authorNatanael Copa <ncopa@alpinelinux.org>2015-01-23 09:06:40 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-23 09:11:02 +0000
commit621b3e6ae3cef5a89353cb0868372c2b94ffa454 (patch)
treecac7bb05c5a82d191af7795cb9cc97c6a65a71b3 /main/xen/xsa116.patch
parentbc7a651405864891312f3556d8f87c6bcb822c7b (diff)
main/xen: various sec fixes (xsa109 - xsa116)
ref #3704

XSA-116 CVE-2015-0361 xen crash due to use after free on hvm guest teardown
XSA-114 CVE-2014-9065 CVE-2014-9066 p2m lock starvation
XSA-113 CVE-2014-9030 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
XSA-112 CVE-2014-8867 Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
XSA-111 CVE-2014-8866 Excessive checking in compatibility mode hypercall argument translation
XSA-110 CVE-2014-8595 Missing privilege level checks in x86 emulation of far branches
XSA-109 CVE-2014-8594 Insufficient restrictions on certain MMU update hypercalls
Diffstat (limited to 'main/xen/xsa116.patch')
-rw-r--r--main/xen/xsa116.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/main/xen/xsa116.patch b/main/xen/xsa116.patch
new file mode 100644
index 0000000000..816a9bd84e
--- /dev/null
+++ b/main/xen/xsa116.patch
@@ -0,0 +1,33 @@
+x86/HVM: prevent use-after-free when destroying a domain
+
+hvm_domain_relinquish_resources() can free certain domain resources
+which can still be accessed, e.g. by HVMOP_set_param, while the domain
+is being cleaned up.
+
+Signed-off-by: Mihai Donțu <mdontu@bitdefender.com>
+Tested-by: Răzvan Cojocaru <rcojocaru@bitdefender.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -1487,9 +1487,6 @@ int hvm_domain_initialise(struct domain
+
+ void hvm_domain_relinquish_resources(struct domain *d)
+ {
+- xfree(d->arch.hvm_domain.io_handler);
+- xfree(d->arch.hvm_domain.params);
+-
+ if ( is_pvh_domain(d) )
+ return;
+
+@@ -1511,6 +1508,9 @@ void hvm_domain_relinquish_resources(str
+
+ void hvm_domain_destroy(struct domain *d)
+ {
++ xfree(d->arch.hvm_domain.io_handler);
++ xfree(d->arch.hvm_domain.params);
++
+ hvm_destroy_cacheattr_region_list(d);
+
+ if ( is_pvh_domain(d) )
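Review bot: The two `xfree()` calls that now sit at the top of `hvm_domain_destroy()` carry no comment recording why they must not run in `hvm_domain_relinquish_resources()`, so a later tidy-up could move them back and reintroduce the use-after-free. The patch description says `io_handler` and `params` can still be accessed (e.g. by HVMOP_set_param) while the domain is being cleaned up, and that belongs next to the frees, for example `/* Freed here, not in hvm_domain_relinquish_resources(): still reachable (e.g. HVMOP_set_param) while the domain is being cleaned up. */`. The pointers are also left dangling after the free, which is presumably harmless if nothing touches the domain once destroy has run, but it is worth confirming against the failure paths of `hvm_domain_initialise()`, which are not visible here. Both function bodies continue outside the hunks shown.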