main/xen: sec fixes (CVE-2016-7092, CVE-2016-7093, CVE-2016-7094)

fixes:
XSA-185 (CVE-2016-7092)
XSA-186 (CVE-2016-7093)
XSA-187 (CVE-2016-7094)

fixes #6151

6 files changed, 359 insertions, 1 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index dfb40dde2e..f633c36513 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.7.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf"
@@ -20,6 +20,10 @@ makedepends="$depends_dev autoconf automake libtool "
 #     - CVE-2016-6258 XSA-182
 #     - CVE-2016-6259 XSA-183
 #     - CVE-2016-5403 XSA-184
+#   4.7.0-r1:
+#     - CVE-2016-7092 XSA-185
+#     - CVE-2016-7093 XSA-186
+#     - CVE-2016-7094 XSA-187
 
 case "$CARCH" in
 x86*)
@@ -63,6 +67,11 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa183-unstable.patch
 	xsa184-qemut-master.patch
 	xsa184-qemuu-master.patch
+	xsa185.patch
+	xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
+	xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
+	xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+	xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -290,6 +299,11 @@ d162fdb5a2def649a18e377dfb8c618e  xsa182-unstable.patch
 4e89035687d1fcdabe34610f947871ae  xsa183-unstable.patch
 95bc220677fc2bb9a3df4dc14a0b31f6  xsa184-qemut-master.patch
 cc0904605d03a9e4f6f21d16824e41c9  xsa184-qemuu-master.patch
+8ae22c70681f3daf97ee7ef8ad947e76  xsa185.patch
+9a2b74f2079ba0b7a6e2420e6887cc3a  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
+7849473e564a01b348d9f60a53fefe65  xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
+c426383254acdcbb9466bbec2d6f8d9b  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+ed2ad5eaaa275dd64f9fdca3ef8a5ca7  xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
 e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
@@ -338,6 +352,11 @@ f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24  pciutils-2.2.9
 ea0ea4b294332814330f222e6d78eea3b19c394eac8ae22feb4a5bd21e90331f  xsa183-unstable.patch
 88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20  xsa184-qemut-master.patch
 3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65  xsa184-qemuu-master.patch
+3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4  xsa185.patch
+f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
+5a826a32763d82ac83c924f8c89d12aae5f069a4cbc7d5193aa8413a02b6dc05  xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
+be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+36b22d6a168be39f31a1c1304f708269a2a10fe5105f7da4a06877d6059f1cd6  xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
 dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
@@ -386,6 +405,11 @@ e0a195ca377be7e4d584eff451d7b077406f54ca64c94b1515a4b23318fed33880da759144237de3
 a5c23c5ecc6c01875da2c0791c3d62334f3709dff12cb6a1b7a486778da7604994b610a6fc1fb12a46aca409b833c1f37ca704006cd52a283f1ead66a4d9af2a  xsa183-unstable.patch
 14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad  xsa184-qemut-master.patch
 862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6  xsa184-qemuu-master.patch
+6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886  xsa185.patch
+bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d02937b56ad65faf3accecf695b4fd7f6dcc0bae91290bd87b19  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
+8e2a6c32aeb7cfb6ffa4395709ea849850d4c356dce139857a6783310b2efb47a01b1cf946b890264f7db543c5304830f64b5e40563c72318391569986146ab7  xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
+d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+f60b51de992225ea6f48ad108c18717fb84a6f3c7cc3a3d567a1799403eefdc965c1ec4ccb9190affa58f81c48f13525a86144b04674b42732c8bdcad6084ff2  xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
new file mode 100644
index 0000000000..a4c133ee19
--- /dev/null
+++ b/main/xen/xsa185.patch
@@ -0,0 +1,38 @@
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
+Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+ 
+     rc = get_page_and_type_from_pagenr(
+         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++    if ( unlikely(rc == -EINVAL) &&
++         !is_pv_32bit_domain(d) &&
++         get_l3_linear_pagetable(l3e, pfn, d) )
+         rc = 0;
+ 
+     return rc;
+-- 
+2.1.4
+
diff --git a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch b/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
new file mode 100644
index 0000000000..b257497085
--- /dev/null
+++ b/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
@@ -0,0 +1,73 @@
+From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 22 Jul 2016 16:02:54 +0000
+Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
+ instructions
+
+This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
+
+Experimentally, in long mode processors will execute an instruction stream
+which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
+boundary is aligned on the virtual boundary, or is misaligned.
+
+In compatibility mode, Intel processors will execute an instruction stream
+which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
+segmentation fault.  Xen's segmentation behaviour matches AMD.
+
+For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
+behaves normally as a 32bit register, including in 16bit protected mode
+segments, as well as in Real and Unreal mode.
+
+This is XSA-186
+
+Reported-by: Brian Marcotte <marcotte@panix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index d5a56cf..bf3529a 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1570,10 +1570,6 @@ x86_emulate(
+ #endif
+     }
+ 
+-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
+-    if ( def_ad_bytes < sizeof(_regs.eip) )
+-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
+-
+     /* Prefix bytes. */
+     for ( ; ; )
+     {
+@@ -3906,21 +3902,11 @@ x86_emulate(
+ 
+     /* Commit shadow register state. */
+     _regs.eflags &= ~EFLG_RF;
+-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
+-    {
+-        uint16_t ip;
+ 
+-    case 2:
+-        ip = _regs.eip;
+-        _regs.eip = ctxt->regs->eip;
+-        *(uint16_t *)&_regs.eip = ip;
+-        break;
+-#ifdef __x86_64__
+-    case 4:
+-        _regs.rip = _regs._eip;
+-        break;
+-#endif
+-    }
++    /* Zero the upper 32 bits of %rip if not in long mode. */
++    if ( def_ad_bytes < sizeof(_regs.eip) )
++        _regs.eip = (uint32_t)_regs.eip;
++
+     *ctxt->regs = _regs;
+ 
+  done:
+-- 
+2.1.4
+
diff --git a/main/xen/xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch b/main/xen/xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
new file mode 100644
index 0000000000..cb73a81042
--- /dev/null
+++ b/main/xen/xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
@@ -0,0 +1,28 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
+
+The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
+rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
+Xen, with the purpose of emulating the next instruction in the current state.
+
+It is important to be able to test legal situations which occur in real
+hardware, including instruction which cross certain boundaries, and
+instructions starting at 0.
+
+Reported-by: Brian Marcotte <marcotte@panix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3905,6 +3905,10 @@ void hvm_ud_intercept(struct cpu_user_re
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( !(hvm_long_mode_enabled(cur) && cs.attr.fields.l) )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
new file mode 100644
index 0000000000..bc99596083
--- /dev/null
+++ b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
@@ -0,0 +1,42 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none.  This is used for addresses which are
+already linear.  However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+     struct sh_emulate_ctxt *sh_ctxt,
+     unsigned long *paddr)
+ {
+-    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++    struct segment_register *reg;
+     int okay;
+ 
++    /*
++     * Can arrive here with non-user segments.  However, no such cirucmstance
++     * is part of a legitimate pagetable update, so fail the emulation.
++     */
++    if ( !is_x86_user_segment(seg) )
++        return X86EMUL_UNHANDLEABLE;
++
++    reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ 
diff --git a/main/xen/xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
new file mode 100644
index 0000000000..5529701d36
--- /dev/null
+++ b/main/xen/xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
@@ -0,0 +1,153 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded.  Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -534,6 +534,8 @@ static int hvmemul_virtual_to_linear(
+     *reps = min_t(unsigned long, *reps, max_reps);
+ 
+     reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+     {
+@@ -1369,6 +1371,10 @@ static int hvmemul_read_segment(
+     struct hvm_emulate_ctxt *hvmemul_ctxt =
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(reg, sreg, sizeof(struct segment_register));
+     return X86EMUL_OKAY;
+ }
+@@ -1382,6 +1388,9 @@ static int hvmemul_write_segment(
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+ 
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(sreg, reg, sizeof(struct segment_register));
+     __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+ 
+@@ -1934,10 +1943,17 @@ void hvm_emulate_writeback(
+     }
+ }
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+     enum x86_segment seg,
+     struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++    if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+     if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+         hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+     return &hvmemul_ctxt->seg_reg[seg];
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -123,10 +123,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+  */
+ 
+-struct segment_register *hvm_get_seg_reg(
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
++static struct segment_register *hvm_get_seg_reg(
+     enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+-    struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++    struct segment_register *seg_reg;
++
++    if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++    seg_reg = &sh_ctxt->seg_reg[seg];
+     if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+         hvm_get_segment_register(current, seg, seg_reg);
+     return seg_reg;
+@@ -143,14 +152,9 @@ static int hvm_translate_linear_addr(
+     struct segment_register *reg;
+     int okay;
+ 
+-    /*
+-     * Can arrive here with non-user segments.  However, no such cirucmstance
+-     * is part of a legitimate pagetable update, so fail the emulation.
+-     */
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     reg = hvm_get_seg_reg(seg, sh_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -253,9 +257,6 @@ hvm_emulate_write(enum x86_segment seg,
+     unsigned long addr;
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     /* How many emulations could we save if we unshadowed on stack writes? */
+     if ( seg == x86_seg_ss )
+         perfc_incr(shadow_fault_emulate_stack);
+@@ -283,7 +284,7 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+     unsigned long addr, old, new;
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) || bytes > sizeof(long) )
++    if ( bytes > sizeof(long) )
+         return X86EMUL_UNHANDLEABLE;
+ 
+     rc = hvm_translate_linear_addr(
+--- a/xen/arch/x86/mm/shadow/private.h
++++ b/xen/arch/x86/mm/shadow/private.h
+@@ -740,8 +740,6 @@ const struct x86_emulate_ops *shadow_ini
+     struct sh_emulate_ctxt *sh_ctxt, struct cpu_user_regs *regs);
+ void shadow_continue_emulation(
+     struct sh_emulate_ctxt *sh_ctxt, struct cpu_user_regs *regs);
+-struct segment_register *hvm_get_seg_reg(
+-    enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt);
+ 
+ #if (SHADOW_OPTIMIZATIONS & SHOPT_VIRTUAL_TLB)
+ /**************************************************************************/
+--- a/xen/include/asm-x86/hvm/emulate.h
++++ b/xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+ 
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/hvm/hvm.h>
+ #include <asm/x86_emulate.h>
+