version 4.14.74-1

(cherry picked from commit 853ff4cc62)

config-base

@@ -1,4 +1,4 @@
-# Base config based on Fedora's config (kernel-core-4.14.11-300.fc27.x86_64.rpm)
+# Base config based on Fedora's config (kernel-core-4.14.18-300.fc27.x86_64.rpm)
 # Only modification is `yes '' | make oldconfig` to drop config settings which
 # depend on Fedora patches and adjust for the small version difference.
 
@@ -230,6 +230,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -463,6 +464,7 @@ CONFIG_X86_FAST_FEATURE_TESTS=y
 CONFIG_X86_X2APIC=y
 CONFIG_X86_MPPARSE=y
 # CONFIG_GOLDFISH is not set
+CONFIG_RETPOLINE=y
 CONFIG_INTEL_RDT=y
 CONFIG_X86_EXTENDED_PLATFORM=y
 CONFIG_X86_NUMACHIP=y
@@ -1845,6 +1847,7 @@ CONFIG_TEST_ASYNC_DRIVER_PROBE=m
 CONFIG_SYS_HYPERVISOR=y
 # CONFIG_GENERIC_CPU_DEVICES is not set
 CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
 CONFIG_REGMAP=y
 CONFIG_REGMAP_I2C=y
 CONFIG_REGMAP_SPI=y
@@ -7199,7 +7202,7 @@ CONFIG_EFI_RUNTIME_WRAPPERS=y
 # CONFIG_EFI_CAPSULE_LOADER is not set
 # CONFIG_EFI_TEST is not set
 CONFIG_APPLE_PROPERTIES=y
-CONFIG_RESET_ATTACK_MITIGATION=y
+# CONFIG_RESET_ATTACK_MITIGATION is not set
 CONFIG_UEFI_CPER=y
 CONFIG_EFI_DEV_PATH_PARSER=y
 

config-qubes

@@ -87,8 +87,6 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
-
 
 ################################################################################
 ## Enable paravirt spinlocks. This should be more performant.
@@ -129,6 +127,13 @@ CONFIG_USB_CONFIGFS_MASS_STORAGE=y
 CONFIG_USB_DUMMY_HCD=m
 
 
+################################################################################
+## Enable AppArmor
+## It's optionally used by Whonix (https://www.whonix.org/wiki/AppArmor).
+
+CONFIG_SECURITY_APPARMOR=y
+
+
 ################################################################################
 ## TODO: from diff to old config
 
@@ -139,7 +144,6 @@ CONFIG_USB_DUMMY_HCD=m
 ##
 ## CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 ##
-## CONFIG_SECURITY_APPARMOR=y
 ## sensors from 0f976d972a1671a303fad30a5e690304b0b82ee0
 ##
 ## Intel ME driver e0f8e9ca81b80d897b190f48a4af80eff3198cb1

kernel.spec

@@ -53,6 +53,14 @@ BuildRequires:  bc
 BuildRequires:  openssl-devel
 BuildRequires:  gcc-plugin-devel
 BuildRequires:  elfutils-libelf-devel
+
+# gcc with support for BTI mitigation
+%if 0%{?fedora} == 23
+BuildRequires:  gcc >= 5.3.1-6.qubes1
+%else
+BuildRequires:  gcc >= 6.4.1-1.qubes1
+%endif
+
 Provides:       multiversion(kernel)
 Provides:       %name = %kernelrelease
 

patches.xen/xen-Fix-set-clear-_foreign_p2m_mapping-on-autotransl.patch

@@ -1,40 +0,0 @@
-From c71b9388cef5106ad8aa4f8db3d03388e74e5b89 Mon Sep 17 00:00:00 2001
-From: Simon Gaiser <simon@invisiblethingslab.com>
-Date: Fri, 5 Jan 2018 18:28:39 +0100
-Subject: [PATCH] xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating
- guests
-
-Commit 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths")
-removed the check for autotranslation from {set,clear}_foreign_p2m_mapping
-but those are called by grant-table.c also on PVH/HVM guests.
----
- arch/x86/xen/p2m.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
-index 6083ba462f35..15812e553b95 100644
---- a/arch/x86/xen/p2m.c
-+++ b/arch/x86/xen/p2m.c
-@@ -694,6 +694,9 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops,
- 	int i, ret = 0;
- 	pte_t *pte;
- 
-+	if (xen_feature(XENFEAT_auto_translated_physmap))
-+		return 0;
-+
- 	if (kmap_ops) {
- 		ret = HYPERVISOR_grant_table_op(GNTTABOP_map_grant_ref,
- 						kmap_ops, count);
-@@ -736,6 +739,9 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
- {
- 	int i, ret = 0;
- 
-+	if (xen_feature(XENFEAT_auto_translated_physmap))
-+		return 0;
-+
- 	for (i = 0; i < count; i++) {
- 		unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i]));
- 		unsigned long pfn = page_to_pfn(pages[i]);
--- 
-2.15.1
-

patches.xen/xsa155-linux-0008-xen-Add-RING_COPY_RESPONSE.patch

@@ -1,13 +1,11 @@
-From 8322f4eddaf1fe5a9bdf5252c8140daa8bad60fd Mon Sep 17 00:00:00 2001
+From bf0b3f33476360b5d72f87d749409b0a2b1a57cb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Tue, 15 Dec 2015 21:35:14 +0100
-Subject: [PATCH 08/13] xen: Add RING_COPY_RESPONSE()
+Subject: [PATCH] xen: Add RING_COPY_RESPONSE()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Using RING_GET_RESPONSE() on a shared ring is easy to use incorrectly
 (i.e., by not considering that the other end may alter the data in the
@@ -31,10 +29,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 14 insertions(+)
 
 diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
-index 7dc685b..312415c 100644
+index 3f40501fc60b..03702f6874df 100644
 --- a/include/xen/interface/io/ring.h
 +++ b/include/xen/interface/io/ring.h
-@@ -198,6 +198,20 @@ struct __name##_back_ring {						\
+@@ -201,6 +201,20 @@ struct __name##_back_ring {						\
  #define RING_GET_RESPONSE(_r, _idx)					\
      (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
  
@@ -56,5 +54,5 @@ index 7dc685b..312415c 100644
  #define RING_REQUEST_CONS_OVERFLOW(_r, _cons)				\
      (((_cons) - (_r)->rsp_prod_pvt) >= RING_SIZE(_r))
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch

@@ -1,13 +1,11 @@
-From 76a020d3b2023ca02961eab38318ef2d6f1338d9 Mon Sep 17 00:00:00 2001
+From f8bc4b3be49e47dcf005ce12ef25071fe16bd45b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:22:24 +0100
-Subject: [PATCH 11/13] xen-netfront: add range check for Tx response id
+Subject: [PATCH] xen-netfront: add range check for Tx response id
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Tx response ID is fetched from shared page, so make sure it is sane
 before using it as an array index.
@@ -21,10 +19,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 959e479..94309e6 100644
+index 026d39702217..4150128ab893 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -379,6 +379,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
+@@ -395,6 +395,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
  				continue;
  
  			id  = txrsp.id;
@@ -33,5 +31,5 @@ index 959e479..94309e6 100644
  			if (unlikely(gnttab_query_foreign_access(
  				queue->grant_tx_ref[id]) != 0)) {
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch

@@ -1,14 +1,11 @@
-From ef0d243bfeaf1da8854c26f89536dc1b69c56602 Mon Sep 17 00:00:00 2001
+From 26baa3367516dac7e376e2595d187dd9887bf0e0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:51:10 +0100
-Subject: [PATCH 12/13] xen-blkfront: make local copy of response before using
- it
+Subject: [PATCH] xen-blkfront: make local copy of response before using it
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Data on the shared page can be changed at any time by the backend. Make
 a local copy, which is no longer controlled by the backend. And only
@@ -23,10 +20,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 17 insertions(+), 17 deletions(-)
 
 diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index 2fee2ee..5d7eb04 100644
+index b5cedccb5d7d..87781c076733 100644
 --- a/drivers/block/xen-blkfront.c
 +++ b/drivers/block/xen-blkfront.c
-@@ -1552,7 +1552,7 @@ static bool blkif_completion(unsigned long *id,
+@@ -1548,7 +1548,7 @@ static bool blkif_completion(unsigned long *id,
  static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  {
  	struct request *req;
@@ -35,7 +32,7 @@ index 2fee2ee..5d7eb04 100644
  	RING_IDX i, rp;
  	unsigned long flags;
  	struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id;
-@@ -1569,8 +1569,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1565,8 +1565,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  	for (i = rinfo->ring.rsp_cons; i != rp; i++) {
  		unsigned long id;
  
@@ -46,7 +43,7 @@ index 2fee2ee..5d7eb04 100644
  		/*
  		 * The backend has messed up and given us an id that we would
  		 * never have given to it (we stamp it up to BLK_RING_SIZE -
-@@ -1578,39 +1578,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1574,39 +1574,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  		 */
  		if (id >= BLK_RING_SIZE(info)) {
  			WARN(1, "%s: response to %s has incorrect id (%ld)\n",
@@ -94,7 +91,7 @@ index 2fee2ee..5d7eb04 100644
  				blkif_req(req)->error = BLK_STS_NOTSUPP;
  				info->feature_discard = 0;
  				info->feature_secdiscard = 0;
-@@ -1620,15 +1620,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1616,15 +1616,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  			break;
  		case BLKIF_OP_FLUSH_DISKCACHE:
  		case BLKIF_OP_WRITE_BARRIER:
@@ -114,7 +111,7 @@ index 2fee2ee..5d7eb04 100644
  				blkif_req(req)->error = BLK_STS_NOTSUPP;
  			}
  			if (unlikely(blkif_req(req)->error)) {
-@@ -1641,9 +1641,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1637,9 +1637,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  			/* fall through */
  		case BLKIF_OP_READ:
  		case BLKIF_OP_WRITE:
@@ -127,5 +124,5 @@ index 2fee2ee..5d7eb04 100644
  			break;
  		default:
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux44-0009-xen-netfront-copy-response-out-of-shared-buffer-befo.patch

@@ -1,14 +1,12 @@
-From 3a1006355114da4b8fc4b935a64928b7f6ae374f Mon Sep 17 00:00:00 2001
+From c7c1661d1b265ea620939bb5da4958eb0fb1385b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:09:55 +0100
-Subject: [PATCH 09/13] xen-netfront: copy response out of shared buffer before
+Subject: [PATCH] xen-netfront: copy response out of shared buffer before
  accessing it
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Make local copy of the response, otherwise backend might modify it while
 frontend is already processing it - leading to time of check / time of
@@ -16,14 +14,14 @@ use issue.
 
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/net/xen-netfront.c | 51 +++++++++++++++++++++++-----------------------
+ drivers/net/xen-netfront.c | 51 +++++++++++++++++++-------------------
  1 file changed, 25 insertions(+), 26 deletions(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index d6abf19..2af5100 100644
+index 9dd2ca62d84a..1b6c319d74f1 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -372,13 +372,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
+@@ -388,13 +388,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
  		rmb(); /* Ensure we see responses up to 'rp'. */
  
  		for (cons = queue->tx.rsp_cons; cons != prod; cons++) {
@@ -41,7 +39,7 @@ index d6abf19..2af5100 100644
  			skb = queue->tx_skbs[id].skb;
  			if (unlikely(gnttab_query_foreign_access(
  				queue->grant_tx_ref[id]) != 0)) {
-@@ -721,7 +721,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
+@@ -742,7 +742,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
  			     RING_IDX rp)
  
  {
@@ -50,7 +48,7 @@ index d6abf19..2af5100 100644
  	struct device *dev = &queue->info->netdev->dev;
  	RING_IDX cons = queue->rx.rsp_cons;
  	int err = 0;
-@@ -737,24 +737,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
+@@ -758,24 +758,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
  			break;
  		}
  
@@ -82,7 +80,7 @@ index d6abf19..2af5100 100644
  
  	queue->rx.rsp_cons = cons;
  	return err;
-@@ -764,28 +763,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -785,28 +784,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
  				struct netfront_rx_info *rinfo, RING_IDX rp,
  				struct sk_buff_head *list)
  {
@@ -93,8 +91,8 @@ index d6abf19..2af5100 100644
  	RING_IDX cons = queue->rx.rsp_cons;
  	struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
  	grant_ref_t ref = xennet_get_rx_ref(queue, cons);
--	int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
-+	int max = MAX_SKB_FRAGS + (rx.status <= RX_COPY_THRESHOLD);
+-	int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
++	int max = XEN_NETIF_NR_SLOTS_MIN + (rx.status <= RX_COPY_THRESHOLD);
  	int slots = 1;
  	int err = 0;
  	unsigned long ret;
@@ -117,7 +115,7 @@ index d6abf19..2af5100 100644
  			xennet_move_rx_slot(queue, skb, ref);
  			err = -EINVAL;
  			goto next;
-@@ -799,7 +798,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -820,7 +819,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  		if (ref == GRANT_INVALID_REF) {
  			if (net_ratelimit())
  				dev_warn(dev, "Bad rx response id %d.\n",
@@ -126,7 +124,7 @@ index d6abf19..2af5100 100644
  			err = -EINVAL;
  			goto next;
  		}
-@@ -812,7 +811,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -833,7 +832,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  		__skb_queue_tail(list, skb);
  
  next:
@@ -135,7 +133,7 @@ index d6abf19..2af5100 100644
  			break;
  
  		if (cons + slots == rp) {
-@@ -822,7 +821,7 @@ next:
+@@ -843,7 +842,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  			break;
  		}
  
@@ -144,7 +142,7 @@ index d6abf19..2af5100 100644
  		skb = xennet_get_rx_skb(queue, cons + slots);
  		ref = xennet_get_rx_ref(queue, cons + slots);
  		slots++;
-@@ -878,9 +877,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
+@@ -898,9 +897,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
  	struct sk_buff *nskb;
  
  	while ((nskb = __skb_dequeue(list))) {
@@ -154,18 +152,18 @@ index d6abf19..2af5100 100644
  		skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
 +		RING_COPY_RESPONSE(&queue->rx, ++cons, &rx);
  
- 		if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+ 		if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
  			unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
-@@ -891,7 +890,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
- 		BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+@@ -912,7 +911,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
  
- 		skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
+ 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+ 				skb_frag_page(nfrag),
 -				rx->offset, rx->status, PAGE_SIZE);
 +				rx.offset, rx.status, PAGE_SIZE);
  
  		skb_shinfo(nskb)->nr_frags = 0;
  		kfree_skb(nskb);
-@@ -987,7 +986,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
+@@ -1008,7 +1007,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
  	i = queue->rx.rsp_cons;
  	work_done = 0;
  	while ((i != rp) && (work_done < budget)) {
@@ -175,5 +173,5 @@ index d6abf19..2af5100 100644
  
  		err = xennet_get_responses(queue, &rinfo, rp, &tmpq);
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-back.patch

@@ -1,14 +1,11 @@
-From 2adc557330dde5b474d885518d2663180d3c8f45 Mon Sep 17 00:00:00 2001
+From 11b753cc107f41aca56ba0698a1bd6b806cd6795 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:19:37 +0100
-Subject: [PATCH 10/13] xen-netfront: do not use data already exposed to
- backend
+Subject: [PATCH] xen-netfront: do not use data already exposed to backend
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Backend may freely modify anything on shared page, so use data which was
 supposed to be written there, instead of reading it back from the shared
@@ -19,14 +16,14 @@ This is part of XSA155.
 CC: stable@vger.kernel.org
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/net/xen-netfront.c | 32 +++++++++++---------------------
- 1 file changed, 11 insertions(+), 21 deletions(-)
+ drivers/net/xen-netfront.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 2af5100..959e479 100644
+index 1b6c319d74f1..026d39702217 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -453,7 +453,7 @@ static void xennet_tx_setup_grant(unsign
+@@ -459,7 +459,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
  	tx->flags = 0;
  
  	info->tx = tx;
@@ -35,7 +32,7 @@ index 2af5100..959e479 100644
  }
  
  static struct xen_netif_tx_request *xennet_make_first_txreq(
-@@ -522,7 +524,7 @@ static int xennet_start_xmit(struct sk_b
+@@ -575,7 +575,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
  	int slots;
  	struct page *page;
  	unsigned int offset;
@@ -44,7 +41,7 @@ index 2af5100..959e479 100644
  	unsigned long flags;
  	struct netfront_queue *queue = NULL;
  	unsigned int num_queues = dev->real_num_tx_queues;
-@@ -614,14 +614,15 @@ static int xennet_start_xmit(struct sk_b
+@@ -635,14 +635,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
  	}
  
  	/* First request for the linear area. */
@@ -62,3 +59,6 @@ index 2af5100..959e479 100644
  
  	if (skb->ip_summed == CHECKSUM_PARTIAL)
  		/* local packet? */
+-- 
+2.17.1
+

patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch

@@ -1,14 +1,12 @@
-From 74aaa42e1f25309a163acd00083ecbbc186fbb47 Mon Sep 17 00:00:00 2001
+From 5c574ee1c388258969b2c66d46db20be16c3aeb3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 06:07:14 +0100
-Subject: [PATCH 13/13] xen-blkfront: prepare request locally, only then put it
- on the shared ring
+Subject: [PATCH] xen-blkfront: prepare request locally, only then put it on
+ the shared ring
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Do not reuse data which theoretically might be already modified by the
 backend. This is mostly about private copy of the request
@@ -20,14 +18,14 @@ This is part of XSA155.
 CC: stable@vger.kernel.org
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/block/xen-blkfront.c | 56 ++++++++++++++++++++++++--------------------
- 1 file changed, 30 insertions(+), 26 deletions(-)
+ drivers/block/xen-blkfront.c | 76 +++++++++++++++++++++---------------
+ 1 file changed, 44 insertions(+), 32 deletions(-)
 
 diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index e99ea22..7191800 100644
+index 87781c076733..3da0f6be24c9 100644
 --- a/drivers/block/xen-blkfront.c
 +++ b/drivers/block/xen-blkfront.c
-@@ -528,19 +528,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -524,19 +524,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode,
  
  static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
  					    struct request *req,
@@ -49,7 +47,7 @@ index e99ea22..7191800 100644
  
  	return id;
  }
-@@ -548,23 +545,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
+@@ -544,23 +541,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
  static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo)
  {
  	struct blkfront_info *info = rinfo->dev_info;
@@ -86,7 +84,7 @@ index e99ea22..7191800 100644
  
  	return 0;
  }
-@@ -696,7 +698,7 @@ static void blkif_setup_extra_req(struct blkif_request *first,
+@@ -692,7 +694,7 @@ static void blkif_setup_extra_req(struct blkif_request *first,
  static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *rinfo)
  {
  	struct blkfront_info *info = rinfo->dev_info;
@@ -95,7 +93,7 @@ index e99ea22..7191800 100644
  	unsigned long id, extra_id = NO_ASSOCIATED_ID;
  	bool require_extra_req = false;
  	int i;
-@@ -761,16 +763,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -757,16 +759,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  		 * BLKIF_OP_WRITE
  		 */
  		BUG_ON(req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA);
@@ -120,7 +118,7 @@ index e99ea22..7191800 100644
  			BLKIF_OP_WRITE : BLKIF_OP_READ;
  		if (req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA) {
  			/*
-@@ -781,15 +783,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -777,15 +779,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  			 * since it is guaranteed ordered WRT previous writes.)
  			 */
  			if (info->feature_flush && info->feature_fua)
@@ -140,7 +138,7 @@ index e99ea22..7191800 100644
  		if (unlikely(require_extra_req)) {
  			extra_id = blkif_ring_get_request(rinfo, req,
  							  &extra_ring_req);
-@@ -799,7 +801,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -795,7 +797,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  			 */
  			rinfo->shadow[extra_id].num_sg = 0;
  
@@ -149,7 +147,7 @@ index e99ea22..7191800 100644
  
  			/* Link the 2 requests together */
  			rinfo->shadow[extra_id].associated_id = id;
-@@ -807,12 +809,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -803,12 +805,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  		}
  	}
  
@@ -164,7 +162,7 @@ index e99ea22..7191800 100644
  
  	for_each_sg(rinfo->shadow[id].sg, sg, num_sg, i) {
  		BUG_ON(sg->offset + sg->length > PAGE_SIZE);
-@@ -834,10 +836,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -830,10 +832,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  	if (setup.segments)
  		kunmap_atomic(setup.segments);
  
@@ -188,3 +186,6 @@ index e99ea22..7191800 100644
  
  	if (new_persistent_gnts)
  		gnttab_free_grant_references(setup.gref_head);
+-- 
+2.17.1
+

patches.xen/xsa270.patch

@@ -0,0 +1,49 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
+
+Both len and off are frontend specified values, so we need to make
+sure there's no overflow when adding the two for the bounds check. We
+also want to avoid undefined behavior and hence use off to index into
+->hash.mapping[] only after bounds checking. This at the same time
+allows to take care of not applying off twice for the bounds checking
+against vif->num_queues.
+
+It is also insufficient to bounds check copy_op.len, as this is len
+truncated to 16 bits.
+
+This is XSA-270.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
+Tested-by: Paul Durrant <paul.durrant@citrix.com>
+
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct
+ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
+ 			    u32 off)
+ {
+-	u32 *mapping = &vif->hash.mapping[off];
++	u32 *mapping = vif->hash.mapping;
+ 	struct gnttab_copy copy_op = {
+ 		.source.u.ref = gref,
+ 		.source.domid = vif->domid,
+-		.dest.u.gmfn = virt_to_gfn(mapping),
+ 		.dest.domid = DOMID_SELF,
+-		.dest.offset = xen_offset_in_page(mapping),
+-		.len = len * sizeof(u32),
++		.len = len * sizeof(*mapping),
+ 		.flags = GNTCOPY_source_gref
+ 	};
+ 
+-	if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
++	if ((off + len < off) || (off + len > vif->hash.size) ||
++	    len > XEN_PAGE_SIZE / sizeof(*mapping))
+ 		return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+ 
++	copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
++	copy_op.dest.offset = xen_offset_in_page(mapping + off);
++
+ 	while (len-- != 0)
+ 		if (mapping[off++] >= vif->num_queues)
+ 			return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;

series.conf

@@ -18,12 +18,10 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-
 patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch
 patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch
 patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch
+patches.xen/xsa270.patch
 
 # MSI-X enabled device passthrough fix (#1734)
 patches.xen/pci_op-cleanup.patch
 
 # Fix for MSI support with stubdoms
 patches.xen/xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch
-
-# Fix for grant-table in PVH/HVM in 4.14
-patches.xen/xen-Fix-set-clear-_foreign_p2m_mapping-on-autotransl.patch

suffix

@@ -1 +1 @@
--latest
+

version

@@ -1 +1 @@
-4.14.12
+4.14.74