Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/virtualization

Conflicts:
	app-emulation/xen-tools/Manifest

13 files changed, 1190 insertions, 0 deletions

diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
new file mode 100644
index 0000000..61a4034
--- /dev/null
+++ b/app-emulation/xen/Manifest
@@ -0,0 +1,14 @@
+AUX Manifest 1462 RMD160 c2090ecd3fcacafcc988563676c028d8b9bd8d0c SHA1 1f1e6db2c197e9a197e876c74131fadca34944cd SHA256 fdbed299dcfeafae7b3fb738912d67f10eef61b337a0315d0b15dc6d984e69b8
+AUX xen-3.3.0-unexported-target-fix.patch 788 RMD160 4b30444c021479cbd3969493639533fc1e43e781 SHA1 9119f06b4a005c385ac27e085e2d96ccf9cd4dc9 SHA256 e46f5fbe4c579b84f895f0ac6e05589553a11305ca30e69405082d58abd9ee07
+AUX xen-3.4.2-CVE-2011-1583.patch 2893 RMD160 c6ae9661202dafc2abdcf3aaf939464d14ded9fd SHA1 b2140fe7d615b542a96dadaaf8ace382e528d2cb SHA256 809c1744aee7569db31e9959c1e2c433ef6f4067134b26f70a689e056a024df9
+AUX xen-3.4.2-dump_registers-watchdog-fix.patch 533 RMD160 766249003d91cbec3b0014a8446e1a4d01cd847a SHA1 6306250671976c638f814a4958211af4bacb53b4 SHA256 17d18f268efd302085bdfa0673e2d9478e84206b6d060d0a63854441233a81c6
+AUX xen-3.4.2-fix-__addr_ok-limit.patch 3380 RMD160 8b8104a370847c1c148255855901b9dd32e6c888 SHA1 e3dd5cfda2410917b0844dff999ccbee2463ccb4 SHA256 dab6954da3cbf7592a36a6234561174d0d117711b87c0868d17f9d21af75a835
+AUX xen-3.4.2-no-DMA.patch 2708 RMD160 9aa83e21e8b07feca1f799f9efb4f9cd5728c6c6 SHA1 e55fa5a04203470af68452762f919b402854fce9 SHA256 87a3fe134b8d3c762d4d229986ccb77898a603a18974f453cfdf6ba9d68fe982
+AUX xen-3.4.2-werror-idiocy.patch 16826 RMD160 14f4678c723fd9241c88786b5b07a8c25252ce6f SHA1 f15d3c4d37b9c11fed49c025de2eaeb6911845a1 SHA256 261ef6541736f1df757476590bb8581cac376c9408e5041e8356336e13025c67
+AUX xen-4.1.1-iommu_sec_fix.patch 2851 RMD160 4367178c10cdc1e752f3e9ffb70f42e6e7179242 SHA1 8487f85dbf81bf245deaccca5ff5b8f46e60d112 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8
+DIST xen-3.4.2.tar.gz 11187726 RMD160 2ef81df1f44356d60e04e21df2173ce5357d8509 SHA1 3cd2cafacd52bbac2e2da1cfd846ee6260b43455 SHA256 d17c33136041cc8da69214ccf527fc48637bee7a9ab4d68a88ec50e6a9d20b0b
+DIST xen-4.1.1.tar.gz 10355625 RMD160 4b3c0641b0f098889f627662aa6b8fea00c5b636 SHA1 f1b5ef4b663c339faf9c77fc895327cfbcc9776c SHA256 246289227507466b5da8b2d0da84a5b0e68a392527b16cde38898d0348890f5b
+EBUILD xen-3.4.2-r4.ebuild 3247 RMD160 73c91e87a06e83faee786268db656531a2dbe71f SHA1 94f6be18689fd09099ad062f829358bfa159d6ef SHA256 385ddd40121b1d415214e9adc619cb39825febcaec21b7cb70c2d2f2e4b60a04
+EBUILD xen-4.1.1-r2.ebuild 3339 RMD160 d70e58cadf5b9c45d67e2c5d05a8061c67d62319 SHA1 06f5c7c6e493f47d476d08663cfdc536ac0ee760 SHA256 6f7089d85d6ab12d22d5acec4efca8a7646a9dfc3c7a6b1b030336cb77867376
+EBUILD xen-9999.ebuild 3170 RMD160 5bbc3bb7dec7d099f639334843c3c6607ff1c5c5 SHA1 799030d125b2acb9976df9e39896937a3c591973 SHA256 b75349eb41edeb16f4571355b963de576cf58e9c7d86a4c4f74d4892d43b094f
+MISC metadata.xml 581 RMD160 d22ffb491d9dad33425b97add683dd6b8b9139e1 SHA1 649f65e9fd2ab25e32394c555a24fc0f6b59c37f SHA256 1cf2cc4bb5b5278ac75e74910607518ddd2bd6454f18325319ce1ac102fab535
diff --git a/app-emulation/xen/files/Manifest b/app-emulation/xen/files/Manifest
new file mode 100644
index 0000000..236346a
--- /dev/null
+++ b/app-emulation/xen/files/Manifest
@@ -0,0 +1,7 @@
+MISC xen-3.3.0-unexported-target-fix.patch 788 RMD160 4b30444c021479cbd3969493639533fc1e43e781 SHA1 9119f06b4a005c385ac27e085e2d96ccf9cd4dc9 SHA256 e46f5fbe4c579b84f895f0ac6e05589553a11305ca30e69405082d58abd9ee07
+MISC xen-3.4.2-CVE-2011-1583.patch 2893 RMD160 c6ae9661202dafc2abdcf3aaf939464d14ded9fd SHA1 b2140fe7d615b542a96dadaaf8ace382e528d2cb SHA256 809c1744aee7569db31e9959c1e2c433ef6f4067134b26f70a689e056a024df9
+MISC xen-3.4.2-dump_registers-watchdog-fix.patch 533 RMD160 766249003d91cbec3b0014a8446e1a4d01cd847a SHA1 6306250671976c638f814a4958211af4bacb53b4 SHA256 17d18f268efd302085bdfa0673e2d9478e84206b6d060d0a63854441233a81c6
+MISC xen-3.4.2-fix-__addr_ok-limit.patch 3380 RMD160 8b8104a370847c1c148255855901b9dd32e6c888 SHA1 e3dd5cfda2410917b0844dff999ccbee2463ccb4 SHA256 dab6954da3cbf7592a36a6234561174d0d117711b87c0868d17f9d21af75a835
+MISC xen-3.4.2-no-DMA.patch 2708 RMD160 9aa83e21e8b07feca1f799f9efb4f9cd5728c6c6 SHA1 e55fa5a04203470af68452762f919b402854fce9 SHA256 87a3fe134b8d3c762d4d229986ccb77898a603a18974f453cfdf6ba9d68fe982
+MISC xen-3.4.2-werror-idiocy.patch 16826 RMD160 14f4678c723fd9241c88786b5b07a8c25252ce6f SHA1 f15d3c4d37b9c11fed49c025de2eaeb6911845a1 SHA256 261ef6541736f1df757476590bb8581cac376c9408e5041e8356336e13025c67
+MISC xen-4.1.1-iommu_sec_fix.patch 2851 RMD160 4367178c10cdc1e752f3e9ffb70f42e6e7179242 SHA1 8487f85dbf81bf245deaccca5ff5b8f46e60d112 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8
diff --git a/app-emulation/xen/files/xen-3.3.0-unexported-target-fix.patch b/app-emulation/xen/files/xen-3.3.0-unexported-target-fix.patch
new file mode 100644
index 0000000..89f91a4
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.3.0-unexported-target-fix.patch
@@ -0,0 +1,21 @@
+diff -Nru a/tools/ioemu-qemu-xen/xen-setup b/tools/ioemu-qemu-xen/xen-setup
+--- a/tools/ioemu-qemu-xen/xen-setup	2008-08-22 17:56:41.000000000 +0800
++++ b/tools/ioemu-qemu-xen/xen-setup	2009-02-20 10:55:37.000000000 +0800
+@@ -3,6 +3,8 @@
+ 
+ # git-clean -x -d && ./xen-setup && make prefix=/usr CMDLINE_CFLAGS='-O0 -g' -j4 && make install DESTDIR=`pwd`/dist/ prefix=/usr && rsync -a --stats --delete . thule:shadow/qemu-iwj.git/ && rsync -a --stats dist/. root@thule:/
+ 
++target=i386-dm
++
+ rm -f $target/Makefile
+ rm -f $target/config.mak
+ rm -f config-host.mak
+@@ -11,8 +13,6 @@
+ 
+ ./configure --disable-gfx-check --disable-gcc-check --disable-curses --disable-slirp "$@" --prefix=/usr
+ 
+-target=i386-dm
+-
+ if [ "x$XEN_ROOT" != x ]; then
+ 	echo "XEN_ROOT=$XEN_ROOT" >>config-host.mak
+ fi
diff --git a/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
new file mode 100644
index 0000000..f5cec4d
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
@@ -0,0 +1,87 @@
+--- tools/libxc/xc_dom_bzimageloader.c	2009-11-10 23:12:56.000000000 +0800
++++ tools/libxc/xc_dom_bzimageloader.c	2011-10-09 20:10:08.972815311 +0800
+@@ -308,19 +308,19 @@ 
+ 
+ extern struct xc_dom_loader elf_loader;
+ 
+-static unsigned int payload_offset(struct setup_header *hdr)
++static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
+ {
+-    unsigned int off;
++    if (len > dom->kernel_size)
++       return 0;
++    
++        return (memcmp(dom->kernel_blob, magic, len) == 0);
++ }
+ 
+-    off = (hdr->setup_sects + 1) * 512;
+-    off += hdr->payload_offset;
+-    return off;
+-}
+-
+-static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
++static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
+ {
+     struct setup_header *hdr;
+-    int ret;
++    uint64_t payload_offset, payload_length;
++    /* int ret; */
+ 
+     if ( dom->kernel_blob == NULL )
+     {
+@@ -352,20 +352,47 @@ 
+         return -EINVAL;
+     }
+ 
+-    dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
+-    dom->kernel_size = hdr->payload_length;
++     /* upcast to 64 bits to avoid overflow */
++    /* setup_sects is u8 and so cannot overflow */
++    payload_offset = (hdr->setup_sects + 1) * 512;
++    payload_offset += hdr->payload_offset;
++    payload_length = hdr->payload_length;
+ 
+-    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
+-    {
++/*    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
++    { 
+         ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
+-        if ( ret == -1 )
++        if ( ret == -1 )  */
++     if ( payload_offset >= dom->kernel_size )
++     {
++         xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
++                     __FUNCTION__);
++        return -EINVAL;
++    }
++    if ( (payload_offset + payload_length) > dom->kernel_size )
++    {
++       xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
++                     __FUNCTION__);
++    }
++
++    dom->kernel_blob = dom->kernel_blob + payload_offset;
++    dom->kernel_size = payload_length;
++    
++    if ( check_magic(dom, "\037\213", 2) )
++    {
++        if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+         {
+-            xc_dom_panic(XC_INVALID_KERNEL,
+-                         "%s: unable to gzip decompress kernel\n",
+-                         __FUNCTION__);
++            if ( verbose )
++                xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n",
++                             __FUNCTION__);
+             return -EINVAL;
+         }
+     }
++    else
++    {
++        xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
++                     __FUNCTION__);
++           return -EINVAL;
++     }
+     else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
+     {
+         ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
diff --git a/app-emulation/xen/files/xen-3.4.2-dump_registers-watchdog-fix.patch b/app-emulation/xen/files/xen-3.4.2-dump_registers-watchdog-fix.patch
new file mode 100644
index 0000000..7c8ff5b
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-dump_registers-watchdog-fix.patch
@@ -0,0 +1,19 @@
+diff -r 784caad93325 xen/common/keyhandler.c
+--- a/xen/common/keyhandler.c	Tue Nov 10 15:03:52 2009 +0000
++++ b/xen/common/keyhandler.c	Tue Jan 05 10:47:49 2010 +0000
+@@ -106,6 +106,7 @@
+     unsigned int cpu;
+ 
+     /* We want to get everything out that we possibly can. */
++    watchdog_disable();
+     console_start_sync();
+ 
+     printk("'%c' pressed -> dumping registers\n", key);
+@@ -125,6 +126,7 @@
+     printk("\n");
+ 
+     console_end_sync();
++    watchdog_enable();
+ }
+ 
+ static void dump_dom0_registers(unsigned char key)
diff --git a/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch b/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch
new file mode 100644
index 0000000..8616008
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch
@@ -0,0 +1,101 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+             Xen Security Advisory CVE-2011-2901 / XSA-4
+                        revision no.2
+        Xen <= 3.3 DoS due to incorrect virtual address validation
+
+ISSUE DESCRIPTION
+=================
+
+The x86_64 __addr_ok() macro intends to ensure that the checked
+address is either in the positive half of the 48-bit virtual address
+space, or above the Xen-reserved area. However, the current shift
+count is off-by-one, allowing full access to the "negative half" too,
+via certain hypercalls which ignore virtual-address bits [63:48].
+Vulnerable hypercalls exist only in very old versions of the
+hypervisor.
+
+VULNERABLE SYSTEMS
+==================
+
+All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
+guests with untrusted administrators are vulnerable.
+
+IMPACT
+======
+
+A malicious guest administrator on a vulnerable system is able to
+crash the host.
+
+There are no known further exploits but these have not been ruled out.
+
+RESOLUTION
+==========
+
+The attached patch resolves the issue.
+
+Alternatively, users may choose to upgrade to a more recent hypervisor
+
+PATCHES
+=======
+
+The following patch resolves this issue.
+
+Filename: fix-__addr_ok-limit.patch
+SHA1: f18bde8d276110451c608a16f577865aa1226b4f
+SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636
+
+This patch should apply cleanly, and fix the problem, for all affected
+versions of Xen.
+
+It is harmless when applied to later hypervisors and will be included
+in the Xen unstable branch in due course.
+
+VERSION HISTORY
+===============
+
+Analysis following version 1 of this advisory (sent out to the
+predisclosure list during the embargo period) indicates that the
+actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
+and earlier, contrary to previous reports.
+
+This advisory is no longer embargoed.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP
+MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD
+7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4
+zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A
+JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT
+2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg=
+=09T8
+-----END PGP SIGNATURE-----
+
+Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok
+
+The x86_64 __addr_ok() macro intends to ensure that the checked
+address is either in the positive half of the 48-bit virtual address
+space, or above the Xen-reserved area. However, the current shift
+count is off-by-one, allowing full access to the "negative half"
+too. Guests may exploit this to gain access to off-limits ranges.
+
+This issue has been assigned CVE-2011-2901.
+
+Signed-off-by: Laszlo Ersek <lersek@...hat.com>
+Signed-off-by: Ian Campbell <ian.campbell@...rix.com>
+
+diff --git a/xen/include/asm-x86/x86_64/uaccess.h
+b/xen/include/asm-x86/x86_64/uaccess.h
+--- a/xen/include/asm-x86/x86_64/uaccess.h
++++ b/xen/include/asm-x86/x86_64/uaccess.h
+@@ -34,7 +34,7 @@
+  * non-canonical address (and thus fault) before ever reaching VIRT_START.
+  */
+ #define __addr_ok(addr) \
+-    (((unsigned long)(addr) < (1UL<<48)) || \
++    (((unsigned long)(addr) < (1UL<<47)) || \
+      ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
+
+ #define access_ok(addr, size) \
diff --git a/app-emulation/xen/files/xen-3.4.2-no-DMA.patch b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch
new file mode 100644
index 0000000..f04d9e2
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch
@@ -0,0 +1,71 @@
+# HG changeset patch
+# User Tim Deegan <Tim.Deegan@citrix.com>
+# Date 1313145221 -3600
+# Node ID 84e3706df07a1963e23cd3875d8603917657d462
+# Parent  cb22fa57ff252893b6adb1481e09b1287eacd990
+Passthrough: disable bus-mastering on any card that causes an IOMMU fault.
+
+This stops the card from raising back-to-back faults and live-locking
+the CPU that handles them.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Acked-by: Wei Wang2 <wei.wang2@amd.com>
+Acked-by: Allen M Kay <allen.m.kay@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c.orig	Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/vtd/iommu.c	Fri Aug 12 11:33:41 2011 +0100
+@@ -733,7 +733,7 @@
+     while (1)
+     {
+         u8 fault_reason;
+-        u16 source_id;
++        u16 source_id, cword;
+         u32 data;
+         u64 guest_addr;
+         int type;
+@@ -766,6 +766,14 @@
+         iommu_page_fault_do_one(iommu, type, fault_reason,
+                               source_id, guest_addr);
+ 
++        /* Tell the device to stop DMAing; we can't rely on the guest to
++         * control it for us. */
++        cword = pci_conf_read16(PCI_BUS(source_id), PCI_SLOT(source_id), 
++                                PCI_FUNC(source_id), PCI_COMMAND);
++        pci_conf_write16(PCI_BUS(source_id), PCI_SLOT(source_id), 
++                         PCI_FUNC(source_id), PCI_COMMAND, 
++                         cword & ~PCI_COMMAND_MASTER);
++
+         fault_index++;
+         if ( fault_index > cap_num_fault_regs(iommu->cap) )
+             fault_index = 0;
+
+--- a/xen/drivers/passthrough/amd/iommu_init.c.orig	Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/amd/iommu_init.c	Fri Aug 12 11:33:41 2011 +0100
+@@ -415,7 +415,7 @@
+  
+ static void parse_event_log_entry(u32 entry[])
+ {
+-    u16 domain_id, device_id;
++    u16 domain_id, device_id, bdf, cword;
+     u32 code;
+     u64 *addr;
+     char * event_str[] = {"ILLEGAL_DEV_TABLE_ENTRY",
+@@ -449,6 +449,18 @@
+         printk(XENLOG_ERR "AMD-Vi: "
+             "%s: domain = %d, device id = 0x%04x, fault address = 0x%"PRIx64"\n",
+             event_str[code-1], domain_id, device_id, *addr);
++
++        /* Tell the device to stop DMAing; we can't rely on the guest to
++         * control it for us. */
++        for ( bdf = 0; bdf < ivrs_bdf_entries; bdf++ )
++            if ( get_dma_requestor_id(bdf) == device_id ) 
++            {
++                cword = pci_conf_read16(PCI_BUS(bdf), PCI_SLOT(bdf), 
++                                PCI_FUNC(bdf), PCI_COMMAND);
++                pci_conf_write16(PCI_BUS(bdf), PCI_SLOT(bdf), 
++                                 PCI_FUNC(bdf), PCI_COMMAND, 
++                                 cword & ~PCI_COMMAND_MASTER);
++            }
+     }
+ }
+
diff --git a/app-emulation/xen/files/xen-3.4.2-werror-idiocy.patch b/app-emulation/xen/files/xen-3.4.2-werror-idiocy.patch
new file mode 100644
index 0000000..7f5b3cb
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-werror-idiocy.patch
@@ -0,0 +1,429 @@
+diff -ur xen-3.4.2.orig//Config.mk xen-3.4.2//Config.mk
+--- xen-3.4.2.orig//Config.mk	2009-11-10 23:16:03.000000000 +0800
++++ xen-3.4.2//Config.mk	2011-09-25 02:34:11.605793042 +0800
+@@ -14,7 +14,7 @@
+ 
+ # Tools to run on system hosting the build
+ HOSTCC      = gcc
+-HOSTCFLAGS  = -Wall -Werror -Wstrict-prototypes -O2 -fomit-frame-pointer
++HOSTCFLAGS  = -Wall  -Wstrict-prototypes -O2 -fomit-frame-pointer
+ HOSTCFLAGS += -fno-strict-aliasing
+ 
+ DISTDIR     ?= $(XEN_ROOT)/dist
+diff -ur xen-3.4.2.orig//extras/mini-os/minios.mk xen-3.4.2//extras/mini-os/minios.mk
+--- xen-3.4.2.orig//extras/mini-os/minios.mk	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//extras/mini-os/minios.mk	2011-09-25 02:34:11.855793042 +0800
+@@ -6,7 +6,7 @@
+ 
+ # Define some default flags.
+ # NB. '-Wcast-qual' is nasty, so I omitted it.
+-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
++DEF_CFLAGS += -fno-builtin -Wall  -Wredundant-decls -Wno-format -Wno-redundant-decls
+ DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
+ DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
+ DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
+diff -ur xen-3.4.2.orig//tools/blktap/drivers/Makefile xen-3.4.2//tools/blktap/drivers/Makefile
+--- xen-3.4.2.orig//tools/blktap/drivers/Makefile	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//tools/blktap/drivers/Makefile	2011-09-25 02:34:11.750793042 +0800
+@@ -5,7 +5,7 @@
+ QCOW_UTIL    = img2qcow qcow2raw qcow-create
+ LIBAIO_DIR   = ../../libaio/src
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ CFLAGS   += -Wno-unused
+ CFLAGS   += -I../lib
+ CFLAGS   += $(CFLAGS_libxenctrl)
+diff -ur xen-3.4.2.orig//tools/blktap/lib/Makefile xen-3.4.2//tools/blktap/lib/Makefile
+--- xen-3.4.2.orig//tools/blktap/lib/Makefile	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//tools/blktap/lib/Makefile	2011-09-25 02:34:11.748793042 +0800
+@@ -13,7 +13,7 @@
+ SRCS     :=
+ SRCS     += xenbus.c blkif.c xs_api.c
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ CFLAGS   += -Wno-unused
+ CFLAGS   += -fPIC
+ # get asprintf():
+diff -ur xen-3.4.2.orig//tools/console/Makefile xen-3.4.2//tools/console/Makefile
+--- xen-3.4.2.orig//tools/console/Makefile	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//tools/console/Makefile	2011-09-25 02:34:11.704793042 +0800
+@@ -2,7 +2,7 @@
+ XEN_ROOT=../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS  += -Werror
++CFLAGS  += 
+ 
+ CFLAGS  += $(CFLAGS_libxenctrl)
+ CFLAGS  += $(CFLAGS_libxenstore)
+diff -ur xen-3.4.2.orig//tools/debugger/xenitp/Makefile xen-3.4.2//tools/debugger/xenitp/Makefile
+--- xen-3.4.2.orig//tools/debugger/xenitp/Makefile	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//tools/debugger/xenitp/Makefile	2011-09-25 02:34:11.744793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT=../../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-#CFLAGS  += -Werror -g -O0
++#CFLAGS  +=  -g -O0
+ 
+ CFLAGS  += $(CFLAGS_libxenctrl)
+ 
+diff -ur xen-3.4.2.orig//tools/firmware/Rules.mk xen-3.4.2//tools/firmware/Rules.mk
+--- xen-3.4.2.orig//tools/firmware/Rules.mk	2009-11-10 23:12:55.000000000 +0800
++++ xen-3.4.2//tools/firmware/Rules.mk	2011-09-25 02:34:11.565793045 +0800
+@@ -10,7 +10,7 @@
+ CFLAGS += -DNDEBUG
+ endif
+ 
+-CFLAGS += -Werror
++CFLAGS += 
+ 
+ # Disable PIE/SSP if GCC supports them. They can break us.
+ $(call cc-option-add,CFLAGS,CC,-nopie)
+diff -ur xen-3.4.2.orig//tools/flask/libflask/Makefile xen-3.4.2//tools/flask/libflask/Makefile
+--- xen-3.4.2.orig//tools/flask/libflask/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/flask/libflask/Makefile	2011-09-25 02:34:11.657793042 +0800
+@@ -9,7 +9,7 @@
+ SRCS       :=
+ SRCS       += flask_op.c
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ CFLAGS   += -fno-strict-aliasing
+ CFLAGS   += $(INCLUDES) -I./include -I$(XEN_LIBXC) -I$(XEN_INCLUDE)
+ 
+diff -ur xen-3.4.2.orig//tools/flask/loadpolicy/Makefile xen-3.4.2//tools/flask/loadpolicy/Makefile
+--- xen-3.4.2.orig//tools/flask/loadpolicy/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/flask/loadpolicy/Makefile	2011-09-25 02:34:11.660793042 +0800
+@@ -6,7 +6,7 @@
+ LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
+ 
+ PROFILE=#-pg
+-BASECFLAGS=-Wall -g -Werror
++BASECFLAGS=-Wall -g 
+ BASECFLAGS+= $(PROFILE)
+ #BASECFLAGS+= -I$(XEN_ROOT)/tools
+ BASECFLAGS+= $(CFLAGS_libxenctrl)
+diff -ur xen-3.4.2.orig//tools/fs-back/Makefile xen-3.4.2//tools/fs-back/Makefile
+--- xen-3.4.2.orig//tools/fs-back/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/fs-back/Makefile	2011-09-25 02:34:11.637793042 +0800
+@@ -5,7 +5,7 @@
+ 
+ IBIN         = fs-backend 
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ CFLAGS   += -Wno-unused
+ CFLAGS   += -fno-strict-aliasing
+ CFLAGS   += $(CFLAGS_libxenctrl)
+diff -ur xen-3.4.2.orig//tools/ioemu-qemu-xen/configure xen-3.4.2//tools/ioemu-qemu-xen/configure
+--- xen-3.4.2.orig//tools/ioemu-qemu-xen/configure	2009-11-05 19:44:56.000000000 +0800
++++ xen-3.4.2//tools/ioemu-qemu-xen/configure	2011-09-25 02:34:11.888793042 +0800
+@@ -468,7 +468,7 @@
+ CFLAGS="$CFLAGS -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls"
+ LDFLAGS="$LDFLAGS -g"
+ if test "$werror" = "yes" ; then
+-CFLAGS="$CFLAGS -Werror"
++CFLAGS="$CFLAGS"
+ fi
+ 
+ if test "$solaris" = "no" ; then
+@@ -1150,7 +1150,7 @@
+ echo "sparse enabled    $sparse"
+ echo "profiler          $profiler"
+ echo "static build      $static"
+-echo "-Werror enabled   $werror"
++
+ if test "$darwin" = "yes" ; then
+     echo "Cocoa support     $cocoa"
+ fi
+diff -ur xen-3.4.2.orig//tools/ioemu-qemu-xen/Makefile.target xen-3.4.2//tools/ioemu-qemu-xen/Makefile.target
+--- xen-3.4.2.orig//tools/ioemu-qemu-xen/Makefile.target	2011-09-25 02:33:23.946793064 +0800
++++ xen-3.4.2//tools/ioemu-qemu-xen/Makefile.target	2011-09-25 02:34:11.584793042 +0800
+@@ -26,7 +26,7 @@
+ TARGET_PATH=$(SRC_PATH)/target-$(TARGET_BASE_ARCH)
+ VPATH=$(SRC_PATH):$(TARGET_PATH):$(SRC_PATH)/hw
+ CPPFLAGS=-I. -I.. -I$(TARGET_PATH) -I$(SRC_PATH) -MMD -MT $@ -MP -DNEED_CPU_H
+-#CFLAGS+=-Werror
++#CFLAGS+=
+ LIBS=
+ # user emulator name
+ ifndef TARGET_ARCH2
+diff -ur xen-3.4.2.orig//tools/libaio/harness/Makefile xen-3.4.2//tools/libaio/harness/Makefile
+--- xen-3.4.2.orig//tools/libaio/harness/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/libaio/harness/Makefile	2011-09-25 02:34:11.674793042 +0800
+@@ -4,7 +4,7 @@
+ HARNESS_SRCS:=main.c
+ # io_queue.c
+ 
+-CFLAGS=-Wall -Werror -g -O -laio
++CFLAGS=-Wall  -g -O -laio
+ #-lpthread -lrt
+ 
+ all: $(PROGS)
+diff -ur xen-3.4.2.orig//tools/libfsimage/Rules.mk xen-3.4.2//tools/libfsimage/Rules.mk
+--- xen-3.4.2.orig//tools/libfsimage/Rules.mk	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/libfsimage/Rules.mk	2011-09-25 02:34:11.566793044 +0800
+@@ -1,6 +1,6 @@
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS += -I$(XEN_ROOT)/tools/libfsimage/common/ -Werror
++CFLAGS += -I$(XEN_ROOT)/tools/libfsimage/common/ 
+ LDFLAGS += -L../common/
+ 
+ PIC_OBJS := $(patsubst %.c,%.opic,$(LIB_SRCS-y))
+diff -ur xen-3.4.2.orig//tools/libxc/Makefile xen-3.4.2//tools/libxc/Makefile
+--- xen-3.4.2.orig//tools/libxc/Makefile	2011-09-25 02:33:23.987793064 +0800
++++ xen-3.4.2//tools/libxc/Makefile	2011-09-25 02:34:11.687793042 +0800
+@@ -52,7 +52,7 @@
+ 
+ -include $(XEN_TARGET_ARCH)/Makefile
+ 
+-CFLAGS   += -Werror -Wmissing-prototypes
++CFLAGS   +=  -Wmissing-prototypes
+ CFLAGS   += $(INCLUDES) -I. -I../xenstore -I../include
+ 
+ # Needed for posix_fadvise64() in xc_linux.c
+diff -ur xen-3.4.2.orig//tools/libxen/Makefile.dist xen-3.4.2//tools/libxen/Makefile.dist
+--- xen-3.4.2.orig//tools/libxen/Makefile.dist	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/libxen/Makefile.dist	2011-09-25 02:34:11.593793042 +0800
+@@ -22,7 +22,7 @@
+ CFLAGS = -Iinclude                     \
+          $(shell xml2-config --cflags) \
+          $(shell curl-config --cflags) \
+-         -W -Wall -Wmissing-prototypes -Werror -std=c99 -O2 -fPIC
++         -W -Wall -Wmissing-prototypes  -std=c99 -O2 -fPIC
+ 
+ LDFLAGS = $(shell xml2-config --libs) \
+           $(shell curl-config --libs)
+diff -ur xen-3.4.2.orig//tools/misc/lomount/Makefile xen-3.4.2//tools/misc/lomount/Makefile
+--- xen-3.4.2.orig//tools/misc/lomount/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/misc/lomount/Makefile	2011-09-25 02:34:11.666793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT=../../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS  += -Werror
++CFLAGS  += 
+ 
+ HDRS     = $(wildcard *.h)
+ OBJS     = $(patsubst %.c,%.o,$(wildcard *.c))
+diff -ur xen-3.4.2.orig//tools/misc/Makefile xen-3.4.2//tools/misc/Makefile
+--- xen-3.4.2.orig//tools/misc/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/misc/Makefile	2011-09-25 02:34:11.669793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT=../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ 
+ INCLUDES += -I $(XEN_XC)
+ INCLUDES += -I $(XEN_LIBXC)
+diff -ur xen-3.4.2.orig//tools/pygrub/setup.py xen-3.4.2//tools/pygrub/setup.py
+--- xen-3.4.2.orig//tools/pygrub/setup.py	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/pygrub/setup.py	2011-09-25 02:34:11.901793042 +0800
+@@ -3,7 +3,7 @@
+ import os
+ import sys
+ 
+-extra_compile_args  = [ "-fno-strict-aliasing", "-Werror" ]
++extra_compile_args  = [ "-fno-strict-aliasing" ]
+ 
+ XEN_ROOT = "../.."
+ 
+diff -ur xen-3.4.2.orig//tools/python/setup.py xen-3.4.2//tools/python/setup.py
+--- xen-3.4.2.orig//tools/python/setup.py	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/python/setup.py	2011-09-25 02:34:11.897793042 +0800
+@@ -4,7 +4,7 @@
+ 
+ XEN_ROOT = "../.."
+ 
+-extra_compile_args  = [ "-fno-strict-aliasing", "-Werror" ]
++extra_compile_args  = [ "-fno-strict-aliasing" ]
+ 
+ include_dirs = [ XEN_ROOT + "/tools/libxc",
+                  XEN_ROOT + "/tools/xenstore",
+diff -ur xen-3.4.2.orig//tools/security/Makefile xen-3.4.2//tools/security/Makefile
+--- xen-3.4.2.orig//tools/security/Makefile	2009-11-10 23:12:56.000000000 +0800
++++ xen-3.4.2//tools/security/Makefile	2011-09-25 02:34:11.701793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT = ../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS   += -Werror
++CFLAGS   += 
+ CFLAGS   += -fno-strict-aliasing
+ CFLAGS   += -I. $(CFLAGS_libxenctrl)
+ 
+diff -ur xen-3.4.2.orig//tools/vnet/libxutil/Makefile xen-3.4.2//tools/vnet/libxutil/Makefile
+--- xen-3.4.2.orig//tools/vnet/libxutil/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/vnet/libxutil/Makefile	2011-09-25 02:34:11.694793042 +0800
+@@ -25,7 +25,7 @@
+ PIC_OBJS := $(LIB_SRCS:.c=.opic)
+ 
+ $(call cc-option-add,CFLAGS,CC,-fgnu89-inline)
+-CFLAGS   += -Werror -fno-strict-aliasing
++CFLAGS   +=  -fno-strict-aliasing
+ CFLAGS   += -O3
+ #CFLAGS   += -g
+ 
+diff -ur xen-3.4.2.orig//tools/vtpm/Rules.mk xen-3.4.2//tools/vtpm/Rules.mk
+--- xen-3.4.2.orig//tools/vtpm/Rules.mk	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/vtpm/Rules.mk	2011-09-25 02:34:11.563793044 +0800
+@@ -9,7 +9,7 @@
+ TOOLS_INSTALL_DIR = $(DESTDIR)/usr/bin
+ 
+ # General compiler flags
+-CFLAGS   = -Werror -g3 -I.
++CFLAGS   =  -g3 -I.
+ 
+ # Generic project files
+ HDRS	= $(wildcard *.h)
+diff -ur xen-3.4.2.orig//tools/vtpm_manager/Rules.mk xen-3.4.2//tools/vtpm_manager/Rules.mk
+--- xen-3.4.2.orig//tools/vtpm_manager/Rules.mk	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/vtpm_manager/Rules.mk	2011-09-25 02:34:11.562793042 +0800
+@@ -9,7 +9,7 @@
+ TOOLS_INSTALL_DIR = $(DESTDIR)/usr/bin
+ 
+ # General compiler flags
+-CFLAGS	= -Werror -g3 -I.
++CFLAGS	=  -g3 -I.
+ 
+ # Generic project files
+ HDRS	= $(wildcard *.h)
+diff -ur xen-3.4.2.orig//tools/xcutils/Makefile xen-3.4.2//tools/xcutils/Makefile
+--- xen-3.4.2.orig//tools/xcutils/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xcutils/Makefile	2011-09-25 02:34:11.636793042 +0800
+@@ -11,7 +11,7 @@
+ XEN_ROOT	= ../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS += -Werror
++CFLAGS += 
+ CFLAGS += $(CFLAGS_libxenctrl) $(CFLAGS_libxenguest) $(CFLAGS_libxenstore)
+ 
+ PROGRAMS = xc_restore xc_save readnotes lsevtchn
+diff -ur xen-3.4.2.orig//tools/xenmon/Makefile xen-3.4.2//tools/xenmon/Makefile
+--- xen-3.4.2.orig//tools/xenmon/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenmon/Makefile	2011-09-25 02:34:11.641793042 +0800
+@@ -13,7 +13,7 @@
+ XEN_ROOT=../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS  += -Werror
++CFLAGS  += 
+ CFLAGS  += -I $(XEN_XC)
+ CFLAGS  += $(CFLAGS_libxenctrl)
+ LDFLAGS += $(LDFLAGS_libxenctrl)
+diff -ur xen-3.4.2.orig//tools/xenpmd/Makefile xen-3.4.2//tools/xenpmd/Makefile
+--- xen-3.4.2.orig//tools/xenpmd/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenpmd/Makefile	2011-09-25 02:34:11.656793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT=../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS  += -Werror
++CFLAGS  += 
+ CFLAGS  += $(CFLAGS_libxenstore)
+ LDFLAGS += $(LDFLAGS_libxenstore)
+ 
+diff -ur xen-3.4.2.orig//tools/xenstat/libxenstat/Makefile xen-3.4.2//tools/xenstat/libxenstat/Makefile
+--- xen-3.4.2.orig//tools/xenstat/libxenstat/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenstat/libxenstat/Makefile	2011-09-25 02:34:11.681793042 +0800
+@@ -34,7 +34,7 @@
+ OBJECTS-$(CONFIG_NetBSD) += src/xenstat_netbsd.o
+ SONAME_FLAGS=-Wl,$(SONAME_LDFLAG) -Wl,libxenstat.so.$(MAJOR)
+ 
+-WARN_FLAGS=-Wall -Werror
++WARN_FLAGS=-Wall 
+ 
+ CFLAGS+=-Isrc -I$(XEN_LIBXC) -I$(XEN_XENSTORE) -I$(XEN_INCLUDE)
+ LDFLAGS+=-Lsrc -L$(XEN_XENSTORE)/ -L$(XEN_LIBXC)/
+diff -ur xen-3.4.2.orig//tools/xenstat/xentop/Makefile xen-3.4.2//tools/xenstat/xentop/Makefile
+--- xen-3.4.2.orig//tools/xenstat/xentop/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenstat/xentop/Makefile	2011-09-25 02:34:11.684793042 +0800
+@@ -18,7 +18,7 @@
+ all install xentop:
+ else
+ 
+-CFLAGS += -DGCC_PRINTF -Wall -Werror -I$(XEN_LIBXENSTAT)
++CFLAGS += -DGCC_PRINTF -Wall  -I$(XEN_LIBXENSTAT)
+ LDFLAGS += -L$(XEN_LIBXENSTAT)
+ LDLIBS += -lxenstat $(CURSES_LIBS) $(SOCKET_LIBS)
+ CFLAGS += -DHOST_$(XEN_OS)
+diff -ur xen-3.4.2.orig//tools/xenstore/Makefile xen-3.4.2//tools/xenstore/Makefile
+--- xen-3.4.2.orig//tools/xenstore/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenstore/Makefile	2011-09-25 02:34:11.640793042 +0800
+@@ -4,7 +4,7 @@
+ MAJOR = 3.0
+ MINOR = 0
+ 
+-CFLAGS += -Werror
++CFLAGS += 
+ CFLAGS += -I.
+ CFLAGS += $(CFLAGS_libxenctrl)
+ 
+diff -ur xen-3.4.2.orig//tools/xenstore/xenstored_core.c xen-3.4.2//tools/xenstore/xenstored_core.c
+--- xen-3.4.2.orig//tools/xenstore/xenstored_core.c	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xenstore/xenstored_core.c	2011-09-25 02:34:11.845793042 +0800
+@@ -865,7 +865,7 @@
+ {
+ 	unsigned int offset, datalen;
+ 	struct node *node;
+-	char *vec[1] = { NULL }; /* gcc4 + -W + -Werror fucks code. */
++	char *vec[1] = { NULL }; /* gcc4 + -W +  fucks code. */
+ 	char *name;
+ 
+ 	/* Extra "strings" can be created by binary data. */
+diff -ur xen-3.4.2.orig//tools/xentrace/Makefile xen-3.4.2//tools/xentrace/Makefile
+--- xen-3.4.2.orig//tools/xentrace/Makefile	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//tools/xentrace/Makefile	2011-09-25 02:34:11.745793042 +0800
+@@ -1,7 +1,7 @@
+ XEN_ROOT=../..
+ include $(XEN_ROOT)/tools/Rules.mk
+ 
+-CFLAGS  += -Werror
++CFLAGS  += 
+ 
+ CFLAGS  += $(CFLAGS_libxenctrl)
+ LDFLAGS += $(LDFLAGS_libxenctrl)
+Only in xen-3.4.2/: Werror.sh
+diff -ur xen-3.4.2.orig//xen/arch/ia64/Rules.mk xen-3.4.2//xen/arch/ia64/Rules.mk
+--- xen-3.4.2.orig//xen/arch/ia64/Rules.mk	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//xen/arch/ia64/Rules.mk	2011-09-25 02:34:11.570793042 +0800
+@@ -68,7 +68,7 @@
+ CFLAGS += -DCONFIG_XEN_IA64_TLBFLUSH_CLOCK
+ endif
+ ifeq ($(no_warns),y)
+-CFLAGS	+= -Wa,--fatal-warnings -Werror -Wno-uninitialized
++CFLAGS	+= -Wa,--fatal-warnings  -Wno-uninitialized
+ endif
+ ifneq ($(vhpt_disable),y)
+ CFLAGS += -DVHPT_ENABLED=1
+diff -ur xen-3.4.2.orig//xen/arch/x86/boot/build32.mk xen-3.4.2//xen/arch/x86/boot/build32.mk
+--- xen-3.4.2.orig//xen/arch/x86/boot/build32.mk	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//xen/arch/x86/boot/build32.mk	2011-09-25 02:34:11.914793042 +0800
+@@ -8,7 +8,7 @@
+ $(call cc-option-add,CFLAGS,CC,-fno-stack-protector)
+ $(call cc-option-add,CFLAGS,CC,-fno-stack-protector-all)
+ 
+-CFLAGS += -Werror -fno-builtin -msoft-float
++CFLAGS += -fno-builtin -msoft-float
+ 
+ # NB. awk invocation is a portable alternative to 'head -n -1'
+ %.S: %.bin
+diff -ur xen-3.4.2.orig//xen/arch/x86/Rules.mk xen-3.4.2//xen/arch/x86/Rules.mk
+--- xen-3.4.2.orig//xen/arch/x86/Rules.mk	2009-11-10 23:12:57.000000000 +0800
++++ xen-3.4.2//xen/arch/x86/Rules.mk	2011-09-25 02:34:11.572793042 +0800
+@@ -17,7 +17,7 @@
+ endif
+ 
+ CFLAGS += -fno-builtin -fno-common
+-CFLAGS += -iwithprefix include -Werror -Wno-pointer-arith -pipe
++CFLAGS += -iwithprefix include  -Wno-pointer-arith -pipe
+ CFLAGS += -I$(BASEDIR)/include 
+ CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-generic
+ CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-default
\ No newline at end of file
diff --git a/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch b/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch
new file mode 100644
index 0000000..737c2bd
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch
@@ -0,0 +1,74 @@
+
+# HG changeset patch
+# User Tim Deegan <Tim.Deegan@citrix.com>
+# Date 1313145221 -3600
+# Node ID 84e3706df07a1963e23cd3875d8603917657d462
+# Parent  cb22fa57ff252893b6adb1481e09b1287eacd990
+Passthrough: disable bus-mastering on any card that causes an IOMMU fault.
+
+This stops the card from raising back-to-back faults and live-locking
+the CPU that handles them.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Acked-by: Wei Wang2 <wei.wang2@amd.com>
+Acked-by: Allen M Kay <allen.m.kay@intel.com>
+
+diff -r cb22fa57ff25 -r 84e3706df07a xen/drivers/passthrough/amd/iommu_init.c
+--- a/xen/drivers/passthrough/amd/iommu_init.c	Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/amd/iommu_init.c	Fri Aug 12 11:33:41 2011 +0100
+@@ -462,7 +462,7 @@
+ 
+ static void parse_event_log_entry(u32 entry[])
+ {
+-    u16 domain_id, device_id;
++    u16 domain_id, device_id, bdf, cword;
+     u32 code;
+     u64 *addr;
+     char * event_str[] = {"ILLEGAL_DEV_TABLE_ENTRY",
+@@ -497,6 +497,18 @@
+                "%s: domain = %d, device id = 0x%04x, "
+                "fault address = 0x%"PRIx64"\n",
+                event_str[code-1], domain_id, device_id, *addr);
++
++        /* Tell the device to stop DMAing; we can't rely on the guest to
++         * control it for us. */
++        for ( bdf = 0; bdf < ivrs_bdf_entries; bdf++ )
++            if ( get_dma_requestor_id(bdf) == device_id ) 
++            {
++                cword = pci_conf_read16(PCI_BUS(bdf), PCI_SLOT(bdf), 
++                                PCI_FUNC(bdf), PCI_COMMAND);
++                pci_conf_write16(PCI_BUS(bdf), PCI_SLOT(bdf), 
++                                 PCI_FUNC(bdf), PCI_COMMAND, 
++                                 cword & ~PCI_COMMAND_MASTER);
++            }
+     }
+     else
+     {
+diff -r cb22fa57ff25 -r 84e3706df07a xen/drivers/passthrough/vtd/iommu.c
+--- a/xen/drivers/passthrough/vtd/iommu.c	Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/vtd/iommu.c	Fri Aug 12 11:33:41 2011 +0100
+@@ -893,7 +893,7 @@
+     while (1)
+     {
+         u8 fault_reason;
+-        u16 source_id;
++        u16 source_id, cword;
+         u32 data;
+         u64 guest_addr;
+         int type;
+@@ -926,6 +926,14 @@
+         iommu_page_fault_do_one(iommu, type, fault_reason,
+                                 source_id, guest_addr);
+ 
++        /* Tell the device to stop DMAing; we can't rely on the guest to
++         * control it for us. */
++        cword = pci_conf_read16(PCI_BUS(source_id), PCI_SLOT(source_id), 
++                                PCI_FUNC(source_id), PCI_COMMAND);
++        pci_conf_write16(PCI_BUS(source_id), PCI_SLOT(source_id), 
++                         PCI_FUNC(source_id), PCI_COMMAND, 
++                         cword & ~PCI_COMMAND_MASTER);
++
+         fault_index++;
+         if ( fault_index > cap_num_fault_regs(iommu->cap) )
+             fault_index = 0;
+
diff --git a/app-emulation/xen/metadata.xml b/app-emulation/xen/metadata.xml
new file mode 100644
index 0000000..6550459
--- /dev/null
+++ b/app-emulation/xen/metadata.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<herd>xen</herd>
+	<maintainer>
+		<email>johneed@hotmail.com</email>
+		<name>Ian Delaney aka idella4 proxy maintainer</name>
+	</maintainer>
+	<use>
+		<flag name='acm'>Enable the ACM/sHype XSM module from IBM</flag>
+		<flag name='flask'>Enable the Flask XSM module from NSA</flag>
+		<flag name='pae'>Enable support for PAE kernels (usually x86-32 with >4GB memory)</flag>
+		<flag name='xsm'>Enable the Xen Security Modules (XSM)</flag>
+	</use>
+</pkgmetadata>
diff --git a/app-emulation/xen/xen-3.4.2-r4.ebuild b/app-emulation/xen/xen-3.4.2-r4.ebuild
new file mode 100644
index 0000000..643ade2
--- /dev/null
+++ b/app-emulation/xen/xen-3.4.2-r4.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-3.4.2-r4.ebuild,v 1.3 2011/10/15 19:38:16 hwoarang Exp $
+
+EAPI=2
+
+inherit mount-boot flag-o-matic toolchain-funcs base
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="debug custom-cflags pae acm flask xsm"
+
+RDEPEND="|| ( sys-boot/grub
+		sys-boot/grub-static )
+		>=sys-kernel/xen-sources-2.6.18"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+PATCHES=(
+	"${FILESDIR}/"${PN}-3.3.0-unexported-target-fix.patch
+	"${FILESDIR}/"${P}-dump_registers-watchdog-fix.patch
+	"${FILESDIR}/"${P}-no-DMA.patch
+	"${FILESDIR}/"${P}-werror-idiocy.patch
+	"${FILESDIR}/"${P}-fix-__addr_ok-limit.patch
+	"${FILESDIR}/"${P}-CVE-2011-1583.patch
+)
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+pkg_setup() {
+	if [ -x "${S}/.config/" ]; then
+		die "You will need to remove ${S}/.config by hand"
+	fi
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use xsm ; then
+		export "XSM_ENABLE=y"
+		use acm && export "ACM_SECURITY=y"
+		if use flask ; then
+			! use acm  && export "FLASK_ENABLE=y"
+			  use acm  && ewarn "Both acm and flask XSM specified, defaulting to acm."
+		fi
+	elif use acm || use flask ; then
+		ewarn "acm and flask require USE=xsm to be set, dropping use flags"
+	fi
+}
+
+src_prepare() {
+	base_src_prepare
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \;
+	fi
+}
+
+src_compile() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" -C xen ${myopt} || die "compile failed"
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install || die "install failed"
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	if use pae; then
+		echo
+		ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+	fi
+}
diff --git a/app-emulation/xen/xen-4.1.1-r2.ebuild b/app-emulation/xen/xen-4.1.1-r2.ebuild
new file mode 100644
index 0000000..4b3a74b
--- /dev/null
+++ b/app-emulation/xen/xen-4.1.1-r2.ebuild
@@ -0,0 +1,121 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.1.1-r2.ebuild,v 1.7 2011/11/08 23:46:38 mr_bones_ Exp $
+
+EAPI="4"
+
+if [[ $PV == *9999 ]]; then
+	KEYWORDS=""
+	REPO="xen-unstable.hg"
+	EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+	S="${WORKDIR}/${REPO}"
+	live_eclass="mercurial"
+else
+	KEYWORDS="amd64 x86"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic toolchain-funcs ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug flask pae xsm"
+
+RDEPEND="|| ( sys-boot/grub
+		sys-boot/grub-static )"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="
+	flask? ( xsm )
+	"
+
+pkg_setup() {
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	elif use xsm ; then
+		export "XSM_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Drop .config
+	sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't	drop"
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to set custom-cflags"
+	fi
+
+	# remove -Werror for gcc-4.6's sake
+	find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \
+		xargs sed -i 's/ *-Werror */ /' || die "failed to remove -Werror"
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to remove -Werror on setup.py"
+
+	# Add sccurity fix bug #379241
+	epatch "${FILESDIR}/${P}-iommu_sec_fix.patch"
+}
+
+src_configure() {
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	if use pae; then
+		echo
+		ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+	fi
+}
diff --git a/app-emulation/xen/xen-9999.ebuild b/app-emulation/xen/xen-9999.ebuild
new file mode 100644
index 0000000..c3e1126
--- /dev/null
+++ b/app-emulation/xen/xen-9999.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-9999.ebuild,v 1.4 2011/09/11 14:48:15 alexxy Exp $
+
+EAPI="4"
+
+if [[ $PV == *9999 ]]; then
+	KEYWORDS=""
+	REPO="xen-unstable.hg"
+	EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+	S="${WORKDIR}/${REPO}"
+	live_eclass="mercurial"
+else
+	KEYWORDS="~amd64 ~x86"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic toolchain-funcs ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug flask pae xsm"
+
+RDEPEND="|| ( sys-boot/grub
+		sys-boot/grub-static )"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="flask? ( xsm )"
+
+pkg_setup() {
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	elif use xsm ; then
+		export "XSM_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Drop .config
+	sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't	drop"
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \;
+	fi
+
+	# remove -Werror for gcc-4.6's sake
+	find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \
+		xargs sed -i 's/ *-Werror */ /'
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+}
+
+src_configure() {
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)"  -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	if use pae; then
+		echo
+		ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+	fi
+}