Wed Apr 29 21:11:13 2015 UTC ()

Pullup ticket #4698 - requested by spz
Pullup ticket #4698 - requested by spz
sysutils/xenkernel41: security patch
sysutils/xenkernel42: security patch
sysutils/xenkernel45: security patch

Revisions pulled up:
- sysutils/xenkernel41/Makefile                                 1.45
- sysutils/xenkernel41/distinfo                                 1.36
- sysutils/xenkernel41/patches/patch-CVE-2015-2752              1.1
- sysutils/xenkernel41/patches/patch-CVE-2015-2756              1.1
- sysutils/xenkernel42/Makefile                                 1.15
- sysutils/xenkernel42/distinfo                                 1.13
- sysutils/xenkernel42/patches/patch-CVE-2015-2752              1.1
- sysutils/xenkernel42/patches/patch-CVE-2015-2756              1.1
- sysutils/xenkernel45/Makefile                                 1.6
- sysutils/xenkernel45/distinfo                                 1.5
- sysutils/xenkernel45/patches/patch-CVE-2015-2752              1.1
- sysutils/xenkernel45/patches/patch-CVE-2015-2756              1.1
- sysutils/xentools41/Makefile                                  1.50
- sysutils/xentools41/distinfo                                  1.38
- sysutils/xentools41/patches/patch-CVE-2015-2752               1.1
- sysutils/xentools41/patches/patch-CVE-2015-2756               1.1
- sysutils/xentools42/Makefile                                  1.27
- sysutils/xentools42/distinfo                                  1.16
- sysutils/xentools42/patches/patch-CVE-2015-2752               1.1
- sysutils/xentools42/patches/patch-CVE-2015-2756               1.1
- sysutils/xentools45/Makefile                                  1.6
- sysutils/xentools45/distinfo                                  1.6
- sysutils/xentools45/patches/patch-CVE-2015-2752               1.1
- sysutils/xentools45/patches/patch-CVE-2015-2756               1.1

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun Apr 19 13:13:21 UTC 2015

   Modified Files:
   	pkgsrc/sysutils/xenkernel41: Makefile distinfo
   	pkgsrc/sysutils/xenkernel42: Makefile distinfo
   	pkgsrc/sysutils/xenkernel45: Makefile distinfo
   	pkgsrc/sysutils/xentools41: Makefile distinfo
   	pkgsrc/sysutils/xentools42: Makefile distinfo
   	pkgsrc/sysutils/xentools45: Makefile distinfo
   Added Files:
   	pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756
   	pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756
   	pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756
   	pkgsrc/sysutils/xentools41/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756
   	pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756
   	pkgsrc/sysutils/xentools45/patches: patch-CVE-2015-2752
   	    patch-CVE-2015-2756

   Log Message:
   apply fixes from upstream for
   XSA-125 Long latency MMIO mapping operations are not preemptible
   XSA-126 Unmediated PCI command register access in qemu


(tron)

--- pkgsrc/sysutils/xenkernel41/Attic/Makefile 2015/03/10 20:27:16 1.44
+++ pkgsrc/sysutils/xenkernel41/Attic/Makefile 2015/04/29 21:11:12 1.44.2.1

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.44 2015/03/10 20:27:16 spz Exp $
+# $NetBSD: Makefile,v 1.44.2.1 2015/04/29 21:11:12 tron Exp $
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	15
+PKGREVISION=	16
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	cegger@NetBSD.org
 HOMEPAGE=	http://xen.org/
 COMMENT=	Xen 4.1.x Kernel
 LICENSE=        gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

--- pkgsrc/sysutils/xenkernel41/Attic/distinfo 2015/03/10 20:27:16 1.35
+++ pkgsrc/sysutils/xenkernel41/Attic/distinfo 2015/04/29 21:11:12 1.35.2.1

 @@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.35 2015/03/10 20:27:16 spz Exp $
+$NetBSD: distinfo,v 1.35.2.1 2015/04/29 21:11:12 tron Exp $
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
 SHA1 (patch-CVE-2013-4355_1) = 56dde995d7df4f18576040007fd5532de61d9069
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
 SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
 @@ -18,20 +18,22 @@ SHA1 (patch-CVE-2014-1666) = acf27080799
 SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145
 SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36
 SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2
 SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8
 SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6
 SHA1 (patch-CVE-2014-8594) = 39d9d220d89c2356fa745dad5bf8c7ef5e8f2516
 SHA1 (patch-CVE-2014-8595) = 46bd285b7eb8f2e23984f7917b12af2191bfef80
 SHA1 (patch-CVE-2014-8866) = ee0bc3afb767b50e973d6065b84adc7e51949def
 SHA1 (patch-CVE-2014-8867) = 576433746660f62b753088a66c5315a1a2ff8f76
 SHA1 (patch-CVE-2014-9030) = f52c302585b0f4b074f7562e6b8cddacb26deee4
 SHA1 (patch-CVE-2015-2044) = 00d32273d0a9f51927ff94a13f916382c3126e60
 SHA1 (patch-CVE-2015-2045) = e1874bbde0cce7db4ee9260440f5280d404027d7
 SHA1 (patch-CVE-2015-2151) = aed92f50d162febc3074f7edecaf6ca418d0b42c
 SHA1 (patch-CVE-2015-2752) = 37f44989a3b3c69dea8e9de9fc34ffd5c2e8b087
 SHA1 (patch-CVE-2015-2756) = b3b133d42229ecc8c308644b17e5317cd77f9a98
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
 SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- tools/libxc/xc_domain.c.orig	2013-09-10 06:42:18.000000000 +0000
+++ tools/libxc/xc_domain.c
@@ -1322,6 +1322,13 @@ int xc_domain_bind_pt_isa_irq(
                                   PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
 }
 
+#ifndef min
+#define min(X, Y) ({                             \
+            const typeof (X) _x = (X);           \
+            const typeof (Y) _y = (Y);           \
+            (void) (&_x == &_y);                 \
+            (_x < _y) ? _x : _y; })
+#endif
 int xc_domain_memory_mapping(
     xc_interface *xch,
     uint32_t domid,
@@ -1331,17 +1338,55 @@ int xc_domain_memory_mapping(
     uint32_t add_mapping)
 {
     DECLARE_DOMCTL;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
+
+    if ( !nr_mfns )
+        return 0;
 
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
-
+#undef min
 int xc_domain_ioport_mapping(
     xc_interface *xch,
     uint32_t domid,

--- xen/arch/x86/domctl.c.orig	2015-04-19 10:54:27.000000000 +0000
+++ xen/arch/x86/domctl.c
@@ -998,6 +998,11 @@ long arch_do_domctl(
              (gfn + nr_mfns - 1) < gfn ) /* wrap? */
             break;
 
+        ret = -E2BIG;
+        /* Must break hypercall up as this could take a while. */
+        if ( nr_mfns > 64 )
+            break;
+
         ret = -EPERM;
         if ( !IS_PRIV(current->domain) &&
              !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )

--- xen/include/public/domctl.h.orig	2013-09-10 06:42:18.000000000 +0000
+++ xen/include/public/domctl.h
@@ -505,6 +505,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_
 
 
 /* Bind machine I/O address range -> HVM address range. */
+/* If this returns -E2BIG lower nr_mfns value. */
 /* XEN_DOMCTL_memory_mapping */
 #define DPCI_ADD_MAPPING         1
 #define DPCI_REMOVE_MAPPING      0

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- tools/ioemu-qemu-xen/hw/pass-through.c.orig	2013-07-17 10:59:40.000000000 +0000
+++ tools/ioemu-qemu-xen/hw/pass-through.c
@@ -171,9 +171,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -277,9 +274,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1865,7 +1862,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1885,17 +1882,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3221,27 +3227,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3376,19 +3361,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4151,6 +4130,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4240,7 +4220,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4318,6 +4298,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");

--- pkgsrc/sysutils/xenkernel42/Attic/Makefile 2015/03/18 15:05:51 1.14
+++ pkgsrc/sysutils/xenkernel42/Attic/Makefile 2015/04/29 21:11:12 1.14.2.1

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.14 2015/03/18 15:05:51 joerg Exp $
+# $NetBSD: Makefile,v 1.14.2.1 2015/04/29 21:11:12 tron Exp $
 VERSION=	4.2.5
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel42-${VERSION}
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xenproject.org/
 COMMENT=	Xen 4.2.x Kernel
 LICENSE=	gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

--- pkgsrc/sysutils/xenkernel42/Attic/distinfo 2015/03/18 15:05:51 1.12
+++ pkgsrc/sysutils/xenkernel42/Attic/distinfo 2015/04/29 21:11:12 1.12.2.1

 @@ -1,25 +1,27 @@
-$NetBSD: distinfo,v 1.12 2015/03/18 15:05:51 joerg Exp $
+$NetBSD: distinfo,v 1.12.2.1 2015/04/29 21:11:12 tron Exp $
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
 Size (xen-4.2.5.tar.gz) = 15671925 bytes
 SHA1 (patch-CVE-2014-8594) = 8599e5007e8f15eddc1385aa1d90accf1690952e
 SHA1 (patch-CVE-2014-8595) = 46bd285b7eb8f2e23984f7917b12af2191bfef80
 SHA1 (patch-CVE-2014-8866) = 9888e9585364681dfaa43af953eb104715cc4f99
 SHA1 (patch-CVE-2014-8867) = 576433746660f62b753088a66c5315a1a2ff8f76
 SHA1 (patch-CVE-2014-9030) = f4646ab2b0d01ad2a3bf47839fe0ffd35479b4a6
 SHA1 (patch-CVE-2015-2044) = bcb7152da8d37902540cbfbdfd7309536cffa61e
 SHA1 (patch-CVE-2015-2045) = f70839fabd4ef9086c8fb808e4f3448a8e844c98
 SHA1 (patch-CVE-2015-2151) = df05750b86331b88102b41f065c314c38c6bc396
 SHA1 (patch-CVE-2015-2752) = 62547b55385aaf54af23270939fe086b996d5744
 SHA1 (patch-CVE-2015-2756) = cb1be46c28e6f88c13fc0d26ff0606bdb877283c
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
 SHA1 (patch-xen_arch_x86_mm_shadow_common.c) = 89dce860cc6aef7d0ec31f3137616b592490e60a
 SHA1 (patch-xen_arch_x86_x86_emulate_x86_emulate.c) = 8b906e762c8f94a670398b4e033d50a2fb012f0a
 SHA1 (patch-xen_common_spinlock.c) = 06f06b5e9b098262ebaa8af0be4837005fb5b8b4
 SHA1 (patch-xen_include_asm-arm_spinlock.h) = fe2e35a5ebec4c551df5d1680c93e6ad19348d93
 SHA1 (patch-xen_include_asm-x86_atomic.h) = d406c6071ea3823c25113a801dd77ff32146d162
 SHA1 (patch-xen_include_asm-x86_spinlock.h) = fbaaf264e9aa4857635a81b63c4a77cba4bf560f
 SHA1 (patch-xen_include_xen_lib.h) = 36dcaf3874a1b1214babc45d7e19fe3b556c1044
 SHA1 (patch-xen_include_xen_spinlock.h) = 8e06de55c9b4bfc360e0b8ac5a605adedab8eb8f

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- tools/libxc/xc_domain.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ tools/libxc/xc_domain.c
@@ -1352,6 +1352,13 @@ int xc_domain_bind_pt_isa_irq(
                                   PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
 }
 
+#ifndef min
+#define min(X, Y) ({                             \
+            const typeof (X) _x = (X);           \
+            const typeof (Y) _y = (Y);           \
+            (void) (&_x == &_y);                 \
+            (_x < _y) ? _x : _y; })
+#endif
 int xc_domain_memory_mapping(
     xc_interface *xch,
     uint32_t domid,
@@ -1361,17 +1368,55 @@ int xc_domain_memory_mapping(
     uint32_t add_mapping)
 {
     DECLARE_DOMCTL;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
+
+    if ( !nr_mfns )
+        return 0;
 
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
-
+#undef min
 int xc_domain_ioport_mapping(
     xc_interface *xch,
     uint32_t domid,

--- xen/arch/x86/domctl.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/domctl.c
@@ -865,6 +865,11 @@ long arch_do_domctl(
              (gfn + nr_mfns - 1) < gfn ) /* wrap? */
             break;
 
+        ret = -E2BIG;
+        /* Must break hypercall up as this could take a while. */
+        if ( nr_mfns > 64 )
+            break;
+
         ret = -EPERM;
         if ( !IS_PRIV(current->domain) &&
              !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )

--- xen/include/public/domctl.h.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/include/public/domctl.h
@@ -507,6 +507,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_
 
 
 /* Bind machine I/O address range -> HVM address range. */
+/* If this returns -E2BIG lower nr_mfns value. */
 /* XEN_DOMCTL_memory_mapping */
 #define DPCI_ADD_MAPPING         1
 #define DPCI_REMOVE_MAPPING      0

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- tools/qemu-xen-traditional/hw/pass-through.c.orig	2014-01-09 12:44:42.000000000 +0000
+++ tools/qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4205,6 +4184,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4294,7 +4274,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4372,6 +4352,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");

--- pkgsrc/sysutils/xenkernel45/Attic/Makefile 2015/03/10 20:08:43 1.5
+++ pkgsrc/sysutils/xenkernel45/Attic/Makefile 2015/04/29 21:11:12 1.5.2.1

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.5 2015/03/10 20:08:43 spz Exp $
+# $NetBSD: Makefile,v 1.5.2.1 2015/04/29 21:11:12 tron Exp $
 VERSION=	4.5.0
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel45-${VERSION}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xenproject.org/
 COMMENT=	Xen 4.5.x Kernel
 LICENSE=	gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

--- pkgsrc/sysutils/xenkernel45/Attic/distinfo 2015/03/10 20:08:43 1.4
+++ pkgsrc/sysutils/xenkernel45/Attic/distinfo 2015/04/29 21:11:12 1.4.2.1

 @@ -1,13 +1,15 @@
-$NetBSD: distinfo,v 1.4 2015/03/10 20:08:43 spz Exp $
+$NetBSD: distinfo,v 1.4.2.1 2015/04/29 21:11:12 tron Exp $
 SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
 RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
 Size (xen-4.5.0.tar.gz) = 18404933 bytes
 SHA1 (patch-CVE-2015-2044) = 354fe44df0c3b464137f50e2b9de3930f3910c0d
 SHA1 (patch-CVE-2015-2045) = 98e3f8064b7c190b2ae69c7d4c8f71febf8fbf52
 SHA1 (patch-CVE-2015-2151) = 30344d233eade872fa7062493d754f8bccaf9d2a
 SHA1 (patch-CVE-2015-2752) = 390edab296a91c83197205dce7030cbdd60e0d78
 SHA1 (patch-CVE-2015-2756) = e76490b858e213d09d326b413004d29a7e177b20
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_include_asm-x86_current.h) = 8a21577be06383c0c7f53c15ba828f77fb6314ad
 SHA1 (patch-xen_include_xen_lib.h) = b9f5dff5b4cf11333d95d9835941c6bc19b776ad

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- tools/libxc/xc_domain.c.orig	2015-01-12 16:53:24.000000000 +0000
+++ tools/libxc/xc_domain.c
@@ -1992,6 +1992,8 @@ int xc_domain_memory_mapping(
 {
     DECLARE_DOMCTL;
     xc_dominfo_t info;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
 
     if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 ||
          info.domid != domid )
@@ -2002,14 +2004,50 @@ int xc_domain_memory_mapping(
     if ( !xc_core_arch_auto_translated_physmap(&info) )
         return 0;
 
+    if ( !nr_mfns )
+        return 0;
+
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
 
 int xc_domain_ioport_mapping(

--- xen/common/domctl.c.orig	2015-01-12 16:53:24.000000000 +0000
+++ xen/common/domctl.c
@@ -1036,6 +1036,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
              (gfn + nr_mfns - 1) < gfn ) /* wrap? */
             break;
 
+        ret = -E2BIG;
+        /* Must break hypercall up as this could take a while. */
+        if ( nr_mfns > 64 )
+            break;
+
         ret = -EPERM;
         if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
              !iomem_access_permitted(d, mfn, mfn_end) )

--- xen/include/public/domctl.h.orig	2015-01-12 16:53:24.000000000 +0000
+++ xen/include/public/domctl.h
@@ -543,6 +543,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_
 
 
 /* Bind machine I/O address range -> HVM address range. */
+/* If this returns -E2BIG lower nr_mfns value. */
 /* XEN_DOMCTL_memory_mapping */
 #define DPCI_ADD_MAPPING         1
 #define DPCI_REMOVE_MAPPING      0

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:12 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemuu.patch
and
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- tools/qemu-xen/hw/xen/xen_pt.c.orig	2014-12-02 10:41:02.000000000 +0000
+++ tools/qemu-xen/hw/xen/xen_pt.c
@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = {
     .write = xen_pt_bar_write,
 };
 
-static int xen_pt_register_regions(XenPCIPassthroughState *s)
+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd)
 {
     int i = 0;
     XenHostPCIDevice *d = &s->real_device;
@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC
 
         if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) {
             type = PCI_BASE_ADDRESS_SPACE_IO;
+            *cmd |= PCI_COMMAND_IO;
         } else {
             type = PCI_BASE_ADDRESS_SPACE_MEMORY;
             if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) {
@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC
             if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) {
                 type |= PCI_BASE_ADDRESS_MEM_TYPE_64;
             }
+            *cmd |= PCI_COMMAND_MEMORY;
         }
 
         memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev,
@@ -657,6 +659,7 @@ static int xen_pt_initfn(PCIDevice *d)
     XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d);
     int rc = 0;
     uint8_t machine_irq = 0;
+    uint16_t cmd = 0;
     int pirq = XEN_PT_UNASSIGNED_PIRQ;
 
     /* register real device */
@@ -691,7 +694,7 @@ static int xen_pt_initfn(PCIDevice *d)
     s->io_listener = xen_pt_io_listener;
 
     /* Handle real device's MMIO/PIO BARs */
-    xen_pt_register_regions(s);
+    xen_pt_register_regions(s, &cmd);
 
     /* reinitialize each config register to be emulated */
     if (xen_pt_config_init(s)) {
@@ -755,6 +758,11 @@ static int xen_pt_initfn(PCIDevice *d)
     }
 
 out:
+    if (cmd) {
+        xen_host_pci_set_word(&s->real_device, PCI_COMMAND,
+                              pci_get_word(d->config + PCI_COMMAND) | cmd);
+    }
+
     memory_listener_register(&s->memory_listener, &address_space_memory);
     memory_listener_register(&s->io_listener, &address_space_io);
     XEN_PT_LOG(d,

--- tools/qemu-xen/hw/xen/xen_pt_config_init.c.orig	2014-12-02 10:41:02.000000000 +0000
+++ tools/qemu-xen/hw/xen/xen_pt_config_init.c
@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI
 }
 
 /* Command register */
-static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
-                               uint16_t *value, uint16_t valid_mask)
-{
-    XenPTRegInfo *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if (s->is_virtfn) {
-        emu_mask |= PCI_COMMAND_MEMORY;
-    }
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
 static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
                                 uint16_t *val, uint16_t dev_value,
                                 uint16_t valid_mask)
@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa
     XenPTRegInfo *reg = cfg_entry->reg;
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if (s->is_virtfn) {
-        emu_mask |= PCI_COMMAND_MEMORY;
-    }
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*val & PCI_COMMAND_INTX_DISABLE) {
         throughable_mask |= PCI_COMMAND_INTX_DISABLE;
@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = xen_pt_common_reg_init,
-        .u.w.read   = xen_pt_cmd_reg_read,
+        .u.w.read   = xen_pt_word_reg_read,
         .u.w.write  = xen_pt_cmd_reg_write,
     },
     /* Capabilities Pointer reg */

--- tools/qemu-xen-traditional/hw/pass-through.c.orig	2014-10-06 15:50:24.000000000 +0000
+++ tools/qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");

--- pkgsrc/sysutils/xentools41/Attic/Makefile 2014/12/27 00:27:11 1.49
+++ pkgsrc/sysutils/xentools41/Attic/Makefile 2015/04/29 21:11:13 1.49.4.1

 @@ -1,21 +1,21 @@
-# $NetBSD: Makefile,v 1.49 2014/12/27 00:27:11 gdt Exp $
+# $NetBSD: Makefile,v 1.49.4.1 2015/04/29 21:11:13 tron Exp $
+#
 # VERSION is set in version.mk as it is shared with other packages
 .include		"version.mk"
 DISTNAME=		xen-${VERSION}
 PKGNAME=		xentools41-${VERSION}
-PKGREVISION=		6
+PKGREVISION=		7
 CATEGORIES=		sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 DISTFILES=		${DISTNAME}.tar.gz
 DISTFILES+=		ipxe-git-v${VERSION_IPXE}.tar.gz
 SITES.ipxe-git-v${VERSION_IPXE}.tar.gz +=	http://xenbits.xensource.com/xen-extfiles/
 MAINTAINER=		cegger@NetBSD.org
 HOMEPAGE=		http://xen.org/
 COMMENT=		Userland Tools for Xen 4.1.x
 LICENSE=		gnu-gpl-v2

--- pkgsrc/sysutils/xentools41/Attic/distinfo 2014/08/28 14:30:03 1.37
+++ pkgsrc/sysutils/xentools41/Attic/distinfo 2015/04/29 21:11:13 1.37.6.1

 @@ -1,26 +1,28 @@
-$NetBSD: distinfo,v 1.37 2014/08/28 14:30:03 bouyer Exp $
+$NetBSD: distinfo,v 1.37.6.1 2015/04/29 21:11:13 tron Exp $
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
 Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-.._.._ipxe_src_arch_i386_include_librm.h) = 4549ac641b112321b4731a918d85219c3fce6808
 SHA1 (patch-.._.._ipxe_src_core_settings.c) = 240ff973757403b983f12b2cbed826584c4a8aba
 SHA1 (patch-.._.._ipxe_src_net_tls.c) = c0cfbc2ab2b92c659c146601c4f80d58c951ca62
 SHA1 (patch-.._Config.mk) = 9b971a41f67bb3974d3a4459bb9d96fbbd636c96
 SHA1 (patch-CVE-2014-1950) = b0d900722fd0f59a50f1e1eda1471105d5b557e5
 SHA1 (patch-CVE-2015-2752) = f9bca0b8744233e20ff97c3e8e2e404522e87f49
 SHA1 (patch-CVE-2015-2756) = 07aaac4bcd0dfc6d708c1823288b9fc789ebd125
 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
 SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
 SHA1 (patch-ad) = 5eb15470bff85d30b6d26d8fe094f59fc8e34175
 SHA1 (patch-ae) = 400bd6cac23af1e75f45c3e4e88e3130a3517129
 SHA1 (patch-af) = e866e7d96766b735a53432350275810803eeb510
 SHA1 (patch-ag) = 90893326dcce4e3e2ef273f22ec5ddf5af0f7cd8
 SHA1 (patch-ah) = ab91c41ef6bbdd7f7f3d992b9f81e43056a765e2
 SHA1 (patch-ai) = 8da6bba38bd7677ea829ca35058f7d2d1d7acad4
 SHA1 (patch-aj) = d0999d8dcbc1eef4de7037db0e54dcd8d2f706eb
 SHA1 (patch-ak) = 722a6b0541b036d84c703037134e25bc47f3eb65
 SHA1 (patch-al) = d9a310c16db708dd86170a13946f87e4cd21eb7a
 SHA1 (patch-am) = b89785a97208454eb3f2e1e43ba4674ad0828aa6

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- libxc/xc_domain.c.orig	2013-09-10 06:42:18.000000000 +0000
+++ libxc/xc_domain.c
@@ -1322,6 +1322,13 @@ int xc_domain_bind_pt_isa_irq(
                                   PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
 }
 
+#ifndef min
+#define min(X, Y) ({                             \
+            const typeof (X) _x = (X);           \
+            const typeof (Y) _y = (Y);           \
+            (void) (&_x == &_y);                 \
+            (_x < _y) ? _x : _y; })
+#endif
 int xc_domain_memory_mapping(
     xc_interface *xch,
     uint32_t domid,
@@ -1331,17 +1338,55 @@ int xc_domain_memory_mapping(
     uint32_t add_mapping)
 {
     DECLARE_DOMCTL;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
+
+    if ( !nr_mfns )
+        return 0;
 
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
-
+#undef min
 int xc_domain_ioport_mapping(
     xc_interface *xch,
     uint32_t domid,

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- ioemu-qemu-xen/hw/pass-through.c.orig	2013-07-17 10:59:40.000000000 +0000
+++ ioemu-qemu-xen/hw/pass-through.c
@@ -171,9 +171,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -277,9 +274,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1865,7 +1862,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1885,17 +1882,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3221,27 +3227,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3376,19 +3361,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4151,6 +4130,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4240,7 +4220,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4318,6 +4298,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");

--- pkgsrc/sysutils/xentools42/Attic/Makefile 2015/03/13 09:43:41 1.26
+++ pkgsrc/sysutils/xentools42/Attic/Makefile 2015/04/29 21:11:13 1.26.2.1

 @@ -1,21 +1,21 @@
-# $NetBSD: Makefile,v 1.26 2015/03/13 09:43:41 spz Exp $
+# $NetBSD: Makefile,v 1.26.2.1 2015/04/29 21:11:13 tron Exp $
 VERSION=	4.2.5
 VERSION_IPXE=	1.0.0
 DISTNAME=		xen-${VERSION}
 PKGNAME=		xentools42-${VERSION}
-PKGREVISION=		3
+PKGREVISION=		4
 CATEGORIES=		sysutils
 MASTER_SITES=		http://bits.xensource.com/oss-xen/release/${VERSION}/
 DISTFILES=		${DISTNAME}.tar.gz
 DISTFILES+=		ipxe-git-v${VERSION_IPXE}.tar.gz
 SITES.ipxe-git-v${VERSION_IPXE}.tar.gz +=	http://xenbits.xensource.com/xen-extfiles/
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://xen.org/
 COMMENT=		Userland Tools for Xen 4.2.x
 LICENSE=		gnu-gpl-v2
 # XXX add version check: Xen requires dev86 >= 0.16.14

--- pkgsrc/sysutils/xentools42/Attic/distinfo 2015/03/13 09:43:41 1.15
+++ pkgsrc/sysutils/xentools42/Attic/distinfo 2015/04/29 21:11:13 1.15.2.1

 @@ -1,40 +1,42 @@
-$NetBSD: distinfo,v 1.15 2015/03/13 09:43:41 spz Exp $
+$NetBSD: distinfo,v 1.15.2.1 2015/04/29 21:11:13 tron Exp $
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
 Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
 Size (xen-4.2.5.tar.gz) = 15671925 bytes
 SHA1 (patch-.._.._ipxe_src_Makefile.housekeeping) = 5ec8020a9705b2f64096c2942473a8de4db578bb
 SHA1 (patch-.._.._ipxe_src_arch_i386_include_librm.h) = 4549ac641b112321b4731a918d85219c3fce6808
 SHA1 (patch-.._.._ipxe_src_arch_i386_scripts_i386.lds) = 4c0cbb7f535be43e1b6f53c284340a8bafc37c0b
 SHA1 (patch-.._.._ipxe_src_core_settings.c) = 240ff973757403b983f12b2cbed826584c4a8aba
 SHA1 (patch-.._.._ipxe_src_drivers_net_ath5k_ath5k_qcu.c) = eb86106d05d5cc3300b7b57b0e0c2fdd338bbf43
 SHA1 (patch-.._.._ipxe_src_drivers_net_ns83820.c) = fbdfc47949f4946174b705d41d2b6c4405a68704
 SHA1 (patch-.._.._ipxe_src_drivers_net_tulip.c) = 0d9370c64e5e6bf15a5b87944e03333a10e4a299
 SHA1 (patch-.._.._ipxe_src_net_tls.c) = 893c70515bc4cb0d4d9319fd94eddc4945f6a0b3
 SHA1 (patch-.._Config.mk) = ec5ba76be10e43cb1b2d37686e35d5fb81d8de80
 SHA1 (patch-.._config_NetBSD.mk) = 90893326dcce4e3e2ef273f22ec5ddf5af0f7cd8
 SHA1 (patch-.._config_StdGNU.mk) = 3f93999038bd9d25277803cd1d969dc5733b593f
 SHA1 (patch-.._docs_man_xend-config.sxp.pod.5) = 36afc7b063f83adfe5b927ed0be586b102684020
 SHA1 (patch-.._docs_man_xl.cfg.pod.5) = 8f580bc91f346167999d91a279855c6e2710a8cc
 SHA1 (patch-.._docs_man_xl.conf.pod.5) = 4009ff6aefb0a770ed42d096117dc97f8f55997f
 SHA1 (patch-.._docs_man_xl.pod.1) = 740ad6f53e113b755bc6b04abce4ec9ba08eb815
 SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = a693a79a1f1c16548f62f7da1fa58fa28030990f
 SHA1 (patch-.._docs_man_xm.pod.1) = 975b7570da4bf9fd9cb79539fbd36b8dfbcbd571
 SHA1 (patch-.._docs_man_xmdomain.cfg.pod.5) = 5563a72e203e789a86f4166c71ddb3fcff5215c6
 SHA1 (patch-CVE-2015-2152) = 676339abef9e79595f6c40de31ca740f8284c7a2
 SHA1 (patch-CVE-2015-2752) = fdc83a758c34581d91586f24815952a4b7145af7
 SHA1 (patch-CVE-2015-2756) = 73223969ce65688e9226c485f0f444c69ee23bf3
 SHA1 (patch-Makefile) = 37fbcd6d2f0279d4c04c91085b0e7f5611a5b92a
 SHA1 (patch-Rules.mk) = 51a2804e9a2a509a428392c0eb11243884bb7f22
 SHA1 (patch-blktap_drivers_Makefile) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-configure) = 7bf4183efb76bded94a9519bf2737fb1240ab0e7
 SHA1 (patch-examples_Makefile) = 8e89fab7817785b32d79ec0cad3a2645c6981f01
 SHA1 (patch-examples_xend-config.sxp) = 5eb15470bff85d30b6d26d8fe094f59fc8e34175
 SHA1 (patch-firmware_etherboot_Makefile) = 1cb31183853c6069dafe47db8430e0577b21408e
 SHA1 (patch-firmware_etherboot_patches_boot__prompt__option.patch) = 7d14b60557b1e81de370b21544cd49643fa15f08
 SHA1 (patch-firmware_etherboot_patches_series) = cb653834fe14ff0b23fdfa525a20d3bcfe6e3819
 SHA1 (patch-firmware_hvmloader_Makefile) = 7d907fa33fa1f121b3d54116d905855529a020fd
 SHA1 (patch-firmware_hvmloader_util.h) = 6346ff8b33001dcecb7297b29c9df68be34af64d
 SHA1 (patch-hotplug_NetBSD_Makefile) = ab91c41ef6bbdd7f7f3d992b9f81e43056a765e2
 SHA1 (patch-hotplug_NetBSD_vif-bridge) = 663d0117612730960fd610b863d863d3abeea460

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- libxc/xc_domain.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ libxc/xc_domain.c
@@ -1352,6 +1352,13 @@ int xc_domain_bind_pt_isa_irq(
                                   PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
 }
 
+#ifndef min
+#define min(X, Y) ({                             \
+            const typeof (X) _x = (X);           \
+            const typeof (Y) _y = (Y);           \
+            (void) (&_x == &_y);                 \
+            (_x < _y) ? _x : _y; })
+#endif
 int xc_domain_memory_mapping(
     xc_interface *xch,
     uint32_t domid,
@@ -1361,17 +1368,55 @@ int xc_domain_memory_mapping(
     uint32_t add_mapping)
 {
     DECLARE_DOMCTL;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
+
+    if ( !nr_mfns )
+        return 0;
 
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
-
+#undef min
 int xc_domain_ioport_mapping(
     xc_interface *xch,
     uint32_t domid,

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- qemu-xen-traditional/hw/pass-through.c.orig	2014-01-09 12:44:42.000000000 +0000
+++ qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4205,6 +4184,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4294,7 +4274,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4372,6 +4352,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");

--- pkgsrc/sysutils/xentools45/Attic/Makefile 2015/03/13 10:27:48 1.5
+++ pkgsrc/sysutils/xentools45/Attic/Makefile 2015/04/29 21:11:13 1.5.2.1

 @@ -1,21 +1,21 @@
-# $NetBSD: Makefile,v 1.5 2015/03/13 10:27:48 spz Exp $
+# $NetBSD: Makefile,v 1.5.2.1 2015/04/29 21:11:13 tron Exp $
 VERSION=	4.5.0
 VERSION_IPXE=	9a93db3f0947484e30e753bbd61a10b17336e20e
 DISTNAME=		xen-${VERSION}
 PKGNAME=		xentools45-${VERSION}
-PKGREVISION=		2
+PKGREVISION=		3
 CATEGORIES=		sysutils
 MASTER_SITES=		http://bits.xensource.com/oss-xen/release/${VERSION}/
 DISTFILES=		${DISTNAME}.tar.gz
 DISTFILES+=		ipxe-git-${VERSION_IPXE}.tar.gz
 SITES.ipxe-git-${VERSION_IPXE}.tar.gz +=	http://xenbits.xensource.com/xen-extfiles/
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://xen.org/
 COMMENT=		Userland Tools for Xen 4.5.x
 LICENSE=		gnu-gpl-v2
 # XXX add version check: Xen requires dev86 >= 0.16.14

--- pkgsrc/sysutils/xentools45/Attic/distinfo 2015/03/13 10:27:48 1.5
+++ pkgsrc/sysutils/xentools45/Attic/distinfo 2015/04/29 21:11:13 1.5.2.1

 @@ -1,31 +1,33 @@
-$NetBSD: distinfo,v 1.5 2015/03/13 10:27:48 spz Exp $
+$NetBSD: distinfo,v 1.5.2.1 2015/04/29 21:11:13 tron Exp $
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes
 SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
 RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
 Size (xen-4.5.0.tar.gz) = 18404933 bytes
 SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d
 SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762
 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005
 SHA1 (patch-.._.._ipxe_src_net_tls.c) = c36b812c4c9a3aa7309219dfad2f7a24ba818e59
 SHA1 (patch-.._Config.mk) = 36a8942a9fc0f7d601c9b5f7fd1332db99f9ac4b
 SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab
 SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8
 SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5
 SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2
 SHA1 (patch-CVE-2015-2152) = 5a1cabf330b3a1bd902adf2b33dd5c4c32b8ab9d
 SHA1 (patch-CVE-2015-2752) = 85bcb80dab938b85da3342e7001d95bacf7f49e5
 SHA1 (patch-CVE-2015-2756) = 350cfd57a77d90997b81c7186e320bb52fb62d75
 SHA1 (patch-Makefile) = 5d5b9678ed9764275ee95f49d24e8538a0e8a01c
 SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = d1a1b9c9e00dd79bb872190282006201510ce2c1
 SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff
 SHA1 (patch-firmware_etherboot_Makefile) = f55e14948b7191e533a82b8fc3575f1052f23c45
 SHA1 (patch-firmware_etherboot_patches_series) = 2fa1342c78094c6dd5d60a07c236c4a1c0599fc4
 SHA1 (patch-firmware_hvmloader_Makefile) = bc5e81ddfc5e95887c2af4bb32eced9c5748b3c6
 SHA1 (patch-hotplug_NetBSD_Makefile) = 5afbf8dc910c93fcc0904ba09164a441704e31a2
 SHA1 (patch-hotplug_NetBSD_vif-bridge) = ac4cc7446715330b504b8cce8cbd47c8035cf33c
 SHA1 (patch-hotplug_NetBSD_vif-ip) = ed23b0c16d87bd05230399d921e28860c5857b01
 SHA1 (patch-hotplug_common_Makefile) = 1c8af96a3d0d1d5e9c168b1eb75fabb3e2164a19
 SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29df977c14

$NetBSD: patch-CVE-2015-2752,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch

--- libxc/xc_domain.c.orig	2015-01-12 16:53:24.000000000 +0000
+++ libxc/xc_domain.c
@@ -1992,6 +1992,8 @@ int xc_domain_memory_mapping(
 {
     DECLARE_DOMCTL;
     xc_dominfo_t info;
+    int ret = 0, err;
+    unsigned long done = 0, nr, max_batch_sz;
 
     if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 ||
          info.domid != domid )
@@ -2002,14 +2004,50 @@ int xc_domain_memory_mapping(
     if ( !xc_core_arch_auto_translated_physmap(&info) )
         return 0;
 
+    if ( !nr_mfns )
+        return 0;
+
     domctl.cmd = XEN_DOMCTL_memory_mapping;
     domctl.domain = domid;
-    domctl.u.memory_mapping.first_gfn = first_gfn;
-    domctl.u.memory_mapping.first_mfn = first_mfn;
-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
     domctl.u.memory_mapping.add_mapping = add_mapping;
+    max_batch_sz = nr_mfns;
+    do
+    {
+        nr = min(nr_mfns - done, max_batch_sz);
+        domctl.u.memory_mapping.nr_mfns = nr;
+        domctl.u.memory_mapping.first_gfn = first_gfn + done;
+        domctl.u.memory_mapping.first_mfn = first_mfn + done;
+        err = do_domctl(xch, &domctl);
+        if ( err && errno == E2BIG )
+        {
+            if ( max_batch_sz <= 1 )
+                break;
+            max_batch_sz >>= 1;
+            continue;
+        }
+        /* Save the first error... */
+        if ( !ret )
+            ret = err;
+        /* .. and ignore the rest of them when removing. */
+        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+            break;
+
+        done += nr;
+    } while ( done < nr_mfns );
+
+    /*
+     * Undo what we have done unless unmapping, by unmapping the entire region.
+     * Errors here are ignored.
+     */
+    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+                                 DPCI_REMOVE_MAPPING);
+
+    /* We might get E2BIG so many times that we never advance. */
+    if ( !done && !ret )
+        ret = -1;
 
-    return do_domctl(xch, &domctl);
+    return ret;
 }
 
 int xc_domain_ioport_mapping(

$NetBSD: patch-CVE-2015-2756,v 1.1.2.2 2015/04/29 21:11:13 tron Exp $

patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemuu.patch
and
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch

--- qemu-xen/hw/xen/xen_pt.c.orig	2014-12-02 10:41:02.000000000 +0000
+++ qemu-xen/hw/xen/xen_pt.c
@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = {
     .write = xen_pt_bar_write,
 };
 
-static int xen_pt_register_regions(XenPCIPassthroughState *s)
+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd)
 {
     int i = 0;
     XenHostPCIDevice *d = &s->real_device;
@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC
 
         if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) {
             type = PCI_BASE_ADDRESS_SPACE_IO;
+            *cmd |= PCI_COMMAND_IO;
         } else {
             type = PCI_BASE_ADDRESS_SPACE_MEMORY;
             if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) {
@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC
             if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) {
                 type |= PCI_BASE_ADDRESS_MEM_TYPE_64;
             }
+            *cmd |= PCI_COMMAND_MEMORY;
         }
 
         memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev,
@@ -657,6 +659,7 @@ static int xen_pt_initfn(PCIDevice *d)
     XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d);
     int rc = 0;
     uint8_t machine_irq = 0;
+    uint16_t cmd = 0;
     int pirq = XEN_PT_UNASSIGNED_PIRQ;
 
     /* register real device */
@@ -691,7 +694,7 @@ static int xen_pt_initfn(PCIDevice *d)
     s->io_listener = xen_pt_io_listener;
 
     /* Handle real device's MMIO/PIO BARs */
-    xen_pt_register_regions(s);
+    xen_pt_register_regions(s, &cmd);
 
     /* reinitialize each config register to be emulated */
     if (xen_pt_config_init(s)) {
@@ -755,6 +758,11 @@ static int xen_pt_initfn(PCIDevice *d)
     }
 
 out:
+    if (cmd) {
+        xen_host_pci_set_word(&s->real_device, PCI_COMMAND,
+                              pci_get_word(d->config + PCI_COMMAND) | cmd);
+    }
+
     memory_listener_register(&s->memory_listener, &address_space_memory);
     memory_listener_register(&s->io_listener, &address_space_io);
     XEN_PT_LOG(d,

--- qemu-xen/hw/xen/xen_pt_config_init.c.orig	2014-12-02 10:41:02.000000000 +0000
+++ qemu-xen/hw/xen/xen_pt_config_init.c
@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI
 }
 
 /* Command register */
-static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
-                               uint16_t *value, uint16_t valid_mask)
-{
-    XenPTRegInfo *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if (s->is_virtfn) {
-        emu_mask |= PCI_COMMAND_MEMORY;
-    }
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
 static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
                                 uint16_t *val, uint16_t dev_value,
                                 uint16_t valid_mask)
@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa
     XenPTRegInfo *reg = cfg_entry->reg;
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if (s->is_virtfn) {
-        emu_mask |= PCI_COMMAND_MEMORY;
-    }
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*val & PCI_COMMAND_INTX_DISABLE) {
         throughable_mask |= PCI_COMMAND_INTX_DISABLE;
@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = xen_pt_common_reg_init,
-        .u.w.read   = xen_pt_cmd_reg_read,
+        .u.w.read   = xen_pt_word_reg_read,
         .u.w.write  = xen_pt_cmd_reg_write,
     },
     /* Capabilities Pointer reg */

--- qemu-xen-traditional/hw/pass-through.c.orig	2014-10-06 15:50:24.000000000 +0000
+++ qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
 static int pt_long_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-    struct pt_reg_tbl *cfg_entry,
-    uint16_t *value, uint16_t valid_mask);
 static int pt_bar_reg_read(struct pt_dev *ptdev,
     struct pt_reg_tbl *cfg_entry,
     uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
         .size       = 2,
         .init_val   = 0x0000,
         .ro_mask    = 0xF880,
-        .emu_mask   = 0x0740,
+        .emu_mask   = 0x0743,
         .init       = pt_common_reg_init,
-        .u.w.read   = pt_cmd_reg_read,
+        .u.w.read   = pt_word_reg_read,
         .u.w.write  = pt_cmd_reg_write,
         .u.w.restore  = pt_cmd_reg_restore,
     },
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
     return rc;
 }
 
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
 {
     int i = 0;
     uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
 
             /* Register current region */
             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
                     pt_ioport_map);
+                *cmd |= PCI_COMMAND_IO;
+            }
             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
             else
+            {
                 pci_register_io_region((PCIDevice *)assigned_device, i,
                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
                     pt_iomem_map);
+                *cmd |= PCI_COMMAND_MEMORY;
+            }
 
             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
                 (uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
    return 0;
 }
 
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
-        struct pt_reg_tbl *cfg_entry,
-        uint16_t *value, uint16_t valid_mask)
-{
-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
-    uint16_t valid_emu_mask = 0;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
-
-    /* emulate word register */
-    valid_emu_mask = emu_mask & valid_mask;
-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
-    return 0;
-}
-
 /* read BAR */
 static int pt_bar_reg_read(struct pt_dev *ptdev,
         struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
     uint16_t writable_mask = 0;
     uint16_t throughable_mask = 0;
     uint16_t wr_value = *value;
-    uint16_t emu_mask = reg->emu_mask;
-
-    if ( ptdev->is_virtfn )
-        emu_mask |= PCI_COMMAND_MEMORY;
-    if ( pt_is_iomul(ptdev) )
-        emu_mask |= PCI_COMMAND_IO;
 
     /* modify emulate register */
     writable_mask = ~reg->ro_mask & valid_mask;
     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
 
     /* create value for writing to I/O device register */
-    throughable_mask = ~emu_mask & valid_mask;
+    throughable_mask = ~reg->emu_mask & valid_mask;
 
     if (*value & PCI_COMMAND_DISABLE_INTx)
     {
@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev
     struct pt_dev *assigned_device = NULL;
     struct pci_dev *pci_dev;
     uint8_t e_device, e_intx;
+    uint16_t cmd = 0;
     char *key, *val;
     int msi_translate, power_mgmt;
 
@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev
         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
 
     /* Handle real device's MMIO/PIO BARs */
-    pt_register_regions(assigned_device);
+    pt_register_regions(assigned_device, &cmd);
 
     /* Setup VGA bios for passthroughed gfx */
     if ( setup_vga_pt(assigned_device) < 0 )
@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev
     }
 
 out:
+    if (cmd)
+        pci_write_word(pci_dev, PCI_COMMAND,
+            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
            "IRQ type = %s\n", r_bus, r_dev, r_func,
            assigned_device->msi_trans_en? "MSI-INTx":"INTx");