spec_ctrl, %rsp=regs/cpuinfo
+@@ -340,11 +319,24 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+  * Clobbers %rax, %rcx, %rdx
+  */
+     testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
+-    jz .L\@_skip
++    jz .L\@_skip_sc_msr
+ 
+-    DO_SPEC_CTRL_EXIT_TO_XEN
++    /*
++     * When returning to Xen context, look to see whether SPEC_CTRL shadowing
++     * is in effect, and reload the shadow value.  This covers race conditions
++     * which exist with an NMI/MCE/etc hitting late in the return-to-guest
++     * path.
++     */
++    xor %edx, %edx
+ 
+-.L\@_skip:
++    testb $SCF_use_shadow, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
++    jz .L\@_skip_sc_msr
++
++    mov STACK_CPUINFO_FIELD(shadow_spec_ctrl)(%rbx), %eax
++    mov $MSR_SPEC_CTRL, %ecx
++    wrmsr
++
++.L\@_skip_sc_msr:
+ .endm
+ 
+ #endif /* __ASSEMBLY__ */
+-- 
+2.42.0
+

diff --git a/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch b/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch
deleted file mode 100644
index 7eb3779..0000000
--- a/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 3dae50283d9819c691a97f15b133124c00d39a2f Mon Sep 17 00:00:00 2001
-From: Jason Andryuk <jandryuk@gmail.com>
-Date: Tue, 7 Feb 2023 17:01:49 +0100
-Subject: [PATCH 33/89] libxl: fix guest kexec - skip cpuid policy
-
-When a domain performs a kexec (soft reset), libxl__build_pre() is
-called with the existing domid.  Calling libxl__cpuid_legacy() on the
-existing domain fails since the cpuid policy has already been set, and
-the guest isn't rebuilt and doesn't kexec.
-
-xc: error: Failed to set d1's policy (err leaf 0xffffffff, subleaf 0xffffffff, msr 0xffffffff) (17 = File exists): Internal error
-libxl: error: libxl_cpuid.c:494:libxl__cpuid_legacy: Domain 1:Failed to apply CPUID policy: File exists
-libxl: error: libxl_create.c:1641:domcreate_rebuild_done: Domain 1:cannot (re-)build domain: -3
-libxl: error: libxl_xshelp.c:201:libxl__xs_read_mandatory: xenstore read failed: `/libxl/1/type': No such file or directory
-libxl: warning: libxl_dom.c:49:libxl__domain_type: unable to get domain type for domid=1, assuming HVM
-
-During a soft_reset, skip calling libxl__cpuid_legacy() to avoid the
-issue.  Before commit 34990446ca91, the libxl__cpuid_legacy() failure
-would have been ignored, so kexec would continue.
-
-Fixes: 34990446ca91 ("libxl: don't ignore the return value from xc_cpuid_apply_policy")
-Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
-Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
-master commit: 1e454c2b5b1172e0fc7457e411ebaba61db8fc87
-master date: 2023-01-26 10:58:23 +0100
----
- tools/libs/light/libxl_create.c   | 2 ++
- tools/libs/light/libxl_dom.c      | 2 +-
- tools/libs/light/libxl_internal.h | 1 +
- 3 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
-index 612eacfc7f..dbee32b7b7 100644
---- a/tools/libs/light/libxl_create.c
-+++ b/tools/libs/light/libxl_create.c
-@@ -2203,6 +2203,8 @@ static int do_domain_soft_reset(libxl_ctx *ctx,
-                               aop_console_how);
-     cdcs->domid_out = &domid_out;
- 
-+    state->soft_reset = true;
-+
-     dom_path = libxl__xs_get_dompath(gc, domid);
-     if (!dom_path) {
-         LOGD(ERROR, domid, "failed to read domain path");
-diff --git a/tools/libs/light/libxl_dom.c b/tools/libs/light/libxl_dom.c
-index b454f988fb..f6311eea6e 100644
---- a/tools/libs/light/libxl_dom.c
-+++ b/tools/libs/light/libxl_dom.c
-@@ -382,7 +382,7 @@ int libxl__build_pre(libxl__gc *gc, uint32_t domid,
-     /* Construct a CPUID policy, but only for brand new domains.  Domains
-      * being migrated-in/restored have CPUID handled during the
-      * static_data_done() callback. */
--    if (!state->restore)
-+    if (!state->restore && !state->soft_reset)
-         rc = libxl__cpuid_legacy(ctx, domid, false, info);
- 
- out:
-diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
-index a7c447c10e..cae160351f 100644
---- a/tools/libs/light/libxl_internal.h
-+++ b/tools/libs/light/libxl_internal.h
-@@ -1406,6 +1406,7 @@ typedef struct {
-     /* Whether this domain is being migrated/restored, or booting fresh.  Only
-      * applicable to the primary domain, not support domains (e.g. stub QEMU). */
-     bool restore;
-+    bool soft_reset;
- } libxl__domain_build_state;
- 
- _hidden void libxl__domain_build_state_init(libxl__domain_build_state *s);
--- 
-2.40.0
-

diff --git a/0033-x86-spec-ctrl-Turn-the-remaining-SPEC_CTRL_-ENTRY-EX.patch b/0033-x86-spec-ctrl-Turn-the-remaining-SPEC_CTRL_-ENTRY-EX.patch
new file mode 100644
index 0000000..a278c5f
--- /dev/null
+++ b/0033-x86-spec-ctrl-Turn-the-remaining-SPEC_CTRL_-ENTRY-EX.patch
@@ -0,0 +1,83 @@
+From 3952c73bdbd05f0e666986fce633a591237b3c88 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 1 Sep 2023 11:38:44 +0100
+Subject: [PATCH 33/55] x86/spec-ctrl: Turn the remaining
+ SPEC_CTRL_{ENTRY,EXIT}_* into asm macros
+
+These have grown more complex over time, with some already having been
+converted.
+
+Provide full Requires/Clobbers comments, otherwise missing at this level of
+indirection.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 7125429aafb9e3c9c88fc93001fc2300e0ac2cc8)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 37 ++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index d5f65d80ea..c6d5f2ad01 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -231,26 +231,45 @@
+ .endm
+ 
+ /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */
+-#define SPEC_CTRL_ENTRY_FROM_PV                                         \
++.macro SPEC_CTRL_ENTRY_FROM_PV
++/*
++ * Requires %rsp=regs/cpuinfo, %rdx=0
++ * Clobbers %rax, %rcx, %rdx
++ */
+     ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=0),     \
+-        X86_FEATURE_IBPB_ENTRY_PV;                                      \
+-    ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV;            \
++        X86_FEATURE_IBPB_ENTRY_PV
++
++    ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV
++
+     ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=0),         \
+         X86_FEATURE_SC_MSR_PV
++.endm
+ 
+ /* Use in interrupt/exception context.  May interrupt Xen or PV context. */
+-#define SPEC_CTRL_ENTRY_FROM_INTR                                       \
++.macro SPEC_CTRL_ENTRY_FROM_INTR
++/*
++ * Requires %rsp=regs, %r14=stack_end, %rdx=0
++ * Clobbers %rax, %rcx, %rdx
++ */
+     ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=1),     \
+-        X86_FEATURE_IBPB_ENTRY_PV;                                      \
+-    ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV;            \
++        X86_FEATURE_IBPB_ENTRY_PV
++
++    ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV
++
+     ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=1),         \
+         X86_FEATURE_SC_MSR_PV
++.endm
+ 
+ /* Use when exiting to PV guest context. */
+-#define SPEC_CTRL_EXIT_TO_PV                                            \
+-    ALTERNATIVE "",                                                     \
+-        DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV;              \
++.macro SPEC_CTRL_EXIT_TO_PV
++/*
++ * Requires %rax=spec_ctrl, %rsp=regs/info
++ * Clobbers %rcx, %rdx
++ */
++    ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV
++
+     DO_SPEC_CTRL_COND_VERW
++.endm
+ 
+ /*
+  * Use in IST interrupt/exception context.  May interrupt Xen or PV context.
+-- 
+2.42.0
+

diff --git a/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch b/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
deleted file mode 100644
index 8f57d4e..0000000
--- a/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 03f545b6cf3220b4647677b588e5525a781a4813 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 1 Nov 2022 17:59:16 +0000
-Subject: [PATCH 34/89] tools/ocaml/xenctrl: Make domain_getinfolist tail
- recursive
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-domain_getinfolist() is quadratic with the number of domains, because of the
-behaviour of the underlying hypercall.  xenopsd was further observed to be
-wasting excessive quantites of time manipulating the list of already-obtained
-domains.
-
-Implement a tail recursive `rev_concat` equivalent to `concat |> rev`, and use
-it instead of calling `@` multiple times.
-
-An incidental benefit is that the list of domains will now be in domid order,
-instead of having pairs of 2 domains changing direction every time.
-
-In a scalability testing scenario with ~1000 VMs, a combination of this and
-the subsequent change takes xenopsd's wallclock time in domain_getinfolist()
-down from 88% to 0.02%
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Tested-by: Pau Ruiz Safont <pau.safont@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit c3b6be714c64aa62b56d0bce96f4b6a10b5c2078)
----
- tools/ocaml/libs/xc/xenctrl.ml | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
-index 83e39a8616..85b73a7f6f 100644
---- a/tools/ocaml/libs/xc/xenctrl.ml
-+++ b/tools/ocaml/libs/xc/xenctrl.ml
-@@ -222,14 +222,25 @@ external domain_shutdown: handle -> domid -> shutdown_reason -> unit
- external _domain_getinfolist: handle -> domid -> int -> domaininfo list
-        = "stub_xc_domain_getinfolist"
- 
-+let rev_append_fold acc e = List.rev_append e acc
-+
-+(**
-+ * [rev_concat lst] is equivalent to [lst |> List.concat |> List.rev]
-+ * except it is tail recursive, whereas [List.concat] isn't.
-+ * Example:
-+ * rev_concat [[10;9;8];[7;6];[5]]] = [5; 6; 7; 8; 9; 10]
-+ *)
-+let rev_concat lst = List.fold_left rev_append_fold [] lst
-+
- let domain_getinfolist handle first_domain =
- 	let nb = 2 in
--	let last_domid l = (List.hd l).domid + 1 in
--	let rec __getlist from =
--		let l = _domain_getinfolist handle from nb in
--		(if List.length l = nb then __getlist (last_domid l) else []) @ l
--		in
--	List.rev (__getlist first_domain)
-+	let rec __getlist lst from =
-+		(* _domain_getinfolist returns domains in reverse order, largest first *)
-+		match _domain_getinfolist handle from nb with
-+		| [] -> rev_concat lst
-+		| (hd :: _) as l -> __getlist (l :: lst) (hd.domid + 1)
-+	in
-+	__getlist [] first_domain
- 
- external domain_getinfo: handle -> domid -> domaininfo= "stub_xc_domain_getinfo"
- 
--- 
-2.40.0
-

diff --git a/0034-x86-spec-ctrl-Improve-all-SPEC_CTRL_-ENTER-EXIT-_-co.patch b/0034-x86-spec-ctrl-Improve-all-SPEC_CTRL_-ENTER-EXIT-_-co.patch
new file mode 100644
index 0000000..f360cbd
--- /dev/null
+++ b/0034-x86-spec-ctrl-Improve-all-SPEC_CTRL_-ENTER-EXIT-_-co.patch
@@ -0,0 +1,106 @@
+From ba023e93d0b1e60b80251bf080bab694efb9f8e3 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 30 Aug 2023 20:11:50 +0100
+Subject: [PATCH 34/55] x86/spec-ctrl: Improve all SPEC_CTRL_{ENTER,EXIT}_*
+ comments
+
+... to better explain how they're used.
+
+Doing so highlights that SPEC_CTRL_EXIT_TO_XEN is missing a VERW flush for the
+corner case when e.g. an NMI hits late in an exit-to-guest path.
+
+Leave a TODO, which will be addressed in subsequent patches which arrange for
+VERW flushing to be safe within SPEC_CTRL_EXIT_TO_XEN.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 45f00557350dc7d0756551069803fc49c29184ca)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 ++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index c6d5f2ad01..97c4db31cd 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -230,7 +230,10 @@
+     wrmsr
+ .endm
+ 
+-/* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */
++/*
++ * Used after an entry from PV context: SYSCALL, SYSENTER, INT,
++ * etc.  There is always a guest speculation state in context.
++ */
+ .macro SPEC_CTRL_ENTRY_FROM_PV
+ /*
+  * Requires %rsp=regs/cpuinfo, %rdx=0
+@@ -245,7 +248,11 @@
+         X86_FEATURE_SC_MSR_PV
+ .endm
+ 
+-/* Use in interrupt/exception context.  May interrupt Xen or PV context. */
++/*
++ * Used after an exception or maskable interrupt, hitting Xen or PV context.
++ * There will either be a guest speculation context, or (barring fatal
++ * exceptions) a well-formed Xen speculation context.
++ */
+ .macro SPEC_CTRL_ENTRY_FROM_INTR
+ /*
+  * Requires %rsp=regs, %r14=stack_end, %rdx=0
+@@ -260,7 +267,10 @@
+         X86_FEATURE_SC_MSR_PV
+ .endm
+ 
+-/* Use when exiting to PV guest context. */
++/*
++ * Used when exiting from any entry context, back to PV context.  This
++ * includes from an IST entry which moved onto the primary stack.
++ */
+ .macro SPEC_CTRL_EXIT_TO_PV
+ /*
+  * Requires %rax=spec_ctrl, %rsp=regs/info
+@@ -272,7 +282,13 @@
+ .endm
+ 
+ /*
+- * Use in IST interrupt/exception context.  May interrupt Xen or PV context.
++ * Used after an IST entry hitting Xen or PV context.  Special care is needed,
++ * because when hitting Xen context, there may not be a well-formed
++ * speculation context.  (i.e. it can hit in the middle of
++ * SPEC_CTRL_{ENTRY,EXIT}_* regions.)
++ *
++ * An IST entry which hits PV context moves onto the primary stack and leaves
++ * via SPEC_CTRL_EXIT_TO_PV, *not* SPEC_CTRL_EXIT_TO_XEN.
+  */
+ .macro SPEC_CTRL_ENTRY_FROM_INTR_IST
+ /*
+@@ -331,7 +347,14 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+     UNLIKELY_END(\@_serialise)
+ .endm
+ 
+-/* Use when exiting to Xen context. */
++/*
++ * Use when exiting from any entry context, back to Xen context.  This
++ * includes returning to other SPEC_CTRL_{ENTRY,EXIT}_* regions with an
++ * incomplete speculation context.
++ *
++ * Because we might have interrupted Xen beyond SPEC_CTRL_EXIT_TO_$GUEST, we
++ * need to treat this as if it were an EXIT_TO_$GUEST case too.
++ */
+ .macro SPEC_CTRL_EXIT_TO_XEN
+ /*
+  * Requires %rbx=stack_end
+@@ -356,6 +379,9 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+     wrmsr
+ 
+ .L\@_skip_sc_msr:
++
++    /* TODO VERW */
++
+ .endm
+ 
+ #endif /* __ASSEMBLY__ */
+-- 
+2.42.0
+

diff --git a/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch b/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
deleted file mode 100644
index 6c64355..0000000
--- a/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 5d8f9cfa166c55a308856e7b021d778350edbd6c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 1 Nov 2022 17:59:17 +0000
-Subject: [PATCH 35/89] tools/ocaml/xenctrl: Use larger chunksize in
- domain_getinfolist
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-domain_getinfolist() is quadratic with the number of domains, because of the
-behaviour of the underlying hypercall.  Nevertheless, getting domain info in
-blocks of 1024 is far more efficient than blocks of 2.
-
-In a scalability testing scenario with ~1000 VMs, a combination of this and
-the previous change takes xenopsd's wallclock time in domain_getinfolist()
-down from 88% to 0.02%
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Tested-by: Pau Ruiz Safont <pau.safont@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 95db09b1b154fb72fad861815ceae1f3fa49fc4e)
----
- tools/ocaml/libs/xc/xenctrl.ml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
-index 85b73a7f6f..aa650533f7 100644
---- a/tools/ocaml/libs/xc/xenctrl.ml
-+++ b/tools/ocaml/libs/xc/xenctrl.ml
-@@ -233,7 +233,7 @@ let rev_append_fold acc e = List.rev_append e acc
- let rev_concat lst = List.fold_left rev_append_fold [] lst
- 
- let domain_getinfolist handle first_domain =
--	let nb = 2 in
-+	let nb = 1024 in
- 	let rec __getlist lst from =
- 		(* _domain_getinfolist returns domains in reverse order, largest first *)
- 		match _domain_getinfolist handle from nb with
--- 
-2.40.0
-

diff --git a/0035-x86-entry-Adjust-restore_all_xen-to-hold-stack_end-i.patch b/0035-x86-entry-Adjust-restore_all_xen-to-hold-stack_end-i.patch
new file mode 100644
index 0000000..fe2acaf
--- /dev/null
+++ b/0035-x86-entry-Adjust-restore_all_xen-to-hold-stack_end-i.patch
@@ -0,0 +1,74 @@
+From 5f7efd47c8273fde972637d0360851802f76eca9 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 13 Sep 2023 13:48:16 +0100
+Subject: [PATCH 35/55] x86/entry: Adjust restore_all_xen to hold stack_end in
+ %r14
+
+All other SPEC_CTRL_{ENTRY,EXIT}_* helpers hold stack_end in %r14.  Adjust it
+for consistency.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 7aa28849a1155d856e214e9a80a7e65fffdc3e58)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 8 ++++----
+ xen/arch/x86/x86_64/entry.S              | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index 97c4db31cd..66c706496f 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -357,10 +357,10 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+  */
+ .macro SPEC_CTRL_EXIT_TO_XEN
+ /*
+- * Requires %rbx=stack_end
++ * Requires %r14=stack_end
+  * Clobbers %rax, %rcx, %rdx
+  */
+-    testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
++    testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
+     jz .L\@_skip_sc_msr
+ 
+     /*
+@@ -371,10 +371,10 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+      */
+     xor %edx, %edx
+ 
+-    testb $SCF_use_shadow, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
++    testb $SCF_use_shadow, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
+     jz .L\@_skip_sc_msr
+ 
+-    mov STACK_CPUINFO_FIELD(shadow_spec_ctrl)(%rbx), %eax
++    mov STACK_CPUINFO_FIELD(shadow_spec_ctrl)(%r14), %eax
+     mov $MSR_SPEC_CTRL, %ecx
+     wrmsr
+ 
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index b45a09823a..92279a225d 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -665,15 +665,15 @@ restore_all_xen:
+          * Check whether we need to switch to the per-CPU page tables, in
+          * case we return to late PV exit code (from an NMI or #MC).
+          */
+-        GET_STACK_END(bx)
+-        cmpb  $0, STACK_CPUINFO_FIELD(use_pv_cr3)(%rbx)
++        GET_STACK_END(14)
++        cmpb  $0, STACK_CPUINFO_FIELD(use_pv_cr3)(%r14)
+ UNLIKELY_START(ne, exit_cr3)
+-        mov   STACK_CPUINFO_FIELD(pv_cr3)(%rbx), %rax
++        mov   STACK_CPUINFO_FIELD(pv_cr3)(%r14), %rax
+         mov   %rax, %cr3
+ UNLIKELY_END(exit_cr3)
+ 
+         /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
+-        SPEC_CTRL_EXIT_TO_XEN     /* Req: %rbx=end, Clob: acd */
++        SPEC_CTRL_EXIT_TO_XEN     /* Req: %r14=end, Clob: acd */
+ 
+         RESTORE_ALL adj=8
+         iretq
+-- 
+2.42.0
+

diff --git a/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch b/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
deleted file mode 100644
index d6a324a..0000000
--- a/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 7d516fc87637dc551494f8eca08f106f578f7112 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Fri, 16 Dec 2022 18:25:10 +0000
-Subject: [PATCH 36/89] tools/ocaml/xb,mmap: Use Data_abstract_val wrapper
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is not strictly necessary since it is essentially a no-op currently: a
-cast to void * and value *, even in OCaml 5.0.
-
-However it does make it clearer that what we have here is not a regular OCaml
-value, but one allocated with Abstract_tag or Custom_tag, and follows the
-example from the manual more closely:
-https://v2.ocaml.org/manual/intfc.html#ss:c-outside-head
-
-It also makes it clearer that these modules have been reviewed for
-compat with OCaml 5.0.
-
-We cannot use OCaml finalizers here, because we want exact control over when
-to unmap these pages from remote domains.
-
-No functional change.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit d2ccc637111d6dbcf808aaffeec7a46f0b1e1c81)
----
- tools/ocaml/libs/mmap/mmap_stubs.h    | 4 ++++
- tools/ocaml/libs/mmap/xenmmap_stubs.c | 2 +-
- tools/ocaml/libs/xb/xs_ring_stubs.c   | 2 +-
- 3 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/libs/mmap/mmap_stubs.h b/tools/ocaml/libs/mmap/mmap_stubs.h
-index 65e4239890..f4784e4715 100644
---- a/tools/ocaml/libs/mmap/mmap_stubs.h
-+++ b/tools/ocaml/libs/mmap/mmap_stubs.h
-@@ -30,4 +30,8 @@ struct mmap_interface
- 	int len;
- };
- 
-+#ifndef Data_abstract_val
-+#define Data_abstract_val(x) ((void *)Op_val(x))
-+#endif
-+
- #endif
-diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c
-index e2ce088e25..e03951d781 100644
---- a/tools/ocaml/libs/mmap/xenmmap_stubs.c
-+++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c
-@@ -28,7 +28,7 @@
- #include <caml/fail.h>
- #include <caml/callback.h>
- 
--#define Intf_val(a) ((struct mmap_interface *) a)
-+#define Intf_val(a) ((struct mmap_interface *)Data_abstract_val(a))
- 
- static int mmap_interface_init(struct mmap_interface *intf,
-                                int fd, int pflag, int mflag,
-diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
-index 7a91fdee75..1f58524535 100644
---- a/tools/ocaml/libs/xb/xs_ring_stubs.c
-+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
-@@ -35,7 +35,7 @@
- #include <sys/mman.h>
- #include "mmap_stubs.h"
- 
--#define GET_C_STRUCT(a) ((struct mmap_interface *) a)
-+#define GET_C_STRUCT(a) ((struct mmap_interface *)Data_abstract_val(a))
- 
- /*
-  * Bytes_val has been introduced by Ocaml 4.06.1. So define our own version
--- 
-2.40.0
-

diff --git a/0036-x86-entry-Track-the-IST-ness-of-an-entry-for-the-exi.patch b/0036-x86-entry-Track-the-IST-ness-of-an-entry-for-the-exi.patch
new file mode 100644
index 0000000..ba7ea21
--- /dev/null
+++ b/0036-x86-entry-Track-the-IST-ness-of-an-entry-for-the-exi.patch
@@ -0,0 +1,109 @@
+From e4a71bc0da0baf7464bb0d8e33053f330e5ea366 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 13 Sep 2023 12:20:12 +0100
+Subject: [PATCH 36/55] x86/entry: Track the IST-ness of an entry for the exit
+ paths
+
+Use %r12 to hold an ist_exit boolean.  This register is zero elsewhere in the
+entry/exit asm, so it only needs setting in the IST path.
+
+As this is subtle and fragile, add check_ist_exit() to be used in debugging
+builds to cross-check that the ist_exit boolean matches the entry vector.
+
+Write check_ist_exit() it in C, because it's debug only and the logic more
+complicated than I care to maintain in asm.
+
+For now, we only need to use this signal in the exit-to-Xen path, but some
+exit-to-guest paths happen in IST context too.  Check the correctness in all
+exit paths to avoid the logic bit-rotting.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 21bdc25b05a0f8ab6bc73520a9ca01327360732c)
+
+x86/entry: Partially revert IST-exit checks
+
+The patch adding check_ist_exit() didn't account for the fact that
+reset_stack_and_jump() is not an ABI-preserving boundary.  The IST-ness in
+%r12 doesn't survive into the next context, and is a stale value C.
+
+This shows up in Gitlab CI for the Clang build:
+
+  https://gitlab.com/xen-project/people/andyhhp/xen/-/jobs/5112783827
+
+and in OSSTest for GCC 8:
+
+  http://logs.test-lab.xenproject.org/osstest/logs/183045/test-amd64-amd64-xl-qemuu-debianhvm-amd64/serial-pinot0.log
+
+There's no straightforward way to reconstruct the IST-exit-ness on the
+exit-to-guest path after a context switch.  For now, we only need IST-exit on
+the return-to-Xen path.
+
+Fixes: 21bdc25b05a0 ("x86/entry: Track the IST-ness of an entry for the exit paths")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 9b57c800b79b96769ea3dcd6468578fa664d19f9)
+---
+ xen/arch/x86/traps.c        | 13 +++++++++++++
+ xen/arch/x86/x86_64/entry.S | 13 ++++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
+index d12004b1c6..e65cc60041 100644
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -2315,6 +2315,19 @@ void asm_domain_crash_synchronous(unsigned long addr)
+         do_softirq();
+ }
+ 
++#ifdef CONFIG_DEBUG
++void check_ist_exit(const struct cpu_user_regs *regs, bool ist_exit)
++{
++    const unsigned int ist_mask =
++        (1U << X86_EXC_NMI) | (1U << X86_EXC_DB) |
++        (1U << X86_EXC_DF)  | (1U << X86_EXC_MC);
++    uint8_t ev = regs->entry_vector;
++    bool is_ist = (ev < TRAP_nr) && ((1U << ev) & ist_mask);
++
++    ASSERT(is_ist == ist_exit);
++}
++#endif
++
+ /*
+  * Local variables:
+  * mode: C
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 92279a225d..4cebc4fbe3 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -659,8 +659,15 @@ ENTRY(early_page_fault)
+         .section .text.entry, "ax", @progbits
+ 
+         ALIGN
+-/* No special register assumptions. */
++/* %r12=ist_exit */
+ restore_all_xen:
++
++#ifdef CONFIG_DEBUG
++        mov   %rsp, %rdi
++        mov   %r12, %rsi
++        call  check_ist_exit
++#endif
++
+         /*
+          * Check whether we need to switch to the per-CPU page tables, in
+          * case we return to late PV exit code (from an NMI or #MC).
+@@ -1091,6 +1098,10 @@ handle_ist_exception:
+ .L_ist_dispatch_done:
+         mov   %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
+         mov   %bl, STACK_CPUINFO_FIELD(use_pv_cr3)(%r14)
++
++        /* This is an IST exit */
++        mov   $1, %r12d
++
+         cmpb  $TRAP_nmi,UREGS_entry_vector(%rsp)
+         jne   ret_from_intr
+ 
+-- 
+2.42.0
+

diff --git a/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch b/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch
deleted file mode 100644
index 226ae52..0000000
--- a/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f0e653fb4aea77210b8096c170e82de3c2039d89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Fri, 16 Dec 2022 18:25:20 +0000
-Subject: [PATCH 37/89] tools/ocaml/xb: Drop Xs_ring.write
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This function is unusued (only Xs_ring.write_substring is used), and the
-bytes/string conversion here is backwards: the C stub implements the bytes
-version and then we use a Bytes.unsafe_of_string to convert a string into
-bytes.
-
-However the operation here really is read-only: we read from the string and
-write it to the ring, so the C stub should implement the read-only string
-version, and if needed we could use Bytes.unsafe_to_string to be able to send
-'bytes'. However that is not necessary as the 'bytes' version is dropped above.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 01f139215e678c2dc7d4bb3f9f2777069bb1b091)
----
- tools/ocaml/libs/xb/xs_ring.ml      | 5 +----
- tools/ocaml/libs/xb/xs_ring_stubs.c | 2 +-
- 2 files changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/tools/ocaml/libs/xb/xs_ring.ml b/tools/ocaml/libs/xb/xs_ring.ml
-index db7f86bd27..dd5e014a33 100644
---- a/tools/ocaml/libs/xb/xs_ring.ml
-+++ b/tools/ocaml/libs/xb/xs_ring.ml
-@@ -25,14 +25,11 @@ module Server_features = Set.Make(struct
- end)
- 
- external read: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_read"
--external write: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_write"
-+external write_substring: Xenmmap.mmap_interface -> string -> int -> int = "ml_interface_write"
- 
- external _internal_set_server_features: Xenmmap.mmap_interface -> int -> unit = "ml_interface_set_server_features" [@@noalloc]
- external _internal_get_server_features: Xenmmap.mmap_interface -> int = "ml_interface_get_server_features" [@@noalloc]
- 
--let write_substring mmap buff len =
--	write mmap (Bytes.unsafe_of_string buff) len
--
- let get_server_features mmap =
- 	(* NB only one feature currently defined above *)
- 	let x = _internal_get_server_features mmap in
-diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
-index 1f58524535..1243c63f03 100644
---- a/tools/ocaml/libs/xb/xs_ring_stubs.c
-+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
-@@ -112,7 +112,7 @@ CAMLprim value ml_interface_write(value ml_interface,
- 	CAMLlocal1(ml_result);
- 
- 	struct mmap_interface *interface = GET_C_STRUCT(ml_interface);
--	const unsigned char *buffer = Bytes_val(ml_buffer);
-+	const char *buffer = String_val(ml_buffer);
- 	int len = Int_val(ml_len);
- 	int result;
- 
--- 
-2.40.0
-

diff --git a/0037-x86-spec-ctrl-Issue-VERW-during-IST-exit-to-Xen.patch b/0037-x86-spec-ctrl-Issue-VERW-during-IST-exit-to-Xen.patch
new file mode 100644
index 0000000..6580907
--- /dev/null
+++ b/0037-x86-spec-ctrl-Issue-VERW-during-IST-exit-to-Xen.patch
@@ -0,0 +1,89 @@
+From 2e2c3efcfc9f183674a8de6ed954ffbe7188b70d Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 13 Sep 2023 13:53:33 +0100
+Subject: [PATCH 37/55] x86/spec-ctrl: Issue VERW during IST exit to Xen
+
+There is a corner case where e.g. an NMI hitting an exit-to-guest path after
+SPEC_CTRL_EXIT_TO_* would have run the entire NMI handler *after* the VERW
+flush to scrub potentially sensitive data from uarch buffers.
+
+In order to compensate, issue VERW when exiting to Xen from an IST entry.
+
+SPEC_CTRL_EXIT_TO_XEN already has two reads of spec_ctrl_flags off the stack,
+and we're about to add a third.  Load the field into %ebx, and list the
+register as clobbered.
+
+%r12 has been arranged to be the ist_exit signal, so add this as an input
+dependency and use it to identify when to issue a VERW.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 3ee6066bcd737756b0990d417d94eddc0b0d2585)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 20 +++++++++++++++-----
+ xen/arch/x86/x86_64/entry.S              |  2 +-
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index 66c706496f..28a75796e6 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -357,10 +357,12 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+  */
+ .macro SPEC_CTRL_EXIT_TO_XEN
+ /*
+- * Requires %r14=stack_end
+- * Clobbers %rax, %rcx, %rdx
++ * Requires %r12=ist_exit, %r14=stack_end
++ * Clobbers %rax, %rbx, %rcx, %rdx
+  */
+-    testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
++    movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx
++
++    testb $SCF_ist_sc_msr, %bl
+     jz .L\@_skip_sc_msr
+ 
+     /*
+@@ -371,7 +373,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+      */
+     xor %edx, %edx
+ 
+-    testb $SCF_use_shadow, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
++    testb $SCF_use_shadow, %bl
+     jz .L\@_skip_sc_msr
+ 
+     mov STACK_CPUINFO_FIELD(shadow_spec_ctrl)(%r14), %eax
+@@ -380,8 +382,16 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+ 
+ .L\@_skip_sc_msr:
+ 
+-    /* TODO VERW */
++    test %r12, %r12
++    jz .L\@_skip_ist_exit
++
++    /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */
++    testb $SCF_verw, %bl
++    jz .L\@_skip_verw
++    verw STACK_CPUINFO_FIELD(verw_sel)(%r14)
++.L\@_skip_verw:
+ 
++.L\@_skip_ist_exit:
+ .endm
+ 
+ #endif /* __ASSEMBLY__ */
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 4cebc4fbe3..c12e011b4d 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -680,7 +680,7 @@ UNLIKELY_START(ne, exit_cr3)
+ UNLIKELY_END(exit_cr3)
+ 
+         /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
+-        SPEC_CTRL_EXIT_TO_XEN     /* Req: %r14=end, Clob: acd */
++        SPEC_CTRL_EXIT_TO_XEN     /* Req: %r12=ist_exit %r14=end, Clob: abcd */
+ 
+         RESTORE_ALL adj=8
+         iretq
+-- 
+2.42.0
+

diff --git a/0038-tools-oxenstored-validate-config-file-before-live-up.patch b/0038-tools-oxenstored-validate-config-file-before-live-up.patch
deleted file mode 100644
index 5b7f58a..0000000
--- a/0038-tools-oxenstored-validate-config-file-before-live-up.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From e74d868b48d55dfb20f5a41ec20fbec93d8e5deb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
-Date: Tue, 11 May 2021 15:56:50 +0000
-Subject: [PATCH 38/89] tools/oxenstored: validate config file before live
- update
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The configuration file can contain typos or various errors that could prevent
-live update from succeeding (e.g. a flag only valid on a different version).
-Unknown entries in the config file would be ignored on startup normally,
-add a strict --config-test that live-update can use to check that the config file
-is valid *for the new binary*.
-
-For compatibility with running old code during live update recognize
---live --help as an equivalent to --config-test.
-
-Signed-off-by: Edwin Török <edvin.torok@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit e6f07052ce4a0f0b7d4dc522d87465efb2d9ee86)
----
- tools/ocaml/xenstored/parse_arg.ml | 26 ++++++++++++++++++++++++++
- tools/ocaml/xenstored/xenstored.ml | 11 +++++++++--
- 2 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/xenstored/parse_arg.ml b/tools/ocaml/xenstored/parse_arg.ml
-index 7c0478e76a..5e4ca6f1f7 100644
---- a/tools/ocaml/xenstored/parse_arg.ml
-+++ b/tools/ocaml/xenstored/parse_arg.ml
-@@ -26,8 +26,14 @@ type config =
- 	restart: bool;
- 	live_reload: bool;
- 	disable_socket: bool;
-+	config_test: bool;
- }
- 
-+let get_config_filename config_file =
-+	match config_file with
-+	| Some name -> name
-+	| None	    -> Define.default_config_dir ^ "/oxenstored.conf"
-+
- let do_argv =
- 	let pidfile = ref "" and tracefile = ref "" (* old xenstored compatibility *)
- 	and domain_init = ref true
-@@ -38,6 +44,8 @@ let do_argv =
- 	and restart = ref false
- 	and live_reload = ref false
- 	and disable_socket = ref false
-+	and config_test = ref false
-+	and help = ref false
- 	in
- 
- 	let speclist =
-@@ -55,10 +63,27 @@ let do_argv =
- 		  ("-T", Arg.Set_string tracefile, ""); (* for compatibility *)
- 		  ("--restart", Arg.Set restart, "Read database on starting");
- 		  ("--live", Arg.Set live_reload, "Read live dump on startup");
-+		  ("--config-test", Arg.Set config_test, "Test validity of config file");
- 		  ("--disable-socket", Arg.Unit (fun () -> disable_socket := true), "Disable socket");
-+		  ("--help", Arg.Set help, "Display this list of options")
- 		] in
- 	let usage_msg = "usage : xenstored [--config-file <filename>] [--no-domain-init] [--help] [--no-fork] [--reraise-top-level] [--restart] [--disable-socket]" in
- 	Arg.parse speclist (fun _ -> ()) usage_msg;
-+	let () =
-+		if !help then begin
-+			if !live_reload then
-+				(*
-+				 * Transform --live --help into --config-test for backward compat with
-+				 * running code during live update.
-+				 * Caller will validate config and exit
-+				 *)
-+				config_test := true
-+			else begin
-+				Arg.usage_string speclist usage_msg |> print_endline;
-+				exit 0
-+			end
-+		end
-+	in
- 	{
- 		domain_init = !domain_init;
- 		activate_access_log = !activate_access_log;
-@@ -70,4 +95,5 @@ let do_argv =
- 		restart = !restart;
- 		live_reload = !live_reload;
- 		disable_socket = !disable_socket;
-+		config_test = !config_test;
- 	}
-diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
-index 4d5851c5cb..e2638a5af2 100644
---- a/tools/ocaml/xenstored/xenstored.ml
-+++ b/tools/ocaml/xenstored/xenstored.ml
-@@ -88,7 +88,7 @@ let default_pidfile = Paths.xen_run_dir ^ "/xenstored.pid"
- 
- let ring_scan_interval = ref 20
- 
--let parse_config filename =
-+let parse_config ?(strict=false) filename =
- 	let pidfile = ref default_pidfile in
- 	let options = [
- 		("merge-activate", Config.Set_bool Transaction.do_coalesce);
-@@ -129,11 +129,12 @@ let parse_config filename =
- 		("xenstored-port", Config.Set_string Domains.xenstored_port); ] in
- 	begin try Config.read filename options (fun _ _ -> raise Not_found)
- 	with
--	| Config.Error err -> List.iter (fun (k, e) ->
-+	| Config.Error err as e -> List.iter (fun (k, e) ->
- 		match e with
- 		| "unknown key" -> eprintf "config: unknown key %s\n" k
- 		| _             -> eprintf "config: %s: %s\n" k e
- 		) err;
-+		if strict then raise e
- 	| Sys_error m -> eprintf "error: config: %s\n" m;
- 	end;
- 	!pidfile
-@@ -358,6 +359,12 @@ let tweak_gc () =
- let () =
- 	Printexc.set_uncaught_exception_handler Logging.fallback_exception_handler;
- 	let cf = do_argv in
-+	if cf.config_test then begin
-+		let path = config_filename cf in
-+		let _pidfile:string = parse_config ~strict:true path in
-+		Printf.printf "Configuration valid at %s\n%!" path;
-+		exit 0
-+	end;
- 	let pidfile =
- 		if Sys.file_exists (config_filename cf) then
- 			parse_config (config_filename cf)
--- 
-2.40.0
-

diff --git a/0038-x86-amd-Introduce-is_zen-1-2-_uarch-predicates.patch b/0038-x86-amd-Introduce-is_zen-1-2-_uarch-predicates.patch
new file mode 100644
index 0000000..6f2cdcb
--- /dev/null
+++ b/0038-x86-amd-Introduce-is_zen-1-2-_uarch-predicates.patch
@@ -0,0 +1,91 @@
+From 19ee1e1faa32b79274b3484cb1170a5970f1e602 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 15 Sep 2023 12:13:51 +0100
+Subject: [PATCH 38/55] x86/amd: Introduce is_zen{1,2}_uarch() predicates
+
+We already have 3 cases using STIBP as a Zen1/2 heuristic, and are about to
+introduce a 4th.  Wrap the heuristic into a pair of predicates rather than
+opencoding it, and the explanation of the heuristic, at each usage site.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit de1d265001397f308c5c3c5d3ffc30e7ef8c0705)
+---
+ xen/arch/x86/cpu/amd.c         | 18 ++++--------------
+ xen/arch/x86/include/asm/amd.h | 11 +++++++++++
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
+index 1bb3044be1..e94ba5a0e0 100644
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -855,15 +855,13 @@ void amd_set_legacy_ssbd(bool enable)
+  * non-branch instructions to be ignored.  It is to be set unilaterally in
+  * newer microcode.
+  *
+- * This chickenbit is something unrelated on Zen1, and Zen1 vs Zen2 isn't a
+- * simple model number comparison, so use STIBP as a heuristic to separate the
+- * two uarches in Fam17h(AMD)/18h(Hygon).
++ * This chickenbit is something unrelated on Zen1.
+  */
+ void amd_init_spectral_chicken(void)
+ {
+ 	uint64_t val, chickenbit = 1 << 1;
+ 
+-	if (cpu_has_hypervisor || !boot_cpu_has(X86_FEATURE_AMD_STIBP))
++	if (cpu_has_hypervisor || !is_zen2_uarch())
+ 		return;
+ 
+ 	if (rdmsr_safe(MSR_AMD64_DE_CFG2, val) == 0 && !(val & chickenbit))
+@@ -912,11 +910,8 @@ void amd_check_zenbleed(void)
+ 		 * With the Fam17h check above, most parts getting here are
+ 		 * Zen1.  They're not affected.  Assume Zen2 ones making it
+ 		 * here are affected regardless of microcode version.
+-		 *
+-		 * Zen1 vs Zen2 isn't a simple model number comparison, so use
+-		 * STIBP as a heuristic to distinguish.
+ 		 */
+-		if (!boot_cpu_has(X86_FEATURE_AMD_STIBP))
++		if (is_zen1_uarch())
+ 			return;
+ 		good_rev = ~0U;
+ 		break;
+@@ -1277,12 +1272,7 @@ static int __init cf_check zen2_c6_errata_check(void)
+ 	 */
+ 	s_time_t delta;
+ 
+-	/*
+-	 * Zen1 vs Zen2 isn't a simple model number comparison, so use STIBP as
+-	 * a heuristic to separate the two uarches in Fam17h.
+-	 */
+-	if (cpu_has_hypervisor || boot_cpu_data.x86 != 0x17 ||
+-	    !boot_cpu_has(X86_FEATURE_AMD_STIBP))
++	if (cpu_has_hypervisor || boot_cpu_data.x86 != 0x17 || !is_zen2_uarch())
+ 		return 0;
+ 
+ 	/*
+diff --git a/xen/arch/x86/include/asm/amd.h b/xen/arch/x86/include/asm/amd.h
+index a975d3de26..82324110ab 100644
+--- a/xen/arch/x86/include/asm/amd.h
++++ b/xen/arch/x86/include/asm/amd.h
+@@ -140,6 +140,17 @@
+                        AMD_MODEL_RANGE(0x11, 0x0, 0x0, 0xff, 0xf),	\
+                        AMD_MODEL_RANGE(0x12, 0x0, 0x0, 0xff, 0xf))
+ 
++/*
++ * The Zen1 and Zen2 microarchitectures are implemented by AMD (Fam17h) and
++ * Hygon (Fam18h) but without simple model number rules.  Instead, use STIBP
++ * as a heuristic that distinguishes the two.
++ *
++ * The caller is required to perform the appropriate vendor/family checks
++ * first.
++ */
++#define is_zen1_uarch() (!boot_cpu_has(X86_FEATURE_AMD_STIBP))
++#define is_zen2_uarch()   boot_cpu_has(X86_FEATURE_AMD_STIBP)
++
+ struct cpuinfo_x86;
+ int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
+ 
+-- 
+2.42.0
+

diff --git a/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch b/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch
deleted file mode 100644
index c967391..0000000
--- a/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 2c21e1bee6d62cbd523069e839086addf35da9f2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
-Date: Thu, 12 Jan 2023 11:28:29 +0000
-Subject: [PATCH 39/89] tools/ocaml/libs: Don't declare stubs as taking void
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is no such thing as an Ocaml function (C stub or otherwise) taking no
-parameters.  In the absence of any other parameters, unit is still passed.
-
-This doesn't explode with any ABI we care about, but would malfunction for an
-ABI environment such as stdcall.
-
-Fixes: c3afd398ba7f ("ocaml: Add XS bindings.")
-Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.")
-Signed-off-by: Edwin Török <edwin.torok@cloud.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit ff8b560be80b9211c303d74df7e4b3921d2bb8ca)
----
- tools/ocaml/libs/xb/xenbus_stubs.c  | 5 ++---
- tools/ocaml/libs/xc/xenctrl_stubs.c | 4 ++--
- 2 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/tools/ocaml/libs/xb/xenbus_stubs.c b/tools/ocaml/libs/xb/xenbus_stubs.c
-index 3065181a55..97116b0782 100644
---- a/tools/ocaml/libs/xb/xenbus_stubs.c
-+++ b/tools/ocaml/libs/xb/xenbus_stubs.c
-@@ -30,10 +30,9 @@
- #include <xenctrl.h>
- #include <xen/io/xs_wire.h>
- 
--CAMLprim value stub_header_size(void)
-+CAMLprim value stub_header_size(value unit)
- {
--	CAMLparam0();
--	CAMLreturn(Val_int(sizeof(struct xsd_sockmsg)));
-+	return Val_int(sizeof(struct xsd_sockmsg));
- }
- 
- CAMLprim value stub_header_of_string(value s)
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index f37848ae0b..6eb0ea69da 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -67,9 +67,9 @@ static void Noreturn failwith_xc(xc_interface *xch)
- 	caml_raise_with_string(*caml_named_value("xc.error"), error_str);
- }
- 
--CAMLprim value stub_xc_interface_open(void)
-+CAMLprim value stub_xc_interface_open(value unit)
- {
--	CAMLparam0();
-+	CAMLparam1(unit);
-         xc_interface *xch;
- 
- 	/* Don't assert XC_OPENFLAG_NON_REENTRANT because these bindings
--- 
-2.40.0
-

diff --git a/0039-x86-spec-ctrl-Mitigate-the-Zen1-DIV-leakage.patch b/0039-x86-spec-ctrl-Mitigate-the-Zen1-DIV-leakage.patch
new file mode 100644
index 0000000..4b23d12
--- /dev/null
+++ b/0039-x86-spec-ctrl-Mitigate-the-Zen1-DIV-leakage.patch
@@ -0,0 +1,228 @@
+From 9ac2f49f5fa3a5159409241d4f74fb0d721dd4c5 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 30 Aug 2023 20:24:25 +0100
+Subject: [PATCH 39/55] x86/spec-ctrl: Mitigate the Zen1 DIV leakage
+
+In the Zen1 microarchitecure, there is one divider in the pipeline which
+services uops from both threads.  In the case of #DE, the latched result from
+the previous DIV to execute will be forwarded speculatively.
+
+This is an interesting covert channel that allows two threads to communicate
+without any system calls.  In also allows userspace to obtain the result of
+the most recent DIV instruction executed (even speculatively) in the core,
+which can be from a higher privilege context.
+
+Scrub the result from the divider by executing a non-faulting divide.  This
+needs performing on the exit-to-guest paths, and ist_exit-to-Xen.
+
+Alternatives in IST context is believed safe now that it's done in NMI
+context.
+
+This is XSA-439 / CVE-2023-20588.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit b5926c6ecf05c28ee99c6248c42d691ccbf0c315)
+---
+ docs/misc/xen-command-line.pandoc        |  6 ++-
+ xen/arch/x86/hvm/svm/entry.S             |  1 +
+ xen/arch/x86/include/asm/cpufeatures.h   |  2 +-
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 17 +++++++++
+ xen/arch/x86/spec_ctrl.c                 | 48 +++++++++++++++++++++++-
+ 5 files changed, 71 insertions(+), 3 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index d9dae740cc..b92c8f969c 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2315,7 +2315,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+ >              {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
+ >              bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
+ >              eager-fpu,l1d-flush,branch-harden,srb-lock,
+->              unpriv-mmio,gds-mit}=<bool> ]`
++>              unpriv-mmio,gds-mit,div-scrub}=<bool> ]`
+ 
+ Controls for speculative execution sidechannel mitigations.  By default, Xen
+ will pick the most appropriate mitigations based on compiled in support,
+@@ -2437,6 +2437,10 @@ has elected not to lock the configuration, Xen will use GDS_CTRL to mitigate
+ GDS with.  Otherwise, Xen will mitigate by disabling AVX, which blocks the use
+ of the AVX2 Gather instructions.
+ 
++On all hardware, the `div-scrub=` option can be used to force or prevent Xen
++from mitigating the DIV-leakage vulnerability.  By default, Xen will mitigate
++DIV-leakage on hardware believed to be vulnerable.
++
+ ### sync_console
+ > `= <boolean>`
+ 
+diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
+index 981cd82e7c..934f12cf5c 100644
+--- a/xen/arch/x86/hvm/svm/entry.S
++++ b/xen/arch/x86/hvm/svm/entry.S
+@@ -74,6 +74,7 @@ __UNLIKELY_END(nsvm_hap)
+ 1:          /* No Spectre v1 concerns.  Execution will hit VMRUN imminently. */
+         .endm
+         ALTERNATIVE "", svm_vmentry_spec_ctrl, X86_FEATURE_SC_MSR_HVM
++        ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
+ 
+         pop  %r15
+         pop  %r14
+diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
+index da0593de85..c3aad21c3b 100644
+--- a/xen/arch/x86/include/asm/cpufeatures.h
++++ b/xen/arch/x86/include/asm/cpufeatures.h
+@@ -35,7 +35,7 @@ XEN_CPUFEATURE(SC_RSB_HVM,        X86_SYNTH(19)) /* RSB overwrite needed for HVM
+ XEN_CPUFEATURE(XEN_SELFSNOOP,     X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */
+ XEN_CPUFEATURE(SC_MSR_IDLE,       X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */
+ XEN_CPUFEATURE(XEN_LBR,           X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
+-/* Bits 23 unused. */
++XEN_CPUFEATURE(SC_DIV,            X86_SYNTH(23)) /* DIV scrub needed */
+ XEN_CPUFEATURE(SC_RSB_IDLE,       X86_SYNTH(24)) /* RSB overwrite needed for idle. */
+ XEN_CPUFEATURE(SC_VERW_IDLE,      X86_SYNTH(25)) /* VERW used by Xen for idle */
+ XEN_CPUFEATURE(XEN_SHSTK,         X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index 28a75796e6..f4b8b9d956 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -177,6 +177,19 @@
+ .L\@_verw_skip:
+ .endm
+ 
++.macro DO_SPEC_CTRL_DIV
++/*
++ * Requires nothing
++ * Clobbers %rax
++ *
++ * Issue a DIV for its flushing side effect (Zen1 uarch specific).  Any
++ * non-faulting DIV will do; a byte DIV has least latency, and doesn't clobber
++ * %rdx.
++ */
++    mov $1, %eax
++    div %al
++.endm
++
+ .macro DO_SPEC_CTRL_ENTRY maybexen:req
+ /*
+  * Requires %rsp=regs (also cpuinfo if !maybexen)
+@@ -279,6 +292,8 @@
+     ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV
+ 
+     DO_SPEC_CTRL_COND_VERW
++
++    ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
+ .endm
+ 
+ /*
+@@ -391,6 +406,8 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+     verw STACK_CPUINFO_FIELD(verw_sel)(%r14)
+ .L\@_skip_verw:
+ 
++    ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
++
+ .L\@_skip_ist_exit:
+ .endm
+ 
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 79b98f0fe7..0ff3c895ac 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -79,6 +79,7 @@ static int8_t __initdata opt_srb_lock = -1;
+ static bool __initdata opt_unpriv_mmio;
+ static bool __ro_after_init opt_fb_clear_mmio;
+ static int8_t __initdata opt_gds_mit = -1;
++static int8_t __initdata opt_div_scrub = -1;
+ 
+ static int __init cf_check parse_spec_ctrl(const char *s)
+ {
+@@ -133,6 +134,7 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+             opt_srb_lock = 0;
+             opt_unpriv_mmio = false;
+             opt_gds_mit = 0;
++            opt_div_scrub = 0;
+         }
+         else if ( val > 0 )
+             rc = -EINVAL;
+@@ -285,6 +287,8 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+             opt_unpriv_mmio = val;
+         else if ( (val = parse_boolean("gds-mit", s, ss)) >= 0 )
+             opt_gds_mit = val;
++        else if ( (val = parse_boolean("div-scrub", s, ss)) >= 0 )
++            opt_div_scrub = val;
+         else
+             rc = -EINVAL;
+ 
+@@ -485,7 +489,7 @@ static void __init print_details(enum ind_thunk thunk)
+                "\n");
+ 
+     /* Settings for Xen's protection, irrespective of guests. */
+-    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s\n",
++    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
+            thunk == THUNK_NONE      ? "N/A" :
+            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+            thunk == THUNK_LFENCE    ? "LFENCE" :
+@@ -510,6 +514,7 @@ static void __init print_details(enum ind_thunk thunk)
+            opt_l1d_flush                             ? " L1D_FLUSH" : "",
+            opt_md_clear_pv || opt_md_clear_hvm ||
+            opt_fb_clear_mmio                         ? " VERW"  : "",
++           opt_div_scrub                             ? " DIV" : "",
+            opt_branch_harden                         ? " BRANCH_HARDEN" : "");
+ 
+     /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */
+@@ -967,6 +972,45 @@ static void __init srso_calculations(bool hw_smt_enabled)
+         setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+ }
+ 
++/*
++ * The Div leakage issue is specific to the AMD Zen1 microarchitecure.
++ *
++ * However, there's no $FOO_NO bit defined, so if we're virtualised we have no
++ * hope of spotting the case where we might move to vulnerable hardware.  We
++ * also can't make any useful conclusion about SMT-ness.
++ *
++ * Don't check the hypervisor bit, so at least we do the safe thing when
++ * booting on something that looks like a Zen1 CPU.
++ */
++static bool __init has_div_vuln(void)
++{
++    if ( !(boot_cpu_data.x86_vendor &
++           (X86_VENDOR_AMD | X86_VENDOR_HYGON)) )
++        return false;
++
++    if ( boot_cpu_data.x86 != 0x17 && boot_cpu_data.x86 != 0x18 )
++        return false;
++
++    return is_zen1_uarch();
++}
++
++static void __init div_calculations(bool hw_smt_enabled)
++{
++    bool cpu_bug_div = has_div_vuln();
++
++    if ( opt_div_scrub == -1 )
++        opt_div_scrub = cpu_bug_div;
++
++    if ( opt_div_scrub )
++        setup_force_cpu_cap(X86_FEATURE_SC_DIV);
++
++    if ( opt_smt == -1 && !cpu_has_hypervisor && cpu_bug_div && hw_smt_enabled )
++        warning_add(
++            "Booted on leaky-DIV hardware with SMT/Hyperthreading\n"
++            "enabled.  Please assess your configuration and choose an\n"
++            "explicit 'smt=<bool>' setting.  See XSA-439.\n");
++}
++
+ static void __init ibpb_calculations(void)
+ {
+     bool def_ibpb_entry = false;
+@@ -1726,6 +1770,8 @@ void __init init_speculation_mitigations(void)
+ 
+     ibpb_calculations();
+ 
++    div_calculations(hw_smt_enabled);
++
+     /* Check whether Eager FPU should be enabled by default. */
+     if ( opt_eager_fpu == -1 )
+         opt_eager_fpu = should_use_eager_fpu();
+-- 
+2.42.0
+

diff --git a/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch b/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch
deleted file mode 100644
index 5a26683..0000000
--- a/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 5797b798a542a7e5be34698463152cb92f18776f Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 31 Jan 2023 10:59:42 +0000
-Subject: [PATCH 40/89] tools/ocaml/libs: Allocate the correct amount of memory
- for Abstract_tag
-
-caml_alloc() takes units of Wsize (word size), not bytes.  As a consequence,
-we're allocating 4 or 8 times too much memory.
-
-Ocaml has a helper, Wsize_bsize(), but it truncates cases which aren't an
-exact multiple.  Use a BUILD_BUG_ON() to cover the potential for truncation,
-as there's no rounding-up form of the helper.
-
-Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.")
-Fixes: d3e649277a13 ("ocaml: add mmap bindings implementation.")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 36eb2de31b6ecb8787698fb1a701bd708c8971b2)
----
- tools/ocaml/libs/mmap/Makefile        | 2 ++
- tools/ocaml/libs/mmap/xenmmap_stubs.c | 6 +++++-
- tools/ocaml/libs/xc/xenctrl_stubs.c   | 5 ++++-
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/libs/mmap/Makefile b/tools/ocaml/libs/mmap/Makefile
-index a621537135..855b8b2c98 100644
---- a/tools/ocaml/libs/mmap/Makefile
-+++ b/tools/ocaml/libs/mmap/Makefile
-@@ -2,6 +2,8 @@ OCAML_TOPLEVEL=$(CURDIR)/../..
- XEN_ROOT=$(OCAML_TOPLEVEL)/../..
- include $(OCAML_TOPLEVEL)/common.make
- 
-+CFLAGS += $(CFLAGS_xeninclude)
-+
- OBJS = xenmmap
- INTF = $(foreach obj, $(OBJS),$(obj).cmi)
- LIBS = xenmmap.cma xenmmap.cmxa
-diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c
-index e03951d781..d623ad390e 100644
---- a/tools/ocaml/libs/mmap/xenmmap_stubs.c
-+++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c
-@@ -21,6 +21,8 @@
- #include <errno.h>
- #include "mmap_stubs.h"
- 
-+#include <xen-tools/libs.h>
-+
- #include <caml/mlvalues.h>
- #include <caml/memory.h>
- #include <caml/alloc.h>
-@@ -59,7 +61,9 @@ CAMLprim value stub_mmap_init(value fd, value pflag, value mflag,
- 	default: caml_invalid_argument("maptype");
- 	}
- 
--	result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag);
-+	BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0);
-+	result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)),
-+			    Abstract_tag);
- 
- 	if (mmap_interface_init(Intf_val(result), Int_val(fd),
- 	                        c_pflag, c_mflag,
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index 6eb0ea69da..e25367531b 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -956,7 +956,10 @@ CAMLprim value stub_map_foreign_range(value xch, value dom,
- 	uint32_t c_dom;
- 	unsigned long c_mfn;
- 
--	result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag);
-+	BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0);
-+	result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)),
-+			    Abstract_tag);
-+
- 	intf = (struct mmap_interface *) result;
- 
- 	intf->len = Int_val(size);
--- 
-2.40.0
-

diff --git a/0040-x86-shadow-defer-releasing-of-PV-s-top-level-shadow-.patch b/0040-x86-shadow-defer-releasing-of-PV-s-top-level-shadow-.patch
new file mode 100644
index 0000000..21fb16f
--- /dev/null
+++ b/0040-x86-shadow-defer-releasing-of-PV-s-top-level-shadow-.patch
@@ -0,0 +1,455 @@
+From 90c540c58985dc774cf0a1d2dc423473d3f37267 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Wed, 20 Sep 2023 10:33:26 +0100
+Subject: [PATCH 40/55] x86/shadow: defer releasing of PV's top-level shadow
+ reference
+
+sh_set_toplevel_shadow() re-pinning the top-level shadow we may be
+running on is not enough (and at the same time unnecessary when the
+shadow isn't what we're running on): That shadow becomes eligible for
+blowing away (from e.g. shadow_prealloc()) immediately after the
+paging lock was dropped. Yet it needs to remain valid until the actual
+page table switch occurred.
+
+Propagate up the call chain the shadow entry that needs releasing
+eventually, and carry out the release immediately after switching page
+tables. Handle update_cr3() failures by switching to idle pagetables.
+Note that various further uses of update_cr3() are HVM-only or only act
+on paused vCPU-s, in which case sh_set_toplevel_shadow() will not defer
+releasing of the reference.
+
+While changing the update_cr3() hook, also convert the "do_locking"
+parameter to boolean.
+
+This is CVE-2023-34322 / XSA-438.
+
+Reported-by: Tim Deegan <tim@xen.org>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: George Dunlap <george.dunlap@cloud.com>
+(cherry picked from commit fb0ff49fe9f784bfee0370c2a3c5f20e39d7a1cb)
+---
+ xen/arch/x86/include/asm/mm.h     |  2 +-
+ xen/arch/x86/include/asm/paging.h |  6 ++--
+ xen/arch/x86/include/asm/shadow.h |  8 +++++
+ xen/arch/x86/mm.c                 | 27 +++++++++++----
+ xen/arch/x86/mm/hap/hap.c         |  6 ++--
+ xen/arch/x86/mm/shadow/common.c   | 55 ++++++++++++++++++++-----------
+ xen/arch/x86/mm/shadow/multi.c    | 33 ++++++++++++-------
+ xen/arch/x86/mm/shadow/none.c     |  4 ++-
+ xen/arch/x86/mm/shadow/private.h  | 14 ++++----
+ xen/arch/x86/pv/domain.c          | 25 ++++++++++++--
+ 10 files changed, 127 insertions(+), 53 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h
+index d723c7c38f..a5d7fdd32e 100644
+--- a/xen/arch/x86/include/asm/mm.h
++++ b/xen/arch/x86/include/asm/mm.h
+@@ -552,7 +552,7 @@ void audit_domains(void);
+ #endif
+ 
+ void make_cr3(struct vcpu *v, mfn_t mfn);
+-void update_cr3(struct vcpu *v);
++pagetable_t update_cr3(struct vcpu *v);
+ int vcpu_destroy_pagetables(struct vcpu *);
+ void *do_page_walk(struct vcpu *v, unsigned long addr);
+ 
+diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h
+index 6f7000d5f4..94c590f31a 100644
+--- a/xen/arch/x86/include/asm/paging.h
++++ b/xen/arch/x86/include/asm/paging.h
+@@ -138,7 +138,7 @@ struct paging_mode {
+                                             paddr_t ga, uint32_t *pfec,
+                                             unsigned int *page_order);
+ #endif
+-    void          (*update_cr3            )(struct vcpu *v, int do_locking,
++    pagetable_t   (*update_cr3            )(struct vcpu *v, bool do_locking,
+                                             bool noflush);
+     void          (*update_paging_modes   )(struct vcpu *v);
+     bool          (*flush_tlb             )(const unsigned long *vcpu_bitmap);
+@@ -310,9 +310,9 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v,
+ /* Update all the things that are derived from the guest's CR3.
+  * Called when the guest changes CR3; the caller can then use v->arch.cr3
+  * as the value to load into the host CR3 to schedule this vcpu */
+-static inline void paging_update_cr3(struct vcpu *v, bool noflush)
++static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush)
+ {
+-    paging_get_hostmode(v)->update_cr3(v, 1, noflush);
++    return paging_get_hostmode(v)->update_cr3(v, 1, noflush);
+ }
+ 
+ /* Update all the things that are derived from the guest's CR0/CR3/CR4.
+diff --git a/xen/arch/x86/include/asm/shadow.h b/xen/arch/x86/include/asm/shadow.h
+index dad876d294..0b72c9eda8 100644
+--- a/xen/arch/x86/include/asm/shadow.h
++++ b/xen/arch/x86/include/asm/shadow.h
+@@ -99,6 +99,9 @@ int shadow_set_allocation(struct domain *d, unsigned int pages,
+ 
+ int shadow_get_allocation_bytes(struct domain *d, uint64_t *size);
+ 
++/* Helper to invoke for deferred releasing of a top-level shadow's reference. */
++void shadow_put_top_level(struct domain *d, pagetable_t old);
++
+ #else /* !CONFIG_SHADOW_PAGING */
+ 
+ #define shadow_vcpu_teardown(v) ASSERT(is_pv_vcpu(v))
+@@ -121,6 +124,11 @@ static inline void shadow_prepare_page_type_change(struct domain *d,
+ 
+ static inline void shadow_blow_tables_per_domain(struct domain *d) {}
+ 
++static inline void shadow_put_top_level(struct domain *d, pagetable_t old)
++{
++    ASSERT_UNREACHABLE();
++}
++
+ static inline int shadow_domctl(struct domain *d,
+                                 struct xen_domctl_shadow_op *sc,
+                                 XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index b46eee1332..e884a6fdbd 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -567,15 +567,12 @@ void write_ptbase(struct vcpu *v)
+  *
+  * Update ref counts to shadow tables appropriately.
+  */
+-void update_cr3(struct vcpu *v)
++pagetable_t update_cr3(struct vcpu *v)
+ {
+     mfn_t cr3_mfn;
+ 
+     if ( paging_mode_enabled(v->domain) )
+-    {
+-        paging_update_cr3(v, false);
+-        return;
+-    }
++        return paging_update_cr3(v, false);
+ 
+     if ( !(v->arch.flags & TF_kernel_mode) )
+         cr3_mfn = pagetable_get_mfn(v->arch.guest_table_user);
+@@ -583,6 +580,8 @@ void update_cr3(struct vcpu *v)
+         cr3_mfn = pagetable_get_mfn(v->arch.guest_table);
+ 
+     make_cr3(v, cr3_mfn);
++
++    return pagetable_null();
+ }
+ 
+ static inline void set_tlbflush_timestamp(struct page_info *page)
+@@ -3285,6 +3284,7 @@ int new_guest_cr3(mfn_t mfn)
+     struct domain *d = curr->domain;
+     int rc;
+     mfn_t old_base_mfn;
++    pagetable_t old_shadow;
+ 
+     if ( is_pv_32bit_domain(d) )
+     {
+@@ -3352,9 +3352,22 @@ int new_guest_cr3(mfn_t mfn)
+     if ( !VM_ASSIST(d, m2p_strict) )
+         fill_ro_mpt(mfn);
+     curr->arch.guest_table = pagetable_from_mfn(mfn);
+-    update_cr3(curr);
++    old_shadow = update_cr3(curr);
++
++    /*
++     * In shadow mode update_cr3() can fail, in which case here we're still
++     * running on the prior top-level shadow (which we're about to release).
++     * Switch to the idle page tables in such an event; the guest will have
++     * been crashed already.
++     */
++    if ( likely(!mfn_eq(pagetable_get_mfn(old_shadow),
++                        maddr_to_mfn(curr->arch.cr3 & ~X86_CR3_NOFLUSH))) )
++        write_ptbase(curr);
++    else
++        write_ptbase(idle_vcpu[curr->processor]);
+ 
+-    write_ptbase(curr);
++    if ( !pagetable_is_null(old_shadow) )
++        shadow_put_top_level(d, old_shadow);
+ 
+     if ( likely(mfn_x(old_base_mfn) != 0) )
+     {
+diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
+index 0fc1b1d9ac..57a19c3d59 100644
+--- a/xen/arch/x86/mm/hap/hap.c
++++ b/xen/arch/x86/mm/hap/hap.c
+@@ -739,11 +739,13 @@ static bool cf_check hap_invlpg(struct vcpu *v, unsigned long linear)
+     return 1;
+ }
+ 
+-static void cf_check hap_update_cr3(
+-    struct vcpu *v, int do_locking, bool noflush)
++static pagetable_t cf_check hap_update_cr3(
++    struct vcpu *v, bool do_locking, bool noflush)
+ {
+     v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3];
+     hvm_update_guest_cr3(v, noflush);
++
++    return pagetable_null();
+ }
+ 
+ static bool flush_vcpu(const struct vcpu *v, const unsigned long *vcpu_bitmap)
+diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
+index cf5e181f74..c0940f939e 100644
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -2590,13 +2590,13 @@ void cf_check shadow_update_paging_modes(struct vcpu *v)
+ }
+ 
+ /* Set up the top-level shadow and install it in slot 'slot' of shadow_table */
+-void sh_set_toplevel_shadow(struct vcpu *v,
+-                            unsigned int slot,
+-                            mfn_t gmfn,
+-                            unsigned int root_type,
+-                            mfn_t (*make_shadow)(struct vcpu *v,
+-                                                 mfn_t gmfn,
+-                                                 uint32_t shadow_type))
++pagetable_t sh_set_toplevel_shadow(struct vcpu *v,
++                                   unsigned int slot,
++                                   mfn_t gmfn,
++                                   unsigned int root_type,
++                                   mfn_t (*make_shadow)(struct vcpu *v,
++                                                        mfn_t gmfn,
++                                                        uint32_t shadow_type))
+ {
+     mfn_t smfn;
+     pagetable_t old_entry, new_entry;
+@@ -2653,20 +2653,37 @@ void sh_set_toplevel_shadow(struct vcpu *v,
+                   mfn_x(gmfn), mfn_x(pagetable_get_mfn(new_entry)));
+     v->arch.paging.shadow.shadow_table[slot] = new_entry;
+ 
+-    /* Decrement the refcount of the old contents of this slot */
+-    if ( !pagetable_is_null(old_entry) )
++    /*
++     * Decrement the refcount of the old contents of this slot, unless
++     * we're still running on that shadow - in that case it'll need holding
++     * on to until the actual page table switch did occur.
++     */
++    if ( !pagetable_is_null(old_entry) && (v != current || !is_pv_domain(d)) )
+     {
+-        mfn_t old_smfn = pagetable_get_mfn(old_entry);
+-        /* Need to repin the old toplevel shadow if it's been unpinned
+-         * by shadow_prealloc(): in PV mode we're still running on this
+-         * shadow and it's not safe to free it yet. */
+-        if ( !mfn_to_page(old_smfn)->u.sh.pinned && !sh_pin(d, old_smfn) )
+-        {
+-            printk(XENLOG_G_ERR "can't re-pin %"PRI_mfn"\n", mfn_x(old_smfn));
+-            domain_crash(d);
+-        }
+-        sh_put_ref(d, old_smfn, 0);
++        sh_put_ref(d, pagetable_get_mfn(old_entry), 0);
++        old_entry = pagetable_null();
+     }
++
++    /*
++     * 2- and 3-level shadow mode is used for HVM only. Therefore we never run
++     * on such a shadow, so only call sites requesting an L4 shadow need to pay
++     * attention to the returned value.
++     */
++    ASSERT(pagetable_is_null(old_entry) || root_type == SH_type_l4_64_shadow);
++
++    return old_entry;
++}
++
++/*
++ * Helper invoked when releasing of a top-level shadow's reference was
++ * deferred in sh_set_toplevel_shadow() above.
++ */
++void shadow_put_top_level(struct domain *d, pagetable_t old_entry)
++{
++    ASSERT(!pagetable_is_null(old_entry));
++    paging_lock(d);
++    sh_put_ref(d, pagetable_get_mfn(old_entry), 0);
++    paging_unlock(d);
+ }
+ 
+ /**************************************************************************/
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index 671bf8c228..c92b354a78 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -3224,7 +3224,8 @@ static void cf_check sh_detach_old_tables(struct vcpu *v)
+     }
+ }
+ 
+-static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
++static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking,
++                                          bool noflush)
+ /* Updates vcpu->arch.cr3 after the guest has changed CR3.
+  * Paravirtual guests should set v->arch.guest_table (and guest_table_user,
+  * if appropriate).
+@@ -3238,6 +3239,7 @@ static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
+ {
+     struct domain *d = v->domain;
+     mfn_t gmfn;
++    pagetable_t old_entry = pagetable_null();
+ #if GUEST_PAGING_LEVELS == 3
+     const guest_l3e_t *gl3e;
+     unsigned int i, guest_idx;
+@@ -3247,7 +3249,7 @@ static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
+     if ( !is_hvm_domain(d) && !v->is_initialised )
+     {
+         ASSERT(v->arch.cr3 == 0);
+-        return;
++        return old_entry;
+     }
+ 
+     if ( do_locking ) paging_lock(v->domain);
+@@ -3320,11 +3322,12 @@ static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
+ #if GUEST_PAGING_LEVELS == 4
+     if ( sh_remove_write_access(d, gmfn, 4, 0) != 0 )
+         guest_flush_tlb_mask(d, d->dirty_cpumask);
+-    sh_set_toplevel_shadow(v, 0, gmfn, SH_type_l4_shadow, sh_make_shadow);
++    old_entry = sh_set_toplevel_shadow(v, 0, gmfn, SH_type_l4_shadow,
++                                       sh_make_shadow);
+     if ( unlikely(pagetable_is_null(v->arch.paging.shadow.shadow_table[0])) )
+     {
+         ASSERT(d->is_dying || d->is_shutting_down);
+-        return;
++        return old_entry;
+     }
+     if ( !shadow_mode_external(d) && !is_pv_32bit_domain(d) )
+     {
+@@ -3368,24 +3371,30 @@ static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
+                 gl2gfn = guest_l3e_get_gfn(gl3e[i]);
+                 gl2mfn = get_gfn_query_unlocked(d, gfn_x(gl2gfn), &p2mt);
+                 if ( p2m_is_ram(p2mt) )
+-                    sh_set_toplevel_shadow(v, i, gl2mfn, SH_type_l2_shadow,
+-                                           sh_make_shadow);
++                    old_entry = sh_set_toplevel_shadow(v, i, gl2mfn,
++                                                       SH_type_l2_shadow,
++                                                       sh_make_shadow);
+                 else
+-                    sh_set_toplevel_shadow(v, i, INVALID_MFN, 0,
+-                                           sh_make_shadow);
++                    old_entry = sh_set_toplevel_shadow(v, i, INVALID_MFN, 0,
++                                                       sh_make_shadow);
+             }
+             else
+-                sh_set_toplevel_shadow(v, i, INVALID_MFN, 0, sh_make_shadow);
++                old_entry = sh_set_toplevel_shadow(v, i, INVALID_MFN, 0,
++                                                   sh_make_shadow);
++
++            ASSERT(pagetable_is_null(old_entry));
+         }
+     }
+ #elif GUEST_PAGING_LEVELS == 2
+     if ( sh_remove_write_access(d, gmfn, 2, 0) != 0 )
+         guest_flush_tlb_mask(d, d->dirty_cpumask);
+-    sh_set_toplevel_shadow(v, 0, gmfn, SH_type_l2_shadow, sh_make_shadow);
++    old_entry = sh_set_toplevel_shadow(v, 0, gmfn, SH_type_l2_shadow,
++                                       sh_make_shadow);
++    ASSERT(pagetable_is_null(old_entry));
+     if ( unlikely(pagetable_is_null(v->arch.paging.shadow.shadow_table[0])) )
+     {
+         ASSERT(d->is_dying || d->is_shutting_down);
+-        return;
++        return old_entry;
+     }
+ #else
+ #error This should never happen
+@@ -3473,6 +3482,8 @@ static void cf_check sh_update_cr3(struct vcpu *v, int do_locking, bool noflush)
+ 
+     /* Release the lock, if we took it (otherwise it's the caller's problem) */
+     if ( do_locking ) paging_unlock(v->domain);
++
++    return old_entry;
+ }
+ 
+ 
+diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c
+index eaaa874b11..743c0ffb85 100644
+--- a/xen/arch/x86/mm/shadow/none.c
++++ b/xen/arch/x86/mm/shadow/none.c
+@@ -52,9 +52,11 @@ static unsigned long cf_check _gva_to_gfn(
+ }
+ #endif
+ 
+-static void cf_check _update_cr3(struct vcpu *v, int do_locking, bool noflush)
++static pagetable_t cf_check _update_cr3(struct vcpu *v, bool do_locking,
++                                        bool noflush)
+ {
+     ASSERT_UNREACHABLE();
++    return pagetable_null();
+ }
+ 
+ static void cf_check _update_paging_modes(struct vcpu *v)
+diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
+index c2bb1ed3c3..91f798c5aa 100644
+--- a/xen/arch/x86/mm/shadow/private.h
++++ b/xen/arch/x86/mm/shadow/private.h
+@@ -391,13 +391,13 @@ mfn_t shadow_alloc(struct domain *d,
+ void  shadow_free(struct domain *d, mfn_t smfn);
+ 
+ /* Set up the top-level shadow and install it in slot 'slot' of shadow_table */
+-void sh_set_toplevel_shadow(struct vcpu *v,
+-                            unsigned int slot,
+-                            mfn_t gmfn,
+-                            unsigned int root_type,
+-                            mfn_t (*make_shadow)(struct vcpu *v,
+-                                                 mfn_t gmfn,
+-                                                 uint32_t shadow_type));
++pagetable_t sh_set_toplevel_shadow(struct vcpu *v,
++                                   unsigned int slot,
++                                   mfn_t gmfn,
++                                   unsigned int root_type,
++                                   mfn_t (*make_shadow)(struct vcpu *v,
++                                                        mfn_t gmfn,
++                                                        uint32_t shadow_type));
+ 
+ /* Update the shadows in response to a pagetable write from Xen */
+ int sh_validate_guest_entry(struct vcpu *v, mfn_t gmfn, void *entry, u32 size);
+diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c
+index 5c92812dc6..2a445bb17b 100644
+--- a/xen/arch/x86/pv/domain.c
++++ b/xen/arch/x86/pv/domain.c
+@@ -424,10 +424,13 @@ bool __init xpti_pcid_enabled(void)
+ 
+ static void _toggle_guest_pt(struct vcpu *v)
+ {
++    bool guest_update;
++    pagetable_t old_shadow;
+     unsigned long cr3;
+ 
+     v->arch.flags ^= TF_kernel_mode;
+-    update_cr3(v);
++    guest_update = v->arch.flags & TF_kernel_mode;
++    old_shadow = update_cr3(v);
+ 
+     /*
+      * Don't flush user global mappings from the TLB. Don't tick TLB clock.
+@@ -436,13 +439,31 @@ static void _toggle_guest_pt(struct vcpu *v)
+      * TLB flush (for just the incoming PCID), as the top level page table may
+      * have changed behind our backs. To be on the safe side, suppress the
+      * no-flush unconditionally in this case.
++     *
++     * Furthermore in shadow mode update_cr3() can fail, in which case here
++     * we're still running on the prior top-level shadow (which we're about
++     * to release). Switch to the idle page tables in such an event; the
++     * guest will have been crashed already.
+      */
+     cr3 = v->arch.cr3;
+     if ( shadow_mode_enabled(v->domain) )
++    {
+         cr3 &= ~X86_CR3_NOFLUSH;
++
++        if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow),
++                             maddr_to_mfn(cr3))) )
++        {
++            cr3 = idle_vcpu[v->processor]->arch.cr3;
++            /* Also suppress runstate/time area updates below. */
++            guest_update = false;
++        }
++    }
+     write_cr3(cr3);
+ 
+-    if ( !(v->arch.flags & TF_kernel_mode) )
++    if ( !pagetable_is_null(old_shadow) )
++        shadow_put_top_level(v->domain, old_shadow);
++
++    if ( !guest_update )
+         return;
+ 
+     if ( v->arch.pv.need_update_runstate_area && update_runstate_area(v) )
+-- 
+2.42.0
+

diff --git a/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch b/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch
deleted file mode 100644
index cabcdd0..0000000
--- a/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From 021b82cc0c71ba592439f175c1ededa800b172a9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
-Date: Thu, 12 Jan 2023 17:48:29 +0000
-Subject: [PATCH 41/89] tools/ocaml/evtchn: Don't reference Custom objects with
- the GC lock released
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The modification to the _H() macro for Ocaml 5 support introduced a subtle
-bug.  From the manual:
-
-  https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code
-
-"After caml_release_runtime_system() was called and until
-caml_acquire_runtime_system() is called, the C code must not access any OCaml
-data, nor call any function of the run-time system, nor call back into OCaml
-code."
-
-Previously, the value was a naked C pointer, so dereferencing it wasn't
-"accessing any Ocaml data", but the fix to avoid naked C pointers added a
-layer of indirection through an Ocaml Custom object, meaning that the common
-pattern of using _H() in a blocking section is unsafe.
-
-In order to fix:
-
- * Drop the _H() macro and replace it with a static inline xce_of_val().
- * Opencode the assignment into Data_custom_val() in the two constructors.
- * Rename "value xce" parameters to "value xce_val" so we can consistently
-   have "xenevtchn_handle *xce" on the stack, and obtain the pointer with the
-   GC lock still held.
-
-Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak")
-Signed-off-by: Edwin Török <edwin.torok@cloud.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 2636d8ff7a670c4d2485757dbe966e36c259a960)
----
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 60 +++++++++++--------
- 1 file changed, 35 insertions(+), 25 deletions(-)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index aa8a69cc1e..d7881ca95f 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -33,11 +33,14 @@
- #include <caml/fail.h>
- #include <caml/signals.h>
- 
--#define _H(__h) (*((xenevtchn_handle **)Data_custom_val(__h)))
-+static inline xenevtchn_handle *xce_of_val(value v)
-+{
-+	return *(xenevtchn_handle **)Data_custom_val(v);
-+}
- 
- static void stub_evtchn_finalize(value v)
- {
--	xenevtchn_close(_H(v));
-+	xenevtchn_close(xce_of_val(v));
- }
- 
- static struct custom_operations xenevtchn_ops = {
-@@ -68,7 +71,7 @@ CAMLprim value stub_eventchn_init(value cloexec)
- 		caml_failwith("open failed");
- 
- 	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
--	_H(result) = xce;
-+	*(xenevtchn_handle **)Data_custom_val(result) = xce;
- 
- 	CAMLreturn(result);
- }
-@@ -87,18 +90,19 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
- 		caml_failwith("evtchn fdopen failed");
- 
- 	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
--	_H(result) = xce;
-+	*(xenevtchn_handle **)Data_custom_val(result) = xce;
- 
- 	CAMLreturn(result);
- }
- 
--CAMLprim value stub_eventchn_fd(value xce)
-+CAMLprim value stub_eventchn_fd(value xce_val)
- {
--	CAMLparam1(xce);
-+	CAMLparam1(xce_val);
- 	CAMLlocal1(result);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	int fd;
- 
--	fd = xenevtchn_fd(_H(xce));
-+	fd = xenevtchn_fd(xce);
- 	if (fd == -1)
- 		caml_failwith("evtchn fd failed");
- 
-@@ -107,13 +111,14 @@ CAMLprim value stub_eventchn_fd(value xce)
- 	CAMLreturn(result);
- }
- 
--CAMLprim value stub_eventchn_notify(value xce, value port)
-+CAMLprim value stub_eventchn_notify(value xce_val, value port)
- {
--	CAMLparam2(xce, port);
-+	CAMLparam2(xce_val, port);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	int rc;
- 
- 	caml_enter_blocking_section();
--	rc = xenevtchn_notify(_H(xce), Int_val(port));
-+	rc = xenevtchn_notify(xce, Int_val(port));
- 	caml_leave_blocking_section();
- 
- 	if (rc == -1)
-@@ -122,15 +127,16 @@ CAMLprim value stub_eventchn_notify(value xce, value port)
- 	CAMLreturn(Val_unit);
- }
- 
--CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid,
-+CAMLprim value stub_eventchn_bind_interdomain(value xce_val, value domid,
-                                               value remote_port)
- {
--	CAMLparam3(xce, domid, remote_port);
-+	CAMLparam3(xce_val, domid, remote_port);
- 	CAMLlocal1(port);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	xenevtchn_port_or_error_t rc;
- 
- 	caml_enter_blocking_section();
--	rc = xenevtchn_bind_interdomain(_H(xce), Int_val(domid), Int_val(remote_port));
-+	rc = xenevtchn_bind_interdomain(xce, Int_val(domid), Int_val(remote_port));
- 	caml_leave_blocking_section();
- 
- 	if (rc == -1)
-@@ -140,14 +146,15 @@ CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid,
- 	CAMLreturn(port);
- }
- 
--CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type)
-+CAMLprim value stub_eventchn_bind_virq(value xce_val, value virq_type)
- {
--	CAMLparam2(xce, virq_type);
-+	CAMLparam2(xce_val, virq_type);
- 	CAMLlocal1(port);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	xenevtchn_port_or_error_t rc;
- 
- 	caml_enter_blocking_section();
--	rc = xenevtchn_bind_virq(_H(xce), Int_val(virq_type));
-+	rc = xenevtchn_bind_virq(xce, Int_val(virq_type));
- 	caml_leave_blocking_section();
- 
- 	if (rc == -1)
-@@ -157,13 +164,14 @@ CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type)
- 	CAMLreturn(port);
- }
- 
--CAMLprim value stub_eventchn_unbind(value xce, value port)
-+CAMLprim value stub_eventchn_unbind(value xce_val, value port)
- {
--	CAMLparam2(xce, port);
-+	CAMLparam2(xce_val, port);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	int rc;
- 
- 	caml_enter_blocking_section();
--	rc = xenevtchn_unbind(_H(xce), Int_val(port));
-+	rc = xenevtchn_unbind(xce, Int_val(port));
- 	caml_leave_blocking_section();
- 
- 	if (rc == -1)
-@@ -172,14 +180,15 @@ CAMLprim value stub_eventchn_unbind(value xce, value port)
- 	CAMLreturn(Val_unit);
- }
- 
--CAMLprim value stub_eventchn_pending(value xce)
-+CAMLprim value stub_eventchn_pending(value xce_val)
- {
--	CAMLparam1(xce);
-+	CAMLparam1(xce_val);
- 	CAMLlocal1(result);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	xenevtchn_port_or_error_t port;
- 
- 	caml_enter_blocking_section();
--	port = xenevtchn_pending(_H(xce));
-+	port = xenevtchn_pending(xce);
- 	caml_leave_blocking_section();
- 
- 	if (port == -1)
-@@ -189,16 +198,17 @@ CAMLprim value stub_eventchn_pending(value xce)
- 	CAMLreturn(result);
- }
- 
--CAMLprim value stub_eventchn_unmask(value xce, value _port)
-+CAMLprim value stub_eventchn_unmask(value xce_val, value _port)
- {
--	CAMLparam2(xce, _port);
-+	CAMLparam2(xce_val, _port);
-+	xenevtchn_handle *xce = xce_of_val(xce_val);
- 	evtchn_port_t port;
- 	int rc;
- 
- 	port = Int_val(_port);
- 
- 	caml_enter_blocking_section();
--	rc = xenevtchn_unmask(_H(xce), port);
-+	rc = xenevtchn_unmask(xce, port);
- 	caml_leave_blocking_section();
- 
- 	if (rc)
--- 
-2.40.0
-

diff --git a/0041-tools-xenstored-domain_entry_fix-Handle-conflicting-.patch b/0041-tools-xenstored-domain_entry_fix-Handle-conflicting-.patch
new file mode 100644
index 0000000..1edecc8
--- /dev/null
+++ b/0041-tools-xenstored-domain_entry_fix-Handle-conflicting-.patch
@@ -0,0 +1,64 @@
+From c4e05c97f57d236040d1da5c1fbf6e3699dc86ea Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Fri, 22 Sep 2023 11:32:16 +0100
+Subject: [PATCH 41/55] tools/xenstored: domain_entry_fix(): Handle conflicting
+ transaction
+
+The function domain_entry_fix() will be initially called to check if the
+quota is correct before attempt to commit any nodes. So it would be
+possible that accounting is temporarily negative. This is the case
+in the following sequence:
+
+  1) Create 50 nodes
+  2) Start two transactions
+  3) Delete all the nodes in each transaction
+  4) Commit the two transactions
+
+Because the first transaction will have succeed and updated the
+accounting, there is no guarantee that 'd->nbentry + num' will still
+be above 0. So the assert() would be triggered.
+The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
+and fix per domain node accounting") with the assumption that the
+value can't be negative. As this is not true revert to the original
+check but restricted to the path where we don't update. Take the
+opportunity to explain the rationale behind the check.
+
+This CVE-2023-34323 / XSA-440.
+
+Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+---
+ tools/xenstore/xenstored_domain.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
+index aa86892fed..6074df210c 100644
+--- a/tools/xenstore/xenstored_domain.c
++++ b/tools/xenstore/xenstored_domain.c
+@@ -1094,10 +1094,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
+ 	}
+ 
+ 	cnt = d->nbentry + num;
+-	assert(cnt >= 0);
+ 
+-	if (update)
++	if (update) {
++		assert(cnt >= 0);
+ 		d->nbentry = cnt;
++	} else if (cnt < 0) {
++		/*
++		 * In a transaction when a node is being added/removed AND
++		 * the same node has been added/removed outside the
++		 * transaction in parallel, the result value may be negative.
++		 * This is no problem, as the transaction will fail due to
++		 * the resulting conflict. So override 'cnt'.
++		 */
++		cnt = 0;
++	}
+ 
+ 	return domid_is_unprivileged(domid) ? cnt : 0;
+ }
+-- 
+2.42.0
+

diff --git a/0042-iommu-amd-vi-flush-IOMMU-TLB-when-flushing-the-DTE.patch b/0042-iommu-amd-vi-flush-IOMMU-TLB-when-flushing-the-DTE.patch
new file mode 100644
index 0000000..66597c2
--- /dev/null
+++ b/0042-iommu-amd-vi-flush-IOMMU-TLB-when-flushing-the-DTE.patch
@@ -0,0 +1,186 @@
+From 0d8f9f7f2706e8ad8dfff203173693b631339b86 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Tue, 13 Jun 2023 15:01:05 +0200
+Subject: [PATCH 42/55] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
+3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
+malfunction (see stale DMA mappings) if some fields of the DTE are updated but
+the IOMMU TLB is not flushed. This has been observed in practice on AMD
+systems.  Due to the lack of guidance from the currently published
+specification this patch aims to increase the flushing done in order to prevent
+device malfunction.
+
+In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
+amd_iommu_flush_device(), flushing all the address space.  Note this requires
+callers to be adjusted in order to pass the DomID on the DTE previous to the
+modification.
+
+Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
+order to avoid the flush.  That's because the device had address translations
+disabled and hence the previous DomID on the DTE is not valid.  Note the
+current logic relies on the entity disabling address translations to also flush
+the TLB of the in use DomID.
+
+Device I/O TLB flushing when ATS are enabled is not covered by the current
+change, as ATS usage is not security supported.
+
+This is XSA-442 / CVE-2023-34326
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 5fc98b97084a46884acef9320e643faf40d42212)
+---
+ xen/drivers/passthrough/amd/iommu.h         |  3 ++-
+ xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
+ xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
+ xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
+ xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
+ 5 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
+index 5429ada58e..a58be28bf9 100644
+--- a/xen/drivers/passthrough/amd/iommu.h
++++ b/xen/drivers/passthrough/amd/iommu.h
+@@ -283,7 +283,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
+                            unsigned int order);
+ void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
+                            uint64_t gaddr, unsigned int order);
+-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
++void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
++                            domid_t domid);
+ void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
+ void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
+ 
+diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
+index 40ddf366bb..cb28b36abc 100644
+--- a/xen/drivers/passthrough/amd/iommu_cmd.c
++++ b/xen/drivers/passthrough/amd/iommu_cmd.c
+@@ -363,10 +363,18 @@ void amd_iommu_flush_pages(struct domain *d,
+     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
+ }
+ 
+-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
++void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
++                            domid_t domid)
+ {
+     invalidate_dev_table_entry(iommu, bdf);
+     flush_command_buffer(iommu, 0);
++
++    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
++    if ( domid != DOMID_INVALID )
++    {
++        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
++        flush_command_buffer(iommu, 0);
++    }
+ }
+ 
+ void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
+diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
+index 80a331f546..be86bce6fb 100644
+--- a/xen/drivers/passthrough/amd/iommu_guest.c
++++ b/xen/drivers/passthrough/amd/iommu_guest.c
+@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
+ 
+ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
+ {
+-    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
++    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
+     struct amd_iommu_dte *gdte, *mdte, *dte_base;
+     struct amd_iommu *iommu = NULL;
+     struct guest_iommu *g_iommu;
+@@ -445,13 +445,14 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
+     req_id = get_dma_requestor_id(iommu->seg, mbdf);
+     dte_base = iommu->dev_table.buffer;
+     mdte = &dte_base[req_id];
++    prev_domid = mdte->domain_id;
+ 
+     spin_lock_irqsave(&iommu->lock, flags);
+     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
+ 
+     spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+-    amd_iommu_flush_device(iommu, req_id);
++    amd_iommu_flush_device(iommu, req_id, prev_domid);
+ 
+     return 0;
+ }
+diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
+index 166570648d..101a60ce17 100644
+--- a/xen/drivers/passthrough/amd/iommu_init.c
++++ b/xen/drivers/passthrough/amd/iommu_init.c
+@@ -1547,7 +1547,11 @@ static int cf_check _invalidate_all_devices(
+         req_id = ivrs_mappings[bdf].dte_requestor_id;
+         if ( iommu )
+         {
+-            amd_iommu_flush_device(iommu, req_id);
++            /*
++             * IOMMU TLB flush performed separately (see
++             * invalidate_all_domain_pages()).
++             */
++            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
+             amd_iommu_flush_intremap(iommu, req_id);
+         }
+     }
+diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
+index 94e3775506..8641b84712 100644
+--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
++++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
+@@ -192,10 +192,13 @@ static int __must_check amd_iommu_setup_domain_device(
+ 
+         spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+-        amd_iommu_flush_device(iommu, req_id);
++        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
++        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
+     }
+     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
+     {
++        domid_t prev_domid = dte->domain_id;
++
+         /*
+          * Strictly speaking if the device is the only one with this requestor
+          * ID, it could be allowed to be re-assigned regardless of unity map
+@@ -252,7 +255,7 @@ static int __must_check amd_iommu_setup_domain_device(
+ 
+         spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+-        amd_iommu_flush_device(iommu, req_id);
++        amd_iommu_flush_device(iommu, req_id, prev_domid);
+     }
+     else
+         spin_unlock_irqrestore(&iommu->lock, flags);
+@@ -421,6 +424,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
+     spin_lock_irqsave(&iommu->lock, flags);
+     if ( dte->tv || dte->v )
+     {
++        domid_t prev_domid = dte->domain_id;
++
+         /* See the comment in amd_iommu_setup_device_table(). */
+         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
+         smp_wmb();
+@@ -439,7 +444,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
+ 
+         spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+-        amd_iommu_flush_device(iommu, req_id);
++        amd_iommu_flush_device(iommu, req_id, prev_domid);
+ 
+         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
+                         "domain = %d, paging mode = %d\n",
+@@ -610,7 +615,8 @@ static int cf_check amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
+ 
+         spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+-        amd_iommu_flush_device(iommu, bdf);
++        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
++        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
+     }
+ 
+     if ( amd_iommu_reserve_domain_unity_map(
+-- 
+2.42.0
+

diff --git a/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch b/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch
deleted file mode 100644
index ac3e86d..0000000
--- a/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From afdcc108566e5a4ee352b6427c98ebad6885a81d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
-Date: Thu, 12 Jan 2023 11:38:38 +0000
-Subject: [PATCH 42/89] tools/ocaml/xc: Fix binding for
- xc_domain_assign_device()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The patch adding this binding was plain broken, and unreviewed.  It modified
-the C stub to add a 4th parameter without an equivalent adjustment in the
-Ocaml side of the bindings.
-
-In 64bit builds, this causes us to dereference whatever dead value is in %rcx
-when trying to interpret the rflags parameter.
-
-This has gone unnoticed because Xapi doesn't use this binding (it has its
-own), but unbreak the binding by passing RDM_RELAXED unconditionally for
-now (matching the libxl default behaviour).
-
-Fixes: 9b34056cb4 ("tools: extend xc_assign_device() to support rdm reservation policy")
-Signed-off-by: Edwin Török <edwin.torok@cloud.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 4250683842104f02996428f93927a035c8e19266)
----
- tools/ocaml/libs/xc/xenctrl_stubs.c | 17 +++++------------
- 1 file changed, 5 insertions(+), 12 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index e25367531b..f376d94334 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -1139,17 +1139,12 @@ CAMLprim value stub_xc_domain_test_assign_device(value xch, value domid, value d
- 	CAMLreturn(Val_bool(ret == 0));
- }
- 
--static int domain_assign_device_rdm_flag_table[] = {
--    XEN_DOMCTL_DEV_RDM_RELAXED,
--};
--
--CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc,
--                                            value rflag)
-+CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc)
- {
--	CAMLparam4(xch, domid, desc, rflag);
-+	CAMLparam3(xch, domid, desc);
- 	int ret;
- 	int domain, bus, dev, func;
--	uint32_t sbdf, flag;
-+	uint32_t sbdf;
- 
- 	domain = Int_val(Field(desc, 0));
- 	bus = Int_val(Field(desc, 1));
-@@ -1157,10 +1152,8 @@ CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc,
- 	func = Int_val(Field(desc, 3));
- 	sbdf = encode_sbdf(domain, bus, dev, func);
- 
--	ret = Int_val(Field(rflag, 0));
--	flag = domain_assign_device_rdm_flag_table[ret];
--
--	ret = xc_assign_device(_H(xch), _D(domid), sbdf, flag);
-+	ret = xc_assign_device(_H(xch), _D(domid), sbdf,
-+			       XEN_DOMCTL_DEV_RDM_RELAXED);
- 
- 	if (ret < 0)
- 		failwith_xc(_H(xch));
--- 
-2.40.0
-

diff --git a/0043-libfsimage-xfs-Remove-dead-code.patch b/0043-libfsimage-xfs-Remove-dead-code.patch
new file mode 100644
index 0000000..cbb9ad4
--- /dev/null
+++ b/0043-libfsimage-xfs-Remove-dead-code.patch
@@ -0,0 +1,71 @@
+From d665c6690eb3c2c86cb2c7dac09804211481f926 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Thu, 14 Sep 2023 13:22:50 +0100
+Subject: [PATCH 43/55] libfsimage/xfs: Remove dead code
+
+xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
+that serve no purpose.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 37fc1e6c1c5c63aafd9cfd76a37728d5baea7d71)
+---
+ tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
+index d735a88e55..2800699f59 100644
+--- a/tools/libfsimage/xfs/fsys_xfs.c
++++ b/tools/libfsimage/xfs/fsys_xfs.c
+@@ -37,7 +37,6 @@ struct xfs_info {
+ 	int blklog;
+ 	int inopblog;
+ 	int agblklog;
+-	int agnolog;
+ 	unsigned int nextents;
+ 	xfs_daddr_t next;
+ 	xfs_daddr_t daddr;
+@@ -65,9 +64,7 @@ static struct xfs_info xfs;
+ 
+ #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
+ #define	XFS_INO_OFFSET_BITS	xfs.inopblog
+-#define	XFS_INO_AGBNO_BITS	xfs.agblklog
+ #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
+-#define	XFS_INO_AGNO_BITS	xfs.agnolog
+ 
+ static inline xfs_agblock_t
+ agino2agbno (xfs_agino_t agino)
+@@ -149,20 +146,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
+ 	return le32(r->l3) & mask32lo(21);
+ }
+ 
+-static inline int
+-xfs_highbit32(xfs_uint32_t v)
+-{
+-	int i;
+-
+-	if (--v) {
+-		for (i = 0; i < 31; i++, v >>= 1) {
+-			if (v == 0)
+-				return i;
+-		}
+-	}
+-	return 0;
+-}
+-
+ static int
+ isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
+ {
+@@ -472,7 +455,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
+ 
+ 	xfs.inopblog = super.sb_inopblog;
+ 	xfs.agblklog = super.sb_agblklog;
+-	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
+ 
+ 	xfs.btnode_ptr0_off =
+ 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
+-- 
+2.42.0
+

diff --git a/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch b/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch
deleted file mode 100644
index b7fec46..0000000
--- a/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From bf935b1ff7cc76b2d25f877e56a359afaafcac1f Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 31 Jan 2023 17:19:30 +0000
-Subject: [PATCH 43/89] tools/ocaml/xc: Don't reference Abstract_Tag objects
- with the GC lock released
-
-The intf->{addr,len} references in the xc_map_foreign_range() call are unsafe.
-From the manual:
-
-  https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code
-
-"After caml_release_runtime_system() was called and until
-caml_acquire_runtime_system() is called, the C code must not access any OCaml
-data, nor call any function of the run-time system, nor call back into OCaml
-code."
-
-More than what the manual says, the intf pointer is (potentially) invalidated
-by caml_enter_blocking_section() if another thread happens to perform garbage
-collection at just the right (wrong) moment.
-
-Rewrite the logic.  There's no need to stash data in the Ocaml object until
-the success path at the very end.
-
-Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit 9e7c74e6f9fd2e44df1212643b80af9032b45b07)
----
- tools/ocaml/libs/xc/xenctrl_stubs.c | 23 +++++++++++------------
- 1 file changed, 11 insertions(+), 12 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index f376d94334..facb561577 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -953,26 +953,25 @@ CAMLprim value stub_map_foreign_range(value xch, value dom,
- 	CAMLparam4(xch, dom, size, mfn);
- 	CAMLlocal1(result);
- 	struct mmap_interface *intf;
--	uint32_t c_dom;
--	unsigned long c_mfn;
-+	unsigned long c_mfn = Nativeint_val(mfn);
-+	int len = Int_val(size);
-+	void *ptr;
- 
- 	BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0);
- 	result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)),
- 			    Abstract_tag);
- 
--	intf = (struct mmap_interface *) result;
--
--	intf->len = Int_val(size);
--
--	c_dom = _D(dom);
--	c_mfn = Nativeint_val(mfn);
- 	caml_enter_blocking_section();
--	intf->addr = xc_map_foreign_range(_H(xch), c_dom,
--	                                  intf->len, PROT_READ|PROT_WRITE,
--	                                  c_mfn);
-+	ptr = xc_map_foreign_range(_H(xch), _D(dom), len,
-+				   PROT_READ|PROT_WRITE, c_mfn);
- 	caml_leave_blocking_section();
--	if (!intf->addr)
-+
-+	if (!ptr)
- 		caml_failwith("xc_map_foreign_range error");
-+
-+	intf = Data_abstract_val(result);
-+	*intf = (struct mmap_interface){ ptr, len };
-+
- 	CAMLreturn(result);
- }
- 
--- 
-2.40.0
-

diff --git a/0044-libfsimage-xfs-Amend-mask32lo-to-allow-the-value-32.patch b/0044-libfsimage-xfs-Amend-mask32lo-to-allow-the-value-32.patch
new file mode 100644
index 0000000..880ff83
--- /dev/null
+++ b/0044-libfsimage-xfs-Amend-mask32lo-to-allow-the-value-32.patch
@@ -0,0 +1,33 @@
+From f1cd620cc3572c858e276463e05f695d949362c5 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Thu, 14 Sep 2023 13:22:51 +0100
+Subject: [PATCH 44/55] libfsimage/xfs: Amend mask32lo() to allow the value 32
+
+agblklog could plausibly be 32, but that would overflow this shift.
+Perform the shift as ULL and cast to u32 at the end instead.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit ddc45e4eea946bb373a4b4a60c84bf9339cf413b)
+---
+ tools/libfsimage/xfs/fsys_xfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
+index 2800699f59..4720bb4505 100644
+--- a/tools/libfsimage/xfs/fsys_xfs.c
++++ b/tools/libfsimage/xfs/fsys_xfs.c
+@@ -60,7 +60,7 @@ static struct xfs_info xfs;
+ #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
+ #define icore		(inode->di_core)
+ 
+-#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
++#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
+ 
+ #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
+ #define	XFS_INO_OFFSET_BITS	xfs.inopblog
+-- 
+2.42.0
+

diff --git a/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch b/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch
deleted file mode 100644
index 8876ab7..0000000
--- a/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 587823eca162d063027faf1826ec3544f0a06e78 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 1 Feb 2023 11:27:42 +0000
-Subject: [PATCH 44/89] tools/ocaml/libs: Fix memory/resource leaks with
- caml_alloc_custom()
-
-All caml_alloc_*() functions can throw exceptions, and longjump out of
-context.  If this happens, we leak the xch/xce handle.
-
-Reorder the logic to allocate the the Ocaml object first.
-
-Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free")
-Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Christian Lindig <christian.lindig@citrix.com>
-(cherry picked from commit d69ccf52ad467ccc22029172a8e61dc621187889)
----
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index d7881ca95f..de2fc29292 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -63,6 +63,8 @@ CAMLprim value stub_eventchn_init(value cloexec)
- 	if ( !Bool_val(cloexec) )
- 		flags |= XENEVTCHN_NO_CLOEXEC;
- 
-+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-+
- 	caml_enter_blocking_section();
- 	xce = xenevtchn_open(NULL, flags);
- 	caml_leave_blocking_section();
-@@ -70,7 +72,6 @@ CAMLprim value stub_eventchn_init(value cloexec)
- 	if (xce == NULL)
- 		caml_failwith("open failed");
- 
--	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
- 	*(xenevtchn_handle **)Data_custom_val(result) = xce;
- 
- 	CAMLreturn(result);
-@@ -82,6 +83,8 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
- 	CAMLlocal1(result);
- 	xenevtchn_handle *xce;
- 
-+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-+
- 	caml_enter_blocking_section();
- 	xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0);
- 	caml_leave_blocking_section();
-@@ -89,7 +92,6 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
- 	if (xce == NULL)
- 		caml_failwith("evtchn fdopen failed");
- 
--	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
- 	*(xenevtchn_handle **)Data_custom_val(result) = xce;
- 
- 	CAMLreturn(result);
--- 
-2.40.0
-

diff --git a/0045-libfsimage-xfs-Sanity-check-the-superblock-during-mo.patch b/0045-libfsimage-xfs-Sanity-check-the-superblock-during-mo.patch
new file mode 100644
index 0000000..01ae52a
--- /dev/null
+++ b/0045-libfsimage-xfs-Sanity-check-the-superblock-during-mo.patch
@@ -0,0 +1,137 @@
+From 78143c5336c8316bcc648e964d65a07f216cf77f Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Thu, 14 Sep 2023 13:22:52 +0100
+Subject: [PATCH 45/55] libfsimage/xfs: Sanity-check the superblock during
+ mounts
+
+Sanity-check the XFS superblock for wellformedness at the mount handler.
+This forces pygrub to abort parsing a potentially malformed filesystem and
+ensures the invariants assumed throughout the rest of the code hold.
+
+Also, derive parameters from previously sanitized parameters where possible
+(rather than reading them off the superblock)
+
+The code doesn't try to avoid overflowing the end of the disk, because
+that's an unlikely and benign error. Parameters used in calculations of
+xfs_daddr_t (like the root inode index) aren't in critical need of being
+sanitized.
+
+The sanitization of agblklog is basically checking that no obvious
+overflows happen on agblklog, and then ensuring agblocks is contained in
+the range (2^(sb_agblklog-1), 2^sb_agblklog].
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 620500dd1baf33347dfde5e7fde7cf7fe347da5c)
+---
+ tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++-------
+ tools/libfsimage/xfs/xfs.h      | 12 +++++++++
+ 2 files changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
+index 4720bb4505..e4eb7e1ee2 100644
+--- a/tools/libfsimage/xfs/fsys_xfs.c
++++ b/tools/libfsimage/xfs/fsys_xfs.c
+@@ -17,6 +17,7 @@
+  *  along with this program; If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
++#include <stdbool.h>
+ #include <xenfsimage_grub.h>
+ #include "xfs.h"
+ 
+@@ -433,29 +434,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
+ 	return next_dentry (ffi, ino);
+ }
+ 
++static bool
++xfs_sb_is_invalid (const xfs_sb_t *super)
++{
++	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
++	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
++	        XFS_SB_VERSION_4)
++	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
++	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
++	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
++	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
++	    || (super->sb_blocklog < super->sb_inodelog)
++	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
++	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
++	    || (((1ull << super->sb_agblklog) >> 1) >=
++	        le32(super->sb_agblocks))
++	    || ((super->sb_blocklog + super->sb_dirblklog) >=
++	        XFS_SB_DIRBLK_NUMBITS);
++}
++
+ static int
+ xfs_mount (fsi_file_t *ffi, const char *options)
+ {
+ 	xfs_sb_t super;
+ 
+ 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
+-	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
+-	    || ((le16(super.sb_versionnum) 
+-		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
++	    || xfs_sb_is_invalid(&super)) {
+ 		return 0;
+ 	}
+ 
+-	xfs.bsize = le32 (super.sb_blocksize);
+-	xfs.blklog = super.sb_blocklog;
+-	xfs.bdlog = xfs.blklog - SECTOR_BITS;
++	/*
++	 * Not sanitized. It's exclusively used to generate disk addresses,
++	 * so it's not important from a security standpoint.
++	 */
+ 	xfs.rootino = le64 (super.sb_rootino);
+-	xfs.isize = le16 (super.sb_inodesize);
+-	xfs.agblocks = le32 (super.sb_agblocks);
+-	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
+ 
+-	xfs.inopblog = super.sb_inopblog;
++	/*
++	 * Sanitized to be consistent with each other, only used to
++	 * generate disk addresses, so it's safe
++	 */
++	xfs.agblocks = le32 (super.sb_agblocks);
+ 	xfs.agblklog = super.sb_agblklog;
+ 
++	/* Derived from sanitized parameters */
++	xfs.bsize = 1 << super.sb_blocklog;
++	xfs.blklog = super.sb_blocklog;
++	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
++	xfs.isize = 1 << super.sb_inodelog;
++	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
++	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
++
+ 	xfs.btnode_ptr0_off =
+ 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
+ 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
+diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
+index 40699281e4..b87e37d3d7 100644
+--- a/tools/libfsimage/xfs/xfs.h
++++ b/tools/libfsimage/xfs/xfs.h
+@@ -134,6 +134,18 @@ typedef struct xfs_sb
+         xfs_uint8_t       sb_dummy[7];    /* padding */
+ } xfs_sb_t;
+ 
++/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
++#define	XFS_SB_DIRBLK_NUMBITS	27
++/* Implied by the XFS specification. The minimum block size is 512 octets */
++#define	XFS_SB_BLOCKLOG_MIN	9
++/* Implied by the XFS specification. The maximum block size is 65536 octets */
++#define	XFS_SB_BLOCKLOG_MAX	16
++/* Implied by the XFS specification. The minimum inode size is 256 octets */
++#define	XFS_SB_INODELOG_MIN	8
++/* Implied by the XFS specification. The maximum inode size is 2048 octets */
++#define	XFS_SB_INODELOG_MAX	11
++/* High bound for sb_agblklog */
++#define	XFS_SB_AGBLKLOG_MAX	32
+ 
+ /* those are from xfs_btree.h */
+ 
+-- 
+2.42.0
+

diff --git a/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch b/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch
deleted file mode 100644
index 1720bdd..0000000
--- a/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 3685e754e6017c616769b28133286d06bf07b613 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 8 Sep 2022 21:27:58 +0100
-Subject: [PATCH 45/89] x86/spec-ctrl: Mitigate Cross-Thread Return Address
- Predictions
-
-This is XSA-426 / CVE-2022-27672
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit 63305e5392ec2d17b85e7996a97462744425db80)
----
- docs/misc/xen-command-line.pandoc      |  2 +-
- xen/arch/x86/include/asm/cpufeatures.h |  3 ++-
- xen/arch/x86/include/asm/spec_ctrl.h   | 15 +++++++++++++
- xen/arch/x86/spec_ctrl.c               | 31 +++++++++++++++++++++++---
- 4 files changed, 46 insertions(+), 5 deletions(-)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 424b12cfb2..e7fe8b0cc9 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -2343,7 +2343,7 @@ guests to use.
-   on entry and exit.  These blocks are necessary to virtualise support for
-   guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
- * `rsb=` offers control over whether to overwrite the Return Stack Buffer /
--  Return Address Stack on entry to Xen.
-+  Return Address Stack on entry to Xen and on idle.
- * `md-clear=` offers control over whether to use VERW to flush
-   microarchitectural buffers on idle and exit from Xen.  *Note: For
-   compatibility with development versions of this fix, `mds=` is also accepted
-diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
-index 865f110986..da0593de85 100644
---- a/xen/arch/x86/include/asm/cpufeatures.h
-+++ b/xen/arch/x86/include/asm/cpufeatures.h
-@@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM,        X86_SYNTH(19)) /* RSB overwrite needed for HVM
- XEN_CPUFEATURE(XEN_SELFSNOOP,     X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */
- XEN_CPUFEATURE(SC_MSR_IDLE,       X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */
- XEN_CPUFEATURE(XEN_LBR,           X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
--/* Bits 23,24 unused. */
-+/* Bits 23 unused. */
-+XEN_CPUFEATURE(SC_RSB_IDLE,       X86_SYNTH(24)) /* RSB overwrite needed for idle. */
- XEN_CPUFEATURE(SC_VERW_IDLE,      X86_SYNTH(25)) /* VERW used by Xen for idle */
- XEN_CPUFEATURE(XEN_SHSTK,         X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
- XEN_CPUFEATURE(XEN_IBT,           X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */
-diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
-index 6a77c39378..391973ef6a 100644
---- a/xen/arch/x86/include/asm/spec_ctrl.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl.h
-@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
-      */
-     alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE,
-                       [sel] "m" (info->verw_sel));
-+
-+    /*
-+     * Cross-Thread Return Address Predictions:
-+     *
-+     * On vulnerable systems, the return predictions (RSB/RAS) are statically
-+     * partitioned between active threads.  When entering idle, our entries
-+     * are re-partitioned to allow the other threads to use them.
-+     *
-+     * In some cases, we might still have guest entries in the RAS, so flush
-+     * them before injecting them sideways to our sibling thread.
-+     *
-+     * (ab)use alternative_input() to specify clobbers.
-+     */
-+    alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
-+                      : "rax", "rcx");
- }
- 
- /* WARNING! `ret`, `call *`, `jmp *` not safe before this call. */
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index a320b81947..e80e2a5ed1 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -1327,13 +1327,38 @@ void __init init_speculation_mitigations(void)
-      * 3) Some CPUs have RSBs which are not full width, which allow the
-      *    attacker's entries to alias Xen addresses.
-      *
-+     * 4) Some CPUs have RSBs which are re-partitioned based on thread
-+     *    idleness, which allows an attacker to inject entries into the other
-+     *    thread.  We still active the optimisation in this case, and mitigate
-+     *    in the idle path which has lower overhead.
-+     *
-      * It is safe to turn off RSB stuffing when Xen is using SMEP itself, and
-      * 32bit PV guests are disabled, and when the RSB is full width.
-      */
-     BUILD_BUG_ON(RO_MPT_VIRT_START != PML4_ADDR(256));
--    if ( opt_rsb_pv == -1 && boot_cpu_has(X86_FEATURE_XEN_SMEP) &&
--         !opt_pv32 && rsb_is_full_width() )
--        opt_rsb_pv = 0;
-+    if ( opt_rsb_pv == -1 )
-+    {
-+        opt_rsb_pv = (opt_pv32 || !boot_cpu_has(X86_FEATURE_XEN_SMEP) ||
-+                      !rsb_is_full_width());
-+
-+        /*
-+         * Cross-Thread Return Address Predictions.
-+         *
-+         * Vulnerable systems are Zen1/Zen2 uarch, which is AMD Fam17 / Hygon
-+         * Fam18, when SMT is active.
-+         *
-+         * To mitigate, we must flush the RSB/RAS/RAP once between entering
-+         * Xen and going idle.
-+         *
-+         * Most cases flush on entry to Xen anyway.  The one case where we
-+         * don't is when using the SMEP optimisation for PV guests.  Flushing
-+         * before going idle is less overhead than flushing on PV entry.
-+         */
-+        if ( !opt_rsb_pv && hw_smt_enabled &&
-+             (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD|X86_VENDOR_HYGON)) &&
-+             (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) )
-+            setup_force_cpu_cap(X86_FEATURE_SC_RSB_IDLE);
-+    }
- 
-     if ( opt_rsb_pv )
-     {
--- 
-2.40.0
-

diff --git a/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch b/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch
deleted file mode 100644
index 6fc3323..0000000
--- a/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From aaf74a532c02017998492c0bf60a9c6be3332f20 Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Tue, 21 Feb 2023 16:55:38 +0000
-Subject: [PATCH 46/89] automation: Remove clang-8 from Debian unstable
- container
-
-First, apt complain that it isn't the right way to add keys anymore,
-but hopefully that's just a warning.
-
-Second, we can't install clang-8:
-The following packages have unmet dependencies:
- clang-8 : Depends: libstdc++-8-dev but it is not installable
-           Depends: libgcc-8-dev but it is not installable
-           Depends: libobjc-8-dev but it is not installable
-           Recommends: llvm-8-dev but it is not going to be installed
-           Recommends: libomp-8-dev but it is not going to be installed
- libllvm8 : Depends: libffi7 (>= 3.3~20180313) but it is not installable
-E: Unable to correct problems, you have held broken packages.
-
-clang on Debian unstable is now version 14.0.6.
-
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-(cherry picked from commit a6b1e2b80fe2053b1c9c9843fb086a668513ea36)
----
- automation/build/debian/unstable-llvm-8.list |  3 ---
- automation/build/debian/unstable.dockerfile  | 12 ------------
- automation/gitlab-ci/build.yaml              | 10 ----------
- 3 files changed, 25 deletions(-)
- delete mode 100644 automation/build/debian/unstable-llvm-8.list
-
-diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list
-deleted file mode 100644
-index dc119fa0b4..0000000000
---- a/automation/build/debian/unstable-llvm-8.list
-+++ /dev/null
-@@ -1,3 +0,0 @@
--# Unstable LLVM 8 repos
--deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main
--deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main
-diff --git a/automation/build/debian/unstable.dockerfile b/automation/build/debian/unstable.dockerfile
-index 9de766d596..b560337b7a 100644
---- a/automation/build/debian/unstable.dockerfile
-+++ b/automation/build/debian/unstable.dockerfile
-@@ -51,15 +51,3 @@ RUN apt-get update && \
-         apt-get autoremove -y && \
-         apt-get clean && \
-         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
--
--RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add -
--COPY unstable-llvm-8.list /etc/apt/sources.list.d/
--
--RUN apt-get update && \
--    apt-get --quiet --yes install \
--        clang-8 \
--        lld-8 \
--        && \
--        apt-get autoremove -y && \
--        apt-get clean && \
--        rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
-index 716ee0b1e4..bed161b471 100644
---- a/automation/gitlab-ci/build.yaml
-+++ b/automation/gitlab-ci/build.yaml
-@@ -312,16 +312,6 @@ debian-unstable-clang-debug:
-   variables:
-     CONTAINER: debian:unstable
- 
--debian-unstable-clang-8:
--  extends: .clang-8-x86-64-build
--  variables:
--    CONTAINER: debian:unstable
--
--debian-unstable-clang-8-debug:
--  extends: .clang-8-x86-64-build-debug
--  variables:
--    CONTAINER: debian:unstable
--
- debian-unstable-gcc:
-   extends: .gcc-x86-64-build
-   variables:
--- 
-2.40.0
-

diff --git a/0046-libfsimage-xfs-Add-compile-time-check-to-libfsimage.patch b/0046-libfsimage-xfs-Add-compile-time-check-to-libfsimage.patch
new file mode 100644
index 0000000..0c32745
--- /dev/null
+++ b/0046-libfsimage-xfs-Add-compile-time-check-to-libfsimage.patch
@@ -0,0 +1,62 @@
+From eb4efdac4cc7121f832ee156f39761312878f3a5 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Thu, 14 Sep 2023 13:22:53 +0100
+Subject: [PATCH 46/55] libfsimage/xfs: Add compile-time check to libfsimage
+
+Adds the common tools include folder to the -I compile flags
+of libfsimage. This allows us to use:
+  xen-tools/common-macros.h:BUILD_BUG_ON()
+
+With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
+underflow.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 7d85c70431593550e32022e3a19a37f306f49e00)
+---
+ tools/libfsimage/common.mk      | 2 +-
+ tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libfsimage/common.mk b/tools/libfsimage/common.mk
+index 4fc8c66795..e4336837d0 100644
+--- a/tools/libfsimage/common.mk
++++ b/tools/libfsimage/common.mk
+@@ -1,7 +1,7 @@
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+ FSDIR := $(libdir)/xenfsimage
+-CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
++CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
+ CFLAGS += -D_GNU_SOURCE
+ LDFLAGS += -L../common/
+ 
+diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
+index e4eb7e1ee2..4a8dd6f239 100644
+--- a/tools/libfsimage/xfs/fsys_xfs.c
++++ b/tools/libfsimage/xfs/fsys_xfs.c
+@@ -19,6 +19,7 @@
+ 
+ #include <stdbool.h>
+ #include <xenfsimage_grub.h>
++#include <xen-tools/libs.h>
+ #include "xfs.h"
+ 
+ #define MAX_LINK_COUNT	8
+@@ -477,9 +478,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
+ 	xfs.agblklog = super.sb_agblklog;
+ 
+ 	/* Derived from sanitized parameters */
++	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
++	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+ 	xfs.bsize = 1 << super.sb_blocklog;
+ 	xfs.blklog = super.sb_blocklog;
+-	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+ 	xfs.isize = 1 << super.sb_inodelog;
+ 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
+ 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
+-- 
+2.42.0
+

diff --git a/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch b/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch
deleted file mode 100644
index f3e6d36..0000000
--- a/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From c622b8ace93cc38c73f47f5044dc3663ef93f815 Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Fri, 3 Mar 2023 07:55:24 +0100
-Subject: [PATCH 47/89] libs/util: Fix parallel build between flex/bison and CC
- rules
-
-flex/bison generate two targets, and when those targets are
-prerequisite of other rules they are considered independently by make.
-
-We can have a situation where the .c file is out-of-date but not the
-.h, git checkout for example. In this case, if a rule only have the .h
-file as prerequiste, make will procced and start to build the object.
-In parallel, another target can have the .c file as prerequisite and
-make will find out it need re-generating and do so, changing the .h at
-the same time. This parallel task breaks the first one.
-
-To avoid this scenario, we put both the header and the source as
-prerequisite for all object even if they only need the header.
-
-Reported-by: Andrew Cooper <Andrew.Cooper3@citrix.com>
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: bf652a50fb3bb3b1b3d93db6fb79bc28f978fe75
-master date: 2023-02-09 18:26:17 +0000
----
- tools/libs/util/Makefile | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/tools/libs/util/Makefile b/tools/libs/util/Makefile
-index 493d2e00be..fee4ea0dc7 100644
---- a/tools/libs/util/Makefile
-+++ b/tools/libs/util/Makefile
-@@ -40,6 +40,14 @@ include $(XEN_ROOT)/tools/libs/libs.mk
- 
- $(OBJS-y) $(PIC_OBJS): $(AUTOINCS)
- 
-+# Adding the .c conterparts of the headers generated by flex/bison as
-+# prerequisite of all objects.
-+# This is to tell make that if only the .c file is out-of-date but not the
-+# header, it should still wait for the .c file to be rebuilt.
-+# Otherwise, make doesn't considered "%.c %.h" as grouped targets, and will run
-+# the flex/bison rules in parallel of CC rules which only need the header.
-+$(OBJS-y) $(PIC_OBJS): libxlu_cfg_l.c libxlu_cfg_y.c libxlu_disk_l.c
-+
- %.c %.h:: %.y
- 	@rm -f $*.[ch]
- 	$(BISON) --output=$*.c $<
--- 
-2.40.0
-

diff --git a/0047-tools-pygrub-Remove-unnecessary-hypercall.patch b/0047-tools-pygrub-Remove-unnecessary-hypercall.patch
new file mode 100644
index 0000000..6bdd9bb
--- /dev/null
+++ b/0047-tools-pygrub-Remove-unnecessary-hypercall.patch
@@ -0,0 +1,60 @@
+From 8a584126eae53a44cefb0acdbca201233a557fa5 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Mon, 25 Sep 2023 18:32:21 +0100
+Subject: [PATCH 47/55] tools/pygrub: Remove unnecessary hypercall
+
+There's a hypercall being issued in order to determine whether PV64 is
+supported, but since Xen 4.3 that's strictly true so it's not required.
+
+Plus, this way we can avoid mapping the privcmd interface altogether in the
+depriv pygrub.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit f4b504c6170c446e61055cbd388ae4e832a9deca)
+---
+ tools/pygrub/src/pygrub | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
+index ce7ab0eb8c..ce4e07d3e8 100755
+--- a/tools/pygrub/src/pygrub
++++ b/tools/pygrub/src/pygrub
+@@ -18,7 +18,6 @@ import os, sys, string, struct, tempfile, re, traceback, stat, errno
+ import copy
+ import logging
+ import platform
+-import xen.lowlevel.xc
+ 
+ import curses, _curses, curses.textpad, curses.ascii
+ import getopt
+@@ -668,14 +667,6 @@ def run_grub(file, entry, fs, cfg_args):
+ 
+     return grubcfg
+ 
+-def supports64bitPVguest():
+-    xc = xen.lowlevel.xc.xc()
+-    caps = xc.xeninfo()['xen_caps'].split(" ")
+-    for cap in caps:
+-        if cap == "xen-3.0-x86_64":
+-            return True
+-    return False
+-
+ # If nothing has been specified, look for a Solaris domU. If found, perform the
+ # necessary tweaks.
+ def sniff_solaris(fs, cfg):
+@@ -684,8 +675,7 @@ def sniff_solaris(fs, cfg):
+         return cfg
+ 
+     if not cfg["kernel"]:
+-        if supports64bitPVguest() and \
+-          fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
++        if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
+             cfg["kernel"] = "/platform/i86xpv/kernel/amd64/unix"
+             cfg["ramdisk"] = "/platform/i86pc/amd64/boot_archive"
+         elif fs.file_exists("/platform/i86xpv/kernel/unix"):
+-- 
+2.42.0
+

diff --git a/0048-tools-pygrub-Small-refactors.patch b/0048-tools-pygrub-Small-refactors.patch
new file mode 100644
index 0000000..55b238c
--- /dev/null
+++ b/0048-tools-pygrub-Small-refactors.patch
@@ -0,0 +1,65 @@
+From e7059f16f7c2b99fea30b9671fec74c0375eee8f Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Mon, 25 Sep 2023 18:32:22 +0100
+Subject: [PATCH 48/55] tools/pygrub: Small refactors
+
+Small tidy up to ensure output_directory always has a trailing '/' to ease
+concatenating paths and that `output` can only be a filename or None.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+(cherry picked from commit 9f2ff9a7c9b3ac734ae99f17f0134ed0343dcccf)
+---
+ tools/pygrub/src/pygrub | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
+index ce4e07d3e8..1042c05b86 100755
+--- a/tools/pygrub/src/pygrub
++++ b/tools/pygrub/src/pygrub
+@@ -793,7 +793,7 @@ if __name__ == "__main__":
+     debug = False
+     not_really = False
+     output_format = "sxp"
+-    output_directory = "/var/run/xen/pygrub"
++    output_directory = "/var/run/xen/pygrub/"
+ 
+     # what was passed in
+     incfg = { "kernel": None, "ramdisk": None, "args": "" }
+@@ -815,7 +815,8 @@ if __name__ == "__main__":
+             usage()
+             sys.exit()
+         elif o in ("--output",):
+-            output = a
++            if a != "-":
++                output = a
+         elif o in ("--kernel",):
+             incfg["kernel"] = a
+         elif o in ("--ramdisk",):
+@@ -847,12 +848,11 @@ if __name__ == "__main__":
+             if not os.path.isdir(a):
+                 print("%s is not an existing directory" % a)
+                 sys.exit(1)
+-            output_directory = a
++            output_directory = a + '/'
+ 
+     if debug:
+         logging.basicConfig(level=logging.DEBUG)
+ 
+-
+     try:
+         os.makedirs(output_directory, 0o700)
+     except OSError as e:
+@@ -861,7 +861,7 @@ if __name__ == "__main__":
+         else:
+             raise
+ 
+-    if output is None or output == "-":
++    if output is None:
+         fd = sys.stdout.fileno()
+     else:
+         fd = os.open(output, os.O_WRONLY)
+-- 
+2.42.0
+

diff --git a/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch b/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch
deleted file mode 100644
index 46c48de..0000000
--- a/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From cdc23d47ad85e756540eaa8655ebc2a0445612ed Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 3 Mar 2023 07:55:54 +0100
-Subject: [PATCH 48/89] x86/cpuid: Infrastructure for leaves 7:1{ecx,edx}
-
-We don't actually need ecx yet, but adding it in now will reduce the amount to
-which leaf 7 is out of order in a featureset.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: b4a23bf6293aadecfd03bf9e83974443e2eac9cb
-master date: 2023-02-09 18:26:17 +0000
----
- tools/misc/xen-cpuid.c                      | 10 ++++++++++
- xen/arch/x86/cpu/common.c                   |  3 ++-
- xen/include/public/arch-x86/cpufeatureset.h |  4 ++++
- xen/include/xen/lib/x86/cpuid.h             | 15 ++++++++++++++-
- 4 files changed, 30 insertions(+), 2 deletions(-)
-
-diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
-index d5833e9ce8..addb3a39a1 100644
---- a/tools/misc/xen-cpuid.c
-+++ b/tools/misc/xen-cpuid.c
-@@ -202,6 +202,14 @@ static const char *const str_7b1[32] =
-     [ 0] = "ppin",
- };
- 
-+static const char *const str_7c1[32] =
-+{
-+};
-+
-+static const char *const str_7d1[32] =
-+{
-+};
-+
- static const char *const str_7d2[32] =
- {
-     [ 0] = "intel-psfd",
-@@ -229,6 +237,8 @@ static const struct {
-     { "0x80000021.eax",  "e21a", str_e21a },
-     { "0x00000007:1.ebx", "7b1", str_7b1 },
-     { "0x00000007:2.edx", "7d2", str_7d2 },
-+    { "0x00000007:1.ecx", "7c1", str_7c1 },
-+    { "0x00000007:1.edx", "7d1", str_7d1 },
- };
- 
- #define COL_ALIGN "18"
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 0412dbc915..b3fcf4680f 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -450,7 +450,8 @@ static void generic_identify(struct cpuinfo_x86 *c)
- 			cpuid_count(7, 1,
- 				    &c->x86_capability[FEATURESET_7a1],
- 				    &c->x86_capability[FEATURESET_7b1],
--				    &tmp, &tmp);
-+				    &c->x86_capability[FEATURESET_7c1],
-+				    &c->x86_capability[FEATURESET_7d1]);
- 		if (max_subleaf >= 2)
- 			cpuid_count(7, 2,
- 				    &tmp, &tmp, &tmp,
-diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
-index 7915f5826f..f43cdcd0f9 100644
---- a/xen/include/public/arch-x86/cpufeatureset.h
-+++ b/xen/include/public/arch-x86/cpufeatureset.h
-@@ -295,6 +295,10 @@ XEN_CPUFEATURE(RRSBA_CTRL,         13*32+ 2) /*   MSR_SPEC_CTRL.RRSBA_DIS_* */
- XEN_CPUFEATURE(BHI_CTRL,           13*32+ 4) /*   MSR_SPEC_CTRL.BHI_DIS_S */
- XEN_CPUFEATURE(MCDT_NO,            13*32+ 5) /*A  MCDT_NO */
- 
-+/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */
-+
-+/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */
-+
- #endif /* XEN_CPUFEATURE */
- 
- /* Clean up from a default include.  Close the enum (for C). */
-diff --git a/xen/include/xen/lib/x86/cpuid.h b/xen/include/xen/lib/x86/cpuid.h
-index 73a5c33036..fa98b371ee 100644
---- a/xen/include/xen/lib/x86/cpuid.h
-+++ b/xen/include/xen/lib/x86/cpuid.h
-@@ -18,6 +18,8 @@
- #define FEATURESET_e21a  11 /* 0x80000021.eax      */
- #define FEATURESET_7b1   12 /* 0x00000007:1.ebx    */
- #define FEATURESET_7d2   13 /* 0x00000007:2.edx    */
-+#define FEATURESET_7c1   14 /* 0x00000007:1.ecx    */
-+#define FEATURESET_7d1   15 /* 0x00000007:1.edx    */
- 
- struct cpuid_leaf
- {
-@@ -194,7 +196,14 @@ struct cpuid_policy
-                 uint32_t _7b1;
-                 struct { DECL_BITFIELD(7b1); };
-             };
--            uint32_t /* c */:32, /* d */:32;
-+            union {
-+                uint32_t _7c1;
-+                struct { DECL_BITFIELD(7c1); };
-+            };
-+            union {
-+                uint32_t _7d1;
-+                struct { DECL_BITFIELD(7d1); };
-+            };
- 
-             /* Subleaf 2. */
-             uint32_t /* a */:32, /* b */:32, /* c */:32;
-@@ -343,6 +352,8 @@ static inline void cpuid_policy_to_featureset(
-     fs[FEATURESET_e21a] = p->extd.e21a;
-     fs[FEATURESET_7b1] = p->feat._7b1;
-     fs[FEATURESET_7d2] = p->feat._7d2;
-+    fs[FEATURESET_7c1] = p->feat._7c1;
-+    fs[FEATURESET_7d1] = p->feat._7d1;
- }
- 
- /* Fill in a CPUID policy from a featureset bitmap. */
-@@ -363,6 +374,8 @@ static inline void cpuid_featureset_to_policy(
-     p->extd.e21a  = fs[FEATURESET_e21a];
-     p->feat._7b1  = fs[FEATURESET_7b1];
-     p->feat._7d2  = fs[FEATURESET_7d2];
-+    p->feat._7c1  = fs[FEATURESET_7c1];
-+    p->feat._7d1  = fs[FEATURESET_7d1];
- }
- 
- static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p)
--- 
-2.40.0
-

diff --git a/0049-tools-pygrub-Open-the-output-files-earlier.patch b/0049-tools-pygrub-Open-the-output-files-earlier.patch
new file mode 100644
index 0000000..c3b00b1
--- /dev/null
+++ b/0049-tools-pygrub-Open-the-output-files-earlier.patch
@@ -0,0 +1,105 @@
+From 37977420670c65db220349510599d3fe47600ad8 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Mon, 25 Sep 2023 18:32:23 +0100
+Subject: [PATCH 49/55] tools/pygrub: Open the output files earlier
+
+This patch allows pygrub to get ahold of every RW file descriptor it needs
+early on. A later patch will clamp the filesystem it can access so it can't
+obtain any others.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+(cherry picked from commit 0710d7d44586251bfca9758890616dc3d6de8a74)
+---
+ tools/pygrub/src/pygrub | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
+index 1042c05b86..91e2ec2ab1 100755
+--- a/tools/pygrub/src/pygrub
++++ b/tools/pygrub/src/pygrub
+@@ -738,8 +738,7 @@ if __name__ == "__main__":
+     def usage():
+         print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+ 
+-    def copy_from_image(fs, file_to_read, file_type, output_directory,
+-                        not_really):
++    def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
+         if not_really:
+             if fs.file_exists(file_to_read):
+                 return "<%s:%s>" % (file_type, file_to_read)
+@@ -750,21 +749,18 @@ if __name__ == "__main__":
+         except Exception as e:
+             print(e, file=sys.stderr)
+             sys.exit("Error opening %s in guest" % file_to_read)
+-        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
+-                                      dir=output_directory)
+         dataoff = 0
+         while True:
+             data = datafile.read(FS_READ_MAX, dataoff)
+             if len(data) == 0:
+-                os.close(tfd)
++                os.close(fd_dst)
+                 del datafile
+-                return ret
++                return
+             try:
+-                os.write(tfd, data)
++                os.write(fd_dst, data)
+             except Exception as e:
+                 print(e, file=sys.stderr)
+-                os.close(tfd)
+-                os.unlink(ret)
++                os.unlink(path_dst)
+                 del datafile
+                 sys.exit("Error writing temporary copy of "+file_type)
+             dataoff += len(data)
+@@ -861,6 +857,14 @@ if __name__ == "__main__":
+         else:
+             raise
+ 
++    if not_really:
++        fd_kernel =  path_kernel = fd_ramdisk = path_ramdisk = None
++    else:
++        (fd_kernel, path_kernel) = tempfile.mkstemp(prefix="boot_kernel.",
++                                                    dir=output_directory)
++        (fd_ramdisk, path_ramdisk) = tempfile.mkstemp(prefix="boot_ramdisk.",
++                                                      dir=output_directory)
++
+     if output is None:
+         fd = sys.stdout.fileno()
+     else:
+@@ -920,20 +924,23 @@ if __name__ == "__main__":
+     if fs is None:
+         raise RuntimeError("Unable to find partition containing kernel")
+ 
+-    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
+-                                        output_directory, not_really)
++    copy_from_image(fs, chosencfg["kernel"], "kernel",
++                    fd_kernel, path_kernel, not_really)
++    bootcfg["kernel"] = path_kernel
+ 
+     if chosencfg["ramdisk"]:
+         try:
+-            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
+-                                                 "ramdisk", output_directory,
+-                                                 not_really)
++            copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
++                            fd_ramdisk, path_ramdisk, not_really)
+         except:
+             if not not_really:
+-                os.unlink(bootcfg["kernel"])
++                os.unlink(path_kernel)
+             raise
++        bootcfg["ramdisk"] = path_ramdisk
+     else:
+         initrd = None
++        if not not_really:
++            os.unlink(path_ramdisk)
+ 
+     args = None
+     if chosencfg["args"]:
+-- 
+2.42.0
+

diff --git a/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch b/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch
deleted file mode 100644
index a34217e..0000000
--- a/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From 8202b9cf84674c5b23a89c4b8722afbb9787f917 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 3 Mar 2023 07:56:16 +0100
-Subject: [PATCH 49/89] x86/shskt: Disable CET-SS on parts susceptible to
- fractured updates
-
-Refer to Intel SDM Rev 70 (Dec 2022), Vol3 17.2.3 "Supervisor Shadow Stack
-Token".
-
-Architecturally, an event delivery which starts in CPL<3 and switches shadow
-stack will first validate the Supervisor Shadow Stack Token (setting the busy
-bit), then pushes CS/LIP/SSP.  One example of this is an NMI interrupting Xen.
-
-Some CPUs suffer from an issue called fracturing, whereby a fault/vmexit/etc
-between setting the busy bit and completing the event injection renders the
-action non-restartable, because when it comes time to restart, the busy bit is
-found to be already set.
-
-This is far more easily encountered under virt, yet it is not the fault of the
-hypervisor, nor the fault of the guest kernel.  The fault lies somewhere
-between the architectural specification, and the uarch behaviour.
-
-Intel have allocated CPUID.7[1].ecx[18] CET_SSS to enumerate that supervisor
-shadow stacks are safe to use.  Because of how Xen lays out its shadow stacks,
-fracturing is not expected to be a problem on native.
-
-Detect this case on boot and default to not using shstk if virtualised.
-Specifying `cet=shstk` on the command line will override this heuristic and
-enable shadow stacks irrespective.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 01e7477d1b081cff4288ff9f51ec59ee94c03ee0
-master date: 2023-02-09 18:26:17 +0000
----
- docs/misc/xen-command-line.pandoc           |  7 +++-
- tools/libs/light/libxl_cpuid.c              |  2 +
- tools/misc/xen-cpuid.c                      |  1 +
- xen/arch/x86/cpu/common.c                   | 11 ++++-
- xen/arch/x86/setup.c                        | 46 +++++++++++++++++----
- xen/include/public/arch-x86/cpufeatureset.h |  1 +
- 6 files changed, 57 insertions(+), 11 deletions(-)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index e7fe8b0cc9..807ca51fb2 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -287,10 +287,15 @@ can be maintained with the pv-shim mechanism.
-     protection.
- 
-     The option is available when `CONFIG_XEN_SHSTK` is compiled in, and
--    defaults to `true` on hardware supporting CET-SS.  Specifying
-+    generally defaults to `true` on hardware supporting CET-SS.  Specifying
-     `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support
-     is available in hardware.
- 
-+    Some hardware suffers from an issue known as Supervisor Shadow Stack
-+    Fracturing.  On such hardware, Xen will default to not using Shadow Stacks
-+    when virtualised.  Specifying `cet=shstk` will override this heuristic and
-+    enable Shadow Stacks unilaterally.
-+
- *   The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for
-     its own protection.
- 
-diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
-index 2aa23225f4..d97a2f3338 100644
---- a/tools/libs/light/libxl_cpuid.c
-+++ b/tools/libs/light/libxl_cpuid.c
-@@ -235,6 +235,8 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
-         {"fsrs",         0x00000007,  1, CPUID_REG_EAX, 11,  1},
-         {"fsrcs",        0x00000007,  1, CPUID_REG_EAX, 12,  1},
- 
-+        {"cet-sss",      0x00000007,  1, CPUID_REG_EDX, 18,  1},
-+
-         {"intel-psfd",   0x00000007,  2, CPUID_REG_EDX,  0,  1},
-         {"mcdt-no",      0x00000007,  2, CPUID_REG_EDX,  5,  1},
- 
-diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
-index addb3a39a1..0248eaef44 100644
---- a/tools/misc/xen-cpuid.c
-+++ b/tools/misc/xen-cpuid.c
-@@ -208,6 +208,7 @@ static const char *const str_7c1[32] =
- 
- static const char *const str_7d1[32] =
- {
-+    [18] = "cet-sss",
- };
- 
- static const char *const str_7d2[32] =
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index b3fcf4680f..27f73d3bbe 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -346,11 +346,18 @@ void __init early_cpu_init(void)
- 	       x86_cpuid_vendor_to_str(c->x86_vendor), c->x86, c->x86,
- 	       c->x86_model, c->x86_model, c->x86_mask, eax);
- 
--	if (c->cpuid_level >= 7)
--		cpuid_count(7, 0, &eax, &ebx,
-+	if (c->cpuid_level >= 7) {
-+		uint32_t max_subleaf;
-+
-+		cpuid_count(7, 0, &max_subleaf, &ebx,
- 			    &c->x86_capability[FEATURESET_7c0],
- 			    &c->x86_capability[FEATURESET_7d0]);
- 
-+		if (max_subleaf >= 1)
-+			cpuid_count(7, 1, &eax, &ebx, &ecx,
-+				    &c->x86_capability[FEATURESET_7d1]);
-+	}
-+
- 	eax = cpuid_eax(0x80000000);
- 	if ((eax >> 16) == 0x8000 && eax >= 0x80000008) {
- 		ebx = eax >= 0x8000001f ? cpuid_ebx(0x8000001f) : 0;
-diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
-index e05189f649..09c17b1016 100644
---- a/xen/arch/x86/setup.c
-+++ b/xen/arch/x86/setup.c
-@@ -95,11 +95,7 @@ unsigned long __initdata highmem_start;
- size_param("highmem-start", highmem_start);
- #endif
- 
--#ifdef CONFIG_XEN_SHSTK
--static bool __initdata opt_xen_shstk = true;
--#else
--#define opt_xen_shstk false
--#endif
-+static int8_t __initdata opt_xen_shstk = -IS_ENABLED(CONFIG_XEN_SHSTK);
- 
- #ifdef CONFIG_XEN_IBT
- static bool __initdata opt_xen_ibt = true;
-@@ -1104,11 +1100,45 @@ void __init noreturn __start_xen(unsigned long mbi_p)
-     early_cpu_init();
- 
-     /* Choose shadow stack early, to set infrastructure up appropriately. */
--    if ( opt_xen_shstk && boot_cpu_has(X86_FEATURE_CET_SS) )
-+    if ( !boot_cpu_has(X86_FEATURE_CET_SS) )
-+        opt_xen_shstk = 0;
-+
-+    if ( opt_xen_shstk )
-     {
--        printk("Enabling Supervisor Shadow Stacks\n");
-+        /*
-+         * Some CPUs suffer from Shadow Stack Fracturing, an issue whereby a
-+         * fault/VMExit/etc between setting a Supervisor Busy bit and the
-+         * event delivery completing renders the operation non-restartable.
-+         * On restart, event delivery will find the Busy bit already set.
-+         *
-+         * This is a problem on bare metal, but outside of synthetic cases or
-+         * a very badly timed #MC, it's not believed to be a problem.  It is a
-+         * much bigger problem under virt, because we can VMExit for a number
-+         * of legitimate reasons and tickle this bug.
-+         *
-+         * CPUs with this addressed enumerate CET-SSS to indicate that
-+         * supervisor shadow stacks are now safe to use.
-+         */
-+        bool cpu_has_bug_shstk_fracture =
-+            boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
-+            !boot_cpu_has(X86_FEATURE_CET_SSS);
- 
--        setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK);
-+        /*
-+         * On bare metal, assume that Xen won't be impacted by shstk
-+         * fracturing problems.  Under virt, be more conservative and disable
-+         * shstk by default.
-+         */
-+        if ( opt_xen_shstk == -1 )
-+            opt_xen_shstk =
-+                cpu_has_hypervisor ? !cpu_has_bug_shstk_fracture
-+                                   : true;
-+
-+        if ( opt_xen_shstk )
-+        {
-+            printk("Enabling Supervisor Shadow Stacks\n");
-+
-+            setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK);
-+        }
-     }
- 
-     if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) )
-diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
-index f43cdcd0f9..08600cfdc7 100644
---- a/xen/include/public/arch-x86/cpufeatureset.h
-+++ b/xen/include/public/arch-x86/cpufeatureset.h
-@@ -298,6 +298,7 @@ XEN_CPUFEATURE(MCDT_NO,            13*32+ 5) /*A  MCDT_NO */
- /* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */
- 
- /* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */
-+XEN_CPUFEATURE(CET_SSS,            15*32+18) /*   CET Supervisor Shadow Stacks safe to use */
- 
- #endif /* XEN_CPUFEATURE */
- 
--- 
-2.40.0
-

diff --git a/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch b/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch
deleted file mode 100644
index 0444aa9..0000000
--- a/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 74b76704fd4059e9133e84c1384501858e9663b7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
- <marmarek@invisiblethingslab.com>
-Date: Fri, 3 Mar 2023 07:57:39 +0100
-Subject: [PATCH 50/89] credit2: respect credit2_runqueue=all when arranging
- runqueues
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Documentation for credit2_runqueue=all says it should create one queue
-for all pCPUs on the host. But since introduction
-sched_credit2_max_cpus_runqueue, it actually created separate runqueue
-per socket, even if the CPUs count is below
-sched_credit2_max_cpus_runqueue.
-
-Adjust the condition to skip syblink check in case of
-credit2_runqueue=all.
-
-Fixes: 8e2aa76dc167 ("xen: credit2: limit the max number of CPUs in a runqueue")
-Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-master commit: 1f5747ee929fbbcae58d7234c6c38a77495d0cfe
-master date: 2023-02-15 16:12:42 +0100
----
- docs/misc/xen-command-line.pandoc | 5 +++++
- xen/common/sched/credit2.c        | 9 +++++++--
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 807ca51fb2..5be5ce10c6 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -726,6 +726,11 @@ Available alternatives, with their meaning, are:
- * `all`: just one runqueue shared by all the logical pCPUs of
-          the host
- 
-+Regardless of the above choice, Xen attempts to respect
-+`sched_credit2_max_cpus_runqueue` limit, which may mean more than one runqueue
-+for the `all` value. If that isn't intended, raise
-+the `sched_credit2_max_cpus_runqueue` value.
-+
- ### dbgp
- > `= ehci[ <integer> | @pci<bus>:<slot>.<func> ]`
- > `= xhci[ <integer> | @pci<bus>:<slot>.<func> ][,share=<bool>|hwdom]`
-diff --git a/xen/common/sched/credit2.c b/xen/common/sched/credit2.c
-index 0e3f89e537..ae55feea34 100644
---- a/xen/common/sched/credit2.c
-+++ b/xen/common/sched/credit2.c
-@@ -996,9 +996,14 @@ cpu_add_to_runqueue(const struct scheduler *ops, unsigned int cpu)
-              *
-              * Otherwise, let's try to make sure that siblings stay in the
-              * same runqueue, pretty much under any cinrcumnstances.
-+             *
-+             * Furthermore, try to respect credit2_runqueue=all, as long as
-+             * max_cpus_runq isn't violated.
-              */
--            if ( rqd->refcnt < max_cpus_runq && (ops->cpupool->gran != SCHED_GRAN_cpu ||
--                  cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq)) )
-+            if ( rqd->refcnt < max_cpus_runq &&
-+                 (ops->cpupool->gran != SCHED_GRAN_cpu ||
-+                  cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq) ||
-+                  opt_runqueue == OPT_RUNQUEUE_ALL) )
-             {
-                 /*
-                  * This runqueue is ok, but as we said, we also want an even
--- 
-2.40.0
-

diff --git a/0050-tools-libfsimage-Export-a-new-function-to-preload-al.patch b/0050-tools-libfsimage-Export-a-new-function-to-preload-al.patch
new file mode 100644
index 0000000..949528d
--- /dev/null
+++ b/0050-tools-libfsimage-Export-a-new-function-to-preload-al.patch
@@ -0,0 +1,126 @@
+From 8ee19246ad2c1d0ce241a52683f56b144a4f0b0e Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Mon, 25 Sep 2023 18:32:24 +0100
+Subject: [PATCH 50/55] tools/libfsimage: Export a new function to preload all
+ plugins
+
+This is work required in order to let pygrub operate in highly deprivileged
+chroot mode. This patch adds a function that preloads every plugin, hence
+ensuring that a on function exit, every shared library is loaded in memory.
+
+The new "init" function is supposed to be used before depriv, but that's
+fine because it's not acting on untrusted data.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+(cherry picked from commit 990e65c3ad9ac08642ce62a92852c80be6c83e96)
+---
+ tools/libfsimage/common/fsimage_plugin.c |  4 ++--
+ tools/libfsimage/common/mapfile-GNU      |  1 +
+ tools/libfsimage/common/mapfile-SunOS    |  1 +
+ tools/libfsimage/common/xenfsimage.h     |  8 ++++++++
+ tools/pygrub/src/fsimage/fsimage.c       | 15 +++++++++++++++
+ 5 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
+index de1412b423..d0cb9e96a6 100644
+--- a/tools/libfsimage/common/fsimage_plugin.c
++++ b/tools/libfsimage/common/fsimage_plugin.c
+@@ -119,7 +119,7 @@ fail:
+ 	return (-1);
+ }
+ 
+-static int load_plugins(void)
++int fsi_init(void)
+ {
+ 	const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
+ 	struct dirent *dp = NULL;
+@@ -180,7 +180,7 @@ int find_plugin(fsi_t *fsi, const char *path, const char *options)
+ 	fsi_plugin_t *fp;
+ 	int ret = 0;
+ 
+-	if (plugins == NULL && (ret = load_plugins()) != 0)
++	if (plugins == NULL && (ret = fsi_init()) != 0)
+ 		goto out;
+ 
+ 	for (fp = plugins; fp != NULL; fp = fp->fp_next) {
+diff --git a/tools/libfsimage/common/mapfile-GNU b/tools/libfsimage/common/mapfile-GNU
+index 26d4d7a69e..2d54d527d7 100644
+--- a/tools/libfsimage/common/mapfile-GNU
++++ b/tools/libfsimage/common/mapfile-GNU
+@@ -1,6 +1,7 @@
+ VERSION {
+ 	libfsimage.so.1.0 {
+ 		global:
++			fsi_init;
+ 			fsi_open_fsimage;
+ 			fsi_close_fsimage;
+ 			fsi_file_exists;
+diff --git a/tools/libfsimage/common/mapfile-SunOS b/tools/libfsimage/common/mapfile-SunOS
+index e99b90b650..48deedb425 100644
+--- a/tools/libfsimage/common/mapfile-SunOS
++++ b/tools/libfsimage/common/mapfile-SunOS
+@@ -1,5 +1,6 @@
+ libfsimage.so.1.0 {
+ 	global:
++		fsi_init;
+ 		fsi_open_fsimage;
+ 		fsi_close_fsimage;
+ 		fsi_file_exists;
+diff --git a/tools/libfsimage/common/xenfsimage.h b/tools/libfsimage/common/xenfsimage.h
+index 201abd54f2..341883b2d7 100644
+--- a/tools/libfsimage/common/xenfsimage.h
++++ b/tools/libfsimage/common/xenfsimage.h
+@@ -35,6 +35,14 @@ extern C {
+ typedef struct fsi fsi_t;
+ typedef struct fsi_file fsi_file_t;
+ 
++/*
++ * Optional initialization function. If invoked it loads the associated
++ * dynamic libraries for the backends ahead of time. This is required if
++ * the library is to run as part of a highly deprivileged executable, as
++ * the libraries may not be reachable after depriv.
++ */
++int fsi_init(void);
++
+ fsi_t *fsi_open_fsimage(const char *, uint64_t, const char *);
+ void fsi_close_fsimage(fsi_t *);
+ 
+diff --git a/tools/pygrub/src/fsimage/fsimage.c b/tools/pygrub/src/fsimage/fsimage.c
+index 2ebbbe35df..92fbf2851f 100644
+--- a/tools/pygrub/src/fsimage/fsimage.c
++++ b/tools/pygrub/src/fsimage/fsimage.c
+@@ -286,6 +286,15 @@ fsimage_getbootstring(PyObject *o, PyObject *args)
+ 	return Py_BuildValue("s", bootstring);
+ }
+ 
++static PyObject *
++fsimage_init(PyObject *o, PyObject *args)
++{
++	if (!PyArg_ParseTuple(args, ""))
++		return (NULL);
++
++	return Py_BuildValue("i", fsi_init());
++}
++
+ PyDoc_STRVAR(fsimage_open__doc__,
+     "open(name, [offset=off]) - Open the given file as a filesystem image.\n"
+     "\n"
+@@ -297,7 +306,13 @@ PyDoc_STRVAR(fsimage_getbootstring__doc__,
+     "getbootstring(fs) - Return the boot string needed for this file system "
+     "or NULL if none is needed.\n");
+ 
++PyDoc_STRVAR(fsimage_init__doc__,
++    "init() - Loads every dynamic library contained in xenfsimage "
++    "into memory so that it can be used in chrooted environments.\n");
++
+ static struct PyMethodDef fsimage_module_methods[] = {
++	{ "init", (PyCFunction)fsimage_init,
++	    METH_VARARGS, fsimage_init__doc__ },
+ 	{ "open", (PyCFunction)fsimage_open,
+ 	    METH_VARARGS|METH_KEYWORDS, fsimage_open__doc__ },
+ 	{ "getbootstring", (PyCFunction)fsimage_getbootstring,
+-- 
+2.42.0
+

diff --git a/0051-build-make-FILE-symbol-paths-consistent.patch b/0051-build-make-FILE-symbol-paths-consistent.patch
deleted file mode 100644
index 47528c2..0000000
--- a/0051-build-make-FILE-symbol-paths-consistent.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 46c104cce0bf340193cb1eacaee5dcd75e264c8f Mon Sep 17 00:00:00 2001
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-Date: Fri, 3 Mar 2023 07:58:12 +0100
-Subject: [PATCH 51/89] build: make FILE symbol paths consistent
-
-The FILE symbols in out-of-tree builds may be either a relative path to
-the object dir or an absolute path depending on how the build is
-invoked. Fix the paths for C files so that they are consistent with
-in-tree builds - the path is relative to the "xen" directory (e.g.
-common/irq.c).
-
-This fixes livepatch builds when the original Xen build was out-of-tree
-since livepatch-build always does in-tree builds. Note that this doesn't
-fix the behaviour for Clang < 6 which always embeds full paths.
-
-Fixes: 7115fa562fe7 ("build: adding out-of-tree support to the xen build")
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 5b9bb91abba7c983def3b4bef71ab08ad360a242
-master date: 2023-02-15 16:13:49 +0100
----
- xen/Rules.mk | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/Rules.mk b/xen/Rules.mk
-index 70b7489ea8..d6b7cec0a8 100644
---- a/xen/Rules.mk
-+++ b/xen/Rules.mk
-@@ -228,8 +228,9 @@ quiet_cmd_cc_o_c = CC      $@
- ifeq ($(CONFIG_ENFORCE_UNIQUE_SYMBOLS),y)
-     cmd_cc_o_c = $(CC) $(c_flags) -c $< -o $(dot-target).tmp -MQ $@
-     ifneq ($(CONFIG_CC_IS_CLANG)$(call clang-ifversion,-lt,600,y),yy)
-+        rel-path = $(patsubst $(abs_srctree)/%,%,$(call realpath,$(1)))
-         cmd_objcopy_fix_sym = \
--	    $(OBJCOPY) --redefine-sym $(<F)=$< $(dot-target).tmp $@ && rm -f $(dot-target).tmp
-+           $(OBJCOPY) --redefine-sym $(<F)=$(call rel-path,$<) $(dot-target).tmp $@ && rm -f $(dot-target).tmp
-     else
-         cmd_objcopy_fix_sym = mv -f $(dot-target).tmp $@
-     endif
--- 
-2.40.0
-

diff --git a/0051-tools-pygrub-Deprivilege-pygrub.patch b/0051-tools-pygrub-Deprivilege-pygrub.patch
new file mode 100644
index 0000000..1d89191
--- /dev/null
+++ b/0051-tools-pygrub-Deprivilege-pygrub.patch
@@ -0,0 +1,307 @@
+From f5e211654e5fbb7f1fc5cfea7f9c7ab525edb9e7 Mon Sep 17 00:00:00 2001
+From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+Date: Mon, 25 Sep 2023 18:32:25 +0100
+Subject: [PATCH 51/55] tools/pygrub: Deprivilege pygrub
+
+Introduce a --runas=<uid> flag to deprivilege pygrub on Linux and *BSDs. It
+also implicitly creates a chroot env where it drops a deprivileged forked
+process. The chroot itself is cleaned up at the end.
+
+If the --runas arg is present, then pygrub forks, leaving the child to
+deprivilege itself, and waiting for it to complete. When the child exists,
+the parent performs cleanup and exits with the same error code.
+
+This is roughly what the child does:
+  1. Initialize libfsimage (this loads every .so in memory so the chroot
+     can avoid bind-mounting /{,usr}/lib*
+  2. Create a temporary empty chroot directory
+  3. Mount tmpfs in it
+  4. Bind mount the disk inside, because libfsimage expects a path, not a
+     file descriptor.
+  5. Remount the root tmpfs to be stricter (ro,nosuid,nodev)
+  6. Set RLIMIT_FSIZE to a sensibly high amount (128 MiB)
+  7. Depriv gid, groups and uid
+
+With this scheme in place, the "output" files are writable (up to
+RLIMIT_FSIZE octets) and the exposed filesystem is immutable and contains
+the single only file we can't easily get rid of (the disk).
+
+If running on Linux, the child process also unshares mount, IPC, and
+network namespaces before dropping its privileges.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
+(cherry picked from commit e0342ae5556f2b6e2db50701b8a0679a45822ca6)
+---
+ tools/pygrub/setup.py   |   2 +-
+ tools/pygrub/src/pygrub | 162 +++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 154 insertions(+), 10 deletions(-)
+
+diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
+index 0e4e3d02d3..06b96733d0 100644
+--- a/tools/pygrub/setup.py
++++ b/tools/pygrub/setup.py
+@@ -17,7 +17,7 @@ xenfsimage = Extension("xenfsimage",
+ pkgs = [ 'grub' ]
+ 
+ setup(name='pygrub',
+-      version='0.6',
++      version='0.7',
+       description='Boot loader that looks a lot like grub for Xen',
+       author='Jeremy Katz',
+       author_email='katzj@redhat.com',
+diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
+index 91e2ec2ab1..7cea496ade 100755
+--- a/tools/pygrub/src/pygrub
++++ b/tools/pygrub/src/pygrub
+@@ -16,8 +16,11 @@ from __future__ import print_function
+ 
+ import os, sys, string, struct, tempfile, re, traceback, stat, errno
+ import copy
++import ctypes, ctypes.util
+ import logging
+ import platform
++import resource
++import subprocess
+ 
+ import curses, _curses, curses.textpad, curses.ascii
+ import getopt
+@@ -27,10 +30,135 @@ import grub.GrubConf
+ import grub.LiloConf
+ import grub.ExtLinuxConf
+ 
+-PYGRUB_VER = 0.6
++PYGRUB_VER = 0.7
+ FS_READ_MAX = 1024 * 1024
+ SECTOR_SIZE = 512
+ 
++# Unless provided through the env variable PYGRUB_MAX_FILE_SIZE_MB, then
++# this is the maximum filesize allowed for files written by the depriv
++# pygrub
++LIMIT_FSIZE = 128 << 20
++
++CLONE_NEWNS = 0x00020000 # mount namespace
++CLONE_NEWNET = 0x40000000 # network namespace
++CLONE_NEWIPC = 0x08000000 # IPC namespace
++
++def unshare(flags):
++    if not sys.platform.startswith("linux"):
++        print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)
++        return
++
++    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
++    unshare_prototype = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, use_errno=True)
++    unshare = unshare_prototype(('unshare', libc))
++
++    if unshare(flags) < 0:
++        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
++
++def bind_mount(src, dst, options):
++    open(dst, "a").close() # touch
++
++    rc = subprocess.call(["mount", "--bind", "-o", options, src, dst])
++    if rc != 0:
++        raise RuntimeError("bad_mount: src=%s dst=%s opts=%s" %
++                           (src, dst, options))
++
++def downgrade_rlimits():
++    # Wipe the authority to use unrequired resources
++    resource.setrlimit(resource.RLIMIT_NPROC,    (0, 0))
++    resource.setrlimit(resource.RLIMIT_CORE,     (0, 0))
++    resource.setrlimit(resource.RLIMIT_MEMLOCK,  (0, 0))
++
++    # py2's resource module doesn't know about resource.RLIMIT_MSGQUEUE
++    #
++    # TODO: Use resource.RLIMIT_MSGQUEUE after python2 is deprecated
++    if sys.platform.startswith('linux'):
++        RLIMIT_MSGQUEUE = 12
++        resource.setrlimit(RLIMIT_MSGQUEUE, (0, 0))
++
++    # The final look of the filesystem for this process is fully RO, but
++    # note we have some file descriptor already open (notably, kernel and
++    # ramdisk). In order to avoid a compromised pygrub from filling up the
++    # filesystem we set RLIMIT_FSIZE to a high bound, so that the file
++    # write permissions are bound.
++    fsize = LIMIT_FSIZE
++    if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys():
++        fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20
++
++    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
++
++def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
++    # The only point of this call is to force the loading of libfsimage.
++    # That way, we don't need to bind-mount it into the chroot
++    rc = xenfsimage.init()
++    if rc != 0:
++        os.unlink(path_ramdisk)
++        os.unlink(path_kernel)
++        raise RuntimeError("bad_xenfsimage: rc=%d" % rc)
++
++    # Create a temporary directory for the chroot
++    chroot = tempfile.mkdtemp(prefix=str(uid)+'-', dir=output_directory) + '/'
++    device_path = '/device'
++
++    pid = os.fork()
++    if pid:
++        # parent
++        _, rc = os.waitpid(pid, 0)
++
++        for path in [path_kernel, path_ramdisk]:
++            # If the child didn't write anything, just get rid of it,
++            # otherwise we end up consuming a 0-size file when parsing
++            # systems without a ramdisk that the ultimate caller of pygrub
++            # may just be unaware of
++            if rc != 0 or os.path.getsize(path) == 0:
++                os.unlink(path)
++
++        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
++        # However, this syscall doesn't exist in *BSD systems and doesn't
++        # auto-unmount everything on older Linux kernels (At least as of
++        # Linux 4.19, but it seems fixed in 5.15). Either way,
++        # recursively unmount everything if needed. Quietly.
++        with open('/dev/null', 'w') as devnull:
++            subprocess.call(["umount", "-f", chroot + device_path],
++                            stdout=devnull, stderr=devnull)
++            subprocess.call(["umount", "-f", chroot],
++                            stdout=devnull, stderr=devnull)
++        os.rmdir(chroot)
++
++        sys.exit(rc)
++
++    # By unsharing the namespace we're making sure it's all bulk-released
++    # at the end, when the namespaces disappear. This means the kernel does
++    # (almost) all the cleanup for us and the parent just has to remove the
++    # temporary directory.
++    unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET)
++
++    # Set sensible limits using the setrlimit interface
++    downgrade_rlimits()
++
++    # We'll mount tmpfs on the chroot to ensure the deprivileged child
++    # cannot affect the persistent state. It's RW now in order to
++    # bind-mount the device, but note it's remounted RO after that.
++    rc = subprocess.call(["mount", "-t", "tmpfs", "none", chroot])
++    if rc != 0:
++        raise RuntimeError("mount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
++
++    # Bind the untrusted device RO
++    bind_mount(device, chroot + device_path, "ro,nosuid,noexec")
++
++    rc = subprocess.call(["mount", "-t", "tmpfs", "-o", "remount,ro,nosuid,noexec,nodev", "none", chroot])
++    if rc != 0:
++        raise RuntimeError("remount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
++
++    # Drop superpowers!
++    os.chroot(chroot)
++    os.chdir('/')
++    os.setgid(uid)
++    os.setgroups([uid])
++    os.setuid(uid)
++
++    return device_path
++
+ def read_size_roundup(fd, size):
+     if platform.system() != 'FreeBSD':
+         return size
+@@ -736,7 +864,7 @@ if __name__ == "__main__":
+     sel = None
+     
+     def usage():
+-        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
++        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--runas=] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+ 
+     def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
+         if not_really:
+@@ -760,7 +888,8 @@ if __name__ == "__main__":
+                 os.write(fd_dst, data)
+             except Exception as e:
+                 print(e, file=sys.stderr)
+-                os.unlink(path_dst)
++                if path_dst:
++                    os.unlink(path_dst)
+                 del datafile
+                 sys.exit("Error writing temporary copy of "+file_type)
+             dataoff += len(data)
+@@ -769,7 +898,7 @@ if __name__ == "__main__":
+         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qilnh::',
+                                    ["quiet", "interactive", "list-entries", "not-really", "help",
+                                     "output=", "output-format=", "output-directory=", "offset=",
+-                                    "entry=", "kernel=", 
++                                    "runas=", "entry=", "kernel=",
+                                     "ramdisk=", "args=", "isconfig", "debug"])
+     except getopt.GetoptError:
+         usage()
+@@ -790,6 +919,7 @@ if __name__ == "__main__":
+     not_really = False
+     output_format = "sxp"
+     output_directory = "/var/run/xen/pygrub/"
++    uid = None
+ 
+     # what was passed in
+     incfg = { "kernel": None, "ramdisk": None, "args": "" }
+@@ -813,6 +943,13 @@ if __name__ == "__main__":
+         elif o in ("--output",):
+             if a != "-":
+                 output = a
++        elif o in ("--runas",):
++            try:
++                uid = int(a)
++            except ValueError:
++                print("runas value must be an integer user id")
++                usage()
++                sys.exit(1)
+         elif o in ("--kernel",):
+             incfg["kernel"] = a
+         elif o in ("--ramdisk",):
+@@ -849,6 +986,10 @@ if __name__ == "__main__":
+     if debug:
+         logging.basicConfig(level=logging.DEBUG)
+ 
++    if interactive and uid:
++        print("In order to use --runas, you must also set --entry or -q", file=sys.stderr)
++        sys.exit(1)
++
+     try:
+         os.makedirs(output_directory, 0o700)
+     except OSError as e:
+@@ -870,6 +1011,9 @@ if __name__ == "__main__":
+     else:
+         fd = os.open(output, os.O_WRONLY)
+ 
++    if uid:
++        file = depriv(output_directory, output, file, uid, path_kernel, path_ramdisk)
++
+     # debug
+     if isconfig:
+         chosencfg = run_grub(file, entry, fs, incfg["args"])
+@@ -925,21 +1069,21 @@ if __name__ == "__main__":
+         raise RuntimeError("Unable to find partition containing kernel")
+ 
+     copy_from_image(fs, chosencfg["kernel"], "kernel",
+-                    fd_kernel, path_kernel, not_really)
++                    fd_kernel, None if uid else path_kernel, not_really)
+     bootcfg["kernel"] = path_kernel
+ 
+     if chosencfg["ramdisk"]:
+         try:
+             copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
+-                            fd_ramdisk, path_ramdisk, not_really)
++                            fd_ramdisk, None if uid else path_ramdisk, not_really)
+         except:
+-            if not not_really:
+-                os.unlink(path_kernel)
++            if not uid and not not_really:
++                    os.unlink(path_kernel)
+             raise
+         bootcfg["ramdisk"] = path_ramdisk
+     else:
+         initrd = None
+-        if not not_really:
++        if not uid and not not_really:
+             os.unlink(path_ramdisk)
+ 
+     args = None
+-- 
+2.42.0
+

diff --git a/0052-libxl-add-support-for-running-bootloader-in-restrict.patch b/0052-libxl-add-support-for-running-bootloader-in-restrict.patch
new file mode 100644
index 0000000..08691b9
--- /dev/null
+++ b/0052-libxl-add-support-for-running-bootloader-in-restrict.patch
@@ -0,0 +1,251 @@
+From 42bf49d74b711ca7fef37bcde12928220c8e9700 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 25 Sep 2023 14:30:20 +0200
+Subject: [PATCH 52/55] libxl: add support for running bootloader in restricted
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Much like the device model depriv mode, add the same kind of support for the
+bootloader.  Such feature allows passing a UID as a parameter for the
+bootloader to run as, together with the bootloader itself taking the necessary
+actions to isolate.
+
+Note that the user to run the bootloader as must have the right permissions to
+access the guest disk image (in read mode only), and that the bootloader will
+be run in non-interactive mode when restricted.
+
+If enabled bootloader restrict mode will attempt to re-use the user(s) from the
+QEMU depriv implementation if no user is provided on the configuration file or
+the environment.  See docs/features/qemu-deprivilege.pandoc for more
+information about how to setup those users.
+
+Bootloader restrict mode is not enabled by default as it requires certain
+setup to be done first (setup of the user(s) to use in restrict mode).
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+(cherry picked from commit 1f762642d2cad1a40634e3280361928109d902f1)
+---
+ docs/man/xl.1.pod.in                | 33 +++++++++++
+ tools/libs/light/libxl_bootloader.c | 89 ++++++++++++++++++++++++++++-
+ tools/libs/light/libxl_dm.c         |  8 +--
+ tools/libs/light/libxl_internal.h   |  8 +++
+ 4 files changed, 131 insertions(+), 7 deletions(-)
+
+diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
+index 101e14241d..4831e12242 100644
+--- a/docs/man/xl.1.pod.in
++++ b/docs/man/xl.1.pod.in
+@@ -1957,6 +1957,39 @@ ignored:
+ 
+ =back
+ 
++=head1 ENVIRONMENT VARIABLES
++
++The following environment variables shall affect the execution of xl:
++
++=over 4
++
++=item LIBXL_BOOTLOADER_RESTRICT
++
++Attempt to restrict the bootloader after startup, to limit the
++consequences of security vulnerabilities due to parsing guest
++owned image files.
++
++See docs/features/qemu-deprivilege.pandoc for more information
++on how to setup the unprivileged users.
++
++Note that running the bootloader in restricted mode also implies using
++non-interactive mode, and the disk image must be readable by the
++restricted user.
++
++Having this variable set is equivalent to enabling the option, even if the
++value is 0.
++
++=item LIBXL_BOOTLOADER_USER
++
++When using bootloader_restrict, run the bootloader as this user.  If
++not set the default QEMU restrict users will be used.
++
++NOTE: Each domain MUST have a SEPARATE username.
++
++See docs/features/qemu-deprivilege.pandoc for more information.
++
++=back
++
+ =head1 SEE ALSO
+ 
+ The following man pages:
+diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
+index 108329b4a5..23c0ef3e89 100644
+--- a/tools/libs/light/libxl_bootloader.c
++++ b/tools/libs/light/libxl_bootloader.c
+@@ -14,6 +14,7 @@
+ 
+ #include "libxl_osdeps.h" /* must come before any other headers */
+ 
++#include <pwd.h>
+ #include <termios.h>
+ #ifdef HAVE_UTMP_H
+ #include <utmp.h>
+@@ -42,8 +43,71 @@ static void bootloader_arg(libxl__bootloader_state *bl, const char *arg)
+     bl->args[bl->nargs++] = arg;
+ }
+ 
+-static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+-                                 const char *bootloader_path)
++static int bootloader_uid(libxl__gc *gc, domid_t guest_domid,
++                          const char *user, uid_t *intended_uid)
++{
++    struct passwd *user_base, user_pwbuf;
++    int rc;
++
++    if (user) {
++        rc = userlookup_helper_getpwnam(gc, user, &user_pwbuf, &user_base);
++        if (rc) return rc;
++
++        if (!user_base) {
++            LOGD(ERROR, guest_domid, "Couldn't find user %s", user);
++            return ERROR_INVAL;
++        }
++
++        *intended_uid = user_base->pw_uid;
++        return 0;
++    }
++
++    /* Re-use QEMU user range for the bootloader. */
++    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
++                                    &user_pwbuf, &user_base);
++    if (rc) return rc;
++
++    if (user_base) {
++        struct passwd *user_clash, user_clash_pwbuf;
++        uid_t temp_uid = user_base->pw_uid + guest_domid;
++
++        rc = userlookup_helper_getpwuid(gc, temp_uid, &user_clash_pwbuf,
++                                        &user_clash);
++        if (rc) return rc;
++
++        if (user_clash) {
++            LOGD(ERROR, guest_domid,
++                 "wanted to use uid %ld (%s + %d) but that is user %s !",
++                 (long)temp_uid, LIBXL_QEMU_USER_RANGE_BASE,
++                 guest_domid, user_clash->pw_name);
++            return ERROR_INVAL;
++        }
++
++        *intended_uid = temp_uid;
++        return 0;
++    }
++
++    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_SHARED, &user_pwbuf,
++                                    &user_base);
++    if (rc) return rc;
++
++    if (user_base) {
++        LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
++             LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
++        *intended_uid = user_base->pw_uid;
++
++        return 0;
++    }
++
++    LOGD(ERROR, guest_domid,
++    "Could not find user %s or range base pseudo-user %s, cannot restrict",
++         LIBXL_QEMU_USER_SHARED, LIBXL_QEMU_USER_RANGE_BASE);
++
++    return ERROR_INVAL;
++}
++
++static int make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
++                                const char *bootloader_path)
+ {
+     const libxl_domain_build_info *info = bl->info;
+ 
+@@ -61,6 +125,23 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+         ARG(GCSPRINTF("--ramdisk=%s", info->ramdisk));
+     if (info->cmdline && *info->cmdline != '\0')
+         ARG(GCSPRINTF("--args=%s", info->cmdline));
++    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
++        getenv("LIBXL_BOOTLOADER_USER")) {
++        uid_t uid = -1;
++        int rc = bootloader_uid(gc, bl->domid, getenv("LIBXL_BOOTLOADER_USER"),
++                                &uid);
++
++        if (rc) return rc;
++
++        assert(uid != -1);
++        if (!uid) {
++            LOGD(ERROR, bl->domid, "bootloader restrict UID is 0 (root)!");
++            return ERROR_INVAL;
++        }
++        LOGD(DEBUG, bl->domid, "using uid %ld", (long)uid);
++        ARG(GCSPRINTF("--runas=%ld", (long)uid));
++        ARG("--quiet");
++    }
+ 
+     ARG(GCSPRINTF("--output=%s", bl->outputpath));
+     ARG("--output-format=simple0");
+@@ -79,6 +160,7 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+     /* Sentinel for execv */
+     ARG(NULL);
+ 
++    return 0;
+ #undef ARG
+ }
+ 
+@@ -443,7 +525,8 @@ static void bootloader_disk_attached_cb(libxl__egc *egc,
+             bootloader = bltmp;
+     }
+ 
+-    make_bootloader_args(gc, bl, bootloader);
++    rc = make_bootloader_args(gc, bl, bootloader);
++    if (rc) goto out;
+ 
+     bl->openpty.ao = ao;
+     bl->openpty.callback = bootloader_gotptys;
+diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
+index fc264a3a13..14b593110f 100644
+--- a/tools/libs/light/libxl_dm.c
++++ b/tools/libs/light/libxl_dm.c
+@@ -80,10 +80,10 @@ static int libxl__create_qemu_logfile(libxl__gc *gc, char *name)
+  *  On error, return a libxl-style error code.
+  */
+ #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF)     \
+-    static int userlookup_helper_##NAME(libxl__gc *gc,                  \
+-                                        SPEC_TYPE spec,                 \
+-                                        struct STRUCTNAME *resultbuf,   \
+-                                        struct STRUCTNAME **out)        \
++    int userlookup_helper_##NAME(libxl__gc *gc,                         \
++                                 SPEC_TYPE spec,                        \
++                                 struct STRUCTNAME *resultbuf,          \
++                                 struct STRUCTNAME **out)               \
+     {                                                                   \
+         struct STRUCTNAME *resultp = NULL;                              \
+         char *buf = NULL;                                               \
+diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
+index 7ad38de30e..f1e3a9a15b 100644
+--- a/tools/libs/light/libxl_internal.h
++++ b/tools/libs/light/libxl_internal.h
+@@ -4873,6 +4873,14 @@ struct libxl__cpu_policy {
+     struct xc_msr *msr;
+ };
+ 
++struct passwd;
++_hidden int userlookup_helper_getpwnam(libxl__gc*, const char *user,
++                                       struct passwd *res,
++                                       struct passwd **out);
++_hidden int userlookup_helper_getpwuid(libxl__gc*, uid_t uid,
++                                       struct passwd *res,
++                                       struct passwd **out);
++
+ #endif
+ 
+ /*
+-- 
+2.42.0
+

diff --git a/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch b/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch
deleted file mode 100644
index 22a214b..0000000
--- a/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From e9a7942f6c1638c668605fbf6d6e02bc7bff2582 Mon Sep 17 00:00:00 2001
-From: Sergey Dyasli <sergey.dyasli@citrix.com>
-Date: Fri, 3 Mar 2023 07:58:35 +0100
-Subject: [PATCH 52/89] x86/ucode/AMD: apply the patch early on every logical
- thread
-
-The original issue has been reported on AMD Bulldozer-based CPUs where
-ucode loading loses the LWP feature bit in order to gain the IBPB bit.
-LWP disabling is per-SMT/CMT core modification and needs to happen on
-each sibling thread despite the shared microcode engine. Otherwise,
-logical CPUs will end up with different cpuid capabilities.
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211
-
-Guests running under Xen happen to be not affected because of levelling
-logic for the feature masking/override MSRs which causes the LWP bit to
-fall out and hides the issue. The latest recommendation from AMD, after
-discussing this bug, is to load ucode on every logical CPU.
-
-In Linux kernel this issue has been addressed by e7ad18d1169c
-("x86/microcode/AMD: Apply the patch early on every logical thread").
-Follow the same approach in Xen.
-
-Introduce SAME_UCODE match result and use it for early AMD ucode
-loading. Take this opportunity and move opt_ucode_allow_same out of
-compare_revisions() to the relevant callers and also modify the warning
-message based on it. Intel's side of things is modified for consistency
-but provides no functional change.
-
-Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: f4ef8a41b80831db2136bdaff9f946a1a4b051e7
-master date: 2023-02-21 15:08:05 +0100
----
- xen/arch/x86/cpu/microcode/amd.c     | 11 ++++++++---
- xen/arch/x86/cpu/microcode/core.c    | 26 +++++++++++++++++---------
- xen/arch/x86/cpu/microcode/intel.c   | 10 +++++++---
- xen/arch/x86/cpu/microcode/private.h |  3 ++-
- 4 files changed, 34 insertions(+), 16 deletions(-)
-
-diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
-index 8195707ee1..ded8fe90e6 100644
---- a/xen/arch/x86/cpu/microcode/amd.c
-+++ b/xen/arch/x86/cpu/microcode/amd.c
-@@ -176,8 +176,8 @@ static enum microcode_match_result compare_revisions(
-     if ( new_rev > old_rev )
-         return NEW_UCODE;
- 
--    if ( opt_ucode_allow_same && new_rev == old_rev )
--        return NEW_UCODE;
-+    if ( new_rev == old_rev )
-+        return SAME_UCODE;
- 
-     return OLD_UCODE;
- }
-@@ -220,8 +220,13 @@ static int cf_check apply_microcode(const struct microcode_patch *patch)
-     unsigned int cpu = smp_processor_id();
-     struct cpu_signature *sig = &per_cpu(cpu_sig, cpu);
-     uint32_t rev, old_rev = sig->rev;
-+    enum microcode_match_result result = microcode_fits(patch);
- 
--    if ( microcode_fits(patch) != NEW_UCODE )
-+    /*
-+     * Allow application of the same revision to pick up SMT-specific changes
-+     * even if the revision of the other SMT thread is already up-to-date.
-+     */
-+    if ( result != NEW_UCODE && result != SAME_UCODE )
-         return -EINVAL;
- 
-     if ( check_final_patch_levels(sig) )
-diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
-index 452a7ca773..57ecc5358b 100644
---- a/xen/arch/x86/cpu/microcode/core.c
-+++ b/xen/arch/x86/cpu/microcode/core.c
-@@ -610,17 +610,25 @@ static long cf_check microcode_update_helper(void *data)
-      * that ucode revision.
-      */
-     spin_lock(&microcode_mutex);
--    if ( microcode_cache &&
--         alternative_call(ucode_ops.compare_patch,
--                          patch, microcode_cache) != NEW_UCODE )
-+    if ( microcode_cache )
-     {
--        spin_unlock(&microcode_mutex);
--        printk(XENLOG_WARNING "microcode: couldn't find any newer revision "
--                              "in the provided blob!\n");
--        microcode_free_patch(patch);
--        ret = -ENOENT;
-+        enum microcode_match_result result;
- 
--        goto put;
-+        result = alternative_call(ucode_ops.compare_patch, patch,
-+                                  microcode_cache);
-+
-+        if ( result != NEW_UCODE &&
-+             !(opt_ucode_allow_same && result == SAME_UCODE) )
-+        {
-+            spin_unlock(&microcode_mutex);
-+            printk(XENLOG_WARNING
-+                   "microcode: couldn't find any newer%s revision in the provided blob!\n",
-+                   opt_ucode_allow_same ? " (or the same)" : "");
-+            microcode_free_patch(patch);
-+            ret = -ENOENT;
-+
-+            goto put;
-+        }
-     }
-     spin_unlock(&microcode_mutex);
- 
-diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcode/intel.c
-index f5ba6d76d7..cb08f63d2e 100644
---- a/xen/arch/x86/cpu/microcode/intel.c
-+++ b/xen/arch/x86/cpu/microcode/intel.c
-@@ -232,8 +232,8 @@ static enum microcode_match_result compare_revisions(
-     if ( new_rev > old_rev )
-         return NEW_UCODE;
- 
--    if ( opt_ucode_allow_same && new_rev == old_rev )
--        return NEW_UCODE;
-+    if ( new_rev == old_rev )
-+        return SAME_UCODE;
- 
-     /*
-      * Treat pre-production as always applicable - anyone using pre-production
-@@ -290,8 +290,12 @@ static int cf_check apply_microcode(const struct microcode_patch *patch)
-     unsigned int cpu = smp_processor_id();
-     struct cpu_signature *sig = &this_cpu(cpu_sig);
-     uint32_t rev, old_rev = sig->rev;
-+    enum microcode_match_result result;
-+
-+    result = microcode_update_match(patch);
- 
--    if ( microcode_update_match(patch) != NEW_UCODE )
-+    if ( result != NEW_UCODE &&
-+         !(opt_ucode_allow_same && result == SAME_UCODE) )
-         return -EINVAL;
- 
-     wbinvd();
-diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microcode/private.h
-index c085a10268..feafab0677 100644
---- a/xen/arch/x86/cpu/microcode/private.h
-+++ b/xen/arch/x86/cpu/microcode/private.h
-@@ -6,7 +6,8 @@
- extern bool opt_ucode_allow_same;
- 
- enum microcode_match_result {
--    OLD_UCODE, /* signature matched, but revision id is older or equal */
-+    OLD_UCODE, /* signature matched, but revision id is older */
-+    SAME_UCODE, /* signature matched, but revision id is the same */
-     NEW_UCODE, /* signature matched, but revision id is newer */
-     MIS_UCODE, /* signature mismatched */
- };
--- 
-2.40.0
-

diff --git a/0053-libxl-limit-bootloader-execution-in-restricted-mode.patch b/0053-libxl-limit-bootloader-execution-in-restricted-mode.patch
new file mode 100644
index 0000000..8c790d3
--- /dev/null
+++ b/0053-libxl-limit-bootloader-execution-in-restricted-mode.patch
@@ -0,0 +1,158 @@
+From 46d00dbf4c22b28910f73f66a03e5cabe50b5395 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Thu, 28 Sep 2023 12:22:35 +0200
+Subject: [PATCH 53/55] libxl: limit bootloader execution in restricted mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce a timeout for bootloader execution when running in restricted mode.
+
+Allow overwriting the default time out with an environment provided value.
+
+This is part of XSA-443 / CVE-2023-34325
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+(cherry picked from commit 9c114178ffd700112e91f5ec66cf5151b9c9a8cc)
+---
+ docs/man/xl.1.pod.in                |  8 ++++++
+ tools/libs/light/libxl_bootloader.c | 40 +++++++++++++++++++++++++++++
+ tools/libs/light/libxl_internal.h   |  2 ++
+ 3 files changed, 50 insertions(+)
+
+diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
+index 4831e12242..c3eb6570ab 100644
+--- a/docs/man/xl.1.pod.in
++++ b/docs/man/xl.1.pod.in
+@@ -1988,6 +1988,14 @@ NOTE: Each domain MUST have a SEPARATE username.
+ 
+ See docs/features/qemu-deprivilege.pandoc for more information.
+ 
++=item LIBXL_BOOTLOADER_TIMEOUT
++
++Timeout in seconds for bootloader execution when running in restricted mode.
++Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used.
++
++If defined the value must be an unsigned integer between 0 and INT_MAX,
++otherwise behavior is undefined.  Setting to 0 disables the timeout.
++
+ =back
+ 
+ =head1 SEE ALSO
+diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
+index 23c0ef3e89..ee26d08f37 100644
+--- a/tools/libs/light/libxl_bootloader.c
++++ b/tools/libs/light/libxl_bootloader.c
+@@ -30,6 +30,8 @@ static void bootloader_keystrokes_copyfail(libxl__egc *egc,
+        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
+ static void bootloader_display_copyfail(libxl__egc *egc,
+        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
++static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
++                               const struct timeval *requested_abs, int rc);
+ static void bootloader_domaindeath(libxl__egc*, libxl__domaindeathcheck *dc,
+                                    int rc);
+ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
+@@ -297,6 +299,7 @@ void libxl__bootloader_init(libxl__bootloader_state *bl)
+     bl->ptys[0].master = bl->ptys[0].slave = 0;
+     bl->ptys[1].master = bl->ptys[1].slave = 0;
+     libxl__ev_child_init(&bl->child);
++    libxl__ev_time_init(&bl->time);
+     libxl__domaindeathcheck_init(&bl->deathcheck);
+     bl->keystrokes.ao = bl->ao;  libxl__datacopier_init(&bl->keystrokes);
+     bl->display.ao = bl->ao;     libxl__datacopier_init(&bl->display);
+@@ -314,6 +317,7 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
+     libxl__domaindeathcheck_stop(gc,&bl->deathcheck);
+     libxl__datacopier_kill(&bl->keystrokes);
+     libxl__datacopier_kill(&bl->display);
++    libxl__ev_time_deregister(gc, &bl->time);
+     for (i=0; i<2; i++) {
+         libxl__carefd_close(bl->ptys[i].master);
+         libxl__carefd_close(bl->ptys[i].slave);
+@@ -375,6 +379,7 @@ static void bootloader_stop(libxl__egc *egc,
+ 
+     libxl__datacopier_kill(&bl->keystrokes);
+     libxl__datacopier_kill(&bl->display);
++    libxl__ev_time_deregister(gc, &bl->time);
+     if (libxl__ev_child_inuse(&bl->child)) {
+         r = kill(bl->child.pid, SIGTERM);
+         if (r) LOGED(WARN, bl->domid, "%sfailed to kill bootloader [%lu]",
+@@ -637,6 +642,25 @@ static void bootloader_gotptys(libxl__egc *egc, libxl__openpty_state *op)
+ 
+     struct termios termattr;
+ 
++    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
++        getenv("LIBXL_BOOTLOADER_USER")) {
++        const char *timeout_env = getenv("LIBXL_BOOTLOADER_TIMEOUT");
++        int timeout = timeout_env ? atoi(timeout_env)
++                                  : LIBXL_BOOTLOADER_TIMEOUT;
++
++        if (timeout) {
++            /* Set execution timeout */
++            rc = libxl__ev_time_register_rel(ao, &bl->time,
++                                            bootloader_timeout,
++                                            timeout * 1000);
++            if (rc) {
++                LOGED(ERROR, bl->domid,
++                      "unable to register timeout for bootloader execution");
++                goto out;
++            }
++        }
++    }
++
+     pid_t pid = libxl__ev_child_fork(gc, &bl->child, bootloader_finished);
+     if (pid == -1) {
+         rc = ERROR_FAIL;
+@@ -702,6 +726,21 @@ static void bootloader_display_copyfail(libxl__egc *egc,
+     libxl__bootloader_state *bl = CONTAINER_OF(dc, *bl, display);
+     bootloader_copyfail(egc, "bootloader output", bl, 1, rc,onwrite,errnoval);
+ }
++static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
++                               const struct timeval *requested_abs, int rc)
++{
++    libxl__bootloader_state *bl = CONTAINER_OF(ev, *bl, time);
++    STATE_AO_GC(bl->ao);
++
++    libxl__ev_time_deregister(gc, &bl->time);
++
++    assert(libxl__ev_child_inuse(&bl->child));
++    LOGD(ERROR, bl->domid, "killing bootloader because of timeout");
++
++    libxl__ev_child_kill_deregister(ao, &bl->child, SIGKILL);
++
++    bootloader_callback(egc, bl, rc);
++}
+ 
+ static void bootloader_domaindeath(libxl__egc *egc,
+                                    libxl__domaindeathcheck *dc,
+@@ -718,6 +757,7 @@ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
+     STATE_AO_GC(bl->ao);
+     int rc;
+ 
++    libxl__ev_time_deregister(gc, &bl->time);
+     libxl__datacopier_kill(&bl->keystrokes);
+     libxl__datacopier_kill(&bl->display);
+ 
+diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
+index f1e3a9a15b..d05783617f 100644
+--- a/tools/libs/light/libxl_internal.h
++++ b/tools/libs/light/libxl_internal.h
+@@ -102,6 +102,7 @@
+ #define LIBXL_QMP_CMD_TIMEOUT 10
+ #define LIBXL_STUBDOM_START_TIMEOUT 30
+ #define LIBXL_QEMU_BODGE_TIMEOUT 2
++#define LIBXL_BOOTLOADER_TIMEOUT 120
+ #define LIBXL_XENCONSOLE_LIMIT 1048576
+ #define LIBXL_XENCONSOLE_PROTOCOL "vt100"
+ #define LIBXL_MAXMEM_CONSTANT 1024
+@@ -3744,6 +3745,7 @@ struct libxl__bootloader_state {
+     libxl__openpty_state openpty;
+     libxl__openpty_result ptys[2];  /* [0] is for bootloader */
+     libxl__ev_child child;
++    libxl__ev_time time;
+     libxl__domaindeathcheck deathcheck;
+     int nargs, argsspace;
+     const char **args;
+-- 
+2.42.0
+

diff --git a/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch b/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch
deleted file mode 100644
index 934c0f5..0000000
--- a/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From e8f28e129d23c940749c66150a89c4ed683a0fb9 Mon Sep 17 00:00:00 2001
-From: Tamas K Lengyel <tamas@tklengyel.com>
-Date: Fri, 3 Mar 2023 07:59:08 +0100
-Subject: [PATCH 53/89] x86: perform mem_sharing teardown before paging
- teardown
-
-An assert failure has been observed in p2m_teardown when performing vm
-forking and then destroying the forked VM (p2m-basic.c:173). The assert
-checks whether the domain's shared pages counter is 0. According to the
-patch that originally added the assert (7bedbbb5c31) the p2m_teardown
-should only happen after mem_sharing already relinquished all shared pages.
-
-In this patch we flip the order in which relinquish ops are called to avoid
-tripping the assert. Conceptually sharing being torn down makes sense to
-happen before paging is torn down.
-
-Fixes: e7aa55c0aab3 ("x86/p2m: free the paging memory pool preemptively")
-Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 2869349f0cb3a89dcbf1f1b30371f58df6309312
-master date: 2023-02-23 12:35:48 +0100
----
- xen/arch/x86/domain.c | 56 ++++++++++++++++++++++---------------------
- 1 file changed, 29 insertions(+), 27 deletions(-)
-
-diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
-index 5a119eec3a..e546c98322 100644
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -2347,9 +2347,9 @@ int domain_relinquish_resources(struct domain *d)
- 
-         enum {
-             PROG_iommu_pagetables = 1,
-+            PROG_shared,
-             PROG_paging,
-             PROG_vcpu_pagetables,
--            PROG_shared,
-             PROG_xen,
-             PROG_l4,
-             PROG_l3,
-@@ -2368,6 +2368,34 @@ int domain_relinquish_resources(struct domain *d)
-         if ( ret )
-             return ret;
- 
-+#ifdef CONFIG_MEM_SHARING
-+    PROGRESS(shared):
-+
-+        if ( is_hvm_domain(d) )
-+        {
-+            /*
-+             * If the domain has shared pages, relinquish them allowing
-+             * for preemption.
-+             */
-+            ret = relinquish_shared_pages(d);
-+            if ( ret )
-+                return ret;
-+
-+            /*
-+             * If the domain is forked, decrement the parent's pause count
-+             * and release the domain.
-+             */
-+            if ( mem_sharing_is_fork(d) )
-+            {
-+                struct domain *parent = d->parent;
-+
-+                d->parent = NULL;
-+                domain_unpause(parent);
-+                put_domain(parent);
-+            }
-+        }
-+#endif
-+
-     PROGRESS(paging):
- 
-         /* Tear down paging-assistance stuff. */
-@@ -2408,32 +2436,6 @@ int domain_relinquish_resources(struct domain *d)
-             d->arch.auto_unmask = 0;
-         }
- 
--#ifdef CONFIG_MEM_SHARING
--    PROGRESS(shared):
--
--        if ( is_hvm_domain(d) )
--        {
--            /* If the domain has shared pages, relinquish them allowing
--             * for preemption. */
--            ret = relinquish_shared_pages(d);
--            if ( ret )
--                return ret;
--
--            /*
--             * If the domain is forked, decrement the parent's pause count
--             * and release the domain.
--             */
--            if ( mem_sharing_is_fork(d) )
--            {
--                struct domain *parent = d->parent;
--
--                d->parent = NULL;
--                domain_unpause(parent);
--                put_domain(parent);
--            }
--        }
--#endif
--
-         spin_lock(&d->page_alloc_lock);
-         page_list_splice(&d->arch.relmem_list, &d->page_list);
-         INIT_PAGE_LIST_HEAD(&d->arch.relmem_list);
--- 
-2.40.0
-

diff --git a/0054-x86-svm-Fix-asymmetry-with-AMD-DR-MASK-context-switc.patch b/0054-x86-svm-Fix-asymmetry-with-AMD-DR-MASK-context-switc.patch
new file mode 100644
index 0000000..af72c9a
--- /dev/null
+++ b/0054-x86-svm-Fix-asymmetry-with-AMD-DR-MASK-context-switc.patch
@@ -0,0 +1,104 @@
+From 3f8b444072fd8615288d9d11e53fbf0b6a8a7750 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 26 Sep 2023 20:03:36 +0100
+Subject: [PATCH 54/55] x86/svm: Fix asymmetry with AMD DR MASK context
+ switching
+
+The handling of MSR_DR{0..3}_MASK is asymmetric between PV and HVM guests.
+
+HVM guests context switch in based on the guest view of DBEXT, whereas PV
+guest switch in base on the host capability.  Both guest types leave the
+context dirty for the next vCPU.
+
+This leads to the following issue:
+
+ * PV or HVM vCPU has debugging active (%dr7 + mask)
+ * Switch out deactivates %dr7 but leaves other state stale in hardware
+ * HVM vCPU with debugging activate but can't see DBEXT is switched in
+ * Switch in loads %dr7 but leaves the mask MSRs alone
+
+Now, the HVM vCPU is operating in the context of the prior vCPU's mask MSR,
+and furthermore in a case where it genuinely expects there to be no masking
+MSRs.
+
+As a stopgap, adjust the HVM path to switch in/out the masks based on host
+capabilities rather than guest visibility (i.e. like the PV path).  Adjustment
+of the of the intercepts still needs to be dependent on the guest visibility
+of DBEXT.
+
+This is part of XSA-444 / CVE-2023-34327
+
+Fixes: c097f54912d3 ("x86/SVM: support data breakpoint extension registers")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit 5d54282f984bb9a7a65b3d12208584f9fdf1c8e1)
+---
+ xen/arch/x86/hvm/svm/svm.c | 24 ++++++++++++++++++------
+ xen/arch/x86/traps.c       |  5 +++++
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
+index e8f50e7c5e..fd32600ae3 100644
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -339,6 +339,10 @@ static void svm_save_dr(struct vcpu *v)
+     v->arch.hvm.flag_dr_dirty = 0;
+     vmcb_set_dr_intercepts(vmcb, ~0u);
+ 
++    /*
++     * The guest can only have changed the mask MSRs if we previous dropped
++     * intercepts.  Re-read them from hardware.
++     */
+     if ( v->domain->arch.cpuid->extd.dbext )
+     {
+         svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_RW);
+@@ -370,17 +374,25 @@ static void __restore_debug_registers(struct vmcb_struct *vmcb, struct vcpu *v)
+ 
+     ASSERT(v == current);
+ 
+-    if ( v->domain->arch.cpuid->extd.dbext )
++    /*
++     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
++     * context-switch-out.  If we're activating %dr7 for the guest, we must
++     * sync the DR_MASKs too, whether or not the guest can see them.
++     */
++    if ( boot_cpu_has(X86_FEATURE_DBEXT) )
+     {
+-        svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+-        svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+-        svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+-        svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+-
+         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, v->arch.msrs->dr_mask[0]);
+         wrmsrl(MSR_AMD64_DR1_ADDRESS_MASK, v->arch.msrs->dr_mask[1]);
+         wrmsrl(MSR_AMD64_DR2_ADDRESS_MASK, v->arch.msrs->dr_mask[2]);
+         wrmsrl(MSR_AMD64_DR3_ADDRESS_MASK, v->arch.msrs->dr_mask[3]);
++
++        if ( v->domain->arch.cpuid->extd.dbext )
++        {
++            svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
++            svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
++            svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
++            svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
++        }
+     }
+ 
+     write_debugreg(0, v->arch.dr[0]);
+diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
+index e65cc60041..06c4f3868b 100644
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -2281,6 +2281,11 @@ void activate_debugregs(const struct vcpu *curr)
+     if ( curr->arch.dr7 & DR7_ACTIVE_MASK )
+         write_debugreg(7, curr->arch.dr7);
+ 
++    /*
++     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
++     * context-switch-out.  If we're activating %dr7 for the guest, we must
++     * sync the DR_MASKs too, whether or not the guest can see them.
++     */
+     if ( boot_cpu_has(X86_FEATURE_DBEXT) )
+     {
+         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, curr->arch.msrs->dr_mask[0]);
+-- 
+2.42.0
+

diff --git a/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
deleted file mode 100644
index 525dc49..0000000
--- a/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 837bdc6eb2df796e832302347f363afc820694fe Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 3 Mar 2023 08:00:04 +0100
-Subject: [PATCH 54/89] xen: Work around Clang-IAS macro \@ expansion bug
-
-https://github.com/llvm/llvm-project/issues/60792
-
-It turns out that Clang-IAS does not expand \@ uniquely in a translaition
-unit, and the XSA-426 change tickles this bug:
-
-  <instantiation>:4:1: error: invalid symbol redefinition
-  .L1_fill_rsb_loop:
-  ^
-  make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1
-
-Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in
-too, which Clang does seem to expand properly.
-
-Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: a2adacff0b91cc7b977abb209dc419a2ef15963f
-master date: 2023-02-24 17:44:29 +0000
----
- xen/arch/x86/include/asm/spec_ctrl.h     |  4 ++--
- xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++-------
- 2 files changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
-index 391973ef6a..a431fea587 100644
---- a/xen/arch/x86/include/asm/spec_ctrl.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl.h
-@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void)
-     wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
- 
-     /* (ab)use alternative_input() to specify clobbers. */
--    alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
-+    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET,
-                       : "rax", "rcx");
- }
- 
-@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
-      *
-      * (ab)use alternative_input() to specify clobbers.
-      */
--    alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
-+    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE,
-                       : "rax", "rcx");
- }
- 
-diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-index fab27ff553..f23bb105c5 100644
---- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-@@ -117,11 +117,16 @@
- .L\@_done:
- .endm
- 
--.macro DO_OVERWRITE_RSB tmp=rax
-+.macro DO_OVERWRITE_RSB tmp=rax xu
- /*
-  * Requires nothing
-  * Clobbers \tmp (%rax by default), %rcx
-  *
-+ * xu is an optional parameter to add eXtra Uniqueness.  It is intended for
-+ * passing %= in from an asm() block, in order to work around
-+ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't
-+ * expand \@ uniquely.
-+ *
-  * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net
-  * change. Based on Google's performance numbers, the loop is unrolled to 16
-  * iterations and two calls per iteration.
-@@ -136,27 +141,27 @@
-     mov $16, %ecx                   /* 16 iterations, two calls per loop */
-     mov %rsp, %\tmp                 /* Store the current %rsp */
- 
--.L\@_fill_rsb_loop:
-+.L\@_fill_rsb_loop\xu:
- 
-     .irp n, 1, 2                    /* Unrolled twice. */
--    call .L\@_insert_rsb_entry_\n   /* Create an RSB entry. */
-+    call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */
-     int3                            /* Halt rogue speculation. */
- 
--.L\@_insert_rsb_entry_\n:
-+.L\@_insert_rsb_entry\xu\n:
-     .endr
- 
-     sub $1, %ecx
--    jnz .L\@_fill_rsb_loop
-+    jnz .L\@_fill_rsb_loop\xu
-     mov %\tmp, %rsp                 /* Restore old %rsp */
- 
- #ifdef CONFIG_XEN_SHSTK
-     mov $1, %ecx
-     rdsspd %ecx
-     cmp $1, %ecx
--    je .L\@_shstk_done
-+    je .L\@_shstk_done\xu
-     mov $64, %ecx                   /* 64 * 4 bytes, given incsspd */
-     incsspd %ecx                    /* Restore old SSP */
--.L\@_shstk_done:
-+.L\@_shstk_done\xu:
- #endif
- .endm
- 
--- 
-2.40.0
-

diff --git a/0055-x86-pv-Correct-the-auditing-of-guest-breakpoint-addr.patch b/0055-x86-pv-Correct-the-auditing-of-guest-breakpoint-addr.patch
new file mode 100644
index 0000000..5838e7f
--- /dev/null
+++ b/0055-x86-pv-Correct-the-auditing-of-guest-breakpoint-addr.patch
@@ -0,0 +1,86 @@
+From 0b56bed864ca9b572473957f0254aefa797216f2 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 26 Sep 2023 20:03:36 +0100
+Subject: [PATCH 55/55] x86/pv: Correct the auditing of guest breakpoint
+ addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The use of access_ok() is buggy, because it permits access to the compat
+translation area.  64bit PV guests don't use the XLAT area, but on AMD
+hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
+region, allowing the breakpoint to reach outside of the XLAT area.
+
+Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
+32-bit PV"), the live GDT was within 4G of the XLAT area.
+
+All together, this allowed a malicious 64bit PV guest on AMD hardware to place
+a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).
+
+Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
+appropriate check in this case.
+
+For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
+to be on its own with nothing interesting adjacent.  For Xen 4.13 and older on
+AMD hardware, this fixes a PV-trigger-able DoS.
+
+This is part of XSA-444 / CVE-2023-34328.
+
+Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit dc9d9aa62ddeb14abd5672690d30789829f58f7e)
+---
+ xen/arch/x86/include/asm/debugreg.h | 20 ++++++++++++++++++++
+ xen/arch/x86/pv/misc-hypercalls.c   |  2 +-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/include/asm/debugreg.h b/xen/arch/x86/include/asm/debugreg.h
+index c57914efc6..cc29826524 100644
+--- a/xen/arch/x86/include/asm/debugreg.h
++++ b/xen/arch/x86/include/asm/debugreg.h
+@@ -77,6 +77,26 @@
+     asm volatile ( "mov %%db" #reg ",%0" : "=r" (__val) );  \
+     __val;                                                  \
+ })
++
++/*
++ * Architecturally, %dr{0..3} can have any arbitrary value.  However, Xen
++ * can't allow the guest to breakpoint the Xen address range, so we limit the
++ * guest to the lower canonical half, or above the Xen range in the higher
++ * canonical half.
++ *
++ * Breakpoint lengths are specified to mask the low order address bits,
++ * meaning all breakpoints are naturally aligned.  With %dr7, the widest
++ * breakpoint is 8 bytes.  With DBEXT, the widest breakpoint is 4G.  Both of
++ * the Xen boundaries have >4G alignment.
++ *
++ * In principle we should account for HYPERVISOR_COMPAT_VIRT_START(d), but
++ * 64bit Xen has never enforced this for compat guests, and there's no problem
++ * (to Xen) if the guest breakpoints it's alias of the M2P.  Skipping this
++ * aspect simplifies the logic, and causes us not to reject a migrating guest
++ * which operated fine on prior versions of Xen.
++ */
++#define breakpoint_addr_ok(a) __addr_ok(a)
++
+ long set_debugreg(struct vcpu *, unsigned int reg, unsigned long value);
+ void activate_debugregs(const struct vcpu *);
+ 
+diff --git a/xen/arch/x86/pv/misc-hypercalls.c b/xen/arch/x86/pv/misc-hypercalls.c
+index aaaf70eb63..f8636de907 100644
+--- a/xen/arch/x86/pv/misc-hypercalls.c
++++ b/xen/arch/x86/pv/misc-hypercalls.c
+@@ -72,7 +72,7 @@ long set_debugreg(struct vcpu *v, unsigned int reg, unsigned long value)
+     switch ( reg )
+     {
+     case 0 ... 3:
+-        if ( !access_ok(value, sizeof(long)) )
++        if ( !breakpoint_addr_ok(value) )
+             return -EPERM;
+ 
+         v->arch.dr[reg] = value;
+-- 
+2.42.0
+

diff --git a/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch b/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
deleted file mode 100644
index 02755a9..0000000
--- a/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From b10cf1561a638c835481ae923b571cb8f7350a89 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 3 Mar 2023 08:01:21 +0100
-Subject: [PATCH 55/89] xen: Fix Clang -Wunicode diagnostic when building
- asm-macros
-
-While trying to work around a different Clang-IAS bug (parent changeset), I
-stumbled onto:
-
-  In file included from arch/x86/asm-macros.c:3:
-  ./arch/x86/include/asm/spec_ctrl_asm.h:144:19: error: \u used with
-  no following hex digits; treating as '\' followed by identifier [-Werror,-Wunicode]
-  .L\@_fill_rsb_loop\uniq:
-                    ^
-
-It turns out that Clang -E is sensitive to the file extension of the source
-file it is processing.  Furthermore, C explicitly permits the use of \u
-escapes in identifier names, so the diagnostic would be reasonable in
-principle if we trying to compile the result.
-
-asm-macros should really have been .S from the outset, as it is ultimately
-generating assembly, not C.  Rename it, which causes Clang not to complain.
-
-We need to introduce rules for generating a .i file from .S, and substituting
-c_flags for a_flags lets us drop the now-redundant -D__ASSEMBLY__.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 53f0d02040b1df08f0589f162790ca376e1c2040
-master date: 2023-02-24 17:44:29 +0000
----
- xen/Rules.mk                                | 6 ++++++
- xen/arch/x86/Makefile                       | 2 +-
- xen/arch/x86/{asm-macros.c => asm-macros.S} | 0
- 3 files changed, 7 insertions(+), 1 deletion(-)
- rename xen/arch/x86/{asm-macros.c => asm-macros.S} (100%)
-
-diff --git a/xen/Rules.mk b/xen/Rules.mk
-index d6b7cec0a8..59072ae8df 100644
---- a/xen/Rules.mk
-+++ b/xen/Rules.mk
-@@ -273,6 +273,9 @@ $(filter %.init.o,$(obj-y) $(obj-bin-y) $(extra-y)): $(obj)/%.init.o: $(obj)/%.o
- quiet_cmd_cpp_i_c = CPP     $@
- cmd_cpp_i_c = $(CPP) $(call cpp_flags,$(c_flags)) -MQ $@ -o $@ $<
- 
-+quiet_cmd_cpp_i_S = CPP     $@
-+cmd_cpp_i_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $<
-+
- quiet_cmd_cc_s_c = CC      $@
- cmd_cc_s_c = $(CC) $(filter-out -Wa$(comma)%,$(c_flags)) -S $< -o $@
- 
-@@ -282,6 +285,9 @@ cmd_cpp_s_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $<
- $(obj)/%.i: $(src)/%.c FORCE
- 	$(call if_changed_dep,cpp_i_c)
- 
-+$(obj)/%.i: $(src)/%.S FORCE
-+	$(call if_changed_dep,cpp_i_S)
-+
- $(obj)/%.s: $(src)/%.c FORCE
- 	$(call if_changed_dep,cc_s_c)
- 
-diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
-index 177a2ff742..5accbe4c67 100644
---- a/xen/arch/x86/Makefile
-+++ b/xen/arch/x86/Makefile
-@@ -240,7 +240,7 @@ $(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o: ;
- .PHONY: include
- include: $(objtree)/arch/x86/include/asm/asm-macros.h
- 
--$(obj)/asm-macros.i: CFLAGS-y += -D__ASSEMBLY__ -P
-+$(obj)/asm-macros.i: CFLAGS-y += -P
- 
- $(objtree)/arch/x86/include/asm/asm-macros.h: $(obj)/asm-macros.i $(src)/Makefile
- 	$(call filechk,asm-macros.h)
-diff --git a/xen/arch/x86/asm-macros.c b/xen/arch/x86/asm-macros.S
-similarity index 100%
-rename from xen/arch/x86/asm-macros.c
-rename to xen/arch/x86/asm-macros.S
--- 
-2.40.0
-

diff --git a/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch b/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
deleted file mode 100644
index 59cc172..0000000
--- a/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 53bd16bcc0d0f5ed5d1ac6d6dc14bf6ecf2e2c43 Mon Sep 17 00:00:00 2001
-From: Bertrand Marquis <bertrand.marquis@arm.com>
-Date: Fri, 3 Mar 2023 08:02:30 +0100
-Subject: [PATCH 56/89] tools: Use PKG_CONFIG_FILE instead of PKG_CONFIG
- variable
-
-Replace PKG_CONFIG variable name with PKG_CONFIG_FILE for the name of
-the pkg-config file.
-This is preventing a conflict in some build systems where PKG_CONFIG
-actually contains the path to the pkg-config executable to use, as the
-default assignment in libs.mk is using a weak assignment (?=).
-
-This problem has been found when trying to build the latest version of
-Xen tools using buildroot.
-
-Fixes: d400dc5729e4 ("tools: tweak tools/libs/libs.mk for being able to support libxenctrl")
-Signed-off-by: Bertrand Marquis <bertrand.marquis@arm.com>
-Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
-master commit: b97e2fe7b9e1f4706693552697239ac2b71efee4
-master date: 2023-02-24 17:44:29 +0000
----
- tools/libs/ctrl/Makefile |  2 +-
- tools/libs/libs.mk       | 16 ++++++++--------
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/tools/libs/ctrl/Makefile b/tools/libs/ctrl/Makefile
-index 93442ab389..15d0ae8e4e 100644
---- a/tools/libs/ctrl/Makefile
-+++ b/tools/libs/ctrl/Makefile
-@@ -4,7 +4,7 @@ include $(XEN_ROOT)/tools/Rules.mk
- include Makefile.common
- 
- LIBHEADER := xenctrl.h xenctrl_compat.h
--PKG_CONFIG := xencontrol.pc
-+PKG_CONFIG_FILE := xencontrol.pc
- PKG_CONFIG_NAME := Xencontrol
- 
- NO_HEADERS_CHK := y
-diff --git a/tools/libs/libs.mk b/tools/libs/libs.mk
-index 3eb91fc8f3..3fab5aecff 100644
---- a/tools/libs/libs.mk
-+++ b/tools/libs/libs.mk
-@@ -1,7 +1,7 @@
- # Common Makefile for building a lib.
- #
- # Variables taken as input:
--#   PKG_CONFIG: name of pkg-config file (xen$(LIBNAME).pc if empty)
-+#   PKG_CONFIG_FILE: name of pkg-config file (xen$(LIBNAME).pc if empty)
- #   MAJOR:   major version of lib (Xen version if empty)
- #   MINOR:   minor version of lib (0 if empty)
- 
-@@ -26,7 +26,7 @@ ifneq ($(nosharedlibs),y)
- TARGETS += lib$(LIB_FILE_NAME).so
- endif
- 
--PKG_CONFIG ?= $(LIB_FILE_NAME).pc
-+PKG_CONFIG_FILE ?= $(LIB_FILE_NAME).pc
- PKG_CONFIG_NAME ?= Xen$(LIBNAME)
- PKG_CONFIG_DESC ?= The $(PKG_CONFIG_NAME) library for Xen hypervisor
- PKG_CONFIG_VERSION := $(MAJOR).$(MINOR)
-@@ -35,13 +35,13 @@ PKG_CONFIG_LIB := $(LIB_FILE_NAME)
- PKG_CONFIG_REQPRIV := $(subst $(space),$(comma),$(strip $(foreach lib,$(patsubst ctrl,control,$(USELIBS_$(LIBNAME))),xen$(lib))))
- 
- ifneq ($(CONFIG_LIBXC_MINIOS),y)
--TARGETS += $(PKG_CONFIG)
--$(PKG_CONFIG): PKG_CONFIG_PREFIX = $(prefix)
--$(PKG_CONFIG): PKG_CONFIG_INCDIR = $(includedir)
--$(PKG_CONFIG): PKG_CONFIG_LIBDIR = $(libdir)
-+TARGETS += $(PKG_CONFIG_FILE)
-+$(PKG_CONFIG_FILE): PKG_CONFIG_PREFIX = $(prefix)
-+$(PKG_CONFIG_FILE): PKG_CONFIG_INCDIR = $(includedir)
-+$(PKG_CONFIG_FILE): PKG_CONFIG_LIBDIR = $(libdir)
- endif
- 
--PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG)
-+PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG_FILE)
- 
- LIBHEADER ?= $(LIB_FILE_NAME).h
- LIBHEADERS = $(foreach h, $(LIBHEADER), $(XEN_INCLUDE)/$(h))
-@@ -103,7 +103,7 @@ install:: all
- 	$(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so.$(MAJOR)
- 	$(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so
- 	for i in $(LIBHEADERS); do $(INSTALL_DATA) $$i $(DESTDIR)$(includedir); done
--	$(INSTALL_DATA) $(PKG_CONFIG) $(DESTDIR)$(PKG_INSTALLDIR)
-+	$(INSTALL_DATA) $(PKG_CONFIG_FILE) $(DESTDIR)$(PKG_INSTALLDIR)
- 
- .PHONY: uninstall
- uninstall::
--- 
-2.40.0
-

diff --git a/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch b/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch
deleted file mode 100644
index ea80bd0..0000000
--- a/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 01f85d835bb10d18bdab2cc780ea5ad47004516d Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 3 Mar 2023 08:02:59 +0100
-Subject: [PATCH 57/89] libs/guest: Fix resource leaks in
- xc_core_arch_map_p2m_tree_rw()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Edwin, with the help of GCC's -fanalyzer, identified that p2m_frame_list_list
-gets leaked.  What fanalyzer can't see is that the live_p2m_frame_list_list
-and live_p2m_frame_list foreign mappings are leaked too.
-
-Rework the logic so the out path is executed unconditionally, which cleans up
-all the intermediate allocations/mappings appropriately.
-
-Fixes: bd7a29c3d0b9 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support linear p2m table")
-Reported-by: Edwin Török <edwin.torok@cloud.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-master commit: 1868d7f22660c8980bd0a7e53f044467e8b63bb5
-master date: 2023-02-27 15:51:23 +0000
----
- tools/libs/guest/xg_core_x86.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libs/guest/xg_core_x86.c b/tools/libs/guest/xg_core_x86.c
-index 61106b98b8..c5e4542ccc 100644
---- a/tools/libs/guest/xg_core_x86.c
-+++ b/tools/libs/guest/xg_core_x86.c
-@@ -229,11 +229,11 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf
-                              uint32_t dom, shared_info_any_t *live_shinfo)
- {
-     /* Double and single indirect references to the live P2M table */
--    xen_pfn_t *live_p2m_frame_list_list;
-+    xen_pfn_t *live_p2m_frame_list_list = NULL;
-     xen_pfn_t *live_p2m_frame_list = NULL;
-     /* Copies of the above. */
-     xen_pfn_t *p2m_frame_list_list = NULL;
--    xen_pfn_t *p2m_frame_list;
-+    xen_pfn_t *p2m_frame_list = NULL;
- 
-     int err;
-     int i;
-@@ -297,8 +297,6 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf
- 
-     dinfo->p2m_frames = P2M_FL_ENTRIES;
- 
--    return p2m_frame_list;
--
-  out:
-     err = errno;
- 
-@@ -312,7 +310,7 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf
- 
-     errno = err;
- 
--    return NULL;
-+    return p2m_frame_list;
- }
- 
- static int
--- 
-2.40.0
-

diff --git a/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch b/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch
deleted file mode 100644
index d55c095..0000000
--- a/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From fa8250f1920413f02b63551a6a4d8ef0b47891a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
-Date: Fri, 3 Mar 2023 08:03:19 +0100
-Subject: [PATCH 58/89] libs/guest: Fix leak on realloc failure in
- backup_ptes()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From `man 2 realloc`:
-
-  If realloc() fails, the original block is left untouched; it is not freed or moved.
-
-Found using GCC -fanalyzer:
-
-  |  184 |         backup->entries = realloc(backup->entries,
-  |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  |      |         |               | |
-  |      |         |               | (91) when ‘realloc’ fails
-  |      |         |               (92) ‘old_ptes.entries’ leaks here; was allocated at (44)
-  |      |         (90) ...to here
-
-Signed-off-by: Edwin Török <edwin.torok@cloud.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: 275d13184cfa52ebe4336ed66526ce93716adbe0
-master date: 2023-02-27 15:51:23 +0000
----
- tools/libs/guest/xg_offline_page.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libs/guest/xg_offline_page.c b/tools/libs/guest/xg_offline_page.c
-index c594fdba41..ccd0299f0f 100644
---- a/tools/libs/guest/xg_offline_page.c
-+++ b/tools/libs/guest/xg_offline_page.c
-@@ -181,10 +181,16 @@ static int backup_ptes(xen_pfn_t table_mfn, int offset,
- 
-     if (backup->max == backup->cur)
-     {
--        backup->entries = realloc(backup->entries,
--                            backup->max * 2 * sizeof(struct pte_backup_entry));
-+        void *orig = backup->entries;
-+
-+        backup->entries = realloc(
-+            orig, backup->max * 2 * sizeof(struct pte_backup_entry));
-+
-         if (backup->entries == NULL)
-+        {
-+            free(orig);
-             return -1;
-+        }
-         else
-             backup->max *= 2;
-     }
--- 
-2.40.0
-

diff --git a/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch b/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch
deleted file mode 100644
index 292a61a..0000000
--- a/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From ec5b058d2a6436a2e180315522fcf1645a8153b4 Mon Sep 17 00:00:00 2001
-From: Sergey Dyasli <sergey.dyasli@citrix.com>
-Date: Fri, 3 Mar 2023 08:03:43 +0100
-Subject: [PATCH 59/89] x86/ucode/AMD: late load the patch on every logical
- thread
-
-Currently late ucode loading is performed only on the first core of CPU
-siblings.  But according to the latest recommendation from AMD, late
-ucode loading should happen on every logical thread/core on AMD CPUs.
-
-To achieve that, introduce is_cpu_primary() helper which will consider
-every logical cpu as "primary" when running on AMD CPUs.  Also include
-Hygon in the check for future-proofing.
-
-Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: f1315e48a03a42f78f9b03c0a384165baf02acae
-master date: 2023-02-28 14:51:28 +0100
----
- xen/arch/x86/cpu/microcode/core.c | 24 +++++++++++++++++++-----
- 1 file changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
-index 57ecc5358b..2497630bbe 100644
---- a/xen/arch/x86/cpu/microcode/core.c
-+++ b/xen/arch/x86/cpu/microcode/core.c
-@@ -274,6 +274,20 @@ static bool microcode_update_cache(struct microcode_patch *patch)
-     return true;
- }
- 
-+/* Returns true if ucode should be loaded on a given cpu */
-+static bool is_cpu_primary(unsigned int cpu)
-+{
-+    if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) )
-+        /* Load ucode on every logical thread/core */
-+        return true;
-+
-+    /* Intel CPUs should load ucode only on the first core of SMT siblings */
-+    if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) )
-+        return true;
-+
-+    return false;
-+}
-+
- /* Wait for a condition to be met with a timeout (us). */
- static int wait_for_condition(bool (*func)(unsigned int data),
-                               unsigned int data, unsigned int timeout)
-@@ -380,7 +394,7 @@ static int primary_thread_work(const struct microcode_patch *patch)
- static int cf_check microcode_nmi_callback(
-     const struct cpu_user_regs *regs, int cpu)
- {
--    unsigned int primary = cpumask_first(this_cpu(cpu_sibling_mask));
-+    bool primary_cpu = is_cpu_primary(cpu);
-     int ret;
- 
-     /* System-generated NMI, leave to main handler */
-@@ -393,10 +407,10 @@ static int cf_check microcode_nmi_callback(
-      * ucode_in_nmi.
-      */
-     if ( cpu == cpumask_first(&cpu_online_map) ||
--         (!ucode_in_nmi && cpu == primary) )
-+         (!ucode_in_nmi && primary_cpu) )
-         return 0;
- 
--    if ( cpu == primary )
-+    if ( primary_cpu )
-         ret = primary_thread_work(nmi_patch);
-     else
-         ret = secondary_nmi_work();
-@@ -547,7 +561,7 @@ static int cf_check do_microcode_update(void *patch)
-      */
-     if ( cpu == cpumask_first(&cpu_online_map) )
-         ret = control_thread_fn(patch);
--    else if ( cpu == cpumask_first(this_cpu(cpu_sibling_mask)) )
-+    else if ( is_cpu_primary(cpu) )
-         ret = primary_thread_fn(patch);
-     else
-         ret = secondary_thread_fn();
-@@ -640,7 +654,7 @@ static long cf_check microcode_update_helper(void *data)
-     /* Calculate the number of online CPU core */
-     nr_cores = 0;
-     for_each_online_cpu(cpu)
--        if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) )
-+        if ( is_cpu_primary(cpu) )
-             nr_cores++;
- 
-     printk(XENLOG_INFO "%u cores are to update their microcode\n", nr_cores);
--- 
-2.40.0
-

diff --git a/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch b/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
deleted file mode 100644
index fd397b0..0000000
--- a/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From f8f8f07880d3817fc7b0472420eca9fecaa55358 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 11:58:50 +0000
-Subject: [PATCH 60/89] x86/shadow: account for log-dirty mode when
- pre-allocating
-
-Pre-allocation is intended to ensure that in the course of constructing
-or updating shadows there won't be any risk of just made shadows or
-shadows being acted upon can disappear under our feet. The amount of
-pages pre-allocated then, however, needs to account for all possible
-subsequent allocations. While the use in sh_page_fault() accounts for
-all shadows which may need making, so far it didn't account for
-allocations coming from log-dirty tracking (which piggybacks onto the
-P2M allocation functions).
-
-Since shadow_prealloc() takes a count of shadows (or other data
-structures) rather than a count of pages, putting the adjustment at the
-call site of this function won't work very well: We simply can't express
-the correct count that way in all cases. Instead take care of this in
-the function itself, by "snooping" for L1 type requests. (While not
-applicable right now, future new request sites of L1 tables would then
-also be covered right away.)
-
-It is relevant to note here that pre-allocations like the one done from
-shadow_alloc_p2m_page() are benign when they fall in the "scope" of an
-earlier pre-alloc which already included that count: The inner call will
-simply find enough pages available then; it'll bail right away.
-
-This is CVE-2022-42332 / XSA-427.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-(cherry picked from commit 91767a71061035ae42be93de495cd976f863a41a)
----
- xen/arch/x86/include/asm/paging.h |  4 ++++
- xen/arch/x86/mm/paging.c          |  1 +
- xen/arch/x86/mm/shadow/common.c   | 12 +++++++++++-
- 3 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h
-index b2b243a4ff..635ccc83b1 100644
---- a/xen/arch/x86/include/asm/paging.h
-+++ b/xen/arch/x86/include/asm/paging.h
-@@ -190,6 +190,10 @@ bool paging_mfn_is_dirty(const struct domain *d, mfn_t gmfn);
- #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \
-                               (LOGDIRTY_NODE_ENTRIES-1))
- 
-+#define paging_logdirty_levels() \
-+    (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \
-+                  PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1)
-+
- #ifdef CONFIG_HVM
- /* VRAM dirty tracking support */
- struct sh_dirty_vram {
-diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
-index 8d579fa9a3..308d44bce7 100644
---- a/xen/arch/x86/mm/paging.c
-+++ b/xen/arch/x86/mm/paging.c
-@@ -282,6 +282,7 @@ void paging_mark_pfn_dirty(struct domain *d, pfn_t pfn)
-     if ( unlikely(!VALID_M2P(pfn_x(pfn))) )
-         return;
- 
-+    BUILD_BUG_ON(paging_logdirty_levels() != 4);
-     i1 = L1_LOGDIRTY_IDX(pfn);
-     i2 = L2_LOGDIRTY_IDX(pfn);
-     i3 = L3_LOGDIRTY_IDX(pfn);
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index a8404f97f6..cf5e181f74 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -1015,7 +1015,17 @@ bool shadow_prealloc(struct domain *d, unsigned int type, unsigned int count)
-     if ( unlikely(d->is_dying) )
-        return false;
- 
--    ret = _shadow_prealloc(d, shadow_size(type) * count);
-+    count *= shadow_size(type);
-+    /*
-+     * Log-dirty handling may result in allocations when populating its
-+     * tracking structures.  Tie this to the caller requesting space for L1
-+     * shadows.
-+     */
-+    if ( paging_mode_log_dirty(d) &&
-+         ((SHF_L1_ANY | SHF_FL1_ANY) & (1u << type)) )
-+        count += paging_logdirty_levels();
-+
-+    ret = _shadow_prealloc(d, count);
-     if ( !ret && (!d->is_shutting_down || d->shutdown_code != SHUTDOWN_crash) )
-         /*
-          * Failing to allocate memory required for shadow usage can only result in
--- 
-2.40.0
-

diff --git a/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch b/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
deleted file mode 100644
index b638eca..0000000
--- a/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From d0cb66d59a956ccba3dbe794f4ec01e4a4269ee9 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 12:01:01 +0000
-Subject: [PATCH 61/89] x86/HVM: bound number of pinned cache attribute regions
-
-This is exposed via DMOP, i.e. to potentially not fully privileged
-device models. With that we may not permit registration of an (almost)
-unbounded amount of such regions.
-
-This is CVE-2022-42333 / part of XSA-428.
-
-Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-(cherry picked from commit a5e768640f786b681063f4e08af45d0c4e91debf)
----
- xen/arch/x86/hvm/mtrr.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
-index 4d2aa6def8..714911dd7f 100644
---- a/xen/arch/x86/hvm/mtrr.c
-+++ b/xen/arch/x86/hvm/mtrr.c
-@@ -595,6 +595,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-                                  uint64_t gfn_end, uint32_t type)
- {
-     struct hvm_mem_pinned_cacheattr_range *range;
-+    unsigned int nr = 0;
-     int rc = 1;
- 
-     if ( !is_hvm_domain(d) )
-@@ -666,11 +667,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-             rc = -EBUSY;
-             break;
-         }
-+        ++nr;
-     }
-     rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-     if ( rc <= 0 )
-         return rc;
- 
-+    if ( nr >= 64 /* The limit is arbitrary. */ )
-+        return -ENOSPC;
-+
-     range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
-     if ( range == NULL )
-         return -ENOMEM;
--- 
-2.40.0
-

diff --git a/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch b/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
deleted file mode 100644
index a0f6efc..0000000
--- a/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From a2a915b3960e6ab060d8be2c36e6e697700ea87c Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 12:01:01 +0000
-Subject: [PATCH 62/89] x86/HVM: serialize pinned cache attribute list
- manipulation
-
-While the RCU variants of list insertion and removal allow lockless list
-traversal (with RCU just read-locked), insertions and removals still
-need serializing amongst themselves. To keep things simple, use the
-domain lock for this purpose.
-
-This is CVE-2022-42334 / part of XSA-428.
-
-Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
-(cherry picked from commit 829ec245cf66560e3b50d140ccb3168e7fb7c945)
----
- xen/arch/x86/hvm/mtrr.c | 51 +++++++++++++++++++++++++----------------
- 1 file changed, 31 insertions(+), 20 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
-index 714911dd7f..bd5cc42ef4 100644
---- a/xen/arch/x86/hvm/mtrr.c
-+++ b/xen/arch/x86/hvm/mtrr.c
-@@ -594,7 +594,7 @@ static void cf_check free_pinned_cacheattr_entry(struct rcu_head *rcu)
- int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-                                  uint64_t gfn_end, uint32_t type)
- {
--    struct hvm_mem_pinned_cacheattr_range *range;
-+    struct hvm_mem_pinned_cacheattr_range *range, *newr;
-     unsigned int nr = 0;
-     int rc = 1;
- 
-@@ -608,14 +608,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-     {
-     case XEN_DOMCTL_DELETE_MEM_CACHEATTR:
-         /* Remove the requested range. */
--        rcu_read_lock(&pinned_cacheattr_rcu_lock);
--        list_for_each_entry_rcu ( range,
--                                  &d->arch.hvm.pinned_cacheattr_ranges,
--                                  list )
-+        domain_lock(d);
-+        list_for_each_entry ( range,
-+                              &d->arch.hvm.pinned_cacheattr_ranges,
-+                              list )
-             if ( range->start == gfn_start && range->end == gfn_end )
-             {
--                rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-                 list_del_rcu(&range->list);
-+                domain_unlock(d);
-+
-                 type = range->type;
-                 call_rcu(&range->rcu, free_pinned_cacheattr_entry);
-                 p2m_memory_type_changed(d);
-@@ -636,7 +637,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-                 }
-                 return 0;
-             }
--        rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-+        domain_unlock(d);
-         return -ENOENT;
- 
-     case PAT_TYPE_UC_MINUS:
-@@ -651,7 +652,10 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-         return -EINVAL;
-     }
- 
--    rcu_read_lock(&pinned_cacheattr_rcu_lock);
-+    newr = xzalloc(struct hvm_mem_pinned_cacheattr_range);
-+
-+    domain_lock(d);
-+
-     list_for_each_entry_rcu ( range,
-                               &d->arch.hvm.pinned_cacheattr_ranges,
-                               list )
-@@ -669,27 +673,34 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
-         }
-         ++nr;
-     }
--    rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-+
-     if ( rc <= 0 )
--        return rc;
-+        /* nothing */;
-+    else if ( nr >= 64 /* The limit is arbitrary. */ )
-+        rc = -ENOSPC;
-+    else if ( !newr )
-+        rc = -ENOMEM;
-+    else
-+    {
-+        newr->start = gfn_start;
-+        newr->end = gfn_end;
-+        newr->type = type;
- 
--    if ( nr >= 64 /* The limit is arbitrary. */ )
--        return -ENOSPC;
-+        list_add_rcu(&newr->list, &d->arch.hvm.pinned_cacheattr_ranges);
- 
--    range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
--    if ( range == NULL )
--        return -ENOMEM;
-+        newr = NULL;
-+        rc = 0;
-+    }
-+
-+    domain_unlock(d);
- 
--    range->start = gfn_start;
--    range->end = gfn_end;
--    range->type = type;
-+    xfree(newr);
- 
--    list_add_rcu(&range->list, &d->arch.hvm.pinned_cacheattr_ranges);
-     p2m_memory_type_changed(d);
-     if ( type != PAT_TYPE_WRBACK )
-         flush_all(FLUSH_CACHE);
- 
--    return 0;
-+    return rc;
- }
- 
- static int cf_check hvm_save_mtrr_msr(struct vcpu *v, hvm_domain_context_t *h)
--- 
-2.40.0
-

diff --git a/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch b/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch
deleted file mode 100644
index fa97a41..0000000
--- a/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From a730e4d1190594102784222f76a984d10bbc88a9 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 10 Feb 2023 21:11:14 +0000
-Subject: [PATCH 63/89] x86/spec-ctrl: Defer CR4_PV32_RESTORE on the
- cstar_enter path
-
-As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, between
-the two hunks visible in the patch, RET's are not safe prior to this point.
-
-CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32
-compiled in, SMEP or SMAP active), and the RET can be attacked with one of
-several known speculative issues.
-
-Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask
-global variable, which is not safe when XPTI is active before restoring Xen's
-full pagetables.
-
-This crash has gone unnoticed because it is only AMD CPUs which permit the
-SYSCALL instruction in compatibility mode, and these are not vulnerable to
-Meltdown so don't activate XPTI by default.
-
-This is XSA-429 / CVE-2022-42331
-
-Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point")
-Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV guests")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit df5b055b12116d9e63ced59ae5389e69a2a3de48)
----
- xen/arch/x86/x86_64/entry.S | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index ae01285181..7675a59ff0 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -288,7 +288,6 @@ ENTRY(cstar_enter)
-         ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK
- #endif
-         push  %rax          /* Guest %rsp */
--        CR4_PV32_RESTORE
-         movq  8(%rsp), %rax /* Restore guest %rax. */
-         movq  $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain.  Compat handled lower. */
-         pushq %r11
-@@ -312,6 +311,8 @@ ENTRY(cstar_enter)
- .Lcstar_cr3_okay:
-         sti
- 
-+        CR4_PV32_RESTORE
-+
-         movq  STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx
- 
- #ifdef CONFIG_PV32
--- 
-2.40.0
-

diff --git a/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch b/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch
deleted file mode 100644
index cebb501..0000000
--- a/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From 83f12e4eafdc4b034501adf4847a09a1293fdf8b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Tue, 21 Mar 2023 13:40:41 +0100
-Subject: [PATCH 64/89] x86/vmx: implement VMExit based guest Bus Lock
- detection
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add support for enabling guest Bus Lock Detection on Intel systems.
-Such detection works by triggering a vmexit, which ought to be enough
-of a pause to prevent a guest from abusing of the Bus Lock.
-
-Add an extra Xen perf counter to track the number of Bus Locks detected.
-This is done because Bus Locks can also be reported by setting the bit
-26 in the exit reason field, so also account for those.
-
-Note EXIT_REASON_BUS_LOCK VMExits will always have bit 26 set in
-exit_reason, and hence the performance counter doesn't need to be
-increased for EXIT_REASON_BUS_LOCK handling.
-
-Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: f7d07619d2ae0382e2922e287fbfbb27722f3f0b
-master date: 2022-12-19 11:22:43 +0100
----
- xen/arch/x86/hvm/vmx/vmcs.c             |  4 +++-
- xen/arch/x86/hvm/vmx/vmx.c              | 15 +++++++++++++++
- xen/arch/x86/hvm/vmx/vvmx.c             |  3 ++-
- xen/arch/x86/include/asm/hvm/vmx/vmcs.h |  3 +++
- xen/arch/x86/include/asm/hvm/vmx/vmx.h  |  2 ++
- xen/arch/x86/include/asm/perfc_defn.h   |  4 +++-
- 6 files changed, 28 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
-index 84dbb88d33..a0d5e8d6ab 100644
---- a/xen/arch/x86/hvm/vmx/vmcs.c
-+++ b/xen/arch/x86/hvm/vmx/vmcs.c
-@@ -209,6 +209,7 @@ static void __init vmx_display_features(void)
-     P(cpu_has_vmx_virt_exceptions, "Virtualisation Exceptions");
-     P(cpu_has_vmx_pml, "Page Modification Logging");
-     P(cpu_has_vmx_tsc_scaling, "TSC Scaling");
-+    P(cpu_has_vmx_bus_lock_detection, "Bus Lock Detection");
- #undef P
- 
-     if ( !printed )
-@@ -318,7 +319,8 @@ static int vmx_init_vmcs_config(bool bsp)
-                SECONDARY_EXEC_ENABLE_VM_FUNCTIONS |
-                SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS |
-                SECONDARY_EXEC_XSAVES |
--               SECONDARY_EXEC_TSC_SCALING);
-+               SECONDARY_EXEC_TSC_SCALING |
-+               SECONDARY_EXEC_BUS_LOCK_DETECTION);
-         if ( _vmx_misc_cap & VMX_MISC_VMWRITE_ALL )
-             opt |= SECONDARY_EXEC_ENABLE_VMCS_SHADOWING;
-         if ( opt_vpid_enabled )
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index 861f91f2af..d0f0f2e429 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4084,6 +4084,12 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-             return;
-     }
- 
-+    if ( unlikely(exit_reason & VMX_EXIT_REASONS_BUS_LOCK) )
-+    {
-+        perfc_incr(buslock);
-+        exit_reason &= ~VMX_EXIT_REASONS_BUS_LOCK;
-+    }
-+
-     /* XXX: This looks ugly, but we need a mechanism to ensure
-      * any pending vmresume has really happened
-      */
-@@ -4593,6 +4599,15 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-         vmx_handle_descriptor_access(exit_reason);
-         break;
- 
-+    case EXIT_REASON_BUS_LOCK:
-+        /*
-+         * Nothing to do: just taking a vmexit should be enough of a pause to
-+         * prevent a VM from crippling the host with bus locks.  Note
-+         * EXIT_REASON_BUS_LOCK will always have bit 26 set in exit_reason, and
-+         * hence the perf counter is already increased.
-+         */
-+        break;
-+
-     case EXIT_REASON_VMX_PREEMPTION_TIMER_EXPIRED:
-     case EXIT_REASON_INVPCID:
-     /* fall through */
-diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
-index 5f54451475..2095c1e612 100644
---- a/xen/arch/x86/hvm/vmx/vvmx.c
-+++ b/xen/arch/x86/hvm/vmx/vvmx.c
-@@ -2405,7 +2405,7 @@ void nvmx_idtv_handling(void)
-      * be reinjected, otherwise, pass to L1.
-      */
-     __vmread(VM_EXIT_REASON, &reason);
--    if ( reason != EXIT_REASON_EPT_VIOLATION ?
-+    if ( (uint16_t)reason != EXIT_REASON_EPT_VIOLATION ?
-          !(nvmx->intr.intr_info & INTR_INFO_VALID_MASK) :
-          !nvcpu->nv_vmexit_pending )
-     {
-@@ -2486,6 +2486,7 @@ int nvmx_n2_vmexit_handler(struct cpu_user_regs *regs,
-     case EXIT_REASON_EPT_VIOLATION:
-     case EXIT_REASON_EPT_MISCONFIG:
-     case EXIT_REASON_EXTERNAL_INTERRUPT:
-+    case EXIT_REASON_BUS_LOCK:
-         /* pass to L0 handler */
-         break;
-     case VMX_EXIT_REASONS_FAILED_VMENTRY:
-diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-index 75f9928abf..f3df5113d4 100644
---- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-+++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-@@ -267,6 +267,7 @@ extern u32 vmx_vmentry_control;
- #define SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS   0x00040000
- #define SECONDARY_EXEC_XSAVES                   0x00100000
- #define SECONDARY_EXEC_TSC_SCALING              0x02000000
-+#define SECONDARY_EXEC_BUS_LOCK_DETECTION       0x40000000
- extern u32 vmx_secondary_exec_control;
- 
- #define VMX_EPT_EXEC_ONLY_SUPPORTED                         0x00000001
-@@ -346,6 +347,8 @@ extern u64 vmx_ept_vpid_cap;
-     (vmx_secondary_exec_control & SECONDARY_EXEC_XSAVES)
- #define cpu_has_vmx_tsc_scaling \
-     (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING)
-+#define cpu_has_vmx_bus_lock_detection \
-+    (vmx_secondary_exec_control & SECONDARY_EXEC_BUS_LOCK_DETECTION)
- 
- #define VMCS_RID_TYPE_MASK              0x80000000
- 
-diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-index 8eedf59155..03995701a1 100644
---- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-+++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-@@ -159,6 +159,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
-  * Exit Reasons
-  */
- #define VMX_EXIT_REASONS_FAILED_VMENTRY 0x80000000
-+#define VMX_EXIT_REASONS_BUS_LOCK       (1u << 26)
- 
- #define EXIT_REASON_EXCEPTION_NMI       0
- #define EXIT_REASON_EXTERNAL_INTERRUPT  1
-@@ -219,6 +220,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
- #define EXIT_REASON_PML_FULL            62
- #define EXIT_REASON_XSAVES              63
- #define EXIT_REASON_XRSTORS             64
-+#define EXIT_REASON_BUS_LOCK            74
- /* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */
- 
- /*
-diff --git a/xen/arch/x86/include/asm/perfc_defn.h b/xen/arch/x86/include/asm/perfc_defn.h
-index 509afc516b..6fce21e85a 100644
---- a/xen/arch/x86/include/asm/perfc_defn.h
-+++ b/xen/arch/x86/include/asm/perfc_defn.h
-@@ -6,7 +6,7 @@ PERFCOUNTER_ARRAY(exceptions,           "exceptions", 32)
- 
- #ifdef CONFIG_HVM
- 
--#define VMX_PERF_EXIT_REASON_SIZE 65
-+#define VMX_PERF_EXIT_REASON_SIZE 75
- #define VMEXIT_NPF_PERFC 143
- #define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1)
- PERFCOUNTER_ARRAY(vmexits,              "vmexits",
-@@ -128,4 +128,6 @@ PERFCOUNTER(pauseloop_exits, "vmexits from Pause-Loop Detection")
- PERFCOUNTER(iommu_pt_shatters,    "IOMMU page table shatters")
- PERFCOUNTER(iommu_pt_coalesces,   "IOMMU page table coalesces")
- 
-+PERFCOUNTER(buslock, "Bus Locks Detected")
-+
- /*#endif*/ /* __XEN_PERFC_DEFN_H__ */
--- 
-2.40.0
-

diff --git a/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch b/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch
deleted file mode 100644
index 847ee99..0000000
--- a/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 27abea1ba6fa68f81b98de31cf9b9ebb594ff238 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Tue, 21 Mar 2023 13:41:49 +0100
-Subject: [PATCH 65/89] x86/vmx: introduce helper to set VMX_INTR_SHADOW_NMI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Introduce a small helper to OR VMX_INTR_SHADOW_NMI in
-GUEST_INTERRUPTIBILITY_INFO in order to help dealing with the NMI
-unblocked by IRET case.  Replace the existing usage in handling
-EXIT_REASON_EXCEPTION_NMI and also add such handling to EPT violations
-and page-modification log-full events.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: d329b37d12132164c3894d0b6284be72576ef950
-master date: 2022-12-19 11:23:34 +0100
----
- xen/arch/x86/hvm/vmx/vmx.c             | 28 +++++++++++++++++++-------
- xen/arch/x86/include/asm/hvm/vmx/vmx.h |  3 +++
- 2 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index d0f0f2e429..456726e897 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -3967,6 +3967,15 @@ static int vmx_handle_apic_write(void)
-     return vlapic_apicv_write(current, exit_qualification & 0xfff);
- }
- 
-+static void undo_nmis_unblocked_by_iret(void)
-+{
-+    unsigned long guest_info;
-+
-+    __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info);
-+    __vmwrite(GUEST_INTERRUPTIBILITY_INFO,
-+              guest_info | VMX_INTR_SHADOW_NMI);
-+}
-+
- void vmx_vmexit_handler(struct cpu_user_regs *regs)
- {
-     unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
-@@ -4167,13 +4176,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-         if ( unlikely(intr_info & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
-              !(idtv_info & INTR_INFO_VALID_MASK) &&
-              (vector != TRAP_double_fault) )
--        {
--            unsigned long guest_info;
--
--            __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info);
--            __vmwrite(GUEST_INTERRUPTIBILITY_INFO,
--                      guest_info | VMX_INTR_SHADOW_NMI);
--        }
-+            undo_nmis_unblocked_by_iret();
- 
-         perfc_incra(cause_vector, vector);
- 
-@@ -4539,6 +4542,11 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
- 
-         __vmread(GUEST_PHYSICAL_ADDRESS, &gpa);
-         __vmread(EXIT_QUALIFICATION, &exit_qualification);
-+
-+        if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
-+             !(idtv_info & INTR_INFO_VALID_MASK) )
-+            undo_nmis_unblocked_by_iret();
-+
-         ept_handle_violation(exit_qualification, gpa);
-         break;
-     }
-@@ -4583,6 +4591,12 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-         break;
- 
-     case EXIT_REASON_PML_FULL:
-+        __vmread(EXIT_QUALIFICATION, &exit_qualification);
-+
-+        if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
-+             !(idtv_info & INTR_INFO_VALID_MASK) )
-+            undo_nmis_unblocked_by_iret();
-+
-         vmx_vcpu_flush_pml_buffer(v);
-         break;
- 
-diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-index 03995701a1..eae39365aa 100644
---- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-+++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-@@ -225,6 +225,9 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
- 
- /*
-  * Interruption-information format
-+ *
-+ * Note INTR_INFO_NMI_UNBLOCKED_BY_IRET is also used with Exit Qualification
-+ * field for EPT violations, PML full and SPP-related event vmexits.
-  */
- #define INTR_INFO_VECTOR_MASK           0xff            /* 7:0 */
- #define INTR_INFO_INTR_TYPE_MASK        0x700           /* 10:8 */
--- 
-2.40.0
-

diff --git a/0066-x86-vmx-implement-Notify-VM-Exit.patch b/0066-x86-vmx-implement-Notify-VM-Exit.patch
deleted file mode 100644
index bc54d18..0000000
--- a/0066-x86-vmx-implement-Notify-VM-Exit.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-From b745ff30113d2bd91e2d34cf56437b2fe2e2ea35 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Tue, 21 Mar 2023 13:42:43 +0100
-Subject: [PATCH 66/89] x86/vmx: implement Notify VM Exit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Under certain conditions guests can get the CPU stuck in an unbounded
-loop without the possibility of an interrupt window to occur on
-instruction boundary.  This was the case with the scenarios described
-in XSA-156.
-
-Make use of the Notify VM Exit mechanism, that will trigger a VM Exit
-if no interrupt window occurs for a specified amount of time.  Note
-that using the Notify VM Exit avoids having to trap #AC and #DB
-exceptions, as Xen is guaranteed to get a VM Exit even if the guest
-puts the CPU in a loop without an interrupt window, as such disable
-the intercepts if the feature is available and enabled.
-
-Setting the notify VM exit window to 0 is safe because there's a
-threshold added by the hardware in order to have a sane window value.
-
-Note the handling of EXIT_REASON_NOTIFY in the nested virtualization
-case is passed to L0, and hence a nested guest being able to trigger a
-notify VM exit with an invalid context would be able to crash the L1
-hypervisor (by L0 destroying the domain).  Since we don't expose VM
-Notify support to L1 it should already enable the required
-protections in order to prevent VM Notify from triggering in the first
-place.
-
-Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-
-x86/vmx: Partially revert "x86/vmx: implement Notify VM Exit"
-
-The original patch tried to do two things - implement VMNotify, and
-re-optimise VT-x to not intercept #DB/#AC by default.
-
-The second part is buggy in multiple ways.  Both GDBSX and Introspection need
-to conditionally intercept #DB, which was not accounted for.  Also, #DB
-interception has nothing at all to do with cpu_has_monitor_trap_flag.
-
-Revert the second half, leaving #DB/#AC intercepted unilaterally, but with
-VMNotify active by default when available.
-
-Fixes: 573279cde1c4 ("x86/vmx: implement Notify VM Exit")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: 573279cde1c4e752d4df34bc65ffafa17573148e
-master date: 2022-12-19 11:24:14 +0100
-master commit: 5f08bc9404c7cfa8131e262c7dbcb4d96c752686
-master date: 2023-01-20 19:39:32 +0000
----
- docs/misc/xen-command-line.pandoc       | 11 +++++++++++
- xen/arch/x86/hvm/vmx/vmcs.c             | 10 ++++++++++
- xen/arch/x86/hvm/vmx/vmx.c              | 16 ++++++++++++++++
- xen/arch/x86/hvm/vmx/vvmx.c             |  1 +
- xen/arch/x86/include/asm/hvm/vmx/vmcs.h |  4 ++++
- xen/arch/x86/include/asm/hvm/vmx/vmx.h  |  6 ++++++
- xen/arch/x86/include/asm/perfc_defn.h   |  3 ++-
- 7 files changed, 50 insertions(+), 1 deletion(-)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 5be5ce10c6..d601120faa 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -2634,6 +2634,17 @@ guest will notify Xen that it has failed to acquire a spinlock.
- <major>, <minor> and <build> must be integers. The values will be
- encoded in guest CPUID 0x40000002 if viridian enlightenments are enabled.
- 
-+### vm-notify-window (Intel)
-+> `= <integer>`
-+
-+> Default: `0`
-+
-+Specify the value of the VM Notify window used to detect locked VMs. Set to -1
-+to disable the feature.  Value is in units of crystal clock cycles.
-+
-+Note the hardware might add a threshold to the provided value in order to make
-+it safe, and hence using 0 is fine.
-+
- ### vpid (Intel)
- > `= <boolean>`
- 
-diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
-index a0d5e8d6ab..7912053bda 100644
---- a/xen/arch/x86/hvm/vmx/vmcs.c
-+++ b/xen/arch/x86/hvm/vmx/vmcs.c
-@@ -67,6 +67,9 @@ integer_param("ple_gap", ple_gap);
- static unsigned int __read_mostly ple_window = 4096;
- integer_param("ple_window", ple_window);
- 
-+static unsigned int __ro_after_init vm_notify_window;
-+integer_param("vm-notify-window", vm_notify_window);
-+
- static bool __read_mostly opt_ept_pml = true;
- static s8 __read_mostly opt_ept_ad = -1;
- int8_t __read_mostly opt_ept_exec_sp = -1;
-@@ -210,6 +213,7 @@ static void __init vmx_display_features(void)
-     P(cpu_has_vmx_pml, "Page Modification Logging");
-     P(cpu_has_vmx_tsc_scaling, "TSC Scaling");
-     P(cpu_has_vmx_bus_lock_detection, "Bus Lock Detection");
-+    P(cpu_has_vmx_notify_vm_exiting, "Notify VM Exit");
- #undef P
- 
-     if ( !printed )
-@@ -329,6 +333,8 @@ static int vmx_init_vmcs_config(bool bsp)
-             opt |= SECONDARY_EXEC_UNRESTRICTED_GUEST;
-         if ( opt_ept_pml )
-             opt |= SECONDARY_EXEC_ENABLE_PML;
-+        if ( vm_notify_window != ~0u )
-+            opt |= SECONDARY_EXEC_NOTIFY_VM_EXITING;
- 
-         /*
-          * "APIC Register Virtualization" and "Virtual Interrupt Delivery"
-@@ -1290,6 +1296,10 @@ static int construct_vmcs(struct vcpu *v)
-     v->arch.hvm.vmx.exception_bitmap = HVM_TRAP_MASK
-               | (paging_mode_hap(d) ? 0 : (1U << TRAP_page_fault))
-               | (v->arch.fully_eager_fpu ? 0 : (1U << TRAP_no_device));
-+
-+    if ( cpu_has_vmx_notify_vm_exiting )
-+        __vmwrite(NOTIFY_WINDOW, vm_notify_window);
-+
-     vmx_update_exception_bitmap(v);
- 
-     v->arch.hvm.guest_cr[0] = X86_CR0_PE | X86_CR0_ET;
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index 456726e897..f0e759eeaf 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4622,6 +4622,22 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-          */
-         break;
- 
-+    case EXIT_REASON_NOTIFY:
-+        __vmread(EXIT_QUALIFICATION, &exit_qualification);
-+
-+        if ( unlikely(exit_qualification & NOTIFY_VM_CONTEXT_INVALID) )
-+        {
-+            perfc_incr(vmnotify_crash);
-+            gprintk(XENLOG_ERR, "invalid VM context after notify vmexit\n");
-+            domain_crash(v->domain);
-+            break;
-+        }
-+
-+        if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) )
-+            undo_nmis_unblocked_by_iret();
-+
-+        break;
-+
-     case EXIT_REASON_VMX_PREEMPTION_TIMER_EXPIRED:
-     case EXIT_REASON_INVPCID:
-     /* fall through */
-diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
-index 2095c1e612..f8fe8d0c14 100644
---- a/xen/arch/x86/hvm/vmx/vvmx.c
-+++ b/xen/arch/x86/hvm/vmx/vvmx.c
-@@ -2487,6 +2487,7 @@ int nvmx_n2_vmexit_handler(struct cpu_user_regs *regs,
-     case EXIT_REASON_EPT_MISCONFIG:
-     case EXIT_REASON_EXTERNAL_INTERRUPT:
-     case EXIT_REASON_BUS_LOCK:
-+    case EXIT_REASON_NOTIFY:
-         /* pass to L0 handler */
-         break;
-     case VMX_EXIT_REASONS_FAILED_VMENTRY:
-diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-index f3df5113d4..78404e42b3 100644
---- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-+++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
-@@ -268,6 +268,7 @@ extern u32 vmx_vmentry_control;
- #define SECONDARY_EXEC_XSAVES                   0x00100000
- #define SECONDARY_EXEC_TSC_SCALING              0x02000000
- #define SECONDARY_EXEC_BUS_LOCK_DETECTION       0x40000000
-+#define SECONDARY_EXEC_NOTIFY_VM_EXITING        0x80000000
- extern u32 vmx_secondary_exec_control;
- 
- #define VMX_EPT_EXEC_ONLY_SUPPORTED                         0x00000001
-@@ -349,6 +350,8 @@ extern u64 vmx_ept_vpid_cap;
-     (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING)
- #define cpu_has_vmx_bus_lock_detection \
-     (vmx_secondary_exec_control & SECONDARY_EXEC_BUS_LOCK_DETECTION)
-+#define cpu_has_vmx_notify_vm_exiting \
-+    (vmx_secondary_exec_control & SECONDARY_EXEC_NOTIFY_VM_EXITING)
- 
- #define VMCS_RID_TYPE_MASK              0x80000000
- 
-@@ -456,6 +459,7 @@ enum vmcs_field {
-     SECONDARY_VM_EXEC_CONTROL       = 0x0000401e,
-     PLE_GAP                         = 0x00004020,
-     PLE_WINDOW                      = 0x00004022,
-+    NOTIFY_WINDOW                   = 0x00004024,
-     VM_INSTRUCTION_ERROR            = 0x00004400,
-     VM_EXIT_REASON                  = 0x00004402,
-     VM_EXIT_INTR_INFO               = 0x00004404,
-diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-index eae39365aa..8e1e42ac47 100644
---- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-+++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
-@@ -221,6 +221,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
- #define EXIT_REASON_XSAVES              63
- #define EXIT_REASON_XRSTORS             64
- #define EXIT_REASON_BUS_LOCK            74
-+#define EXIT_REASON_NOTIFY              75
- /* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */
- 
- /*
-@@ -236,6 +237,11 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
- #define INTR_INFO_VALID_MASK            0x80000000      /* 31 */
- #define INTR_INFO_RESVD_BITS_MASK       0x7ffff000
- 
-+/*
-+ * Exit Qualifications for NOTIFY VM EXIT
-+ */
-+#define NOTIFY_VM_CONTEXT_INVALID       1u
-+
- /*
-  * Exit Qualifications for MOV for Control Register Access
-  */
-diff --git a/xen/arch/x86/include/asm/perfc_defn.h b/xen/arch/x86/include/asm/perfc_defn.h
-index 6fce21e85a..487e20dc97 100644
---- a/xen/arch/x86/include/asm/perfc_defn.h
-+++ b/xen/arch/x86/include/asm/perfc_defn.h
-@@ -6,7 +6,7 @@ PERFCOUNTER_ARRAY(exceptions,           "exceptions", 32)
- 
- #ifdef CONFIG_HVM
- 
--#define VMX_PERF_EXIT_REASON_SIZE 75
-+#define VMX_PERF_EXIT_REASON_SIZE 76
- #define VMEXIT_NPF_PERFC 143
- #define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1)
- PERFCOUNTER_ARRAY(vmexits,              "vmexits",
-@@ -129,5 +129,6 @@ PERFCOUNTER(iommu_pt_shatters,    "IOMMU page table shatters")
- PERFCOUNTER(iommu_pt_coalesces,   "IOMMU page table coalesces")
- 
- PERFCOUNTER(buslock, "Bus Locks Detected")
-+PERFCOUNTER(vmnotify_crash, "domain crashes by Notify VM Exit")
- 
- /*#endif*/ /* __XEN_PERFC_DEFN_H__ */
--- 
-2.40.0
-

diff --git a/0067-tools-python-change-s-size-type-for-Python-3.10.patch b/0067-tools-python-change-s-size-type-for-Python-3.10.patch
deleted file mode 100644
index 0671c67..0000000
--- a/0067-tools-python-change-s-size-type-for-Python-3.10.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 651ffe2c7847cb9922d22980984a3bea6f47bea7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
- <marmarek@invisiblethingslab.com>
-Date: Tue, 21 Mar 2023 13:43:44 +0100
-Subject: [PATCH 67/89] tools/python: change 's#' size type for Python >= 3.10
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Python < 3.10 by default uses 'int' type for data+size string types
-(s#), unless PY_SSIZE_T_CLEAN is defined - in which case it uses
-Py_ssize_t. The former behavior was removed in Python 3.10 and now it's
-required to define PY_SSIZE_T_CLEAN before including Python.h, and using
-Py_ssize_t for the length argument. The PY_SSIZE_T_CLEAN behavior is
-supported since Python 2.5.
-
-Adjust bindings accordingly.
-
-Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
-Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
-master commit: 897257ba49d0a6ddcf084960fd792ccce9c40f94
-master date: 2023-02-06 08:50:13 +0100
----
- tools/python/xen/lowlevel/xc/xc.c | 3 ++-
- tools/python/xen/lowlevel/xs/xs.c | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
-index fd00861032..cfb2734a99 100644
---- a/tools/python/xen/lowlevel/xc/xc.c
-+++ b/tools/python/xen/lowlevel/xc/xc.c
-@@ -4,6 +4,7 @@
-  * Copyright (c) 2003-2004, K A Fraser (University of Cambridge)
-  */
- 
-+#define PY_SSIZE_T_CLEAN
- #include <Python.h>
- #define XC_WANT_COMPAT_MAP_FOREIGN_API
- #include <xenctrl.h>
-@@ -1774,7 +1775,7 @@ static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
- {
-     xc_interface *xc_handle;
-     char *policy;
--    uint32_t len;
-+    Py_ssize_t len;
-     int ret;
- 
-     static char *kwd_list[] = { "policy", NULL };
-diff --git a/tools/python/xen/lowlevel/xs/xs.c b/tools/python/xen/lowlevel/xs/xs.c
-index 0dad7fa5f2..3ba5a8b893 100644
---- a/tools/python/xen/lowlevel/xs/xs.c
-+++ b/tools/python/xen/lowlevel/xs/xs.c
-@@ -18,6 +18,7 @@
-  * Copyright (C) 2005 XenSource Ltd.
-  */
- 
-+#define PY_SSIZE_T_CLEAN
- #include <Python.h>
- 
- #include <stdbool.h>
-@@ -141,7 +142,7 @@ static PyObject *xspy_write(XsHandle *self, PyObject *args)
-     char *thstr;
-     char *path;
-     char *data;
--    int data_n;
-+    Py_ssize_t data_n;
-     bool result;
- 
-     if (!xh)
--- 
-2.40.0
-

diff --git a/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch b/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch
deleted file mode 100644
index a47812b..0000000
--- a/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 244d39fb13abae6c2da341b76363f169d8bbc93b Mon Sep 17 00:00:00 2001
-From: Bernhard Kaindl <bernhard.kaindl@citrix.com>
-Date: Tue, 21 Mar 2023 13:44:04 +0100
-Subject: [PATCH 68/89] tools/xenmon: Fix xenmon.py for with python3.x
-
-Fixes for Py3:
-* class Delayed(): file not defined; also an error for pylint -E.  Inherit
-  object instead for Py2 compatibility.  Fix DomainInfo() too.
-* Inconsistent use of tabs and spaces for indentation (in one block)
-
-Signed-off-by: Bernhard Kaindl <bernhard.kaindl@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: 3a59443c1d5ae0677a792c660ccd3796ce036732
-master date: 2023-02-06 10:22:12 +0000
----
- tools/xenmon/xenmon.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tools/xenmon/xenmon.py b/tools/xenmon/xenmon.py
-index 175eacd2cb..977ada6887 100644
---- a/tools/xenmon/xenmon.py
-+++ b/tools/xenmon/xenmon.py
-@@ -117,7 +117,7 @@ def setup_cmdline_parser():
-     return parser
- 
- # encapsulate information about a domain
--class DomainInfo:
-+class DomainInfo(object):
-     def __init__(self):
-         self.allocated_sum = 0
-         self.gotten_sum = 0
-@@ -533,7 +533,7 @@ def show_livestats(cpu):
- # simple functions to allow initialization of log files without actually
- # physically creating files that are never used; only on the first real
- # write does the file get created
--class Delayed(file):
-+class Delayed(object):
-     def __init__(self, filename, mode):
-         self.filename = filename
-         self.saved_mode = mode
-@@ -677,8 +677,8 @@ def main():
- 
-     if os.uname()[0] == "SunOS":
-         xenbaked_cmd = "/usr/lib/xenbaked"
--	stop_cmd = "/usr/bin/pkill -INT -z global xenbaked"
--	kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked"
-+        stop_cmd = "/usr/bin/pkill -INT -z global xenbaked"
-+        kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked"
-     else:
-         # assumes that xenbaked is in your path
-         xenbaked_cmd = "xenbaked"
--- 
-2.40.0
-

diff --git a/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch b/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch
deleted file mode 100644
index 734a2e5..0000000
--- a/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From b4dad09bb23c439f2e67ed2eb6d7bdd640b8bbae Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 21 Mar 2023 13:44:27 +0100
-Subject: [PATCH 69/89] x86/spec-ctrl: Add BHI controls to userspace components
-
-This was an oversight when adding the Xen parts.
-
-Fixes: cea9ae062295 ("x86/spec-ctrl: Enumeration for new Intel BHI controls")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 9276e832aef60437da13d91e66fc259fd94d6f91
-master date: 2023-03-13 11:26:26 +0000
----
- tools/libs/light/libxl_cpuid.c | 3 +++
- tools/misc/xen-cpuid.c         | 6 +++---
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
-index d97a2f3338..55cfbc8f23 100644
---- a/tools/libs/light/libxl_cpuid.c
-+++ b/tools/libs/light/libxl_cpuid.c
-@@ -238,6 +238,9 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
-         {"cet-sss",      0x00000007,  1, CPUID_REG_EDX, 18,  1},
- 
-         {"intel-psfd",   0x00000007,  2, CPUID_REG_EDX,  0,  1},
-+        {"ipred-ctrl",   0x00000007,  2, CPUID_REG_EDX,  1,  1},
-+        {"rrsba-ctrl",   0x00000007,  2, CPUID_REG_EDX,  2,  1},
-+        {"bhi-ctrl",     0x00000007,  2, CPUID_REG_EDX,  4,  1},
-         {"mcdt-no",      0x00000007,  2, CPUID_REG_EDX,  5,  1},
- 
-         {"lahfsahf",     0x80000001, NA, CPUID_REG_ECX,  0,  1},
-diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
-index 0248eaef44..45e443f5d9 100644
---- a/tools/misc/xen-cpuid.c
-+++ b/tools/misc/xen-cpuid.c
-@@ -213,9 +213,9 @@ static const char *const str_7d1[32] =
- 
- static const char *const str_7d2[32] =
- {
--    [ 0] = "intel-psfd",
--
--    /* 4 */                 [ 5] = "mcdt-no",
-+    [ 0] = "intel-psfd",    [ 1] = "ipred-ctrl",
-+    [ 2] = "rrsba-ctrl",
-+    [ 4] = "bhi-ctrl",      [ 5] = "mcdt-no",
- };
- 
- static const struct {
--- 
-2.40.0
-

diff --git a/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch b/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch
deleted file mode 100644
index 0b2c2b4..0000000
--- a/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From b5409f4e4d0722e8669123d59f15f784903d153f Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 13:44:53 +0100
-Subject: [PATCH 70/89] core-parking: fix build with gcc12 and NR_CPUS=1
-
-Gcc12 takes issue with core_parking_remove()'s
-
-    for ( ; i < cur_idle_nums; ++i )
-        core_parking_cpunum[i] = core_parking_cpunum[i + 1];
-
-complaining that the right hand side array access is past the bounds of
-1. Clearly the compiler can't know that cur_idle_nums can only ever be
-zero in this case (as the sole CPU cannot be parked).
-
-Arrange for core_parking.c's contents to not be needed altogether, and
-then disable its building when NR_CPUS == 1.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: 4b0422f70feb4b1cd04598ffde805fc224f3812e
-master date: 2023-03-13 15:15:42 +0100
----
- xen/arch/x86/Kconfig              |  2 +-
- xen/arch/x86/platform_hypercall.c | 11 ++++++++---
- xen/arch/x86/sysctl.c             |  3 +++
- xen/common/Kconfig                |  1 +
- 4 files changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
-index 6a7825f4ba..2a5c3304e2 100644
---- a/xen/arch/x86/Kconfig
-+++ b/xen/arch/x86/Kconfig
-@@ -10,7 +10,7 @@ config X86
- 	select ALTERNATIVE_CALL
- 	select ARCH_MAP_DOMAIN_PAGE
- 	select ARCH_SUPPORTS_INT128
--	select CORE_PARKING
-+	imply CORE_PARKING
- 	select HAS_ALTERNATIVE
- 	select HAS_COMPAT
- 	select HAS_CPUFREQ
-diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
-index a7341dc3d7..e7deee2268 100644
---- a/xen/arch/x86/platform_hypercall.c
-+++ b/xen/arch/x86/platform_hypercall.c
-@@ -727,12 +727,17 @@ ret_t do_platform_op(
-         case XEN_CORE_PARKING_SET:
-             idle_nums = min_t(uint32_t,
-                     op->u.core_parking.idle_nums, num_present_cpus() - 1);
--            ret = continue_hypercall_on_cpu(
--                    0, core_parking_helper, (void *)(unsigned long)idle_nums);
-+            if ( CONFIG_NR_CPUS > 1 )
-+                ret = continue_hypercall_on_cpu(
-+                        0, core_parking_helper,
-+                        (void *)(unsigned long)idle_nums);
-+            else if ( idle_nums )
-+                ret = -EINVAL;
-             break;
- 
-         case XEN_CORE_PARKING_GET:
--            op->u.core_parking.idle_nums = get_cur_idle_nums();
-+            op->u.core_parking.idle_nums = CONFIG_NR_CPUS > 1
-+                                           ? get_cur_idle_nums() : 0;
-             ret = __copy_field_to_guest(u_xenpf_op, op, u.core_parking) ?
-                   -EFAULT : 0;
-             break;
-diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c
-index f82abc2488..f8f8d79755 100644
---- a/xen/arch/x86/sysctl.c
-+++ b/xen/arch/x86/sysctl.c
-@@ -179,6 +179,9 @@ long arch_do_sysctl(
-                 ret = -EBUSY;
-                 break;
-             }
-+            if ( CONFIG_NR_CPUS <= 1 )
-+                /* Mimic behavior of smt_up_down_helper(). */
-+                return 0;
-             plug = op == XEN_SYSCTL_CPU_HOTPLUG_SMT_ENABLE;
-             fn = smt_up_down_helper;
-             hcpu = _p(plug);
-diff --git a/xen/common/Kconfig b/xen/common/Kconfig
-index f1ea3199c8..855c843113 100644
---- a/xen/common/Kconfig
-+++ b/xen/common/Kconfig
-@@ -10,6 +10,7 @@ config COMPAT
- 
- config CORE_PARKING
- 	bool
-+	depends on NR_CPUS > 1
- 
- config GRANT_TABLE
- 	bool "Grant table support" if EXPERT
--- 
-2.40.0
-

diff --git a/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch b/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch
deleted file mode 100644
index b33bd11..0000000
--- a/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From d84612ecab00ab31c09a7c5a5892906edbacaf5b Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 13:45:47 +0100
-Subject: [PATCH 71/89] x86/altp2m: help gcc13 to avoid it emitting a warning
-
-Switches of altp2m-s always expect a valid altp2m to be in place (and
-indeed altp2m_vcpu_initialise() sets the active one to be at index 0).
-The compiler, however, cannot know that, and hence it cannot eliminate
-p2m_get_altp2m()'s case of returnin (literal) NULL. If then the compiler
-decides to special case that code path in the caller, the dereference in
-instances of
-
-    atomic_dec(&p2m_get_altp2m(v)->active_vcpus);
-
-can, to the code generator, appear to be NULL dereferences, leading to
-
-In function 'atomic_dec',
-    inlined from '...' at ...:
-./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=]
-
-Aid the compiler by adding a BUG_ON() checking the return value of the
-problematic p2m_get_altp2m(). Since with the use of the local variable
-the 2nd p2m_get_altp2m() each will look questionable at the first glance
-(Why is the local variable not used here?), open-code the only relevant
-piece of p2m_get_altp2m() there.
-
-To avoid repeatedly doing these transformations, and also to limit how
-"bad" the open-coding really is, convert the entire operation to an
-inline helper, used by all three instances (and accepting the redundant
-BUG_ON(idx >= MAX_ALTP2M) in two of the three cases).
-
-Reported-by: Charles Arnold <carnold@suse.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: be62b1fc2aa7375d553603fca07299da765a89fe
-master date: 2023-03-13 15:16:21 +0100
----
- xen/arch/x86/hvm/vmx/vmx.c     |  8 +-------
- xen/arch/x86/include/asm/p2m.h | 20 ++++++++++++++++++++
- xen/arch/x86/mm/p2m.c          | 14 ++------------
- 3 files changed, 23 insertions(+), 19 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index f0e759eeaf..a8fb4365ad 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4072,13 +4072,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-             }
-         }
- 
--        if ( idx != vcpu_altp2m(v).p2midx )
--        {
--            BUG_ON(idx >= MAX_ALTP2M);
--            atomic_dec(&p2m_get_altp2m(v)->active_vcpus);
--            vcpu_altp2m(v).p2midx = idx;
--            atomic_inc(&p2m_get_altp2m(v)->active_vcpus);
--        }
-+        p2m_set_altp2m(v, idx);
-     }
- 
-     if ( unlikely(currd->arch.monitor.vmexit_enabled) )
-diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h
-index bd684d02f3..cd43d8621a 100644
---- a/xen/arch/x86/include/asm/p2m.h
-+++ b/xen/arch/x86/include/asm/p2m.h
-@@ -879,6 +879,26 @@ static inline struct p2m_domain *p2m_get_altp2m(struct vcpu *v)
-     return v->domain->arch.altp2m_p2m[index];
- }
- 
-+/* set current alternate p2m table */
-+static inline bool p2m_set_altp2m(struct vcpu *v, unsigned int idx)
-+{
-+    struct p2m_domain *orig;
-+
-+    BUG_ON(idx >= MAX_ALTP2M);
-+
-+    if ( idx == vcpu_altp2m(v).p2midx )
-+        return false;
-+
-+    orig = p2m_get_altp2m(v);
-+    BUG_ON(!orig);
-+    atomic_dec(&orig->active_vcpus);
-+
-+    vcpu_altp2m(v).p2midx = idx;
-+    atomic_inc(&v->domain->arch.altp2m_p2m[idx]->active_vcpus);
-+
-+    return true;
-+}
-+
- /* Switch alternate p2m for a single vcpu */
- bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx);
- 
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index a405ee5fde..b28c899b5e 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -1787,13 +1787,8 @@ bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx)
- 
-     if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
-     {
--        if ( idx != vcpu_altp2m(v).p2midx )
--        {
--            atomic_dec(&p2m_get_altp2m(v)->active_vcpus);
--            vcpu_altp2m(v).p2midx = idx;
--            atomic_inc(&p2m_get_altp2m(v)->active_vcpus);
-+        if ( p2m_set_altp2m(v, idx) )
-             altp2m_vcpu_update_p2m(v);
--        }
-         rc = 1;
-     }
- 
-@@ -2070,13 +2065,8 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
-     if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) )
-     {
-         for_each_vcpu( d, v )
--            if ( idx != vcpu_altp2m(v).p2midx )
--            {
--                atomic_dec(&p2m_get_altp2m(v)->active_vcpus);
--                vcpu_altp2m(v).p2midx = idx;
--                atomic_inc(&p2m_get_altp2m(v)->active_vcpus);
-+            if ( p2m_set_altp2m(v, idx) )
-                 altp2m_vcpu_update_p2m(v);
--            }
- 
-         rc = 0;
-     }
--- 
-2.40.0
-

diff --git a/0072-VT-d-constrain-IGD-check.patch b/0072-VT-d-constrain-IGD-check.patch
deleted file mode 100644
index 497b04b..0000000
--- a/0072-VT-d-constrain-IGD-check.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f971f5c531ce6a5fd6c1ff1f525f2c6837eeb78d Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 13:46:39 +0100
-Subject: [PATCH 72/89] VT-d: constrain IGD check
-
-Marking a DRHD as controlling an IGD isn't very sensible without
-checking that at the very least it's a graphics device that lives at
-0000:00:02.0. Re-use the reading of the class-code to control both the
-clearing of "gfx_only" and the setting of "igd_drhd_address".
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: f8c4317295fa1cde1a81779b7e362651c084efb8
-master date: 2023-03-14 10:44:08 +0100
----
- xen/drivers/passthrough/vtd/dmar.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c
-index 78c8bad151..78d4526446 100644
---- a/xen/drivers/passthrough/vtd/dmar.c
-+++ b/xen/drivers/passthrough/vtd/dmar.c
-@@ -391,15 +391,12 @@ static int __init acpi_parse_dev_scope(
- 
-             if ( drhd )
-             {
--                if ( (seg == 0) && (bus == 0) && (path->dev == 2) &&
--                     (path->fn == 0) )
--                    igd_drhd_address = drhd->address;
--
--                if ( gfx_only &&
--                     pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn),
-+                if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn),
-                                     PCI_CLASS_DEVICE + 1) != 0x03
-                                     /* PCI_BASE_CLASS_DISPLAY */ )
-                     gfx_only = false;
-+                else if ( !seg && !bus && path->dev == 2 && !path->fn )
-+                    igd_drhd_address = drhd->address;
-             }
- 
-             break;
--- 
-2.40.0
-

diff --git a/0073-bunzip-work-around-gcc13-warning.patch b/0073-bunzip-work-around-gcc13-warning.patch
deleted file mode 100644
index c7ec163..0000000
--- a/0073-bunzip-work-around-gcc13-warning.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7082d656ae9bcd26392caf72e50e0f7a61c8f285 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 21 Mar 2023 13:47:11 +0100
-Subject: [PATCH 73/89] bunzip: work around gcc13 warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While provable that length[0] is always initialized (because symCount
-cannot be zero), upcoming gcc13 fails to recognize this and warns about
-the unconditional use of the value immediately following the loop.
-
-See also https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511.
-
-Reported-by: Martin Liška <martin.liska@suse.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: 402195e56de0aacf97e05c80ed367d464ca6938b
-master date: 2023-03-14 10:45:28 +0100
----
- xen/common/bunzip2.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/xen/common/bunzip2.c b/xen/common/bunzip2.c
-index 61b80aff1b..4466426941 100644
---- a/xen/common/bunzip2.c
-+++ b/xen/common/bunzip2.c
-@@ -233,6 +233,11 @@ static int __init get_next_block(struct bunzip_data *bd)
- 		   becomes negative, so an unsigned inequality catches
- 		   it.) */
- 		t = get_bits(bd, 5)-1;
-+		/* GCC 13 has apparently improved use-before-set detection, but
-+		   it can't figure out that length[0] is always intialized by
-+		   virtue of symCount always being positive when making it here.
-+		   See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. */
-+		length[0] = 0;
- 		for (i = 0; i < symCount; i++) {
- 			for (;;) {
- 				if (((unsigned)t) > (MAX_HUFCODE_BITS-1))
--- 
-2.40.0
-

diff --git a/0074-libacpi-fix-PCI-hotplug-AML.patch b/0074-libacpi-fix-PCI-hotplug-AML.patch
deleted file mode 100644
index 3583849..0000000
--- a/0074-libacpi-fix-PCI-hotplug-AML.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 3eac216e6e60860bbc030602c401d3ef8efce8d9 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 21 Mar 2023 13:47:52 +0100
-Subject: [PATCH 74/89] libacpi: fix PCI hotplug AML
-
-The emulated PIIX3 uses a nybble for the status of each PCI function,
-so the status for e.g. slot 0 functions 0 and 1 respectively can be
-read as (\_GPE.PH00 & 0x0F), and (\_GPE.PH00 >> 0x04).
-
-The AML that Xen gives to a guest gets the operand order for the odd-
-numbered functions the wrong way round, returning (0x04 >> \_GPE.PH00)
-instead.
-
-As far as I can tell, this was the wrong way round in Xen from the
-moment that PCI hotplug was first introduced in commit 83d82e6f35a8:
-
-+                    ShiftRight (0x4, \_GPE.PH00, Local1)
-+                    Return (Local1) /* IN status as the _STA */
-
-Or maybe there's bizarre AML operand ordering going on there, like
-Intel's wrong-way-round assembler, and it only broke later when it was
-changed to being generated?
-
-Either way, it's definitely wrong now, and instrumenting a Linux guest
-shows that it correctly sees _STA being 0x00 in function 0 of an empty
-slot, but then the loop in acpiphp_glue.c::get_slot_status() goes on to
-look at function 1 and sees that _STA evaluates to 0x04. Thus reporting
-an adapter is present in every slot in /sys/bus/pci/slots/*
-
-Quite why Linux wants to look for function 1 being physically present
-when function 0 isn't... I don't want to think about right now.
-
-Fixes: 83d82e6f35a8 ("hvmloader: pass-through: multi-function PCI hot-plug")
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: b190af7d3e90f58da5f58044b8dea7261b8b483d
-master date: 2023-03-20 17:12:34 +0100
----
- tools/libacpi/mk_dsdt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/libacpi/mk_dsdt.c b/tools/libacpi/mk_dsdt.c
-index 1176da80ef..1d27809116 100644
---- a/tools/libacpi/mk_dsdt.c
-+++ b/tools/libacpi/mk_dsdt.c
-@@ -431,7 +431,7 @@ int main(int argc, char **argv)
-                 stmt("Store", "0x89, \\_GPE.DPT2");
-             }
-             if ( slot & 1 )
--                stmt("ShiftRight", "0x4, \\_GPE.PH%02X, Local1", slot & ~1);
-+                stmt("ShiftRight", "\\_GPE.PH%02X, 0x04, Local1", slot & ~1);
-             else
-                 stmt("And", "\\_GPE.PH%02X, 0x0f, Local1", slot & ~1);
-             stmt("Return", "Local1"); /* IN status as the _STA */
--- 
-2.40.0
-

diff --git a/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch b/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch
deleted file mode 100644
index 5decf2c..0000000
--- a/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 3c85fb7b65d6a8b0fa993bc1cb67eea9b4a64aca Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Fri, 31 Mar 2023 08:28:56 +0200
-Subject: [PATCH 75/89] AMD/IOMMU: without XT, x2APIC needs to be forced into
- physical mode
-
-An earlier change with the same title (commit 1ba66a870eba) altered only
-the path where x2apic_phys was already set to false (perhaps from the
-command line). The same of course needs applying when the variable
-wasn't modified yet from its initial value.
-
-Reported-by: Elliott Mitchell <ehem+xen@m5p.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: 0d2686f6b66b4b1b3c72c3525083b0ce02830054
-master date: 2023-03-21 09:23:25 +0100
----
- xen/arch/x86/genapic/x2apic.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/genapic/x2apic.c b/xen/arch/x86/genapic/x2apic.c
-index 7dfc793514..d512c50fc5 100644
---- a/xen/arch/x86/genapic/x2apic.c
-+++ b/xen/arch/x86/genapic/x2apic.c
-@@ -236,11 +236,11 @@ const struct genapic *__init apic_x2apic_probe(void)
-     if ( x2apic_phys < 0 )
-     {
-         /*
--         * Force physical mode if there's no interrupt remapping support: The
--         * ID in clustered mode requires a 32 bit destination field due to
-+         * Force physical mode if there's no (full) interrupt remapping support:
-+         * The ID in clustered mode requires a 32 bit destination field due to
-          * the usage of the high 16 bits to hold the cluster ID.
-          */
--        x2apic_phys = !iommu_intremap ||
-+        x2apic_phys = iommu_intremap != iommu_intremap_full ||
-                       (acpi_gbl_FADT.flags & ACPI_FADT_APIC_PHYSICAL) ||
-                       (IS_ENABLED(CONFIG_X2APIC_PHYSICAL) &&
-                        !(acpi_gbl_FADT.flags & ACPI_FADT_APIC_CLUSTER));
--- 
-2.40.0
-

diff --git a/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch b/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch
deleted file mode 100644
index d897da6..0000000
--- a/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 33b1c8cd86bd6c311131b8dff32bd45581e2fbc1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
- <marmarek@invisiblethingslab.com>
-Date: Fri, 31 Mar 2023 08:29:55 +0200
-Subject: [PATCH 76/89] VT-d: fix iommu=no-igfx if the IOMMU scope contains
- fake device(s)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the scope for IGD's IOMMU contains additional device that doesn't
-actually exist, iommu=no-igfx would not disable that IOMMU. In this
-particular case (Thinkpad x230) it included 00:02.1, but there is no
-such device on this platform. Consider only existing devices for the
-"gfx only" check as well as the establishing of IGD DRHD address
-(underlying is_igd_drhd(), which is used to determine applicability of
-two workarounds).
-
-Fixes: 2d7f191b392e ("VT-d: generalize and correct "iommu=no-igfx" handling")
-Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: 49de6749baa8d0addc3048defd4ef3e85cb135e9
-master date: 2023-03-23 09:16:41 +0100
----
- xen/drivers/passthrough/vtd/dmar.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c
-index 78d4526446..4936c20952 100644
---- a/xen/drivers/passthrough/vtd/dmar.c
-+++ b/xen/drivers/passthrough/vtd/dmar.c
-@@ -389,7 +389,7 @@ static int __init acpi_parse_dev_scope(
-                 printk(VTDPREFIX " endpoint: %pp\n",
-                        &PCI_SBDF(seg, bus, path->dev, path->fn));
- 
--            if ( drhd )
-+            if ( drhd && pci_device_detect(seg, bus, path->dev, path->fn) )
-             {
-                 if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn),
-                                     PCI_CLASS_DEVICE + 1) != 0x03
--- 
-2.40.0
-

diff --git a/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch b/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch
deleted file mode 100644
index 3486ccd..0000000
--- a/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 6f2d89d68175e74aca9c67761aa87ffc8f5ffed1 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Fri, 31 Mar 2023 08:30:41 +0200
-Subject: [PATCH 77/89] x86/shadow: fix and improve
- sh_page_has_multiple_shadows()
-
-While no caller currently invokes the function without first making sure
-there is at least one shadow [1], we'd better eliminate UB here:
-find_first_set_bit() requires input to be non-zero to return a well-
-defined result.
-
-Further, using find_first_set_bit() isn't very efficient in the first
-place for the intended purpose.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-[1] The function has exactly two uses, and both are from OOS code, which
-    is HVM-only. For HVM (but not for PV) sh_mfn_is_a_page_table(),
-    guarding the call to sh_unsync(), guarantees at least one shadow.
-    Hence even if sh_page_has_multiple_shadows() returned a bogus value
-    when invoked for a PV domain, the subsequent is_hvm_vcpu() and
-    oos_active checks (the former being redundant with the latter) will
-    compensate. (Arguably that oos_active check should come first, for
-    both clarity and efficiency reasons.)
-master commit: 2896224a4e294652c33f487b603d20bd30955f21
-master date: 2023-03-24 11:07:08 +0100
----
- xen/arch/x86/mm/shadow/private.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
-index 85bb26c7ea..c2bb1ed3c3 100644
---- a/xen/arch/x86/mm/shadow/private.h
-+++ b/xen/arch/x86/mm/shadow/private.h
-@@ -324,7 +324,7 @@ static inline int sh_page_has_multiple_shadows(struct page_info *pg)
-         return 0;
-     shadows = pg->shadow_flags & SHF_page_type_mask;
-     /* More than one type bit set in shadow-flags? */
--    return ( (shadows & ~(1UL << find_first_set_bit(shadows))) != 0 );
-+    return shadows && (shadows & (shadows - 1));
- }
- 
- #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC)
--- 
-2.40.0
-

diff --git a/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch b/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch
deleted file mode 100644
index 62de15a..0000000
--- a/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 00aa5c93d14c6561a69fe204cbe29f7519830782 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 31 Mar 2023 08:31:20 +0200
-Subject: [PATCH 78/89] x86/nospec: Fix evaluate_nospec() code generation under
- Clang
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It turns out that evaluate_nospec() code generation is not safe under Clang.
-Given:
-
-  void eval_nospec_test(int x)
-  {
-      if ( evaluate_nospec(x) )
-          asm volatile ("nop #true" ::: "memory");
-      else
-          asm volatile ("nop #false" ::: "memory");
-  }
-
-Clang emits:
-
-  <eval_nospec_test>:
-         0f ae e8                lfence
-         85 ff                   test   %edi,%edi
-         74 02                   je     <eval_nospec_test+0x9>
-         90                      nop
-         c3                      ret
-         90                      nop
-         c3                      ret
-
-which is not safe because the lfence has been hoisted above the conditional
-jump.  Clang concludes that both barrier_nospec_true()'s have identical side
-effects and can safely be merged.
-
-Clang can be persuaded that the side effects are different if there are
-different comments in the asm blocks.  This is fragile, but no more fragile
-that other aspects of this construct.
-
-Introduce barrier_nospec_false() with a separate internal comment to prevent
-Clang merging it with barrier_nospec_true() despite the otherwise-identical
-content.  The generated code now becomes:
-
-  <eval_nospec_test>:
-         85 ff                   test   %edi,%edi
-         74 05                   je     <eval_nospec_test+0x9>
-         0f ae e8                lfence
-         90                      nop
-         c3                      ret
-         0f ae e8                lfence
-         90                      nop
-         c3                      ret
-
-which has the correct number of lfence's, and in the correct place.
-
-Link: https://github.com/llvm/llvm-project/issues/55084
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: bc3c133841435829ba5c0a48427e2a77633502ab
-master date: 2023-03-24 12:16:31 +0000
----
- xen/arch/x86/include/asm/nospec.h | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h
-index 5312ae4c6f..7150e76b87 100644
---- a/xen/arch/x86/include/asm/nospec.h
-+++ b/xen/arch/x86/include/asm/nospec.h
-@@ -10,15 +10,26 @@
- static always_inline bool barrier_nospec_true(void)
- {
- #ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
--    alternative("lfence", "", X86_FEATURE_SC_NO_BRANCH_HARDEN);
-+    alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_BRANCH_HARDEN);
- #endif
-     return true;
- }
- 
-+static always_inline bool barrier_nospec_false(void)
-+{
-+#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
-+    alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_BRANCH_HARDEN);
-+#endif
-+    return false;
-+}
-+
- /* Allow to protect evaluation of conditionals with respect to speculation */
- static always_inline bool evaluate_nospec(bool condition)
- {
--    return condition ? barrier_nospec_true() : !barrier_nospec_true();
-+    if ( condition )
-+        return barrier_nospec_true();
-+    else
-+        return barrier_nospec_false();
- }
- 
- /* Allow to block speculative execution in generic code */
--- 
-2.40.0
-

diff --git a/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch b/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch
deleted file mode 100644
index f7652a4..0000000
--- a/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 11c8ef59b9024849c0fc224354904615d5579628 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 31 Mar 2023 08:32:11 +0200
-Subject: [PATCH 79/89] x86/shadow: Fix build with no PG_log_dirty
-
-Gitlab Randconfig found:
-
-  arch/x86/mm/shadow/common.c: In function 'shadow_prealloc':
-  arch/x86/mm/shadow/common.c:1023:18: error: implicit declaration of function
-      'paging_logdirty_levels'; did you mean 'paging_log_dirty_init'? [-Werror=implicit-function-declaration]
-   1023 |         count += paging_logdirty_levels();
-        |                  ^~~~~~~~~~~~~~~~~~~~~~
-        |                  paging_log_dirty_init
-  arch/x86/mm/shadow/common.c:1023:18: error: nested extern declaration of 'paging_logdirty_levels' [-Werror=nested-externs]
-
-The '#if PG_log_dirty' expression is currently SHADOW_PAGING && !HVM &&
-PV_SHIM_EXCLUSIVE.  Move the declaration outside.
-
-Fixes: 33fb3a661223 ("x86/shadow: account for log-dirty mode when pre-allocating")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: 6d14cb105b1c54ad7b4228d858ae85aa8a672bbd
-master date: 2023-03-24 12:16:31 +0000
----
- xen/arch/x86/include/asm/paging.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h
-index 635ccc83b1..6f7000d5f4 100644
---- a/xen/arch/x86/include/asm/paging.h
-+++ b/xen/arch/x86/include/asm/paging.h
-@@ -152,6 +152,10 @@ struct paging_mode {
- /*****************************************************************************
-  * Log dirty code */
- 
-+#define paging_logdirty_levels() \
-+    (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \
-+                  PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1)
-+
- #if PG_log_dirty
- 
- /* get the dirty bitmap for a specific range of pfns */
-@@ -190,10 +194,6 @@ bool paging_mfn_is_dirty(const struct domain *d, mfn_t gmfn);
- #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \
-                               (LOGDIRTY_NODE_ENTRIES-1))
- 
--#define paging_logdirty_levels() \
--    (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \
--                  PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1)
--
- #ifdef CONFIG_HVM
- /* VRAM dirty tracking support */
- struct sh_dirty_vram {
--- 
-2.40.0
-

diff --git a/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch b/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch
deleted file mode 100644
index 539401f..0000000
--- a/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f6a3e93b3788aa009e9b86d9cb14c243b958daa9 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 31 Mar 2023 08:32:57 +0200
-Subject: [PATCH 80/89] x86/vmx: Don't spuriously crash the domain when INIT is
- received
-
-In VMX operation, the handling of INIT IPIs is changed.  Instead of the CPU
-resetting, the next VMEntry fails with EXIT_REASON_INIT.  From the TXT spec,
-the intent of this behaviour is so that an entity which cares can scrub
-secrets from RAM before participating in an orderly shutdown.
-
-Right now, Xen's behaviour is that when an INIT arrives, the HVM VM which
-schedules next is killed (citing an unknown VMExit), *and* we ignore the INIT
-and continue blindly onwards anyway.
-
-This patch addresses only the first of these two problems by ignoring the INIT
-and continuing without crashing the VM in question.
-
-The second wants addressing too, just as soon as we've figured out something
-better to do...
-
-Discovered as collateral damage from when an AP triple faults on S3 resume on
-Intel TigerLake platforms.
-
-Link: https://github.com/QubesOS/qubes-issues/issues/7283
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Kevin Tian <kevin.tian@intel.com>
-master commit: b1f11273d5a774cc88a3685c96c2e7cf6385e3b6
-master date: 2023-03-24 22:49:58 +0000
----
- xen/arch/x86/hvm/vmx/vmx.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index a8fb4365ad..64dbd50197 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4038,6 +4038,10 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-     case EXIT_REASON_MCE_DURING_VMENTRY:
-         do_machine_check(regs);
-         break;
-+
-+    case EXIT_REASON_INIT:
-+        printk(XENLOG_ERR "Error: INIT received - ignoring\n");
-+        return; /* Renter the guest without further processing */
-     }
- 
-     /* Now enable interrupts so it's safe to take locks. */
--- 
-2.40.0
-

diff --git a/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch b/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch
deleted file mode 100644
index 765fa84..0000000
--- a/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 7f55774489d2f12a23f2ac0f516b62e2709cea99 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 31 Mar 2023 08:33:28 +0200
-Subject: [PATCH 81/89] x86/ucode: Fix error paths control_thread_fn()
-
-These two early exits skipped re-enabling the watchdog, restoring the NMI
-callback, and clearing the nmi_patch global pointer.  Always execute the tail
-of the function on the way out.
-
-Fixes: 8dd4dfa92d62 ("x86/microcode: Synchronize late microcode loading")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Sergey Dyasli <sergey.dyasli@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: fc2e1f3aad602a66c14b8285a1bd38a82f8fd02d
-master date: 2023-03-28 11:57:56 +0100
----
- xen/arch/x86/cpu/microcode/core.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
-index 2497630bbe..c760723e4f 100644
---- a/xen/arch/x86/cpu/microcode/core.c
-+++ b/xen/arch/x86/cpu/microcode/core.c
-@@ -490,10 +490,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
-     ret = wait_for_condition(wait_cpu_callin, num_online_cpus(),
-                              MICROCODE_CALLIN_TIMEOUT_US);
-     if ( ret )
--    {
--        set_state(LOADING_EXIT);
--        return ret;
--    }
-+        goto out;
- 
-     /* Control thread loads ucode first while others are in NMI handler. */
-     ret = alternative_call(ucode_ops.apply_microcode, patch);
-@@ -505,8 +502,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
-     {
-         printk(XENLOG_ERR
-                "Late loading aborted: CPU%u failed to update ucode\n", cpu);
--        set_state(LOADING_EXIT);
--        return ret;
-+        goto out;
-     }
- 
-     /* Let primary threads load the given ucode update */
-@@ -537,6 +533,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
-         }
-     }
- 
-+ out:
-     /* Mark loading is done to unblock other threads */
-     set_state(LOADING_EXIT);
- 
--- 
-2.40.0
-

diff --git a/0082-include-don-t-mention-stub-headers-more-than-once-in.patch b/0082-include-don-t-mention-stub-headers-more-than-once-in.patch
deleted file mode 100644
index cc0a914..0000000
--- a/0082-include-don-t-mention-stub-headers-more-than-once-in.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 350693582427887387f21a6eeedaa0ac48aecc3f Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Fri, 31 Mar 2023 08:34:04 +0200
-Subject: [PATCH 82/89] include: don't mention stub headers more than once in a
- make rule
-
-When !GRANT_TABLE and !PV_SHIM headers-n contains grant_table.h twice,
-causing make to complain "target '...' given more than once in the same
-rule" for the rule generating the stub headers. We don't need duplicate
-entries in headers-n anywhere, so zap them (by using $(sort ...)) right
-where the final value of the variable is constructed.
-
-Fixes: 6bec713f871f ("include/compat: produce stubs for headers not otherwise generated")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
-master commit: 231ab79704cbb5b9be7700287c3b185225d34f1b
-master date: 2023-03-28 14:20:16 +0200
----
- xen/include/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/include/Makefile b/xen/include/Makefile
-index cfd7851614..e19f9464fd 100644
---- a/xen/include/Makefile
-+++ b/xen/include/Makefile
-@@ -34,7 +34,7 @@ headers-$(CONFIG_TRACEBUFFER) += compat/trace.h
- headers-$(CONFIG_XENOPROF) += compat/xenoprof.h
- headers-$(CONFIG_XSM_FLASK) += compat/xsm/flask_op.h
- 
--headers-n := $(filter-out $(headers-y),$(headers-n) $(headers-))
-+headers-n := $(sort $(filter-out $(headers-y),$(headers-n) $(headers-)))
- 
- cppflags-y                := -include public/xen-compat.h -DXEN_GENERATING_COMPAT_HEADERS
- cppflags-$(CONFIG_X86)    += -m32
--- 
-2.40.0
-

diff --git a/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch b/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch
deleted file mode 100644
index 8a1f412..0000000
--- a/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch
+++ /dev/null
@@ -1,540 +0,0 @@
-From 85100ed78ca18f188b1ca495f132db7df705f1a4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
-Date: Fri, 31 Mar 2023 08:34:26 +0200
-Subject: [PATCH 83/89] vpci/msix: handle accesses adjacent to the MSI-X table
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The handling of the MSI-X table accesses by Xen requires that any
-pages part of the MSI-X related tables are not mapped into the domain
-physmap.  As a result, any device registers in the same pages as the
-start or the end of the MSIX or PBA tables is not currently
-accessible, as the accesses are just dropped.
-
-Note the spec forbids such placing of registers, as the MSIX and PBA
-tables must be 4K isolated from any other registers:
-
-"If a Base Address register that maps address space for the MSI-X
-Table or MSI-X PBA also maps other usable address space that is not
-associated with MSI-X structures, locations (e.g., for CSRs) used in
-the other address space must not share any naturally aligned 4-KB
-address range with one where either MSI-X structure resides."
-
-Yet the 'Intel Wi-Fi 6 AX201' device on one of my boxes has registers
-in the same page as the MSIX tables, and thus won't work on a PVH dom0
-without this fix.
-
-In order to cope with the behavior passthrough any accesses that fall
-on the same page as the MSIX tables (but don't fall in between) to the
-underlying hardware.  Such forwarding also takes care of the PBA
-accesses, so it allows to remove the code doing this handling in
-msix_{read,write}.  Note that as a result accesses to the PBA array
-are no longer limited to 4 and 8 byte sizes, there's no access size
-restriction for PBA accesses documented in the specification.
-
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-vpci/msix: restore PBA access length and alignment restrictions
-
-Accesses to the PBA array have the same length and alignment
-limitations as accesses to the MSI-X table:
-
-"For all accesses to MSI-X Table and MSI-X PBA fields, software must
-use aligned full DWORD or aligned full QWORD transactions; otherwise,
-the result is undefined."
-
-Introduce such length and alignment checks into the handling of PBA
-accesses for vPCI.  This was a mistake of mine for not reading the
-specification correctly.
-
-Note that accesses must now be aligned, and hence there's no longer a
-need to check that the end of the access falls into the PBA region as
-both the access and the region addresses must be aligned.
-
-Fixes: b177892d2d ('vpci/msix: handle accesses adjacent to the MSI-X table')
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-master commit: b177892d2d0e8a31122c218989f43130aeba5282
-master date: 2023-03-28 14:20:35 +0200
-master commit: 7a502b4fbc339e9d3d3d45fb37f09da06bc3081c
-master date: 2023-03-29 14:56:33 +0200
----
- xen/drivers/vpci/msix.c | 353 +++++++++++++++++++++++++++++-----------
- xen/drivers/vpci/vpci.c |   7 +-
- xen/include/xen/vpci.h  |   8 +-
- 3 files changed, 273 insertions(+), 95 deletions(-)
-
-diff --git a/xen/drivers/vpci/msix.c b/xen/drivers/vpci/msix.c
-index bea0cc7aed..cafddcf305 100644
---- a/xen/drivers/vpci/msix.c
-+++ b/xen/drivers/vpci/msix.c
-@@ -27,6 +27,11 @@
-     ((addr) >= vmsix_table_addr(vpci, nr) &&                              \
-      (addr) < vmsix_table_addr(vpci, nr) + vmsix_table_size(vpci, nr))
- 
-+#define VMSIX_ADDR_SAME_PAGE(addr, vpci, nr)                              \
-+    (PFN_DOWN(addr) >= PFN_DOWN(vmsix_table_addr(vpci, nr)) &&            \
-+     PFN_DOWN(addr) <= PFN_DOWN(vmsix_table_addr(vpci, nr) +              \
-+                                vmsix_table_size(vpci, nr) - 1))
-+
- static uint32_t cf_check control_read(
-     const struct pci_dev *pdev, unsigned int reg, void *data)
- {
-@@ -149,7 +154,7 @@ static struct vpci_msix *msix_find(const struct domain *d, unsigned long addr)
- 
-         for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ )
-             if ( bars[msix->tables[i] & PCI_MSIX_BIRMASK].enabled &&
--                 VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, i) )
-+                 VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) )
-                 return msix;
-     }
- 
-@@ -182,36 +187,172 @@ static struct vpci_msix_entry *get_entry(struct vpci_msix *msix,
-     return &msix->entries[(addr - start) / PCI_MSIX_ENTRY_SIZE];
- }
- 
--static void __iomem *get_pba(struct vpci *vpci)
-+static void __iomem *get_table(struct vpci *vpci, unsigned int slot)
- {
-     struct vpci_msix *msix = vpci->msix;
-+    paddr_t addr = 0;
-+
-+    ASSERT(spin_is_locked(&vpci->lock));
-+
-+    if ( likely(msix->table[slot]) )
-+        return msix->table[slot];
-+
-+    switch ( slot )
-+    {
-+    case VPCI_MSIX_TBL_TAIL:
-+        addr = vmsix_table_size(vpci, VPCI_MSIX_TABLE);
-+        fallthrough;
-+    case VPCI_MSIX_TBL_HEAD:
-+        addr += vmsix_table_addr(vpci, VPCI_MSIX_TABLE);
-+        break;
-+
-+    case VPCI_MSIX_PBA_TAIL:
-+        addr = vmsix_table_size(vpci, VPCI_MSIX_PBA);
-+        fallthrough;
-+    case VPCI_MSIX_PBA_HEAD:
-+        addr += vmsix_table_addr(vpci, VPCI_MSIX_PBA);
-+        break;
-+
-+    default:
-+        ASSERT_UNREACHABLE();
-+        return NULL;
-+    }
-+
-+    msix->table[slot] = ioremap(round_pgdown(addr), PAGE_SIZE);
-+
-+    return msix->table[slot];
-+}
-+
-+unsigned int get_slot(const struct vpci *vpci, unsigned long addr)
-+{
-+    unsigned long pfn = PFN_DOWN(addr);
-+
-     /*
--     * PBA will only be unmapped when the device is deassigned, so access it
--     * without holding the vpci lock.
-+     * The logic below relies on having the tables identity mapped to the guest
-+     * address space, or for the `addr` parameter to be translated into its
-+     * host physical memory address equivalent.
-      */
--    void __iomem *pba = read_atomic(&msix->pba);
- 
--    if ( likely(pba) )
--        return pba;
-+    if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE)) )
-+        return VPCI_MSIX_TBL_HEAD;
-+    if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE) +
-+                         vmsix_table_size(vpci, VPCI_MSIX_TABLE) - 1) )
-+        return VPCI_MSIX_TBL_TAIL;
-+    if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA)) )
-+        return VPCI_MSIX_PBA_HEAD;
-+    if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA) +
-+                         vmsix_table_size(vpci, VPCI_MSIX_PBA) - 1) )
-+        return VPCI_MSIX_PBA_TAIL;
-+
-+    ASSERT_UNREACHABLE();
-+    return -1;
-+}
-+
-+static bool adjacent_handle(const struct vpci_msix *msix, unsigned long addr)
-+{
-+    unsigned int i;
-+
-+    if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) )
-+        return true;
-+
-+    if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_TABLE) )
-+        return false;
-+
-+    for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ )
-+        if ( VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) )
-+            return true;
-+
-+    return false;
-+}
- 
--    pba = ioremap(vmsix_table_addr(vpci, VPCI_MSIX_PBA),
--                  vmsix_table_size(vpci, VPCI_MSIX_PBA));
--    if ( !pba )
--        return read_atomic(&msix->pba);
-+static int adjacent_read(const struct domain *d, const struct vpci_msix *msix,
-+                         unsigned long addr, unsigned int len,
-+                         unsigned long *data)
-+{
-+    const void __iomem *mem;
-+    struct vpci *vpci = msix->pdev->vpci;
-+    unsigned int slot;
-+
-+    *data = ~0ul;
-+
-+    if ( !adjacent_handle(msix, addr + len - 1) )
-+        return X86EMUL_OKAY;
-+
-+    if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) &&
-+         !access_allowed(msix->pdev, addr, len) )
-+        /* PBA accesses must be aligned and 4 or 8 bytes in size. */
-+        return X86EMUL_OKAY;
-+
-+    slot = get_slot(vpci, addr);
-+    if ( slot >= ARRAY_SIZE(msix->table) )
-+        return X86EMUL_OKAY;
-+
-+    if ( unlikely(!IS_ALIGNED(addr, len)) )
-+    {
-+        unsigned int i;
-+
-+        gprintk(XENLOG_DEBUG, "%pp: unaligned read to MSI-X related page\n",
-+                &msix->pdev->sbdf);
-+
-+        /*
-+         * Split unaligned accesses into byte sized ones. Shouldn't happen in
-+         * the first place, but devices shouldn't have registers in the same 4K
-+         * page as the MSIX tables either.
-+         *
-+         * It's unclear whether this could cause issues if a guest expects
-+         * registers to be accessed atomically, it better use an aligned access
-+         * if it has such expectations.
-+         */
-+        for ( i = 0; i < len; i++ )
-+        {
-+            unsigned long partial = ~0ul;
-+            int rc = adjacent_read(d, msix, addr + i, 1, &partial);
-+
-+            if ( rc != X86EMUL_OKAY )
-+                return rc;
-+
-+            *data &= ~(0xfful << (i * 8));
-+            *data |= (partial & 0xff) << (i * 8);
-+        }
-+
-+        return X86EMUL_OKAY;
-+    }
- 
-     spin_lock(&vpci->lock);
--    if ( !msix->pba )
-+    mem = get_table(vpci, slot);
-+    if ( !mem )
-     {
--        write_atomic(&msix->pba, pba);
-         spin_unlock(&vpci->lock);
-+        gprintk(XENLOG_WARNING,
-+                "%pp: unable to map MSI-X page, returning all bits set\n",
-+                &msix->pdev->sbdf);
-+        return X86EMUL_OKAY;
-     }
--    else
-+
-+    switch ( len )
-     {
--        spin_unlock(&vpci->lock);
--        iounmap(pba);
-+    case 1:
-+        *data = readb(mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    case 2:
-+        *data = readw(mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    case 4:
-+        *data = readl(mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    case 8:
-+        *data = readq(mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    default:
-+        ASSERT_UNREACHABLE();
-     }
-+    spin_unlock(&vpci->lock);
- 
--    return read_atomic(&msix->pba);
-+    return X86EMUL_OKAY;
- }
- 
- static int cf_check msix_read(
-@@ -227,47 +368,11 @@ static int cf_check msix_read(
-     if ( !msix )
-         return X86EMUL_RETRY;
- 
--    if ( !access_allowed(msix->pdev, addr, len) )
--        return X86EMUL_OKAY;
--
--    if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) )
--    {
--        struct vpci *vpci = msix->pdev->vpci;
--        unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA);
--        const void __iomem *pba = get_pba(vpci);
--
--        /*
--         * Access to PBA.
--         *
--         * TODO: note that this relies on having the PBA identity mapped to the
--         * guest address space. If this changes the address will need to be
--         * translated.
--         */
--        if ( !pba )
--        {
--            gprintk(XENLOG_WARNING,
--                    "%pp: unable to map MSI-X PBA, report all pending\n",
--                    &msix->pdev->sbdf);
--            return X86EMUL_OKAY;
--        }
--
--        switch ( len )
--        {
--        case 4:
--            *data = readl(pba + idx);
--            break;
--
--        case 8:
--            *data = readq(pba + idx);
--            break;
--
--        default:
--            ASSERT_UNREACHABLE();
--            break;
--        }
-+    if ( adjacent_handle(msix, addr) )
-+        return adjacent_read(d, msix, addr, len, data);
- 
-+    if ( !access_allowed(msix->pdev, addr, len) )
-         return X86EMUL_OKAY;
--    }
- 
-     spin_lock(&msix->pdev->vpci->lock);
-     entry = get_entry(msix, addr);
-@@ -303,56 +408,102 @@ static int cf_check msix_read(
-     return X86EMUL_OKAY;
- }
- 
--static int cf_check msix_write(
--    struct vcpu *v, unsigned long addr, unsigned int len, unsigned long data)
-+static int adjacent_write(const struct domain *d, const struct vpci_msix *msix,
-+                          unsigned long addr, unsigned int len,
-+                          unsigned long data)
- {
--    const struct domain *d = v->domain;
--    struct vpci_msix *msix = msix_find(d, addr);
--    struct vpci_msix_entry *entry;
--    unsigned int offset;
-+    void __iomem *mem;
-+    struct vpci *vpci = msix->pdev->vpci;
-+    unsigned int slot;
- 
--    if ( !msix )
--        return X86EMUL_RETRY;
-+    if ( !adjacent_handle(msix, addr + len - 1) )
-+        return X86EMUL_OKAY;
- 
--    if ( !access_allowed(msix->pdev, addr, len) )
-+    /*
-+     * Only check start and end of the access because the size of the PBA is
-+     * assumed to be equal or bigger (8 bytes) than the length of any access
-+     * handled here.
-+     */
-+    if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) &&
-+         (!access_allowed(msix->pdev, addr, len) || !is_hardware_domain(d)) )
-+        /* Ignore writes to PBA for DomUs, it's undefined behavior. */
-         return X86EMUL_OKAY;
- 
--    if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) )
-+    slot = get_slot(vpci, addr);
-+    if ( slot >= ARRAY_SIZE(msix->table) )
-+        return X86EMUL_OKAY;
-+
-+    if ( unlikely(!IS_ALIGNED(addr, len)) )
-     {
--        struct vpci *vpci = msix->pdev->vpci;
--        unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA);
--        const void __iomem *pba = get_pba(vpci);
-+        unsigned int i;
- 
--        if ( !is_hardware_domain(d) )
--            /* Ignore writes to PBA for DomUs, it's behavior is undefined. */
--            return X86EMUL_OKAY;
-+        gprintk(XENLOG_DEBUG, "%pp: unaligned write to MSI-X related page\n",
-+                &msix->pdev->sbdf);
- 
--        if ( !pba )
-+        for ( i = 0; i < len; i++ )
-         {
--            /* Unable to map the PBA, ignore write. */
--            gprintk(XENLOG_WARNING,
--                    "%pp: unable to map MSI-X PBA, write ignored\n",
--                    &msix->pdev->sbdf);
--            return X86EMUL_OKAY;
-+            int rc = adjacent_write(d, msix, addr + i, 1, data >> (i * 8));
-+
-+            if ( rc != X86EMUL_OKAY )
-+                return rc;
-         }
- 
--        switch ( len )
--        {
--        case 4:
--            writel(data, pba + idx);
--            break;
-+        return X86EMUL_OKAY;
-+    }
- 
--        case 8:
--            writeq(data, pba + idx);
--            break;
-+    spin_lock(&vpci->lock);
-+    mem = get_table(vpci, slot);
-+    if ( !mem )
-+    {
-+        spin_unlock(&vpci->lock);
-+        gprintk(XENLOG_WARNING,
-+                "%pp: unable to map MSI-X page, dropping write\n",
-+                &msix->pdev->sbdf);
-+        return X86EMUL_OKAY;
-+    }
- 
--        default:
--            ASSERT_UNREACHABLE();
--            break;
--        }
-+    switch ( len )
-+    {
-+    case 1:
-+        writeb(data, mem + PAGE_OFFSET(addr));
-+        break;
- 
--        return X86EMUL_OKAY;
-+    case 2:
-+        writew(data, mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    case 4:
-+        writel(data, mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    case 8:
-+        writeq(data, mem + PAGE_OFFSET(addr));
-+        break;
-+
-+    default:
-+        ASSERT_UNREACHABLE();
-     }
-+    spin_unlock(&vpci->lock);
-+
-+    return X86EMUL_OKAY;
-+}
-+
-+static int cf_check msix_write(
-+    struct vcpu *v, unsigned long addr, unsigned int len, unsigned long data)
-+{
-+    const struct domain *d = v->domain;
-+    struct vpci_msix *msix = msix_find(d, addr);
-+    struct vpci_msix_entry *entry;
-+    unsigned int offset;
-+
-+    if ( !msix )
-+        return X86EMUL_RETRY;
-+
-+    if ( adjacent_handle(msix, addr) )
-+        return adjacent_write(d, msix, addr, len, data);
-+
-+    if ( !access_allowed(msix->pdev, addr, len) )
-+        return X86EMUL_OKAY;
- 
-     spin_lock(&msix->pdev->vpci->lock);
-     entry = get_entry(msix, addr);
-@@ -482,6 +633,26 @@ int vpci_make_msix_hole(const struct pci_dev *pdev)
-         }
-     }
- 
-+    if ( is_hardware_domain(d) )
-+    {
-+        /*
-+         * For dom0 only: remove any hypervisor mappings of the MSIX or PBA
-+         * related areas, as dom0 is capable of moving the position of the BARs
-+         * in the host address space.
-+         *
-+         * We rely on being called with the vPCI lock held once the domain is
-+         * running, so the maps are not in use.
-+         */
-+        for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ )
-+            if ( pdev->vpci->msix->table[i] )
-+            {
-+                /* If there are any maps, the domain must be running. */
-+                ASSERT(spin_is_locked(&pdev->vpci->lock));
-+                iounmap(pdev->vpci->msix->table[i]);
-+                pdev->vpci->msix->table[i] = NULL;
-+            }
-+    }
-+
-     return 0;
- }
- 
-diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
-index 6d48d496bb..652807a4a4 100644
---- a/xen/drivers/vpci/vpci.c
-+++ b/xen/drivers/vpci/vpci.c
-@@ -54,9 +54,12 @@ void vpci_remove_device(struct pci_dev *pdev)
-     spin_unlock(&pdev->vpci->lock);
-     if ( pdev->vpci->msix )
-     {
-+        unsigned int i;
-+
-         list_del(&pdev->vpci->msix->next);
--        if ( pdev->vpci->msix->pba )
--            iounmap(pdev->vpci->msix->pba);
-+        for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ )
-+            if ( pdev->vpci->msix->table[i] )
-+                iounmap(pdev->vpci->msix->table[i]);
-     }
-     xfree(pdev->vpci->msix);
-     xfree(pdev->vpci->msi);
-diff --git a/xen/include/xen/vpci.h b/xen/include/xen/vpci.h
-index d8acfeba8a..0b8a2a3c74 100644
---- a/xen/include/xen/vpci.h
-+++ b/xen/include/xen/vpci.h
-@@ -133,8 +133,12 @@ struct vpci {
-         bool enabled         : 1;
-         /* Masked? */
-         bool masked          : 1;
--        /* PBA map */
--        void __iomem *pba;
-+        /* Partial table map. */
-+#define VPCI_MSIX_TBL_HEAD 0
-+#define VPCI_MSIX_TBL_TAIL 1
-+#define VPCI_MSIX_PBA_HEAD 2
-+#define VPCI_MSIX_PBA_TAIL 3
-+        void __iomem *table[4];
-         /* Entries. */
-         struct vpci_msix_entry {
-             uint64_t addr;
--- 
-2.40.0
-

diff --git a/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch b/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch
deleted file mode 100644
index 6ab5c69..0000000
--- a/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 7758cd57e002c5096b2296ede67c59fca68724d7 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Fri, 31 Mar 2023 08:35:15 +0200
-Subject: [PATCH 84/89] ns16550: correct name/value pair parsing for PCI
- port/bridge
-
-First of all these were inverted: "bridge=" caused the port coordinates
-to be established, while "port=" controlled the bridge coordinates. And
-then the error messages being identical also wasn't helpful. While
-correcting this also move both case blocks close together.
-
-Fixes: 97fd49a7e074 ("ns16550: add support for UART parameters to be specifed with name-value pairs")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-master commit: e692b22230b411d762ac9e278a398e28df474eae
-master date: 2023-03-29 14:55:37 +0200
----
- xen/drivers/char/ns16550.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
-index ce013fb6a5..97b3d8d269 100644
---- a/xen/drivers/char/ns16550.c
-+++ b/xen/drivers/char/ns16550.c
-@@ -1631,13 +1631,6 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart)
-             break;
- 
- #ifdef CONFIG_HAS_PCI
--        case bridge_bdf:
--            if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0],
--                            &uart->ps_bdf[1], &uart->ps_bdf[2]) )
--                PARSE_ERR_RET("Bad port PCI coordinates\n");
--            uart->ps_bdf_enable = true;
--            break;
--
-         case device:
-             if ( strncmp(param_value, "pci", 3) == 0 )
-             {
-@@ -1652,9 +1645,16 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart)
-             break;
- 
-         case port_bdf:
-+            if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0],
-+                            &uart->ps_bdf[1], &uart->ps_bdf[2]) )
-+                PARSE_ERR_RET("Bad port PCI coordinates\n");
-+            uart->ps_bdf_enable = true;
-+            break;
-+
-+        case bridge_bdf:
-             if ( !parse_pci(param_value, NULL, &uart->pb_bdf[0],
-                             &uart->pb_bdf[1], &uart->pb_bdf[2]) )
--                PARSE_ERR_RET("Bad port PCI coordinates\n");
-+                PARSE_ERR_RET("Bad bridge PCI coordinates\n");
-             uart->pb_bdf_enable = true;
-             break;
- #endif
--- 
-2.40.0
-

diff --git a/0085-CI-Drop-automation-configs.patch b/0085-CI-Drop-automation-configs.patch
deleted file mode 100644
index bfed25a..0000000
--- a/0085-CI-Drop-automation-configs.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 4c0d792675f0843c6dd52acdae38e5c0e112b09e Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 29 Dec 2022 15:39:13 +0000
-Subject: [PATCH 85/89] CI: Drop automation/configs/
-
-Having 3 extra hypervisor builds on the end of a full build is deeply
-confusing to debug if one of them fails, because the .config file presented in
-the artefacts is not the one which caused a build failure.  Also, the log
-tends to be truncated in the UI.
-
-PV-only is tested as part of PV-Shim in a full build anyway, so doesn't need
-repeating.  HVM-only and neither appear frequently in randconfig, so drop all
-the logic here to simplify things.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Michal Orzel <michal.orzel@amd.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-(cherry picked from commit 7b20009a812f26e74bdbde2ab96165376b3dad34)
----
- automation/configs/x86/hvm_only_config  |  3 ---
- automation/configs/x86/no_hvm_pv_config |  3 ---
- automation/configs/x86/pv_only_config   |  3 ---
- automation/scripts/build                | 21 ---------------------
- 4 files changed, 30 deletions(-)
- delete mode 100644 automation/configs/x86/hvm_only_config
- delete mode 100644 automation/configs/x86/no_hvm_pv_config
- delete mode 100644 automation/configs/x86/pv_only_config
-
-diff --git a/automation/configs/x86/hvm_only_config b/automation/configs/x86/hvm_only_config
-deleted file mode 100644
-index 9efbddd535..0000000000
---- a/automation/configs/x86/hvm_only_config
-+++ /dev/null
-@@ -1,3 +0,0 @@
--CONFIG_HVM=y
--# CONFIG_PV is not set
--# CONFIG_DEBUG is not set
-diff --git a/automation/configs/x86/no_hvm_pv_config b/automation/configs/x86/no_hvm_pv_config
-deleted file mode 100644
-index 0bf6a8e468..0000000000
---- a/automation/configs/x86/no_hvm_pv_config
-+++ /dev/null
-@@ -1,3 +0,0 @@
--# CONFIG_HVM is not set
--# CONFIG_PV is not set
--# CONFIG_DEBUG is not set
-diff --git a/automation/configs/x86/pv_only_config b/automation/configs/x86/pv_only_config
-deleted file mode 100644
-index e9d8b4a7c7..0000000000
---- a/automation/configs/x86/pv_only_config
-+++ /dev/null
-@@ -1,3 +0,0 @@
--CONFIG_PV=y
--# CONFIG_HVM is not set
--# CONFIG_DEBUG is not set
-diff --git a/automation/scripts/build b/automation/scripts/build
-index a593419063..5dafa72ba5 100755
---- a/automation/scripts/build
-+++ b/automation/scripts/build
-@@ -85,24 +85,3 @@ if [[ "${XEN_TARGET_ARCH}" != "x86_32" ]]; then
-         cp -r dist binaries/
-     fi
- fi
--
--if [[ "${hypervisor_only}" == "y" ]]; then
--    # If we are build testing a specific Kconfig exit now, there's no point in
--    # testing all the possible configs.
--    exit 0
--fi
--
--# Build all the configs we care about
--case ${XEN_TARGET_ARCH} in
--    x86_64) arch=x86 ;;
--    *) exit 0 ;;
--esac
--
--cfg_dir="automation/configs/${arch}"
--for cfg in `ls ${cfg_dir}`; do
--    echo "Building $cfg"
--    make -j$(nproc) -C xen clean
--    rm -f xen/.config
--    make -C xen KBUILD_DEFCONFIG=../../../../${cfg_dir}/${cfg} defconfig
--    make -j$(nproc) -C xen
--done
--- 
-2.40.0
-

diff --git a/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch b/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch
deleted file mode 100644
index a200cab..0000000
--- a/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From e3b23da4a10fafdabce22e2eba225d9404fc646f Mon Sep 17 00:00:00 2001
-From: Michal Orzel <michal.orzel@amd.com>
-Date: Tue, 14 Feb 2023 16:38:38 +0100
-Subject: [PATCH 86/89] automation: Switch arm32 cross builds to run on arm64
-
-Due to the limited x86 CI resources slowing down the whole pipeline,
-switch the arm32 cross builds to be executed on arm64 which is much more
-capable. For that, rename the existing debian container dockerfile
-from unstable-arm32-gcc to unstable-arm64v8-arm32-gcc and use
-arm64v8/debian:unstable as an image. Note, that we cannot use the same
-container name as we have to keep the backwards compatibility.
-Take the opportunity to remove extra empty line at the end of a file.
-
-Modify the tag of .arm32-cross-build-tmpl to arm64 and update the build
-jobs accordingly.
-
-Signed-off-by: Michal Orzel <michal.orzel@amd.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-(cherry picked from commit a35fccc8df93de7154dba87db6e7bcf391e9d51c)
----
- ...ockerfile => unstable-arm64v8-arm32-gcc.dockerfile} |  3 +--
- automation/gitlab-ci/build.yaml                        | 10 +++++-----
- 2 files changed, 6 insertions(+), 7 deletions(-)
- rename automation/build/debian/{unstable-arm32-gcc.dockerfile => unstable-arm64v8-arm32-gcc.dockerfile} (94%)
-
-diff --git a/automation/build/debian/unstable-arm32-gcc.dockerfile b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile
-similarity index 94%
-rename from automation/build/debian/unstable-arm32-gcc.dockerfile
-rename to automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile
-index b41a57f197..11860425a6 100644
---- a/automation/build/debian/unstable-arm32-gcc.dockerfile
-+++ b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile
-@@ -1,4 +1,4 @@
--FROM debian:unstable
-+FROM arm64v8/debian:unstable
- LABEL maintainer.name="The Xen Project" \
-       maintainer.email="xen-devel@lists.xenproject.org"
- 
-@@ -21,4 +21,3 @@ RUN apt-get update && \
-         apt-get autoremove -y && \
-         apt-get clean && \
-         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
--
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
-index bed161b471..b4caf159f9 100644
---- a/automation/gitlab-ci/build.yaml
-+++ b/automation/gitlab-ci/build.yaml
-@@ -123,7 +123,7 @@
-   variables:
-     XEN_TARGET_ARCH: arm32
-   tags:
--    - x86_64
-+    - arm64
- 
- .arm32-cross-build:
-   extends: .arm32-cross-build-tmpl
-@@ -505,23 +505,23 @@ alpine-3.12-clang-debug:
- debian-unstable-gcc-arm32:
-   extends: .gcc-arm32-cross-build
-   variables:
--    CONTAINER: debian:unstable-arm32-gcc
-+    CONTAINER: debian:unstable-arm64v8-arm32-gcc
- 
- debian-unstable-gcc-arm32-debug:
-   extends: .gcc-arm32-cross-build-debug
-   variables:
--    CONTAINER: debian:unstable-arm32-gcc
-+    CONTAINER: debian:unstable-arm64v8-arm32-gcc
- 
- debian-unstable-gcc-arm32-randconfig:
-   extends: .gcc-arm32-cross-build
-   variables:
--    CONTAINER: debian:unstable-arm32-gcc
-+    CONTAINER: debian:unstable-arm64v8-arm32-gcc
-     RANDCONFIG: y
- 
- debian-unstable-gcc-arm32-debug-randconfig:
-   extends: .gcc-arm32-cross-build-debug
-   variables:
--    CONTAINER: debian:unstable-arm32-gcc
-+    CONTAINER: debian:unstable-arm64v8-arm32-gcc
-     RANDCONFIG: y
- 
- # Arm builds
--- 
-2.40.0
-

diff --git a/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch b/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch
deleted file mode 100644
index b5d629d..0000000
--- a/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 8c414bab3092bb68ab4eaaba39b61e3804c45f0a Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Tue, 21 Feb 2023 16:55:36 +0000
-Subject: [PATCH 87/89] automation: Remove CentOS 7.2 containers and builds
-
-We already have a container which track the latest CentOS 7, no need
-for this one as well.
-
-Also, 7.2 have outdated root certificate which prevent connection to
-website which use Let's Encrypt.
-
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-(cherry picked from commit ba512629f76dfddb39ea9133ee51cdd9e392a927)
----
- automation/build/centos/7.2.dockerfile  | 52 -------------------------
- automation/build/centos/CentOS-7.2.repo | 35 -----------------
- automation/gitlab-ci/build.yaml         | 10 -----
- 3 files changed, 97 deletions(-)
- delete mode 100644 automation/build/centos/7.2.dockerfile
- delete mode 100644 automation/build/centos/CentOS-7.2.repo
-
-diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
-deleted file mode 100644
-index 4baa097e31..0000000000
---- a/automation/build/centos/7.2.dockerfile
-+++ /dev/null
-@@ -1,52 +0,0 @@
--FROM centos:7.2.1511
--LABEL maintainer.name="The Xen Project" \
--      maintainer.email="xen-devel@lists.xenproject.org"
--
--# ensure we only get bits from the vault for
--# the version we want
--COPY CentOS-7.2.repo /etc/yum.repos.d/CentOS-Base.repo
--
--# install EPEL for dev86, xz-devel and possibly other packages
--RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
--        yum clean all
--
--RUN mkdir /build
--WORKDIR /build
--
--# work around https://github.com/moby/moby/issues/10180
--# and install Xen depends
--RUN rpm --rebuilddb && \
--    yum -y install \
--        yum-plugin-ovl \
--        gcc \
--        gcc-c++ \
--        ncurses-devel \
--        zlib-devel \
--        openssl-devel \
--        python-devel \
--        libuuid-devel \
--        pkgconfig \
--        # gettext for Xen < 4.13
--        gettext \
--        flex \
--        bison \
--        libaio-devel \
--        glib2-devel \
--        yajl-devel \
--        pixman-devel \
--        glibc-devel \
--        # glibc-devel.i686 for Xen < 4.15
--        glibc-devel.i686 \
--        make \
--        binutils \
--        git \
--        wget \
--        acpica-tools \
--        python-markdown \
--        patch \
--        checkpolicy \
--        dev86 \
--        xz-devel \
--        bzip2 \
--        nasm \
--    && yum clean all
-diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo
-deleted file mode 100644
-index 4da27faeb5..0000000000
---- a/automation/build/centos/CentOS-7.2.repo
-+++ /dev/null
-@@ -1,35 +0,0 @@
--# CentOS-Base.repo
--#
--# This is a replacement file that pins things to just use CentOS 7.2
--# from the CentOS Vault.
--#
--
--[base]
--name=CentOS-7.2.1511 - Base
--baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
--gpgcheck=1
--gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--
--#released updates 
--[updates]
--name=CentOS-7.2.1511 - Updates
--baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
--gpgcheck=1
--gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--
--#additional packages that may be useful
--[extras]
--name=CentOS-7.2.1511 - Extras
--baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
--gpgcheck=1
--gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--
--#additional packages that extend functionality of existing packages
--[centosplus]
--name=CentOS-7.2.1511 - Plus
--baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
--gpgcheck=1
--gpgcheck=1
--enabled=0
--gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
-index b4caf159f9..ff6df1cfc2 100644
---- a/automation/gitlab-ci/build.yaml
-+++ b/automation/gitlab-ci/build.yaml
-@@ -184,16 +184,6 @@ archlinux-gcc-debug:
-   variables:
-     CONTAINER: archlinux:current
- 
--centos-7-2-gcc:
--  extends: .gcc-x86-64-build
--  variables:
--    CONTAINER: centos:7.2
--
--centos-7-2-gcc-debug:
--  extends: .gcc-x86-64-build-debug
--  variables:
--    CONTAINER: centos:7.2
--
- centos-7-gcc:
-   extends: .gcc-x86-64-build
-   variables:
--- 
-2.40.0
-

diff --git a/0088-automation-Remove-non-debug-x86_32-build-jobs.patch b/0088-automation-Remove-non-debug-x86_32-build-jobs.patch
deleted file mode 100644
index d16014e..0000000
--- a/0088-automation-Remove-non-debug-x86_32-build-jobs.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 435a1e5e8fd6fbd52cc16570dcff5982bdbec351 Mon Sep 17 00:00:00 2001
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Fri, 24 Feb 2023 17:29:15 +0000
-Subject: [PATCH 88/89] automation: Remove non-debug x86_32 build jobs
-
-In the interest of having less jobs, we remove the x86_32 build jobs
-that do release build. Debug build is very likely to be enough to find
-32bit build issues.
-
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-(cherry picked from commit 7b66792ea7f77fb9e587e1e9c530a7c869eecba1)
----
- automation/gitlab-ci/build.yaml | 20 --------------------
- 1 file changed, 20 deletions(-)
-
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
-index ff6df1cfc2..eea517aa0a 100644
---- a/automation/gitlab-ci/build.yaml
-+++ b/automation/gitlab-ci/build.yaml
-@@ -264,21 +264,11 @@ debian-stretch-gcc-debug:
-   variables:
-     CONTAINER: debian:stretch
- 
--debian-stretch-32-clang:
--  extends: .clang-x86-32-build
--  variables:
--    CONTAINER: debian:stretch-i386
--
- debian-stretch-32-clang-debug:
-   extends: .clang-x86-32-build-debug
-   variables:
-     CONTAINER: debian:stretch-i386
- 
--debian-stretch-32-gcc:
--  extends: .gcc-x86-32-build
--  variables:
--    CONTAINER: debian:stretch-i386
--
- debian-stretch-32-gcc-debug:
-   extends: .gcc-x86-32-build-debug
-   variables:
-@@ -324,21 +314,11 @@ debian-unstable-gcc-debug-randconfig:
-     CONTAINER: debian:unstable
-     RANDCONFIG: y
- 
--debian-unstable-32-clang:
--  extends: .clang-x86-32-build
--  variables:
--    CONTAINER: debian:unstable-i386
--
- debian-unstable-32-clang-debug:
-   extends: .clang-x86-32-build-debug
-   variables:
-     CONTAINER: debian:unstable-i386
- 
--debian-unstable-32-gcc:
--  extends: .gcc-x86-32-build
--  variables:
--    CONTAINER: debian:unstable-i386
--
- debian-unstable-32-gcc-debug:
-   extends: .gcc-x86-32-build-debug
-   variables:
--- 
-2.40.0
-

diff --git a/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch b/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch
deleted file mode 100644
index c0294ec..0000000
--- a/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From e4a5fb9227889bec99ab212b839680f4d5b51e60 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 24 Mar 2023 17:59:56 +0000
-Subject: [PATCH 89/89] CI: Remove llvm-8 from the Debian Stretch container
-
-For similar reasons to c/s a6b1e2b80fe20.  While this container is still
-build-able for now, all the other problems with explicitly-versioned compilers
-remain.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-(cherry picked from commit 7a298375721636290a57f31bb0f7c2a5a38956a4)
----
- automation/build/debian/stretch-llvm-8.list |  3 ---
- automation/build/debian/stretch.dockerfile  | 12 ---------
- automation/gitlab-ci/build.yaml             | 27 ---------------------
- 3 files changed, 42 deletions(-)
- delete mode 100644 automation/build/debian/stretch-llvm-8.list
-
-diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
-deleted file mode 100644
-index 09fe843fb2..0000000000
---- a/automation/build/debian/stretch-llvm-8.list
-+++ /dev/null
-@@ -1,3 +0,0 @@
--# Strech LLVM 8 repos
--deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
--deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-diff --git a/automation/build/debian/stretch.dockerfile b/automation/build/debian/stretch.dockerfile
-index da6aa874dd..9861acbcc3 100644
---- a/automation/build/debian/stretch.dockerfile
-+++ b/automation/build/debian/stretch.dockerfile
-@@ -53,15 +53,3 @@ RUN apt-get update && \
-         apt-get autoremove -y && \
-         apt-get clean && \
-         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
--
--RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
--COPY stretch-llvm-8.list /etc/apt/sources.list.d/
--
--RUN apt-get update && \
--    apt-get --quiet --yes install \
--        clang-8 \
--        lld-8 \
--        && \
--        apt-get autoremove -y && \
--        apt-get clean && \
--        rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
-index eea517aa0a..802449cb96 100644
---- a/automation/gitlab-ci/build.yaml
-+++ b/automation/gitlab-ci/build.yaml
-@@ -27,13 +27,6 @@
-     CXX: clang++
-     clang: y
- 
--.clang-8-tmpl:
--  variables: &clang-8
--    CC: clang-8
--    CXX: clang++-8
--    LD: ld.lld-8
--    clang: y
--
- .x86-64-build-tmpl:
-   <<: *build
-   variables:
-@@ -98,16 +91,6 @@
-   variables:
-     <<: *clang
- 
--.clang-8-x86-64-build:
--  extends: .x86-64-build
--  variables:
--    <<: *clang-8
--
--.clang-8-x86-64-build-debug:
--  extends: .x86-64-build-debug
--  variables:
--    <<: *clang-8
--
- .clang-x86-32-build:
-   extends: .x86-32-build
-   variables:
-@@ -244,16 +227,6 @@ debian-stretch-clang-debug:
-   variables:
-     CONTAINER: debian:stretch
- 
--debian-stretch-clang-8:
--  extends: .clang-8-x86-64-build
--  variables:
--    CONTAINER: debian:stretch
--
--debian-stretch-clang-8-debug:
--  extends: .clang-8-x86-64-build-debug
--  variables:
--    CONTAINER: debian:stretch
--
- debian-stretch-gcc:
-   extends: .gcc-x86-64-build
-   variables:
--- 
-2.40.0
-

diff --git a/info.txt b/info.txt
index 45b2f7f..26a1905 100644
--- a/info.txt
+++ b/info.txt
@@ -1,6 +1,6 @@
-Xen upstream patchset #0 for 4.17.1-pre
+Xen upstream patchset #0 for 4.17.3-pre
 
 Containing patches from
-RELEASE-4.17.0 (5556ac9bf224ed6b977f214653b234de45dcdfbf)
+RELEASE-4.17.2 (b86c313a4a9c3ec4c9f825d9b99131753296485f)
 to
-staging-4.17 (e4a5fb9227889bec99ab212b839680f4d5b51e60)
+staging-4.17 (0b56bed864ca9b572473957f0254aefa797216f2)


             reply	other threads:[~2023-10-18 18:31 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-18 18:31 Tomáš Mózes [this message]
  -- strict thread matches above, loose matches on Subject: below --
2024-11-22 15:42 [gentoo-commits] proj/xen-upstream-patches:main commit in: / Tomáš Mózes
2024-10-02  5:59 Tomáš Mózes
2024-08-01 13:03 Tomáš Mózes
2024-04-05  7:00 Tomáš Mózes
2024-02-03 18:12 Tomáš Mózes
2023-04-17  8:16 Florian Schmaus
2023-04-14 16:04 Tomáš Mózes
2022-11-09  8:53 Florian Schmaus
2022-10-19  9:04 Florian Schmaus
2022-07-14  8:16 Florian Schmaus
2022-07-12 19:34 Florian Schmaus

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1697653808.ffe00bc5becaed2dbaed9fdcadb6eea0bd4f9dd4.hydrapolic@gentoo \
    --to=hydrapolic@gmail.com \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox