From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 08:44:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 08:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323769.1589425 (Exim 4.92) (envelope-from ) id 1wTyFe-0006Nd-6E; Mon, 01 Jun 2026 08:44:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323769.1589425; Mon, 01 Jun 2026 08:44:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFe-0006NV-3Y; Mon, 01 Jun 2026 08:44:02 +0000 Received: by outflank-mailman (input) for mailman id 1323769; Mon, 01 Jun 2026 08:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFd-0006NP-Sk for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTyFd-001EyC-2g for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTyFd-00EVaQ-2U for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8kJVta2Bx8SS/jdV0TaFUb/dERVR4A8suN/QiG+Xv1E=; b=7OElK0/waXcdnx417P5GH8rPOX 0UOKcAnF8B1M2Ezpvk75i9135PB366zy7/2tVsLh2jNKjdqp/x9Feoiky5PbSPqgEEfNKBO5wpiq9 fYr8J65mnqKhA/RfwUsy0VzN/U5KneK1izx/0tWaqUh0LuG+5Q5wKJ3dY/0KwpORtwPo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs: fix typo in printk-formats documentation Message-Id: Date: Mon, 01 Jun 2026 08:44:01 +0000 commit b7809aad2d62faef0e033a5d392b580a4cdfa959 Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:13 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix typo in printk-formats documentation Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/misc/printk-formats.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/printk-formats.txt b/docs/misc/printk-formats.txt index ce32829dae..2cad98703b 100644 --- a/docs/misc/printk-formats.txt +++ b/docs/misc/printk-formats.txt @@ -23,7 +23,7 @@ Bitmaps (e.g. cpumask/nodemask): Symbol/Function pointers: - %ps Symbol name with condition offset and size (iff offset != 0) + %ps Symbol name with conditional offset and size (iff offset != 0) e.g. printk default_idle+0x78/0x7d -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 08:44:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 08:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323770.1589428 (Exim 4.92) (envelope-from ) id 1wTyFp-0006PR-7N; Mon, 01 Jun 2026 08:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323770.1589428; Mon, 01 Jun 2026 08:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFp-0006PJ-4s; Mon, 01 Jun 2026 08:44:13 +0000 Received: by outflank-mailman (input) for mailman id 1323770; Mon, 01 Jun 2026 08:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFn-0006P5-Vi for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTyFn-001EyP-33 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTyFn-00EVge-2s for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EbI1PhcQ3PrQEUvCkvRcA+20bxJ0HDzD4Qdkaa5M9w8=; b=b3HrAsYIgXoEyVdVu6vRU2vs7Y +Sef2EvhZpPifpPFwrnM0ZGaYkidiQjF8kPAXsrfm0cikezkSpg12eM0I6R7W7uAcbSAFzIPyOVn7 04vfngRg3Q8wONBt5cd5SE0wXQkvP7x8tTZ7gYgGr0ohWcK+eSM4p4Rc2xDVlF1JlHCs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs: fix spelling of 'receive' in xen-command-line Message-Id: Date: Mon, 01 Jun 2026 08:44:11 +0000 commit 275ae20dd7d8a7b9c4263e543c2489409845bbc2 Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:14 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix spelling of 'receive' in xen-command-line Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/misc/xen-command-line.pandoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 8c89b7852c..ef3c737189 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -191,7 +191,7 @@ The functionality that this option controls is only available when Xen has been compiled with the build setting for Argo enabled in the build configuration. Argo is a interdomain communication mechanism, where Xen acts as the central -point of authority. Guests may register memory rings to recieve messages, +point of authority. Guests may register memory rings to receive messages, query the status of other domains, and send messages by hypercall, all subject to appropriate auditing by Xen. Argo is disabled by default. -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 08:44:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 08:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323771.1589433 (Exim 4.92) (envelope-from ) id 1wTyFz-0006Rj-91; Mon, 01 Jun 2026 08:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323771.1589433; Mon, 01 Jun 2026 08:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFz-0006Ra-6G; Mon, 01 Jun 2026 08:44:23 +0000 Received: by outflank-mailman (input) for mailman id 1323771; Mon, 01 Jun 2026 08:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTyFy-0006RT-25 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTyFy-001EyV-07 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTyFx-00EVqA-3D for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 08:44:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F2njWHC8ESXJSGA0cByfL/eGysL4JqtnDhYOXXtFmx4=; b=d8DUPXZvV6WvOFiqZmRDJgfi0x +0u84i5mD7ITSgUbCb1BsZUDo7elfn0m8cgTh3Rfuu22xjgc+UwGFY9y2Zj6Hq+CnHzKzGhTQ3T02 EaQcWVmgJp2klaAUTVac7/2IF+scY2/bb311lE1qyQtKVG3rYu4UAODh4WO3LSaQt+2o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs: fix spelling of 'receiver' and 'receiving' in libxc-migration-stream Message-Id: Date: Mon, 01 Jun 2026 08:44:21 +0000 commit 5fa6f9584220c4d1dad6a3f07cbc3ccb2404464a Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:15 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix spelling of 'receiver' and 'receiving' in libxc-migration-stream Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/specs/libxc-migration-stream.pandoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/specs/libxc-migration-stream.pandoc b/docs/specs/libxc-migration-stream.pandoc index 8aeab3b11b..1319ce1f1e 100644 --- a/docs/specs/libxc-migration-stream.pandoc +++ b/docs/specs/libxc-migration-stream.pandoc @@ -753,7 +753,7 @@ A v3 stream is compatible with a v2 stream, but mandates the presense of a STATIC_DATA_END record ahead of any memory/register content. This is to ease the introduction of new static configuration records over time. -A v3-compatible reciever interpreting a v2 stream should infer the position of +A v3-compatible receiver interpreting a v2 stream should infer the position of STATIC_DATA_END based on finding the first X86_PV_P2M_FRAMES record (for PV guests), or PAGE_DATA record (for HVM guests) and behave as if STATIC_DATA_END had been sent. @@ -807,7 +807,7 @@ never change size or location. Errata ====== -1. For compatibility with older code, the receving side of a stream should +1. For compatibility with older code, the receiving side of a stream should tolerate and ignore variable sized records with zero content. Xen releases between 4.6 and 4.8 could end up generating valid HVM_PARAMS or X86_PV_VCPU_{EXTENDED,XSAVE,MSRS} records with zero-length content. -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 09:55:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 09:55:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323784.1589448 (Exim 4.92) (envelope-from ) id 1wTzMN-0006u9-9y; Mon, 01 Jun 2026 09:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323784.1589448; Mon, 01 Jun 2026 09:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMN-0006tz-6W; Mon, 01 Jun 2026 09:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1323784; Mon, 01 Jun 2026 09:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMM-0006tt-80 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTzMM-001GXF-0Y for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTzMM-00F2QG-0M for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zVWmWLJcNmaC17zl9XKjHIwbr4u6plnQXTOVJjJxpVM=; b=3xa7tDrNje4aD2++XPF2bKyI+L MaUnoNRA0CEk2e2EZkKpzfmBXTObq57Efs+5OEJ93NqC1LvHvr/OWuhFeJ5mFkGIhAzOl0vN7y6rj 6WfLy/qJFXrCIuK+Qh0sjZp6LQMBQnJSLpX+8Xc4rbqvCklgH0sp1bBCeLRI/OsOu/lo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: fix typo in printk-formats documentation Message-Id: Date: Mon, 01 Jun 2026 09:55:02 +0000 commit b7809aad2d62faef0e033a5d392b580a4cdfa959 Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:13 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix typo in printk-formats documentation Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/misc/printk-formats.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/printk-formats.txt b/docs/misc/printk-formats.txt index ce32829dae..2cad98703b 100644 --- a/docs/misc/printk-formats.txt +++ b/docs/misc/printk-formats.txt @@ -23,7 +23,7 @@ Bitmaps (e.g. cpumask/nodemask): Symbol/Function pointers: - %ps Symbol name with condition offset and size (iff offset != 0) + %ps Symbol name with conditional offset and size (iff offset != 0) e.g. printk default_idle+0x78/0x7d -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 09:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 09:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323785.1589450 (Exim 4.92) (envelope-from ) id 1wTzMX-0006w8-AX; Mon, 01 Jun 2026 09:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323785.1589450; Mon, 01 Jun 2026 09:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMX-0006w0-7o; Mon, 01 Jun 2026 09:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1323785; Mon, 01 Jun 2026 09:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMW-0006vq-9X for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTzMW-001Gam-0q for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTzMW-00F2VG-0j for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=e05bbQUfeB1By24rRRdRlDA3rZNd/55jZ97TGl0yG1A=; b=TCXleRhSDf0M0nd3FjWgAoOgbn LQvCzicFLJMrmSAQVefmXbcrYptc5rdujJ37fwc5xdgmwCDjdlFF8BREcr6q5e/0cBnC44XylpVH4 54cJQp52P82hocWYEMAJ17ugRIOfb91knEM8M2tP14UI2NVUIiP9KvIFGgWX18LklF/4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: fix spelling of 'receive' in xen-command-line Message-Id: Date: Mon, 01 Jun 2026 09:55:12 +0000 commit 275ae20dd7d8a7b9c4263e543c2489409845bbc2 Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:14 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix spelling of 'receive' in xen-command-line Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/misc/xen-command-line.pandoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 8c89b7852c..ef3c737189 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -191,7 +191,7 @@ The functionality that this option controls is only available when Xen has been compiled with the build setting for Argo enabled in the build configuration. Argo is a interdomain communication mechanism, where Xen acts as the central -point of authority. Guests may register memory rings to recieve messages, +point of authority. Guests may register memory rings to receive messages, query the status of other domains, and send messages by hypercall, all subject to appropriate auditing by Xen. Argo is disabled by default. -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 09:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 09:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323786.1589454 (Exim 4.92) (envelope-from ) id 1wTzMh-0006yL-Bf; Mon, 01 Jun 2026 09:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323786.1589454; Mon, 01 Jun 2026 09:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMh-0006yD-96; Mon, 01 Jun 2026 09:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1323786; Mon, 01 Jun 2026 09:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTzMg-0006y6-Du for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wTzMg-001Gat-1H for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wTzMg-00F2aW-11 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 09:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cxUkyJieNj7gu6sGgCf8991/I6xbAmLfahRG8HBTilY=; b=6TjkG39ttkCnke3ZXkhnYAPGWX Cw0wx4IlPdE8IeDbnmHkOj5JonbeO2r5QGVStGfVGlsO6S2n/qc8QKxTFAjkfEidaeca+aNcocXhX sVyDEAtllOxnBCG3BMe4QdWRVJVrPTvZIBegHw390jmgJkrOZjE05YH63SnJrKB1XCZk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: fix spelling of 'receiver' and 'receiving' in libxc-migration-stream Message-Id: Date: Mon, 01 Jun 2026 09:55:22 +0000 commit 5fa6f9584220c4d1dad6a3f07cbc3ccb2404464a Author: Ravindra Kumar Bundela AuthorDate: Mon Jun 1 12:42:15 2026 +0530 Commit: Michal Orzel CommitDate: Mon Jun 1 10:36:15 2026 +0200 docs: fix spelling of 'receiver' and 'receiving' in libxc-migration-stream Signed-off-by: Ravindra Kumar Bundela Acked-by: Michal Orzel --- docs/specs/libxc-migration-stream.pandoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/specs/libxc-migration-stream.pandoc b/docs/specs/libxc-migration-stream.pandoc index 8aeab3b11b..1319ce1f1e 100644 --- a/docs/specs/libxc-migration-stream.pandoc +++ b/docs/specs/libxc-migration-stream.pandoc @@ -753,7 +753,7 @@ A v3 stream is compatible with a v2 stream, but mandates the presense of a STATIC_DATA_END record ahead of any memory/register content. This is to ease the introduction of new static configuration records over time. -A v3-compatible reciever interpreting a v2 stream should infer the position of +A v3-compatible receiver interpreting a v2 stream should infer the position of STATIC_DATA_END based on finding the first X86_PV_P2M_FRAMES record (for PV guests), or PAGE_DATA record (for HVM guests) and behave as if STATIC_DATA_END had been sent. @@ -807,7 +807,7 @@ never change size or location. Errata ====== -1. For compatibility with older code, the receving side of a stream should +1. For compatibility with older code, the receiving side of a stream should tolerate and ignore variable sized records with zero content. Xen releases between 4.6 and 4.8 could end up generating valid HVM_PARAMS or X86_PV_VCPU_{EXTENDED,XSAVE,MSRS} records with zero-length content. -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 11:33:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 11:33:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323856.1589521 (Exim 4.92) (envelope-from ) id 1wU0tD-0005ro-S1; Mon, 01 Jun 2026 11:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323856.1589521; Mon, 01 Jun 2026 11:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tD-0005rg-PP; Mon, 01 Jun 2026 11:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1323856; Mon, 01 Jun 2026 11:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tC-0005rX-1U for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU0tB-001InO-3D for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU0tB-00Folx-2z for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=s59HVPZWOsInCURB7/VSgGJHg+Q6U+KMYaVHaFkelzg=; b=BR9D1t2ANCk4RaiHQER7h3oUyh muHUIKc5ax20QNGQA4J85OpQAp8jfSklHJ5KfVF6T9TIwCiVoz2+D/wgJ3C+qAON7ic12wkB9teHk fm4MBPCRfuqaEJtl71FurN5fSNBayxX2vHQoeNtK3Vs4J7pHsRrdWri3A4ag98pFCTZI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs: fix spelling of 'necessarily' in index.rst Message-Id: Date: Mon, 01 Jun 2026 11:33:01 +0000 commit 2121ecf1c3620a4724f5254b54c16b6383cf1a44 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:03 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs: fix spelling of 'necessarily' in index.rst Correct a minor typo in the introduction section to improve readability. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.rst b/docs/index.rst index bd87d736b9..57da8c2708 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -17,7 +17,7 @@ User documentation ------------------ This is documentation for an administrator of a Xen system. It is intended -for someone who is not necesserily a developer, has installed Xen from their +for someone who is not necessarily a developer, has installed Xen from their preferred distribution, and is attempting to run virtual machines and configure the system. -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 11:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 11:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323857.1589526 (Exim 4.92) (envelope-from ) id 1wU0tN-0005tp-TY; Mon, 01 Jun 2026 11:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323857.1589526; Mon, 01 Jun 2026 11:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tN-0005th-Qh; Mon, 01 Jun 2026 11:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1323857; Mon, 01 Jun 2026 11:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tM-0005tZ-3r for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU0tM-001InS-0H for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU0tM-00FowD-0A for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4+ijp2NBj6+jYFyZkZKRmm0cI+VC8Ut0HpyL4HW9ukY=; b=t866AloWEwWFnWFnf/y0vTmtVd G3ZGHKAcemNpwJqr8jah3xhx9E03aZdoo+ZDLbsCCEgzTn4fZQxIervCf13hEf9Ich2upnEKe9hfa JlmIAhXPG5wMAA6T5Sr1St2uDg0TLiFtGSwjl6cRaRPxTbGlNiN7o/1l1L4QJ3VxvFlQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/admin-guide: drop duplicated word in microcode-loading.rst Message-Id: Date: Mon, 01 Jun 2026 11:33:12 +0000 commit 9db2c3b29f103f9a6836560907401ca9418a67c5 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:04 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs/admin-guide: drop duplicated word in microcode-loading.rst Remove the duplicated word "contains" in the microcode loading documentation. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/admin-guide/microcode-loading.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-guide/microcode-loading.rst b/docs/admin-guide/microcode-loading.rst index 148bc8559b..cd8ebeb564 100644 --- a/docs/admin-guide/microcode-loading.rst +++ b/docs/admin-guide/microcode-loading.rst @@ -97,7 +97,7 @@ appropriate distro package, and add ``ucode=scan`` to Xen's command line. Xen is compatible with the Linux initrd microcode protocol. The initrd is expected to be generated with an uncompressed CPIO archive at the beginning -which contains contains one of these two files:: +which contains one of these two files:: kernel/x86/microcode/GenuineIntel.bin kernel/x86/microcode/AuthenticAMD.bin -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 11:33:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 11:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323858.1589529 (Exim 4.92) (envelope-from ) id 1wU0tX-0005w4-Ur; Mon, 01 Jun 2026 11:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323858.1589529; Mon, 01 Jun 2026 11:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tX-0005vw-S5; Mon, 01 Jun 2026 11:33:23 +0000 Received: by outflank-mailman (input) for mailman id 1323858; Mon, 01 Jun 2026 11:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU0tW-0005vl-79 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU0tW-001InW-0a for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU0tW-00Fp3f-0R for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 11:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wLWAr+pGv+ca3gViguwHj/KwZxfvtIahuCn0EzniJ18=; b=Zgscum2q0Vpsd0te4fwq/+gRnz kyxaAqxkMmyAm88DROZHbEwD+0ZpM97WfsbflOxDhvo+WAWvx3B7ncGckAc0JIOJVKyCqfJdW4KuJ nQhnNQ93qAHyTNuLaf1bnArnlW0XQQLcx9rXYhtVZIgInvNvdX5gMviL1gJiroKyNyEQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/specs: drop duplicated word in libxl-migration-stream.pandoc Message-Id: Date: Mon, 01 Jun 2026 11:33:22 +0000 commit d38a353eaceddc97ee41d4cce30ed44fc2044a42 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:05 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs/specs: drop duplicated word in libxl-migration-stream.pandoc Remove the duplicated word "to" in the libxl migration stream specification. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/specs/libxl-migration-stream.pandoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/specs/libxl-migration-stream.pandoc b/docs/specs/libxl-migration-stream.pandoc index 5ec5dc991b..b9484cd787 100644 --- a/docs/specs/libxl-migration-stream.pandoc +++ b/docs/specs/libxl-migration-stream.pandoc @@ -218,8 +218,8 @@ tuples. Each (key, value) tuple is a packed pair of NUL terminated octets, conforming to xenstore protocol character encoding (keys strictly as alphanumeric ASCII and `-/_@`, values expected to be human-readable ASCII). -Keys shall be relative to to the device models xenstore tree for the new -domain. At the time of writing, keys are relative to the path +Keys shall be relative to the device models xenstore tree for the new domain. +At the time of writing, keys are relative to the path > `/local/domain/$dm_domid/device-model/$domid/` -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 14:11:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 14:11:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323883.1589542 (Exim 4.92) (envelope-from ) id 1wU3M6-0000xe-QY; Mon, 01 Jun 2026 14:11:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323883.1589542; Mon, 01 Jun 2026 14:11:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3M6-0000xW-Nk; Mon, 01 Jun 2026 14:11:02 +0000 Received: by outflank-mailman (input) for mailman id 1323883; Mon, 01 Jun 2026 14:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3M5-0000xQ-RG for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU3M5-001MLN-2c for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU3M5-00H3fx-2Q for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=t1KT87EXfa7LH/LlLE+lIOjGPs4mtY+Ced83jlUVpd0=; b=a5neOYBsploX0kNxtPSNecKCB2 cfe++1suJbLP08J6Ymviws51e+TkHi2CJRVVERXDK65tBdFzQkhI78gjoqfvcqgq36/MZaBrqnlT2 WHGywQjPJQPkuLsdHe23zxZPepJlm1Pul/Po+vD5hNfu+uZBkCQrYcmS7cM71LTUi25o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: fix spelling of 'necessarily' in index.rst Message-Id: Date: Mon, 01 Jun 2026 14:11:01 +0000 commit 2121ecf1c3620a4724f5254b54c16b6383cf1a44 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:03 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs: fix spelling of 'necessarily' in index.rst Correct a minor typo in the introduction section to improve readability. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.rst b/docs/index.rst index bd87d736b9..57da8c2708 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -17,7 +17,7 @@ User documentation ------------------ This is documentation for an administrator of a Xen system. It is intended -for someone who is not necesserily a developer, has installed Xen from their +for someone who is not necessarily a developer, has installed Xen from their preferred distribution, and is attempting to run virtual machines and configure the system. -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 14:11:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 14:11:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323884.1589547 (Exim 4.92) (envelope-from ) id 1wU3MG-0000za-TM; Mon, 01 Jun 2026 14:11:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323884.1589547; Mon, 01 Jun 2026 14:11:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3MG-0000zS-PA; Mon, 01 Jun 2026 14:11:12 +0000 Received: by outflank-mailman (input) for mailman id 1323884; Mon, 01 Jun 2026 14:11:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3MF-0000zC-UU for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU3MF-001MLc-2v for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU3MF-00H3j8-2m for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zRhdtfvXsBavE+DZKZ+S788Xo4XRqR9Z1+2J4C/pSvo=; b=ZC/dLR+7oHkcVE57ja2nXkpay7 ioJ5hvI4WNy+WDP7ULh0sRNfthTwT6XoRudO2ULD9Qoekil56xyoPDmhurzbQJ7G2ba2oDSGIEP+C jGR1zrOGV8fGv7hrGd3SR3lIP+x5jM9S8OM3Rj46nFcPkdZhazQzrfi3/lIg9e/4l58Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/admin-guide: drop duplicated word in microcode-loading.rst Message-Id: Date: Mon, 01 Jun 2026 14:11:11 +0000 commit 9db2c3b29f103f9a6836560907401ca9418a67c5 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:04 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs/admin-guide: drop duplicated word in microcode-loading.rst Remove the duplicated word "contains" in the microcode loading documentation. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/admin-guide/microcode-loading.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-guide/microcode-loading.rst b/docs/admin-guide/microcode-loading.rst index 148bc8559b..cd8ebeb564 100644 --- a/docs/admin-guide/microcode-loading.rst +++ b/docs/admin-guide/microcode-loading.rst @@ -97,7 +97,7 @@ appropriate distro package, and add ``ucode=scan`` to Xen's command line. Xen is compatible with the Linux initrd microcode protocol. The initrd is expected to be generated with an uncompressed CPIO archive at the beginning -which contains contains one of these two files:: +which contains one of these two files:: kernel/x86/microcode/GenuineIntel.bin kernel/x86/microcode/AuthenticAMD.bin -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 14:11:22 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 14:11:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323885.1589549 (Exim 4.92) (envelope-from ) id 1wU3MQ-00011W-TE; Mon, 01 Jun 2026 14:11:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323885.1589549; Mon, 01 Jun 2026 14:11:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3MQ-00011O-Qg; Mon, 01 Jun 2026 14:11:22 +0000 Received: by outflank-mailman (input) for mailman id 1323885; Mon, 01 Jun 2026 14:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU3MQ-00011I-0q for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU3MP-001MLi-3D for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU3MP-00H3oF-35 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 14:11:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1tDg9sH+aTiWhv7rp7IEr1UB7QR2aPQ4irdqMH9tHuQ=; b=p8FQF0lK1Ip1ckg5h86cymFJy6 XsQbSirkp+Cfpl8ibncomkk1vjwWZoZ0FnYFDkiC/UUExj8JJ/EjittNKOohgfAFlszEAjSFwdnV4 aBMGvUuqIGpTkC08B+Y25MS2xjZR4KDVVhe4Ij7PZ6B1OXqZE2AiOTbxxe81FH1ULAZo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/specs: drop duplicated word in libxl-migration-stream.pandoc Message-Id: Date: Mon, 01 Jun 2026 14:11:21 +0000 commit d38a353eaceddc97ee41d4cce30ed44fc2044a42 Author: Eduardo Marinho AuthorDate: Mon Jun 1 07:39:05 2026 -0300 Commit: Andrew Cooper CommitDate: Mon Jun 1 12:25:48 2026 +0100 docs/specs: drop duplicated word in libxl-migration-stream.pandoc Remove the duplicated word "to" in the libxl migration stream specification. Signed-off-by: Eduardo Marinho Acked-by: Andrew Cooper --- docs/specs/libxl-migration-stream.pandoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/specs/libxl-migration-stream.pandoc b/docs/specs/libxl-migration-stream.pandoc index 5ec5dc991b..b9484cd787 100644 --- a/docs/specs/libxl-migration-stream.pandoc +++ b/docs/specs/libxl-migration-stream.pandoc @@ -218,8 +218,8 @@ tuples. Each (key, value) tuple is a packed pair of NUL terminated octets, conforming to xenstore protocol character encoding (keys strictly as alphanumeric ASCII and `-/_@`, values expected to be human-readable ASCII). -Keys shall be relative to to the device models xenstore tree for the new -domain. At the time of writing, keys are relative to the path +Keys shall be relative to the device models xenstore tree for the new domain. +At the time of writing, keys are relative to the path > `/local/domain/$dm_domid/device-model/$domid/` -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 16:11:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 16:11:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323995.1589662 (Exim 4.92) (envelope-from ) id 1wU5EF-0006Ip-Hz; Mon, 01 Jun 2026 16:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323995.1589662; Mon, 01 Jun 2026 16:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU5EF-0006If-F9; Mon, 01 Jun 2026 16:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1323995; Mon, 01 Jun 2026 16:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU5EE-0006IZ-1l for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU5ED-001Pa7-39 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU5ED-000LUK-2x for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+1wHgsrg5sQ4RPVOw6iXFlJUJL6Dn8Wiep4nHTZaSdg=; b=slwVB+fLurGs2PLUtGxdW5lgQX h4UFEm1C/y0SI6SAy5ycX/yGDadbki+pEQH7Q1oWxZ2kH4eedNu1FXBzbonUf84HqGaZafEDYyM6p NX9VesEI2BtQ+f+ihAatPL553H7LsckhxMu8Q6v3sQph1WddJmBuyrTjXz58H0ZE9vZY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Config.mk: Pin QEMU_UPSTREAM_REVISION Message-Id: Date: Mon, 01 Jun 2026 16:11:01 +0000 commit b33d0bed3897f50a1a7b596ee24f658490da0450 Author: Andrew Cooper AuthorDate: Mon Jun 1 16:23:34 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 1 17:07:48 2026 +0100 Config.mk: Pin QEMU_UPSTREAM_REVISION Signed-off-by: Andrew Cooper Acked-by: Oleksii Kurochko --- Config.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index b3d48e49c7..86a4999246 100644 --- a/Config.mk +++ b/Config.mk @@ -214,7 +214,7 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= master +QEMU_UPSTREAM_REVISION ?= e064f42c80be6f6ff8c12dcb2a663bdf70f965f6 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git MINIOS_UPSTREAM_REVISION ?= b6f79f5f44cf69044079c042b88fe9d75367642e -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 16:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 16:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323996.1589666 (Exim 4.92) (envelope-from ) id 1wU5EP-0006Lp-J0; Mon, 01 Jun 2026 16:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323996.1589666; Mon, 01 Jun 2026 16:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU5EP-0006Li-GP; Mon, 01 Jun 2026 16:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1323996; Mon, 01 Jun 2026 16:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU5EO-0006L7-4I for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU5EO-001PaD-0G for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU5EO-000LZC-06 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 16:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SsckrQqCdrbZLhp0lj4uMbnnXAQoyNcIrDcE1sa2RZM=; b=eapFMdKVFAEgsBKPZ+GH4NMVtl o8AMyHKvREKU0BpGQPJjWlhBsZsskQu66TAuRiHxgNO61d8qHB1TmeiEBILP+OwNUvdhtKS7XIYz2 C5mRgccXQrdz6sBa4rBjE71RCy8wzxXdPNFUu5gI2evV03DjacUOKVHyt9buel6WpnvM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Update Xen version to 4.22.0-rc1 Message-Id: Date: Mon, 01 Jun 2026 16:11:12 +0000 commit c069c014f21fd1f5925d8c30c18adb4f26381475 Author: Andrew Cooper AuthorDate: Mon Jun 1 16:26:12 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 1 17:07:48 2026 +0100 Update Xen version to 4.22.0-rc1 Signed-off-by: Andrew Cooper Acked-by: Oleksii Kurochko --- README | 10 +++++----- SUPPORT.md | 2 +- xen/Makefile | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README b/README index 889a4ea906..3dcc00c4a4 100644 --- a/README +++ b/README @@ -1,9 +1,9 @@ ############################################################ -__ __ _ _ _ -\ \/ /___ _ __ _ _ _ __ ___| |_ __ _| |__ | | ___ - \ // _ \ '_ \ _____| | | | '_ \/ __| __/ _` | '_ \| |/ _ \ - / \ __/ | | |_____| |_| | | | \__ \ || (_| | |_) | | __/ -/_/\_\___|_| |_| \__,_|_| |_|___/\__\__,_|_.__/|_|\___| +__ __ _ _ ____ ____ +\ \/ /___ _ __ | || | |___ \|___ \ _ __ ___ + \ // _ \ '_ \ | || |_ __) | __) |__| '__/ __| + / \ __/ | | | |__ _| / __/ / __/|__| | | (__ +/_/\_\___|_| |_| |_|(_)_____|_____| |_| \___| ############################################################ diff --git a/SUPPORT.md b/SUPPORT.md index 8e7ab7cb3e..abc7beac5b 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -9,7 +9,7 @@ for the definitions of the support status levels etc. # Release Support - Xen-Version: 4.22-unstable + Xen-Version: 4.22-rc Initial-Release: n/a Supported-Until: TBD Security-Support-Until: Unreleased - not yet security-supported diff --git a/xen/Makefile b/xen/Makefile index a2b442e76d..1f11610b5f 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 22 -export XEN_EXTRAVERSION ?= -unstable$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .0-rc1$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 17:22:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 17:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1324044.1589715 (Exim 4.92) (envelope-from ) id 1wU6Kx-000157-Ao; Mon, 01 Jun 2026 17:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1324044.1589715; Mon, 01 Jun 2026 17:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU6Kx-00014z-8F; Mon, 01 Jun 2026 17:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1324044; Mon, 01 Jun 2026 17:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU6Kw-00014t-AG for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU6Kw-001R7n-0i for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU6Kw-00104A-0W for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YQGlaECQGCiYz10DK7HtNjahcAQsUB/tWOUhun8yVg0=; b=GUn5rD6qG2/vsH4dCtyC4vNgVn Y7oOXnxReTq/31OonvHw6t9OL78yJ5DwOh5wzM5jd7ss22NCLA+JN0WUQfwLh8kXbAZaY2s/x1Loc b29TOO8MSsLbtLZHo72qFHHd+kdzIEyTNdiXfs75nxt1qdM2WpR8ICxZDttH5W6iYIFE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Config.mk: Pin QEMU_UPSTREAM_REVISION Message-Id: Date: Mon, 01 Jun 2026 17:22:02 +0000 commit b33d0bed3897f50a1a7b596ee24f658490da0450 Author: Andrew Cooper AuthorDate: Mon Jun 1 16:23:34 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 1 17:07:48 2026 +0100 Config.mk: Pin QEMU_UPSTREAM_REVISION Signed-off-by: Andrew Cooper Acked-by: Oleksii Kurochko --- Config.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index b3d48e49c7..86a4999246 100644 --- a/Config.mk +++ b/Config.mk @@ -214,7 +214,7 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= master +QEMU_UPSTREAM_REVISION ?= e064f42c80be6f6ff8c12dcb2a663bdf70f965f6 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git MINIOS_UPSTREAM_REVISION ?= b6f79f5f44cf69044079c042b88fe9d75367642e -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 01 17:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 01 Jun 2026 17:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1324045.1589718 (Exim 4.92) (envelope-from ) id 1wU6L7-00018U-C7; Mon, 01 Jun 2026 17:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1324045.1589718; Mon, 01 Jun 2026 17:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU6L7-00018M-9c; Mon, 01 Jun 2026 17:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1324045; Mon, 01 Jun 2026 17:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wU6L6-00017z-Bd for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wU6L6-001R7s-12 for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wU6L6-0010Ab-0t for xen-changelog@lists.xenproject.org; Mon, 01 Jun 2026 17:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZysT7jDeKkpfRemeinQ7yubwGVrzGkih7h6UI+3++j4=; b=o7AMQcRwTl0fDYNAd2AEN2eiS4 u9EkwRSG/NP75GSltcNpG4NfbRKAso/bM4Ekk2c0PF7vUZjaQZ5E15x/nkSWIbilXxUfcm7g/fWuD ujlcXyh+nWBKDhKDFBztxV0ZC5czZ5t7pcFzgTjSL8ARZvY66dDw1NohJUkTrFMI47SE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Update Xen version to 4.22.0-rc1 Message-Id: Date: Mon, 01 Jun 2026 17:22:12 +0000 commit c069c014f21fd1f5925d8c30c18adb4f26381475 Author: Andrew Cooper AuthorDate: Mon Jun 1 16:26:12 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 1 17:07:48 2026 +0100 Update Xen version to 4.22.0-rc1 Signed-off-by: Andrew Cooper Acked-by: Oleksii Kurochko --- README | 10 +++++----- SUPPORT.md | 2 +- xen/Makefile | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README b/README index 889a4ea906..3dcc00c4a4 100644 --- a/README +++ b/README @@ -1,9 +1,9 @@ ############################################################ -__ __ _ _ _ -\ \/ /___ _ __ _ _ _ __ ___| |_ __ _| |__ | | ___ - \ // _ \ '_ \ _____| | | | '_ \/ __| __/ _` | '_ \| |/ _ \ - / \ __/ | | |_____| |_| | | | \__ \ || (_| | |_) | | __/ -/_/\_\___|_| |_| \__,_|_| |_|___/\__\__,_|_.__/|_|\___| +__ __ _ _ ____ ____ +\ \/ /___ _ __ | || | |___ \|___ \ _ __ ___ + \ // _ \ '_ \ | || |_ __) | __) |__| '__/ __| + / \ __/ | | | |__ _| / __/ / __/|__| | | (__ +/_/\_\___|_| |_| |_|(_)_____|_____| |_| \___| ############################################################ diff --git a/SUPPORT.md b/SUPPORT.md index 8e7ab7cb3e..abc7beac5b 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -9,7 +9,7 @@ for the definitions of the support status levels etc. # Release Support - Xen-Version: 4.22-unstable + Xen-Version: 4.22-rc Initial-Release: n/a Supported-Until: TBD Security-Support-Until: Unreleased - not yet security-supported diff --git a/xen/Makefile b/xen/Makefile index a2b442e76d..1f11610b5f 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 22 -export XEN_EXTRAVERSION ?= -unstable$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .0-rc1$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 07:22:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 07:22:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325799.1591130 (Exim 4.92) (envelope-from ) id 1wUfvO-0001hc-Po; Wed, 03 Jun 2026 07:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325799.1591130; Wed, 03 Jun 2026 07:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvO-0001hU-Mo; Wed, 03 Jun 2026 07:22:02 +0000 Received: by outflank-mailman (input) for mailman id 1325799; Wed, 03 Jun 2026 07:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvN-0001hO-RD for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUfvN-004umR-2N for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUfvN-00B6n3-2E for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1x56n91lQzGT8x7uhYAGfDtfQvPc3us3aNl9dcsG+mg=; b=1RBKQhRfNbHF/JD9Se5ug84nxn CADnd3D4b25kes6v0DfDGLiOmjw88avJHTa63gIn5tRo6IUboEATju/ltgljTU7HsRKUjHOjP2xFz AS2c1FwUj6WA52kUaZ8Rs4CtKUyAz4bhN8f1yUDW54F2RR9JxjasSMuV1FGzvxBoA7nA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: disable debug info for analysis jobs Message-Id: Date: Wed, 03 Jun 2026 07:22:01 +0000 commit c866569ce1591fcae53c03921cf244c93037b2f4 Author: Jan Beulich AuthorDate: Wed Jun 3 08:15:55 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:15:55 2026 +0200 CI: disable debug info for analysis jobs Its generating and linking takes time (and space), while at the same time Eclair should be entirely independent of its presence. Signed-off-by: Jan Beulich Reviewed-by: Nicola Vetrini Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/analyze.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/automation/gitlab-ci/analyze.yaml b/automation/gitlab-ci/analyze.yaml index 9bf032931f..55c42e3f84 100644 --- a/automation/gitlab-ci/analyze.yaml +++ b/automation/gitlab-ci/analyze.yaml @@ -47,6 +47,7 @@ eclair-x86_64-allcode: RULESET: "monitored" EXTRA_XEN_CONFIG: | CONFIG_ARGO=y + CONFIG_DEBUG_INFO=n CONFIG_DEBUG_LOCK_PROFILE=y CONFIG_DEBUG_TRACE=y CONFIG_EFI_SET_VIRTUAL_ADDRESS_MAP=y @@ -105,6 +106,7 @@ eclair-x86_64-amd: CONFIG_INTEL_IOMMU=n CONFIG_EXPERT=y CONFIG_DEBUG=y + CONFIG_DEBUG_INFO=n CONFIG_GDBSX=n CONFIG_FRAME_POINTER=n CONFIG_SELF_TESTS=n @@ -129,6 +131,7 @@ eclair-ARM64-allcode: CONFIG_ARM64_SVE=y CONFIG_ARM_SMMU_V3=y CONFIG_BOOT_TIME_CPUPOOLS=y + CONFIG_DEBUG_INFO=n CONFIG_DEBUG_LOCK_PROFILE=y CONFIG_DEBUG_TRACE=y CONFIG_DEVICE_TREE_DEBUG=y @@ -206,6 +209,7 @@ eclair-ARM64-amd: CONFIG_ARM_SMMU_V3=y CONFIG_EXPERT=y CONFIG_DEBUG=y + CONFIG_DEBUG_INFO=n CONFIG_FRAME_POINTER=n CONFIG_SELF_TESTS=n CONFIG_DEBUG_LOCKS=n -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 07:22:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 07:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325800.1591134 (Exim 4.92) (envelope-from ) id 1wUfvY-0001ks-R4; Wed, 03 Jun 2026 07:22:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325800.1591134; Wed, 03 Jun 2026 07:22:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvY-0001kj-OD; Wed, 03 Jun 2026 07:22:12 +0000 Received: by outflank-mailman (input) for mailman id 1325800; Wed, 03 Jun 2026 07:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvX-0001jk-Sk for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUfvX-004umt-2k for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUfvX-00B6s2-2X for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2xE5ergwCt+Rq/P4PN5nFTOxpJ31U1q8jVIMBhgG5QY=; b=sdaiuTbSdYdMh+ouzjEVTgBHT9 NeGirtwZtdTzmrjA5uzsF9gnnF8yYB+w3L3WZZN2k+vP1tB5QLwK3He//v05/fQbKzoqSFdjQgEu9 AR3wK1rZ/9qevEJljBcSnzxw3G/Bt3asWCsDHoeHgnOKEOsAlBAeyJ/mnCgomltK+M80=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/riscv: fix switch_stack_and_jump() for range beyond 1M Message-Id: Date: Wed, 03 Jun 2026 07:22:11 +0000 commit 0f1ca0a3bc8d360b8ecd0231097a2e4d472838db Author: Oleksii Kurochko AuthorDate: Wed Jun 3 08:16:28 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:16:28 2026 +0200 xen/riscv: fix switch_stack_and_jump() for range beyond 1M The `j` instruction (JAL x0) used in switch_stack_and_jump() is a J-type instruction with only a ±1MB range, and that this can be exceeded in some configurations, causing a linker error: relocation truncated to fit: R_RISCV_JAL against `' Replace `j` with `jr` (JALR x0) via an explicit register, which has unlimited range. Found in a downstream branch when UBSAN instrumentation was enabled. Note that the `tail` instruction looks more natural here, but `jr` is chosen instead to avoid depending on how the assembler expands `tail` and which scratch register it uses (`t1` in GAS), which would need to be listed in the clobber section of `asm volatile`. Fixes: e66003e7be199 ("xen/riscv: introduce setup_initial_pages") Signed-off-by: Oleksii Kurochko Reviewed-by: Baptiste Le Duc Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/current.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/riscv/include/asm/current.h b/xen/arch/riscv/include/asm/current.h index 5fbee8182c..78ec52fd8a 100644 --- a/xen/arch/riscv/include/asm/current.h +++ b/xen/arch/riscv/include/asm/current.h @@ -54,7 +54,7 @@ DECLARE_PER_CPU(struct vcpu *, curr_vcpu); #define switch_stack_and_jump(stack, fn) do { \ asm volatile ( \ "mv sp, %0\n" \ - "j " #fn :: "r" (stack), "X" (fn) : "memory" ); \ + "jr %1" :: "r" (stack), "r" (fn) : "memory" ); \ unreachable(); \ } while ( false ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 07:22:22 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 07:22:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325801.1591138 (Exim 4.92) (envelope-from ) id 1wUfvi-0001mz-SB; Wed, 03 Jun 2026 07:22:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325801.1591138; Wed, 03 Jun 2026 07:22:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvi-0001ms-PV; Wed, 03 Jun 2026 07:22:22 +0000 Received: by outflank-mailman (input) for mailman id 1325801; Wed, 03 Jun 2026 07:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvh-0001ml-VS for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUfvh-004un2-32 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUfvh-00B6wc-2u for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0LHq8aT84Mtz4nC8ptd4xFsIvBx6cE2PQBWCsFEm7Zg=; b=iXOlOe6+CZ5amWTs52fvJyClqU UpkOhFFQ81ZkmKZOVCe34ER4Gi6hJjNCo06EC+368NGWEFq99bWIf3E7CcV0UYsEgZd+Ix2OcSKD1 cRYUxe++6u8CPRG4FDfkdjf8yMgOk7PutU2+CLWVd+PgOjDhCMUKoc8xWTqNpEO7enw4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/PV: drop a local variable from pv_emulate_gate_op() Message-Id: Date: Wed, 03 Jun 2026 07:22:21 +0000 commit 2220363115909988d3d0535a5cea349505f5b2c8 Author: Jan Beulich AuthorDate: Wed Jun 3 08:17:23 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:17:23 2026 +0200 x86/PV: drop a local variable from pv_emulate_gate_op() The inner "rc" shadows the function scope one, thus violating Misra C:2012 rule 5.3 ("An identifier declared in an inner scope shall not hide an identifier declared in an outer scope"). Drop the inner variable, as there's no other (later) use of the value it holds. No difference in generated code. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/pv/emul-gate-op.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index d0f7f06e01..05262a983a 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -287,7 +287,6 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) { unsigned int ss, esp, *stkp; uint32_t value; - int rc; #define push(item) do \ { \ value = (item); \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 07:22:32 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 07:22:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325802.1591142 (Exim 4.92) (envelope-from ) id 1wUfvs-0001p2-Ti; Wed, 03 Jun 2026 07:22:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325802.1591142; Wed, 03 Jun 2026 07:22:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvs-0001oq-Qs; Wed, 03 Jun 2026 07:22:32 +0000 Received: by outflank-mailman (input) for mailman id 1325802; Wed, 03 Jun 2026 07:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUfvs-0001ok-2y for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUfvs-004un9-0B for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUfvs-00B71Q-01 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 07:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Tw9YIVGTOeVsNOLJvM5mola0lNV+YsF29TgaEQERLU4=; b=prS24GQNPCvC94ssEE8o5AalC+ kQPwHeyU9R2IqySkl8lHJ2BA45HZgEXJxF36F+CUJzr6zywjFxvT3fC3d2k/LaQhYybTNPmFivt5z nqrnaAQwfAMDIJGm+R9Fn96az9Kam0tJb9Me67EI6Xhp2AKnVVOuG/qPJQvSfuLe32PM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/efi: Use blexit() instead of BUG_ON() in read_file() Message-Id: Date: Wed, 03 Jun 2026 07:22:32 +0000 commit 7e11543c53396ea2e59320127573bf4151fae008 Author: Szymon Acedański AuthorDate: Wed Jun 3 08:17:56 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:17:56 2026 +0200 xen/efi: Use blexit() instead of BUG_ON() in read_file() Follow-up to 880e40b187aa, which added a BUG_ON() guard in read_file(). But as Jan pointed out, before ExitBootServices BUG_ON() is not functional. It results in a hang with no message. On the other hand blexit() prints a message and returns back to the bootloader. Fixes: 880e40b187aa ("xen/efi: Fix boot from a device without a file system") Reported-by: Jan Beulich Signed-off-by: Szymon Acedański Reviewed-by: Jan Beulich Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/common/efi/boot.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index 2971ea8696..8f24df9bc2 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -849,7 +849,8 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, CHAR16 *name, if ( !name ) PrintErrMesg(L"No filename", EFI_OUT_OF_RESOURCES); - BUG_ON(!dir_handle); + if ( !dir_handle ) + blexit(L"BUG: !dir_handle in read_file()"); what = L"Open"; ret = dir_handle->Open(dir_handle, &FileHandle, name, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 08:33:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 08:33:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325878.1591218 (Exim 4.92) (envelope-from ) id 1wUh26-000866-V7; Wed, 03 Jun 2026 08:33:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325878.1591218; Wed, 03 Jun 2026 08:33:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh26-00085y-Sg; Wed, 03 Jun 2026 08:33:02 +0000 Received: by outflank-mailman (input) for mailman id 1325878; Wed, 03 Jun 2026 08:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh25-00085s-IN for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUh25-004xKU-1S for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUh25-00BYBV-1K for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cF2yAGk4RgM3H2iE8H+szy/A7RiPSfp4naX7HwH8EQA=; b=1bWSeC90+Kh3DZ11uCCEE2qUcc ebnmJS7QWmnLuFFswDOdMc0boR5zgamyCobn7qDak6iIjvqiBE1mVJPiVqajTgj6xTXjLXsBmRDeM Q56ESfDyc47ITRYW1aYK6xZZ3lfJK/yDGD3GQOEj6ZoZg+EVNUfbCx4LZhj4J7XYSN4k=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: disable debug info for analysis jobs Message-Id: Date: Wed, 03 Jun 2026 08:33:01 +0000 commit c866569ce1591fcae53c03921cf244c93037b2f4 Author: Jan Beulich AuthorDate: Wed Jun 3 08:15:55 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:15:55 2026 +0200 CI: disable debug info for analysis jobs Its generating and linking takes time (and space), while at the same time Eclair should be entirely independent of its presence. Signed-off-by: Jan Beulich Reviewed-by: Nicola Vetrini Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/analyze.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/automation/gitlab-ci/analyze.yaml b/automation/gitlab-ci/analyze.yaml index 9bf032931f..55c42e3f84 100644 --- a/automation/gitlab-ci/analyze.yaml +++ b/automation/gitlab-ci/analyze.yaml @@ -47,6 +47,7 @@ eclair-x86_64-allcode: RULESET: "monitored" EXTRA_XEN_CONFIG: | CONFIG_ARGO=y + CONFIG_DEBUG_INFO=n CONFIG_DEBUG_LOCK_PROFILE=y CONFIG_DEBUG_TRACE=y CONFIG_EFI_SET_VIRTUAL_ADDRESS_MAP=y @@ -105,6 +106,7 @@ eclair-x86_64-amd: CONFIG_INTEL_IOMMU=n CONFIG_EXPERT=y CONFIG_DEBUG=y + CONFIG_DEBUG_INFO=n CONFIG_GDBSX=n CONFIG_FRAME_POINTER=n CONFIG_SELF_TESTS=n @@ -129,6 +131,7 @@ eclair-ARM64-allcode: CONFIG_ARM64_SVE=y CONFIG_ARM_SMMU_V3=y CONFIG_BOOT_TIME_CPUPOOLS=y + CONFIG_DEBUG_INFO=n CONFIG_DEBUG_LOCK_PROFILE=y CONFIG_DEBUG_TRACE=y CONFIG_DEVICE_TREE_DEBUG=y @@ -206,6 +209,7 @@ eclair-ARM64-amd: CONFIG_ARM_SMMU_V3=y CONFIG_EXPERT=y CONFIG_DEBUG=y + CONFIG_DEBUG_INFO=n CONFIG_FRAME_POINTER=n CONFIG_SELF_TESTS=n CONFIG_DEBUG_LOCKS=n -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 08:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 08:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325879.1591222 (Exim 4.92) (envelope-from ) id 1wUh2H-00087p-0b; Wed, 03 Jun 2026 08:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325879.1591222; Wed, 03 Jun 2026 08:33:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2G-00087h-U6; Wed, 03 Jun 2026 08:33:12 +0000 Received: by outflank-mailman (input) for mailman id 1325879; Wed, 03 Jun 2026 08:33:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2F-00087V-JJ for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUh2F-004xKn-1p for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUh2F-00BYFB-1d for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wDtMvZXNg2m+VaJvihtj0EdF9i+wC7a+4cliIeVvfXo=; b=loNDedE73xlpbVsuUjPq3TXEAn oOMwjzCUxl+nDcCadjc2FLdxWt8AIa4kHTvWVdnD4Ao1DdxzRBqVa3w+MhNKRWifu/R5NRogkAoYL HS5t/A63rr3a7kUKpLvwieg+TrWWIWJXDy4t2qxJLvVWOl5sYYURSIVndMTgsKS9jY10=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/riscv: fix switch_stack_and_jump() for range beyond 1M Message-Id: Date: Wed, 03 Jun 2026 08:33:11 +0000 commit 0f1ca0a3bc8d360b8ecd0231097a2e4d472838db Author: Oleksii Kurochko AuthorDate: Wed Jun 3 08:16:28 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:16:28 2026 +0200 xen/riscv: fix switch_stack_and_jump() for range beyond 1M The `j` instruction (JAL x0) used in switch_stack_and_jump() is a J-type instruction with only a ±1MB range, and that this can be exceeded in some configurations, causing a linker error: relocation truncated to fit: R_RISCV_JAL against `' Replace `j` with `jr` (JALR x0) via an explicit register, which has unlimited range. Found in a downstream branch when UBSAN instrumentation was enabled. Note that the `tail` instruction looks more natural here, but `jr` is chosen instead to avoid depending on how the assembler expands `tail` and which scratch register it uses (`t1` in GAS), which would need to be listed in the clobber section of `asm volatile`. Fixes: e66003e7be199 ("xen/riscv: introduce setup_initial_pages") Signed-off-by: Oleksii Kurochko Reviewed-by: Baptiste Le Duc Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/current.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/riscv/include/asm/current.h b/xen/arch/riscv/include/asm/current.h index 5fbee8182c..78ec52fd8a 100644 --- a/xen/arch/riscv/include/asm/current.h +++ b/xen/arch/riscv/include/asm/current.h @@ -54,7 +54,7 @@ DECLARE_PER_CPU(struct vcpu *, curr_vcpu); #define switch_stack_and_jump(stack, fn) do { \ asm volatile ( \ "mv sp, %0\n" \ - "j " #fn :: "r" (stack), "X" (fn) : "memory" ); \ + "jr %1" :: "r" (stack), "r" (fn) : "memory" ); \ unreachable(); \ } while ( false ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 08:33:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 08:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325880.1591225 (Exim 4.92) (envelope-from ) id 1wUh2R-0008A1-23; Wed, 03 Jun 2026 08:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325880.1591225; Wed, 03 Jun 2026 08:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2Q-00089t-Vg; Wed, 03 Jun 2026 08:33:22 +0000 Received: by outflank-mailman (input) for mailman id 1325880; Wed, 03 Jun 2026 08:33:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2P-00089j-Nn for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUh2P-004xLE-2D for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUh2P-00BYIW-1z for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8goRNh3k+pxSqGtvEBTQjio7haJUFjLA3evOA9USGEk=; b=3BYeU/IjyPuaBFzgjtcbXqp08o 5HWFfiaAfIz8tOAs+4NWdigjyY1BtfSqon+gSf9FTBlxrDONW4bGn6Z/OiMJH0CSaIxsQwaNXHF/i QhNg2LB8sNogUsjXnJbhk4sdDpbdF8bGWckEMFlo7R8om0+mPMTdJXYdKUNAAiwbGFZA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/PV: drop a local variable from pv_emulate_gate_op() Message-Id: Date: Wed, 03 Jun 2026 08:33:21 +0000 commit 2220363115909988d3d0535a5cea349505f5b2c8 Author: Jan Beulich AuthorDate: Wed Jun 3 08:17:23 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:17:23 2026 +0200 x86/PV: drop a local variable from pv_emulate_gate_op() The inner "rc" shadows the function scope one, thus violating Misra C:2012 rule 5.3 ("An identifier declared in an inner scope shall not hide an identifier declared in an outer scope"). Drop the inner variable, as there's no other (later) use of the value it holds. No difference in generated code. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/pv/emul-gate-op.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index d0f7f06e01..05262a983a 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -287,7 +287,6 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) { unsigned int ss, esp, *stkp; uint32_t value; - int rc; #define push(item) do \ { \ value = (item); \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 08:33:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 08:33:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325881.1591232 (Exim 4.92) (envelope-from ) id 1wUh2b-0008C5-4V; Wed, 03 Jun 2026 08:33:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325881.1591232; Wed, 03 Jun 2026 08:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2b-0008Bu-0e; Wed, 03 Jun 2026 08:33:33 +0000 Received: by outflank-mailman (input) for mailman id 1325881; Wed, 03 Jun 2026 08:33:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUh2Z-0008Bn-QO for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUh2Z-004xLM-2X for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUh2Z-00BYM7-2N for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 08:33:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SGS5kKS9LvPLdCygHEFWjlunKqYW41IoRBkUPWxPIg4=; b=enWZ+g2UMU1CJ//NKdAk3BO2rm Ues+EIcSW0R3JxN4DkpH9AIhlrlin75OKXHWVWZ/lCJ911emUdUjt0lHA/5YqxQOkLdqh/iVc0wgc 4Hu73lvFJvtxzmz+gIigAE1ATvp5IfIMH4RF+bWgvH3HCSdiH0RMpbfxWerj+HJeN8f4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/efi: Use blexit() instead of BUG_ON() in read_file() Message-Id: Date: Wed, 03 Jun 2026 08:33:31 +0000 commit 7e11543c53396ea2e59320127573bf4151fae008 Author: Szymon Acedański AuthorDate: Wed Jun 3 08:17:56 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 08:17:56 2026 +0200 xen/efi: Use blexit() instead of BUG_ON() in read_file() Follow-up to 880e40b187aa, which added a BUG_ON() guard in read_file(). But as Jan pointed out, before ExitBootServices BUG_ON() is not functional. It results in a hang with no message. On the other hand blexit() prints a message and returns back to the bootloader. Fixes: 880e40b187aa ("xen/efi: Fix boot from a device without a file system") Reported-by: Jan Beulich Signed-off-by: Szymon Acedański Reviewed-by: Jan Beulich Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/common/efi/boot.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index 2971ea8696..8f24df9bc2 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -849,7 +849,8 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, CHAR16 *name, if ( !name ) PrintErrMesg(L"No filename", EFI_OUT_OF_RESOURCES); - BUG_ON(!dir_handle); + if ( !dir_handle ) + blexit(L"BUG: !dir_handle in read_file()"); what = L"Open"; ret = dir_handle->Open(dir_handle, &FileHandle, name, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:33:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:33:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325963.1591333 (Exim 4.92) (envelope-from ) id 1wUhyB-0005EU-1P; Wed, 03 Jun 2026 09:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325963.1591333; Wed, 03 Jun 2026 09:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUhyA-0005EM-Uw; Wed, 03 Jun 2026 09:33:02 +0000 Received: by outflank-mailman (input) for mailman id 1325963; Wed, 03 Jun 2026 09:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUhy9-0005EG-Qn for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUhy9-004zBW-2E for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUhy9-00BwXS-21 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9kuAGvNnHXLetoZXVRQxEkSVhjR+3iCYJ7AoknmxNoY=; b=3MRCQeHw/F85j0Z0pmP2G6KHgG e/8o6qmv0a4VH5i64/ZAxC1n+K4Zdu8lBHmGS14YsCqtpTCfkSKAS4Sev9tym0Mq+FlqtbdAhJCfd wJp6qqhc+8Jy47Nq0+6V5xU3+pKhHgEIZNbyvh2XP1+ee/hwLaFvFkOEl0XMa6S7yyxM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/shadow: Deviate multi.h as being included multiple times Message-Id: Date: Wed, 03 Jun 2026 09:33:01 +0000 commit 9d67c78690538437390260cc5d7fd9b71f0a64d3 Author: Andrew Cooper AuthorDate: Fri Dec 12 19:15:53 2025 +0000 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:23:21 2026 +0100 x86/shadow: Deviate multi.h as being included multiple times Use a SAF-8 marker. This addresses a MISRA D4.10 violation. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/mm/shadow/multi.h | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/arch/x86/mm/shadow/multi.h b/xen/arch/x86/mm/shadow/multi.h index fc86d7a8d9..3f2562d25e 100644 --- a/xen/arch/x86/mm/shadow/multi.h +++ b/xen/arch/x86/mm/shadow/multi.h @@ -8,6 +8,7 @@ * Parts based on earlier work by Michael A Fetterman, Ian Pratt et al. */ +/* SAF-8-safe inclusion procedure left to caller */ extern int SHADOW_INTERNAL_NAME(sh_map_and_validate_gl1e, GUEST_LEVELS)( struct vcpu *v, mfn_t gl1mfn, void *new_gl1p, u32 size); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:33:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1325964.1591338 (Exim 4.92) (envelope-from ) id 1wUhyL-0005GE-3R; Wed, 03 Jun 2026 09:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1325964.1591338; Wed, 03 Jun 2026 09:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUhyL-0005G5-0B; Wed, 03 Jun 2026 09:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1325964; Wed, 03 Jun 2026 09:33:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUhyJ-0005Fn-Qg for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUhyJ-004zBs-2W for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUhyJ-00Bwdz-2O for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=y2wVxgC6aQQL+iZ3k5+iKveZHLtpGWMG8xpe7f7hBhE=; b=wj8eGKQoKKq6o3ggFP0g2c2jZX sm0FecKquiBpiYpkgqTok2ZIzD1FgVlrRdMn0HLB06cWy7FxPZvANEE7U0alR0x7yVQlVtpwlagzv Dp9PB/tvoqGxeNCbiQ+MxIGgR22MF4M8E9BAAk+rFBBJj2laYTvyTlV4VI/UPff30tkk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Mark eclair-x86_64-allcode as blocking now that it's clean Message-Id: Date: Wed, 03 Jun 2026 09:33:11 +0000 commit 0b03d963730b4c3df5b4583c054e2cd0d99758c2 Author: Andrew Cooper AuthorDate: Tue Jun 2 16:51:24 2026 +0100 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:23:21 2026 +0100 CI: Mark eclair-x86_64-allcode as blocking now that it's clean Signed-off-by: Andrew Cooper Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/analyze.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/automation/gitlab-ci/analyze.yaml b/automation/gitlab-ci/analyze.yaml index 55c42e3f84..3f7532ee1d 100644 --- a/automation/gitlab-ci/analyze.yaml +++ b/automation/gitlab-ci/analyze.yaml @@ -63,7 +63,6 @@ eclair-x86_64-allcode: CONFIG_XEN_GUEST=y CONFIG_XHCI=y CONFIG_XSM=y - allow_failure: true eclair-x86_64-testing: extends: eclair-x86_64-allcode -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326008.1591395 (Exim 4.92) (envelope-from ) id 1wUiJT-0002fd-1I; Wed, 03 Jun 2026 09:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326008.1591395; Wed, 03 Jun 2026 09:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJS-0002fV-Ut; Wed, 03 Jun 2026 09:55:02 +0000 Received: by outflank-mailman (input) for mailman id 1326008; Wed, 03 Jun 2026 09:55:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJR-0002fN-TZ for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiJR-004zqY-2k for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiJR-00C6AI-2a for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CYzdSt7TwFyCDrrpjHsEXBg8+gV4aDocqJH4xfcnnRI=; b=T1qwTRQH8vwbCsk3d5ehRIMjTJ UtGJ6BLD2bkwyBxODyqTxXbuwbKgsM4FF4UkEhOYXZ139V5jhMGghY3Vtw18xSFS3h6yhux+WS56x JkD5dmgzNRky+ycTI74MsGqTwDxbKSEUJ1N8ECupOuo8k4kpD1CA8aBSWGvY2WfV9W3Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/fred: Enable FRED by default on AMD systems Message-Id: Date: Wed, 03 Jun 2026 09:55:01 +0000 commit 286059a3bbc747943aa5496fbbc46ce38b166b46 Author: Andrew Cooper AuthorDate: Sun May 25 02:05:15 2025 +0100 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:48:49 2026 +0100 x86/fred: Enable FRED by default on AMD systems FRED is now believed to be complete for AMD systems, and has had its tyres kicked by both XenServer and AMD. Enable FRED by default on capable AMD systems (Zen6 and later). Support on Intel is still not yet complete. Leave it as tech preview and not security supported. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- docs/misc/xen-command-line.pandoc | 9 +++++---- xen/arch/x86/traps-setup.c | 4 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index ef3c737189..93c2a73f4a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1259,12 +1259,13 @@ does not provide `VM_ENTRY_LOAD_GUEST_PAT`. ### fred (x86) > `= ` -> Default: `false` +> Default: `true` on AMD, `false` otherwise Flexible Return and Event Delivery is an overhaul of interrupt, exception and -system call handling, fixing many corner cases in the x86 architecture, and -expected in hardware from 2025. Support in Xen is a work in progress and -disabled by default. +system call handling, fixing many corner cases in the x86 architecture, and is +available on Intel Panther Lake and Diamond Rapids CPUs, and AMD Zen6 CPUs. +FRED is fully supported on AMD hardware. On Intel hardware it is still tech +preview, and in particular not security supported. ### gnttab > `= List of [ max-ver:, transitive=, transfer= ]` diff --git a/xen/arch/x86/traps-setup.c b/xen/arch/x86/traps-setup.c index ccbd53fd9d..a79a3b2013 100644 --- a/xen/arch/x86/traps-setup.c +++ b/xen/arch/x86/traps-setup.c @@ -22,7 +22,7 @@ unsigned int __ro_after_init ler_msr; static bool __initdata opt_ler; boolean_param("ler", opt_ler); -int8_t __ro_after_init opt_fred = 0; +int8_t __ro_after_init opt_fred = -1; boolean_param("fred", opt_fred); void nocall entry_PF(void); @@ -392,7 +392,7 @@ void __init traps_init(void) } if ( opt_fred == -1 ) - opt_fred = !pv_shim; + opt_fred = (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && !pv_shim; if ( opt_fred ) { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326009.1591399 (Exim 4.92) (envelope-from ) id 1wUiJd-0002ha-2t; Wed, 03 Jun 2026 09:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326009.1591399; Wed, 03 Jun 2026 09:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJd-0002hS-01; Wed, 03 Jun 2026 09:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1326009; Wed, 03 Jun 2026 09:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJc-0002hK-BP for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiJc-004zuC-12 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiJc-00C6FR-0u for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bpWqqDFN8nTCcaNAKyHp5rLn3UCZoBicLTCZNyGlleM=; b=AtqHQ3HMFMkzM/tv0hQr2gpS4L ZkK/BFQT6KRN8FL9o+tpxCPTDSihIMxHXPLOdnRujfjaS/j7uwDBDu9ZoPV2XqwiYBHhMjyQzJ0P+ Gm1iCwM86Y5KcAfb6FVdCCUOxMQzBtePm8+myNpeCsBi6x4ENKyyV68KWuQyd7xTlX7Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/svm: Add Enumerations for the SVM virtual NMI Message-Id: Date: Wed, 03 Jun 2026 09:55:12 +0000 commit 02bcb4ece75a659636524777480d54f55d4bc1dd Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:36:14 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:14 2026 +0200 x86/svm: Add Enumerations for the SVM virtual NMI Introduce the cpuid bit for the SVM vNMI feature support for the x86\AMD platforms. The feature support is indicated by the CPUID Fn8000_000A_EDX[25] = 1. Add defines for the three SVM's Virtual NMI (vNMI) managements bits in the VMCB structure's vintr_t: vintr_t(11) - Virtual NMI is pending. vintr_t(12) - Virtual NMI is masked. vintr_t(26) - Enable NMI virtualization. Signed-off-by: Abdelkareem Abdelsaamad Reviewed-by: Teddy Astie Acked-by: Jan Beulich master commit: 0294292b4ca6d90e18cb66912d18b88576dd2733 master date: 2026-02-23 08:41:32 +0100 --- xen/arch/x86/include/asm/hvm/svm/svm.h | 2 ++ xen/arch/x86/include/asm/hvm/svm/vmcb.h | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/hvm/svm/svm.h b/xen/arch/x86/include/asm/hvm/svm/svm.h index 4eeeb25da9..eb6fe3e993 100644 --- a/xen/arch/x86/include/asm/hvm/svm/svm.h +++ b/xen/arch/x86/include/asm/hvm/svm/svm.h @@ -37,6 +37,7 @@ extern u32 svm_feature_flags; #define SVM_FEATURE_VGIF 16 /* Virtual GIF */ #define SVM_FEATURE_SSS 19 /* NPT Supervisor Shadow Stacks */ #define SVM_FEATURE_SPEC_CTRL 20 /* MSR_SPEC_CTRL virtualisation */ +#define SVM_FEATURE_VNMI 25 /* Virtual NMI */ static inline bool cpu_has_svm_feature(unsigned int feat) { @@ -56,5 +57,6 @@ static inline bool cpu_has_svm_feature(unsigned int feat) #define cpu_has_svm_vloadsave cpu_has_svm_feature(SVM_FEATURE_VLOADSAVE) #define cpu_has_svm_sss cpu_has_svm_feature(SVM_FEATURE_SSS) #define cpu_has_svm_spec_ctrl cpu_has_svm_feature(SVM_FEATURE_SPEC_CTRL) +#define cpu_has_svm_vnmi cpu_has_svm_feature(SVM_FEATURE_VNMI) #endif /* __ASM_X86_HVM_SVM_H__ */ diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 28f715e376..78bc0a8075 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -338,13 +338,17 @@ typedef union u64 tpr: 8; u64 irq: 1; u64 vgif: 1; - u64 rsvd0: 6; + u64 : 1; + u64 vnmi_pending: 1; + u64 vnmi_blocking:1; + u64 : 3; u64 prio: 4; u64 ign_tpr: 1; u64 rsvd1: 3; u64 intr_masking: 1; u64 vgif_enable: 1; - u64 rsvd2: 6; + u64 vnmi_enable: 1; + u64 : 5; u64 vector: 8; u64 rsvd3: 24; } fields; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326010.1591403 (Exim 4.92) (envelope-from ) id 1wUiJn-0002k1-3w; Wed, 03 Jun 2026 09:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326010.1591403; Wed, 03 Jun 2026 09:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJn-0002jt-1Q; Wed, 03 Jun 2026 09:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1326010; Wed, 03 Jun 2026 09:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJm-0002jn-F7 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiJm-004zuf-1O for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiJm-00C6K3-1D for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NS9MO3IRcctBEZ1cbMlqkF+y6gmNkK4MWuPlB/R0dPw=; b=nKTiaSUrcYaagU+nNAI8ttxzO8 fD6Tw8XkmjPetPoyBaBRcTvT3Wf31zK5NaXXZAtdQdstON4cIfdtkls0Bjy3ZwOgsOrO93m3RU85+ Ot36NAExXFpYX8Vg+LVbmX22OHtRHMOP4/KA6olU7gYHlSlTwAvmHpGACuwx9i/A1gfA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] docs: Update console=pv requirement Message-Id: Date: Wed, 03 Jun 2026 09:55:22 +0000 commit 3928945562505ebb0f7af525b4b3c01087e74d39 Author: Teddy Astie AuthorDate: Wed Jun 3 11:36:46 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:46 2026 +0200 docs: Update console=pv requirement PV console doesn't require Xen to be running as a shim and only requires CONFIG_XEN_GUEST and running as a Xen guest. Update the documentation accordingly. Fixes: 4f6609d6a665 ("x86/guest: use PV console for Xen/Dom0 I/O") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper master commit: f47c2e96ab9b61debe18fc0c52faa1672a5d24f9 master date: 2026-05-21 09:13:42 +0200 --- docs/misc/xen-command-line.pandoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 34004ce282..9607aa77d4 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -446,8 +446,9 @@ the converse; transmitted and received characters will have their MSB cleared. This allows a single port to be shared by two subsystems (e.g. console and debugger). -`pv` indicates that Xen should use Xen's PV console. This option is -only available when used together with `pv-in-pvh`. +`pv` indicates that Xen should use Xen's PV console. This option requires +Xen running as a Xen guest. and is only available if the hypervisor was +compiled with `CONFIG_XEN_GUEST` enabled. `dbgp` or `ehci` indicates that Xen should use a USB2 debug port. -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326011.1591407 (Exim 4.92) (envelope-from ) id 1wUiJx-0002m9-5B; Wed, 03 Jun 2026 09:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326011.1591407; Wed, 03 Jun 2026 09:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJx-0002m2-2g; Wed, 03 Jun 2026 09:55:33 +0000 Received: by outflank-mailman (input) for mailman id 1326011; Wed, 03 Jun 2026 09:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiJw-0002lw-Hv for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiJw-004zuv-1h for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiJw-00C6PI-1a for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rdjGA2+EGph6vtJuXQ73B23eilctec1PwS6VlptbDz4=; b=zXDA25VHI8FLpFn02wHw48RziZ vv/clbhzeemc5vW5xZF4mblJX7Ri6mVy8cXSPbRwWTqWGsyyXk3mMX3CCY1u5Ua6ofPfedu8HUHl7 6YU0vSmXKVXnrxcUkZ8rseZZrYaSKpUkKy9662tm1McVM07ge311aSJ3kMMyXQ5uveGU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/svm: Support vNMI on capable hardware Message-Id: Date: Wed, 03 Jun 2026 09:55:32 +0000 commit 4d6e6ed0164672f6d18e5cf827a1abe91ec2f948 Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:36:55 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:55 2026 +0200 x86/svm: Support vNMI on capable hardware Starting with Zen4, AMD CPUs can virtualise NMIs for a guest. On older hardware, determining when an NMI is safe to deliver is a challenge and Xen does not handle all corner cases correctly. With vNMI, there is an enablement bit and two new bits of state in the VMCB; a pending bit, and a blocked bit. These directly map to the CPU state for handling NMIs, and are maintained by hardware during the running of the vCPU. When vNMI is enabled, have svm_{get,set}_interrupt_shadow() work in terms of the vnmi_blocking bit rather than the IRET intercept. This allows an emulated IRET instruction to re-enable NMIs. When injecting a new NMI, simply set the vnmi_pending bit; hardware will deliver the NMI to the guest at the next suitable juncture. One complication is that, when delivering a second NMI before the first has completed, the mix between common HVM logic and SVM specific logic will try to open an NMI window, malfunctioning as it does so. When vNMI is enabled, short circuit this to not consider NMIs blocked. Signed-off-by: Abdelkareem Abdelsaamad Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 86a203ab8d38f3bae19219980c2a37d091a8f7aa master date: 2026-05-21 16:43:01 +0100 --- xen/arch/x86/hvm/svm/intr.c | 19 +++++++++++++++++++ xen/arch/x86/hvm/svm/svm.c | 23 +++++++++++++++++------ xen/arch/x86/hvm/svm/vmcb.c | 2 ++ 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/hvm/svm/intr.c b/xen/arch/x86/hvm/svm/intr.c index 46186a1102..caeeb76a28 100644 --- a/xen/arch/x86/hvm/svm/intr.c +++ b/xen/arch/x86/hvm/svm/intr.c @@ -33,6 +33,12 @@ static void svm_inject_nmi(struct vcpu *v) u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); intinfo_t event; + if ( vmcb->_vintr.fields.vnmi_enable ) + { + vmcb->_vintr.fields.vnmi_pending = true; + return; + } + event.raw = 0; event.v = true; event.type = X86_ET_NMI; @@ -142,6 +148,19 @@ void asmlinkage svm_intr_assist(void) return; intblk = hvm_interrupt_blocked(v, intack); + + /* + * When vNMI is active, NMIs can be injected by setting vnmi_pending + * and hardware will deliver them at the next appropriate opportunity. + * Consider them not blocked, to avoid trying to open an NMI Window. + * + * Correctness here relies on the fact that all vNMI capable hardware + * has vGIF, and vGIF is always activated when appropriate. + */ + if ( intblk == hvm_intblk_nmi_iret && + vmcb->_vintr.fields.vnmi_enable ) + intblk = hvm_intblk_none; + if ( intblk == hvm_intblk_svm_gif ) { ASSERT(nestedhvm_enabled(v->domain)); diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 90bff72687..b85686e387 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -547,7 +547,9 @@ static unsigned cf_check int svm_get_interrupt_shadow(struct vcpu *v) if ( vmcb->int_stat.intr_shadow ) intr_shadow |= HVM_INTR_SHADOW_MOV_SS | HVM_INTR_SHADOW_STI; - if ( vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET ) + if ( vmcb->_vintr.fields.vnmi_enable + ? vmcb->_vintr.fields.vnmi_blocking + : (vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET) ) intr_shadow |= HVM_INTR_SHADOW_NMI; return intr_shadow; @@ -557,15 +559,23 @@ static void cf_check svm_set_interrupt_shadow( struct vcpu *v, unsigned int intr_shadow) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; - u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); + bool block_nmi = intr_shadow & HVM_INTR_SHADOW_NMI; vmcb->int_stat.intr_shadow = !!(intr_shadow & (HVM_INTR_SHADOW_MOV_SS|HVM_INTR_SHADOW_STI)); - general1_intercepts &= ~GENERAL1_INTERCEPT_IRET; - if ( intr_shadow & HVM_INTR_SHADOW_NMI ) - general1_intercepts |= GENERAL1_INTERCEPT_IRET; - vmcb_set_general1_intercepts(vmcb, general1_intercepts); + if ( vmcb->_vintr.fields.vnmi_enable ) + vmcb->_vintr.fields.vnmi_blocking = block_nmi; + else + { + uint32_t gen1 = vmcb_get_general1_intercepts(vmcb); + + gen1 &= ~GENERAL1_INTERCEPT_IRET; + if ( block_nmi ) + gen1 |= GENERAL1_INTERCEPT_IRET; + + vmcb_set_general1_intercepts(vmcb, gen1); + } } static int cf_check svm_guest_x86_mode(struct vcpu *v) @@ -2534,6 +2544,7 @@ const struct hvm_function_table * __init start_svm(void) P(cpu_has_tsc_ratio, "TSC Rate MSR"); P(cpu_has_svm_sss, "NPT Supervisor Shadow Stack"); P(cpu_has_svm_spec_ctrl, "MSR_SPEC_CTRL virtualisation"); + P(cpu_has_svm_vnmi, "Virtual NMI"); #undef P if ( !printed ) diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index c57d314a24..d1227a256c 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -176,6 +176,8 @@ static int construct_vmcb(struct vcpu *v) if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; + vmcb->_vintr.fields.vnmi_enable = cpu_has_svm_vnmi; + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326012.1591411 (Exim 4.92) (envelope-from ) id 1wUiK8-0002oe-7K; Wed, 03 Jun 2026 09:55:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326012.1591411; Wed, 03 Jun 2026 09:55:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiK8-0002oW-4S; Wed, 03 Jun 2026 09:55:44 +0000 Received: by outflank-mailman (input) for mailman id 1326012; Wed, 03 Jun 2026 09:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiK6-0002oK-Kx for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiK6-004zv8-20 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiK6-00C6X1-1s for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DSQIhRVDZIb22VUPhzG2VhPFnkhwaukZ/JQCW9V73oI=; b=Qve+YNs+Di7boKjmbPSVirtF2b 9E6Rj85kOPAxbBN9rR/4H4rqJD5wC7Lf1VcshpC7vefRNWYQNbWbmWMDqItOBRmCbOnid69zTSITW 365Sqysll9QyE4WTpDaznA5xozXcwp5TbMbhiEeHiOiydxQRXb9C6tMJWYUcRtcfsLvM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/gnttab: Fix TOCTOU race in gnttab_set_version() Message-Id: Date: Wed, 03 Jun 2026 09:55:42 +0000 commit 04db4dc2a2ce05063b872eb3cf95c2401c44a9f0 Author: Alejandro Vallejo AuthorDate: Wed Jun 3 11:37:15 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:37:15 2026 +0200 xen/gnttab: Fix TOCTOU race in gnttab_set_version() Move first read of gt->gt_version inside the critical region of the rwlock, otherwise concurrent gnttab operations (silly as they would be) may get mutually confused as to the actual current version. Fixes: c1488502c949("grant-tables: do not fail attempts to...") Reported-by: Oleksandr Tyshchenko Signed-off-by: Alejandro Vallejo Reviewed-by: Jan Beulich master commit: c0e548d9206b3a281f9d30a2670be543fb383223 master date: 2026-05-22 13:32:44 +0200 --- xen/common/grant_table.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index f9e4bffdb1..5e09027821 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -3185,11 +3185,12 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop) if ( op.version == 2 && gt->max_version == 1 ) goto out; /* Behave as before set_version was introduced. */ + grant_write_lock(gt); + res = 0; if ( gt->gt_version == op.version ) - goto out; + goto out_unlock; - grant_write_lock(gt); /* * Make sure that the grant table isn't currently in use when we * change the version number, except for the first 8 entries which -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:55:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:55:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326015.1591415 (Exim 4.92) (envelope-from ) id 1wUiKI-0002rE-9h; Wed, 03 Jun 2026 09:55:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326015.1591415; Wed, 03 Jun 2026 09:55:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKI-0002r6-74; Wed, 03 Jun 2026 09:55:54 +0000 Received: by outflank-mailman (input) for mailman id 1326015; Wed, 03 Jun 2026 09:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKG-0002qz-O3 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiKG-004zvL-2G for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiKG-00C6bF-2A for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qLFby7m7LIVsAoe5j/zTzXsyqgHiHCrDd7MjKO28bmw=; b=ZcDCMbuoibhWpyvqu434OeM1St c6NRwNG1a9SJMVMKzNLCLbEvS1msWf1RLhgstzjmQ2BuzK8+zgAJ71mN2yspOfoHKP/fdJgo7tG7Y IxpL0Diwr2mLJKqrQlJ0pdfEQxcL+cFH6IZcMSnSmc2PgCe5C+0mpU+xFSJyB2DN8V9I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/pv32: Fix bogus CR2 in pagefault for gate emulation Message-Id: Date: Wed, 03 Jun 2026 09:55:52 +0000 commit 647e362ad170708e6d7b53d0725cd3e30fb94d84 Author: Teddy Astie AuthorDate: Wed Jun 3 11:37:32 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:37:32 2026 +0200 x86/pv32: Fix bogus CR2 in pagefault for gate emulation __{put,get}_guest() returns -EFAULT on access faults which causes the injected CR2 to be off by 14 bytes (as EFAULT is 14) which is incorrect. Fix the computation by relying on __copy_{from,to}_guest_pv() which reports the number of remaining bytes instead of a negative errno, such that we can compute the offset properly. Fixes: 70ad570b2799 ("x86/64: paravirt 32-on-64 call gate support") Signed-off-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 03878fba4af14fab942c2ce8ed2d6d18c204a603 master date: 2026-05-22 14:33:44 +0100 --- xen/arch/x86/pv/emul-gate-op.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index dcac0a0401..1fcab1f3a3 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -284,12 +284,14 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) if ( !jump ) { unsigned int ss, esp, *stkp; + uint32_t value; int rc; #define push(item) do \ { \ + value = (item); \ --stkp; \ esp -= 4; \ - rc = __put_guest(item, stkp); \ + rc = __copy_to_guest_pv(stkp, &value, sizeof(value)); \ if ( rc ) \ { \ pv_inject_page_fault(PFEC_write_access, \ @@ -357,7 +359,7 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) unsigned int parm; --ustkp; - rc = __get_guest(parm, ustkp); + rc = __copy_from_guest_pv(&parm, ustkp, sizeof(parm)); if ( rc ) { pv_inject_page_fault(0, (unsigned long)(ustkp + 1) - rc); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326017.1591419 (Exim 4.92) (envelope-from ) id 1wUiKS-0002tN-B6; Wed, 03 Jun 2026 09:56:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326017.1591419; Wed, 03 Jun 2026 09:56:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKS-0002tF-8X; Wed, 03 Jun 2026 09:56:04 +0000 Received: by outflank-mailman (input) for mailman id 1326017; Wed, 03 Jun 2026 09:56:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKQ-0002t7-RO for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiKQ-004zvi-2b for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiKQ-00C6gI-2R for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BcSTiN56itOUdmLsL3db3J1EjIDx3KbxUTlr2jl2yFE=; b=IG//jZcIzjsZO2lkRAFQ4sl1hR RsAOWhOUBt/d+KjfqEscpQp2jERwoWzJfom+6G8Mk4+bByaklCnYPVgSg8MR6o1la6Qy6OJ0oZyOl JHgCYfJ4JeuuILDNmECw29GhobVzJ9E35kcFl/1kR64h+TfH5NrVzC427l/DK8rOiNw4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/pv: Provide better SYSCALL backwards compatibility in FRED mode Message-Id: Date: Wed, 03 Jun 2026 09:56:02 +0000 commit 9a0327bf537bdc1db559504e4a936108a28bd565 Author: Andrew Cooper AuthorDate: Wed Jun 3 11:38:18 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:38:18 2026 +0200 x86/pv: Provide better SYSCALL backwards compatibility in FRED mode In FRED mode, the SYSCALL instruction does not modify %rcx/%r11. All current software using SYSCALL expects the pre-FRED behaviour and spills %rcx/%r11 around the invocation, which is why FRED not doing this goes largely unnoticed. However, consider the following migration scenario: * VM suspends. Hypercall, so SYSCALL, %rcx/%r11 left unmodified * VM moves to a non-FRED system * Xen resumes the VM with a real SYSRET instruction Instead of resuming at the instruction following the SYSCALL instruction, the VM is resumed at whatever dead value was in %rcx. In FRED mode, manually adjust %rcx/%r11 when SYSCALL is used and when SYSRET would have been used. Regarding the choice of instructions in eretu_exit_to_guest(), a branch would be a context dependent 50/50 split (i.e. increased chance of mispredict), and only saves one instruction. The CMOVs read the same cacheline that ERETU is about to process, so are as close to free as we can reasonably get. Fixes: 76193ef47d91 ("x86/pv: System call handling in FRED mode") Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: c5a4b9125bed42d1947a48058119cd335294164b master date: 2026-05-28 16:19:16 +0100 --- xen/arch/x86/traps.c | 2 ++ xen/arch/x86/x86_64/entry-fred.S | 12 +++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 85d835ab43..9fdb08ce1a 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2409,6 +2409,8 @@ void asmlinkage entry_from_pv(struct cpu_user_regs *regs) regs->ssx = l ? FLAT_KERNEL_SS : FLAT_USER_SS32; regs->csx = l ? FLAT_KERNEL_CS64 : FLAT_USER_CS32; + regs->rcx = regs->rip; + regs->r11 = regs->rflags; if ( guest_kernel_mode(curr, regs) ) pv_hypercall(regs); diff --git a/xen/arch/x86/x86_64/entry-fred.S b/xen/arch/x86/x86_64/entry-fred.S index 2fa57beb93..e9c84423da 100644 --- a/xen/arch/x86/x86_64/entry-fred.S +++ b/xen/arch/x86/x86_64/entry-fred.S @@ -4,6 +4,7 @@ #include #include +#include .section .text.entry, "ax", @progbits @@ -26,7 +27,16 @@ FUNC(entry_FRED_R3, 4096) END(entry_FRED_R3) FUNC(eretu_exit_to_guest) - POP_GPRS + /* + * PV guests aren't aware of FRED. If Xen in IDT mode would have used + * a SYSRET instruction, preserve the legacy behaviour for %rcx/%r11 + */ + testb $TRAP_syscall >> 8, UREGS_entry_vector + 1(%rsp) + + POP_GPRS /* Preserves flags */ + + cmovnz EFRAME_rip(%rsp), %rcx + cmovnz EFRAME_eflags(%rsp), %r11 /* * Exceptions here are handled by redirecting either to -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326018.1591423 (Exim 4.92) (envelope-from ) id 1wUiKc-0002vH-CY; Wed, 03 Jun 2026 09:56:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326018.1591423; Wed, 03 Jun 2026 09:56:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKc-0002v9-9s; Wed, 03 Jun 2026 09:56:14 +0000 Received: by outflank-mailman (input) for mailman id 1326018; Wed, 03 Jun 2026 09:56:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKa-0002v3-U5 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiKa-004zvs-2u for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiKa-00C6l8-2m for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Y7wPUc7M6X1Rqk0vdh0ZV46k1R0XdJcMtKNKbK+TLPI=; b=r4ckSFFgMrHFYAAVifWbi/qzCl rDlMffsUPsM4/Nwg7LVecbOL5ZgHqwjnawzvYWQH9SoiD/pIdi1pwc+VZ0pEhfcYpE+WtTvvj0Afj 4Kio9hBsZ9Fxx4SbJ15EBf/3h080cufvI8D3aD6m0f07L34nW0bWm9owlrO3fGsTK11I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/efi: Fix boot from a device without a file system Message-Id: Date: Wed, 03 Jun 2026 09:56:12 +0000 commit 4989714420c9ed7a85b9d5d50199dcc8bf288bb5 Author: Szymon Acedański AuthorDate: Wed Jun 3 11:38:50 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:38:50 2026 +0200 xen/efi: Fix boot from a device without a file system When netbooting a unified Xen kernel image (via GRUB chainloader), the resulting loaded_image->DeviceHandle does not support SIMPLE_FILE_SYSTEM_PROTOCOL. Instead of crashing via noreturn PrintErrMesg() in get_parent_handle(), we defer calling this function until filesystem access is needed. This way when booting UKI, get_parent_handle() is not called at all. Suggested-by: Andrew Cooper Suggested-by: Marek Marczykowski-Górecki Signed-off-by: Szymon Acedański Acked-by: Marek Marczykowski-Górecki xen/efi: Use blexit() instead of BUG_ON() in read_file() Follow-up to 880e40b187aa, which added a BUG_ON() guard in read_file(). But as Jan pointed out, before ExitBootServices BUG_ON() is not functional. It results in a hang with no message. On the other hand blexit() prints a message and returns back to the bootloader. Fixes: 880e40b187aa ("xen/efi: Fix boot from a device without a file system") Reported-by: Jan Beulich Signed-off-by: Szymon Acedański Reviewed-by: Jan Beulich Acked-by: Marek Marczykowski-Górecki master commit: 880e40b187aa7c50cb32b20498aeed622f0062c7 master date: 2026-05-28 16:19:16 +0100 master commit: 7e11543c53396ea2e59320127573bf4151fae008 master date: 2026-06-03 08:17:56 +0200 --- xen/arch/arm/efi/efi-boot.h | 12 ++++---- xen/arch/x86/efi/efi-boot.h | 9 ++++-- xen/common/efi/boot.c | 67 ++++++++++++++++++++++++++++----------------- 3 files changed, 55 insertions(+), 33 deletions(-) diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h index 7844b9529e..6bddae0f94 100644 --- a/xen/arch/arm/efi/efi-boot.h +++ b/xen/arch/arm/efi/efi-boot.h @@ -403,7 +403,7 @@ static void __init noreturn efi_arch_post_exit_boot(void) } static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { union string name; @@ -419,8 +419,11 @@ static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, name.s = get_value(&cfg, section, "dtb"); if ( name.s ) { + CHAR16 *fname; + split_string(name.s); - read_file(dir_handle, s2w(&name), &dtbfile, NULL); + ensure_dir_handle(image, dir_handle, &fname); + read_file(*dir_handle, s2w(&name), &dtbfile, NULL); efi_bs->FreePool(name.w); } } @@ -430,7 +433,7 @@ static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, } static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { } @@ -665,8 +668,7 @@ static int __init allocate_module_file(const EFI_LOADED_IMAGE *loaded_image, file_info->name_len = name_len; /* Get the file system interface. */ - if ( !*dir_handle ) - *dir_handle = get_parent_handle(loaded_image, &fname); + ensure_dir_handle(loaded_image, dir_handle, &fname); /* Load the binary in memory */ read_file(*dir_handle, s2w(&module_name), &module_binary, NULL); diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h index 0194720003..38fd68676f 100644 --- a/xen/arch/x86/efi/efi-boot.h +++ b/xen/arch/x86/efi/efi-boot.h @@ -284,13 +284,13 @@ static void __init noreturn efi_arch_post_exit_boot(void) } static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { } static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { union string name; @@ -303,9 +303,12 @@ static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, name.s = get_value(&cfg, "global", "ucode"); if ( name.s ) { + CHAR16 *fname; + microcode_set_module(mbi.mods_count); split_string(name.s); - read_file(dir_handle, s2w(&name), &ucode, NULL); + ensure_dir_handle(image, dir_handle, &fname); + read_file(*dir_handle, s2w(&name), &ucode, NULL); efi_bs->FreePool(name.w); } } diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index 99d507d1f6..b3df99fc8d 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -547,6 +547,17 @@ static EFI_FILE_HANDLE __init get_parent_handle(const EFI_LOADED_IMAGE *loaded_i return dir_handle; } +static void __init ensure_dir_handle(const EFI_LOADED_IMAGE *loaded_image, + EFI_FILE_HANDLE *dir_handle, + CHAR16 **file_name) +{ + if ( *dir_handle ) + return; + *dir_handle = get_parent_handle(loaded_image, file_name); + if ( !*dir_handle ) + blexit(L"Cannot load files without a usable file system"); +} + static CHAR16 *__init point_tail(CHAR16 *fn) { CHAR16 *tail = NULL; @@ -813,12 +824,12 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, CHAR16 *name, if ( !name ) PrintErrMesg(L"No filename", EFI_OUT_OF_RESOURCES); + if ( !dir_handle ) + blexit(L"BUG: !dir_handle in read_file()"); + what = L"Open"; - if ( dir_handle ) - ret = dir_handle->Open(dir_handle, &FileHandle, name, - EFI_FILE_MODE_READ, 0); - else - ret = EFI_NOT_FOUND; + ret = dir_handle->Open(dir_handle, &FileHandle, name, + EFI_FILE_MODE_READ, 0); if ( file == &cfg && ret == EFI_NOT_FOUND ) return false; if ( EFI_ERROR(ret) ) @@ -1514,7 +1525,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, if ( use_cfg_file ) { - EFI_FILE_HANDLE dir_handle; + EFI_FILE_HANDLE dir_handle = NULL; EFI_HANDLE gop_handle; UINTN depth, cols, rows; @@ -1526,31 +1537,33 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, gop = efi_get_gop(&gop_handle); - /* Get the file system interface. */ - dir_handle = get_parent_handle(loaded_image, &file_name); - /* Read and parse the config file. */ if ( read_section(loaded_image, L"config", &cfg, NULL) ) PrintStr(L"Using builtin config file\r\n"); - else if ( !cfg_file_name && file_name ) + else { - CHAR16 *tail; + ensure_dir_handle(loaded_image, &dir_handle, &file_name); - while ( (tail = point_tail(file_name)) != NULL ) + if ( !cfg_file_name ) { - wstrcpy(tail, L".cfg"); - if ( read_file(dir_handle, file_name, &cfg, NULL) ) - break; - *tail = 0; + CHAR16 *tail; + + while ( (tail = point_tail(file_name)) != NULL ) + { + wstrcpy(tail, L".cfg"); + if ( read_file(dir_handle, file_name, &cfg, NULL) ) + break; + *tail = 0; + } + if ( !tail ) + blexit(L"No configuration file found."); + PrintStr(L"Using configuration file '"); + PrintStr(file_name); + PrintStr(L"'\r\n"); } - if ( !tail ) - blexit(L"No configuration file found."); - PrintStr(L"Using configuration file '"); - PrintStr(file_name); - PrintStr(L"'\r\n"); + else if ( !read_file(dir_handle, cfg_file_name, &cfg, NULL) ) + blexit(L"Configuration file not found."); } - else if ( !read_file(dir_handle, cfg_file_name, &cfg, NULL) ) - blexit(L"Configuration file not found."); pre_parse(&cfg); if ( section.w ) @@ -1567,6 +1580,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, if ( !name.s ) break; free_cfg(); + ensure_dir_handle(loaded_image, &dir_handle, &file_name); if ( !read_file(dir_handle, s2w(&name), &cfg, NULL) ) { PrintStr(L"Chained configuration file '"); @@ -1578,13 +1592,14 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, efi_bs->FreePool(name.w); } - efi_arch_cfg_file_early(loaded_image, dir_handle, section.s); + efi_arch_cfg_file_early(loaded_image, &dir_handle, section.s); option_str = name.s ? split_string(name.s) : NULL; if ( !read_section(loaded_image, L"kernel", &kernel, option_str) && name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &kernel, option_str); efi_bs->FreePool(name.w); } @@ -1599,6 +1614,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, name.s = get_value(&cfg, section.s, "ramdisk"); if ( name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &ramdisk, NULL); efi_bs->FreePool(name.w); } @@ -1609,6 +1625,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, name.s = get_value(&cfg, section.s, "xsm"); if ( name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &xsm, NULL); efi_bs->FreePool(name.w); } @@ -1634,7 +1651,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, } } - efi_arch_cfg_file_late(loaded_image, dir_handle, section.s); + efi_arch_cfg_file_late(loaded_image, &dir_handle, section.s); free_cfg(); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326019.1591427 (Exim 4.92) (envelope-from ) id 1wUiKm-0002xG-Df; Wed, 03 Jun 2026 09:56:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326019.1591427; Wed, 03 Jun 2026 09:56:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKm-0002x8-B7; Wed, 03 Jun 2026 09:56:24 +0000 Received: by outflank-mailman (input) for mailman id 1326019; Wed, 03 Jun 2026 09:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKl-0002x2-Bd for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiKl-004zwN-14 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiKl-00C6sD-0x for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=U5VEMcZffQezCzQQITcgvhiuY4+Qmj2R4Kb2wyZd2IA=; b=4znCoL3pr9OjD4hrTDrfVrJvkv updKuImGpN7R2RLjOmHBINiEb4b9fA0usmmzSomPrdlsQPlQ38qWoIDEjncaj9W3LHn0rnWi9k7TL z1lG6WJ8KLQ8M3EnU0Y0LG6O1UpGfCpecBQqkrLmg8bCfAoc74fidOt8ee00jpTk0NF8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/svm: Add Enumerations for the SVM virtual NMI Message-Id: Date: Wed, 03 Jun 2026 09:56:23 +0000 commit ccac1955c4e99572815c0dac4a69bd7a95ae47ad Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:39:31 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:39:31 2026 +0200 x86/svm: Add Enumerations for the SVM virtual NMI Introduce the cpuid bit for the SVM vNMI feature support for the x86\AMD platforms. The feature support is indicated by the CPUID Fn8000_000A_EDX[25] = 1. Add defines for the three SVM's Virtual NMI (vNMI) managements bits in the VMCB structure's vintr_t: vintr_t(11) - Virtual NMI is pending. vintr_t(12) - Virtual NMI is masked. vintr_t(26) - Enable NMI virtualization. Signed-off-by: Abdelkareem Abdelsaamad Reviewed-by: Teddy Astie Acked-by: Jan Beulich master commit: 0294292b4ca6d90e18cb66912d18b88576dd2733 master date: 2026-02-23 08:41:32 +0100 --- xen/arch/x86/include/asm/hvm/svm/svm.h | 2 ++ xen/arch/x86/include/asm/hvm/svm/vmcb.h | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/hvm/svm/svm.h b/xen/arch/x86/include/asm/hvm/svm/svm.h index 4eeeb25da9..eb6fe3e993 100644 --- a/xen/arch/x86/include/asm/hvm/svm/svm.h +++ b/xen/arch/x86/include/asm/hvm/svm/svm.h @@ -37,6 +37,7 @@ extern u32 svm_feature_flags; #define SVM_FEATURE_VGIF 16 /* Virtual GIF */ #define SVM_FEATURE_SSS 19 /* NPT Supervisor Shadow Stacks */ #define SVM_FEATURE_SPEC_CTRL 20 /* MSR_SPEC_CTRL virtualisation */ +#define SVM_FEATURE_VNMI 25 /* Virtual NMI */ static inline bool cpu_has_svm_feature(unsigned int feat) { @@ -56,5 +57,6 @@ static inline bool cpu_has_svm_feature(unsigned int feat) #define cpu_has_svm_vloadsave cpu_has_svm_feature(SVM_FEATURE_VLOADSAVE) #define cpu_has_svm_sss cpu_has_svm_feature(SVM_FEATURE_SSS) #define cpu_has_svm_spec_ctrl cpu_has_svm_feature(SVM_FEATURE_SPEC_CTRL) +#define cpu_has_svm_vnmi cpu_has_svm_feature(SVM_FEATURE_VNMI) #endif /* __ASM_X86_HVM_SVM_H__ */ diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 28f715e376..78bc0a8075 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -338,13 +338,17 @@ typedef union u64 tpr: 8; u64 irq: 1; u64 vgif: 1; - u64 rsvd0: 6; + u64 : 1; + u64 vnmi_pending: 1; + u64 vnmi_blocking:1; + u64 : 3; u64 prio: 4; u64 ign_tpr: 1; u64 rsvd1: 3; u64 intr_masking: 1; u64 vgif_enable: 1; - u64 rsvd2: 6; + u64 vnmi_enable: 1; + u64 : 5; u64 vector: 8; u64 rsvd3: 24; } fields; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326020.1591430 (Exim 4.92) (envelope-from ) id 1wUiKw-0002zD-F7; Wed, 03 Jun 2026 09:56:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326020.1591430; Wed, 03 Jun 2026 09:56:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKw-0002z4-CR; Wed, 03 Jun 2026 09:56:34 +0000 Received: by outflank-mailman (input) for mailman id 1326020; Wed, 03 Jun 2026 09:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiKv-0002yw-Ek for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiKv-004zwW-1L for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiKv-00C6wJ-1E for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8hd1p9WT1abhifVXQ34wtQLjNf44ucHh0vjKMmnptvw=; b=231eV6RZ1rFuRZI59EvB2zFn0r EpWjpBFcGmPqoe3lpcAbN+DfXb7bm8nRZBq/OphhgkfI9MpCaS53+Yy8+yIyAPpIVPfwH+MGqli/l mkftUPloYFy9tCuMT9qTanAJ7Vq0eF3Ol/MIHdPx4gGeawPFUuD2KVuSl2S75oeJBVnY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] docs: Update console=pv requirement Message-Id: Date: Wed, 03 Jun 2026 09:56:33 +0000 commit 806c814537ee760ab74400b2907061cc7f269c0e Author: Teddy Astie AuthorDate: Wed Jun 3 11:40:05 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:05 2026 +0200 docs: Update console=pv requirement PV console doesn't require Xen to be running as a shim and only requires CONFIG_XEN_GUEST and running as a Xen guest. Update the documentation accordingly. Fixes: 4f6609d6a665 ("x86/guest: use PV console for Xen/Dom0 I/O") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper master commit: f47c2e96ab9b61debe18fc0c52faa1672a5d24f9 master date: 2026-05-21 09:13:42 +0200 --- docs/misc/xen-command-line.pandoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index ff7bc7e861..c4c888ac04 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -446,8 +446,9 @@ the converse; transmitted and received characters will have their MSB cleared. This allows a single port to be shared by two subsystems (e.g. console and debugger). -`pv` indicates that Xen should use Xen's PV console. This option is -only available when used together with `pv-in-pvh`. +`pv` indicates that Xen should use Xen's PV console. This option requires +Xen running as a Xen guest. and is only available if the hypervisor was +compiled with `CONFIG_XEN_GUEST` enabled. `dbgp` or `ehci` indicates that Xen should use a USB2 debug port. -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326021.1591434 (Exim 4.92) (envelope-from ) id 1wUiL6-000321-HX; Wed, 03 Jun 2026 09:56:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326021.1591434; Wed, 03 Jun 2026 09:56:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiL6-00031t-Ez; Wed, 03 Jun 2026 09:56:44 +0000 Received: by outflank-mailman (input) for mailman id 1326021; Wed, 03 Jun 2026 09:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiL5-00031f-HG for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiL5-004zwh-1d for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiL5-00C6zp-1W for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SGcsO1Et2u1BXAzU7Y2faYSMTv/sHjkX4UizLeFlr8Q=; b=eVfhCJc7E2DXsfaFHN8uozBHnl IUbSpPy3ZzZ7V1LsMDkq+1GS+T3g37ex7if81elIe4MaIny3eY/++9VfpwwkAKG056iayv0TBu3I0 hAHK+PFDOMNarnaWk0/EgpIDiN8FU2aSdfyXJ+C+NL+ehP55WFSY7EfbspObwzyeAYPI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/svm: Support vNMI on capable hardware Message-Id: Date: Wed, 03 Jun 2026 09:56:43 +0000 commit 33a6d8a25b9c74b3a8c3101764b8517700252734 Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:40:15 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:15 2026 +0200 x86/svm: Support vNMI on capable hardware Starting with Zen4, AMD CPUs can virtualise NMIs for a guest. On older hardware, determining when an NMI is safe to deliver is a challenge and Xen does not handle all corner cases correctly. With vNMI, there is an enablement bit and two new bits of state in the VMCB; a pending bit, and a blocked bit. These directly map to the CPU state for handling NMIs, and are maintained by hardware during the running of the vCPU. When vNMI is enabled, have svm_{get,set}_interrupt_shadow() work in terms of the vnmi_blocking bit rather than the IRET intercept. This allows an emulated IRET instruction to re-enable NMIs. When injecting a new NMI, simply set the vnmi_pending bit; hardware will deliver the NMI to the guest at the next suitable juncture. One complication is that, when delivering a second NMI before the first has completed, the mix between common HVM logic and SVM specific logic will try to open an NMI window, malfunctioning as it does so. When vNMI is enabled, short circuit this to not consider NMIs blocked. Signed-off-by: Abdelkareem Abdelsaamad Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 86a203ab8d38f3bae19219980c2a37d091a8f7aa master date: 2026-05-21 16:43:01 +0100 --- xen/arch/x86/hvm/svm/intr.c | 19 +++++++++++++++++++ xen/arch/x86/hvm/svm/svm.c | 23 +++++++++++++++++------ xen/arch/x86/hvm/svm/vmcb.c | 2 ++ 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/hvm/svm/intr.c b/xen/arch/x86/hvm/svm/intr.c index 46186a1102..caeeb76a28 100644 --- a/xen/arch/x86/hvm/svm/intr.c +++ b/xen/arch/x86/hvm/svm/intr.c @@ -33,6 +33,12 @@ static void svm_inject_nmi(struct vcpu *v) u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); intinfo_t event; + if ( vmcb->_vintr.fields.vnmi_enable ) + { + vmcb->_vintr.fields.vnmi_pending = true; + return; + } + event.raw = 0; event.v = true; event.type = X86_ET_NMI; @@ -142,6 +148,19 @@ void asmlinkage svm_intr_assist(void) return; intblk = hvm_interrupt_blocked(v, intack); + + /* + * When vNMI is active, NMIs can be injected by setting vnmi_pending + * and hardware will deliver them at the next appropriate opportunity. + * Consider them not blocked, to avoid trying to open an NMI Window. + * + * Correctness here relies on the fact that all vNMI capable hardware + * has vGIF, and vGIF is always activated when appropriate. + */ + if ( intblk == hvm_intblk_nmi_iret && + vmcb->_vintr.fields.vnmi_enable ) + intblk = hvm_intblk_none; + if ( intblk == hvm_intblk_svm_gif ) { ASSERT(nestedhvm_enabled(v->domain)); diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 8bb829a13d..ce54b7857f 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -545,7 +545,9 @@ static unsigned cf_check int svm_get_interrupt_shadow(struct vcpu *v) if ( vmcb->int_stat.intr_shadow ) intr_shadow |= HVM_INTR_SHADOW_MOV_SS | HVM_INTR_SHADOW_STI; - if ( vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET ) + if ( vmcb->_vintr.fields.vnmi_enable + ? vmcb->_vintr.fields.vnmi_blocking + : (vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET) ) intr_shadow |= HVM_INTR_SHADOW_NMI; return intr_shadow; @@ -555,15 +557,23 @@ static void cf_check svm_set_interrupt_shadow( struct vcpu *v, unsigned int intr_shadow) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; - u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); + bool block_nmi = intr_shadow & HVM_INTR_SHADOW_NMI; vmcb->int_stat.intr_shadow = !!(intr_shadow & (HVM_INTR_SHADOW_MOV_SS|HVM_INTR_SHADOW_STI)); - general1_intercepts &= ~GENERAL1_INTERCEPT_IRET; - if ( intr_shadow & HVM_INTR_SHADOW_NMI ) - general1_intercepts |= GENERAL1_INTERCEPT_IRET; - vmcb_set_general1_intercepts(vmcb, general1_intercepts); + if ( vmcb->_vintr.fields.vnmi_enable ) + vmcb->_vintr.fields.vnmi_blocking = block_nmi; + else + { + uint32_t gen1 = vmcb_get_general1_intercepts(vmcb); + + gen1 &= ~GENERAL1_INTERCEPT_IRET; + if ( block_nmi ) + gen1 |= GENERAL1_INTERCEPT_IRET; + + vmcb_set_general1_intercepts(vmcb, gen1); + } } static int cf_check svm_guest_x86_mode(struct vcpu *v) @@ -2518,6 +2528,7 @@ const struct hvm_function_table * __init start_svm(void) P(cpu_has_tsc_ratio, "TSC Rate MSR"); P(cpu_has_svm_sss, "NPT Supervisor Shadow Stack"); P(cpu_has_svm_spec_ctrl, "MSR_SPEC_CTRL virtualisation"); + P(cpu_has_svm_vnmi, "Virtual NMI"); #undef P if ( !printed ) diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index 4e1f61dbe0..f6b6f3d61b 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -173,6 +173,8 @@ static int construct_vmcb(struct vcpu *v) if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; + vmcb->_vintr.fields.vnmi_enable = cpu_has_svm_vnmi; + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:56:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:56:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326022.1591439 (Exim 4.92) (envelope-from ) id 1wUiLG-00033y-J0; Wed, 03 Jun 2026 09:56:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326022.1591439; Wed, 03 Jun 2026 09:56:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiLG-00033q-GN; Wed, 03 Jun 2026 09:56:54 +0000 Received: by outflank-mailman (input) for mailman id 1326022; Wed, 03 Jun 2026 09:56:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiLF-00033k-Jw for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiLF-004zww-1u for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiLF-00C73w-1o for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:56:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M4OkTrwJScRXwtZiwdLAxwGHbmCzZqd559CAbJwSUp4=; b=PjohQjERQ2NK4TDEk5u2QraiXA JNFKm+T52wi2VuJr/CMmodkpbUJijXVcS3+jwPhEfY54+hHQBBBjXPRi19tOza7CfCZRqsHu4Ny9X D4odyfuV8kCLewwMlMqhHRnQuAZMRUVfhwO58K85XBnLpZxG7I+fyFG5bP6G71rPow78=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/gnttab: Fix TOCTOU race in gnttab_set_version() Message-Id: Date: Wed, 03 Jun 2026 09:56:53 +0000 commit 2abb8d0fbf9333473e369b161ace15d35dae49cf Author: Alejandro Vallejo AuthorDate: Wed Jun 3 11:40:34 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:34 2026 +0200 xen/gnttab: Fix TOCTOU race in gnttab_set_version() Move first read of gt->gt_version inside the critical region of the rwlock, otherwise concurrent gnttab operations (silly as they would be) may get mutually confused as to the actual current version. Fixes: c1488502c949("grant-tables: do not fail attempts to...") Reported-by: Oleksandr Tyshchenko Signed-off-by: Alejandro Vallejo Reviewed-by: Jan Beulich master commit: c0e548d9206b3a281f9d30a2670be543fb383223 master date: 2026-05-22 13:32:44 +0200 --- xen/common/grant_table.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index e0f306f268..15262819e1 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -3183,11 +3183,12 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop) if ( op.version == 2 && gt->max_version == 1 ) goto out; /* Behave as before set_version was introduced. */ + grant_write_lock(gt); + res = 0; if ( gt->gt_version == op.version ) - goto out; + goto out_unlock; - grant_write_lock(gt); /* * Make sure that the grant table isn't currently in use when we * change the version number, except for the first 8 entries which -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 09:57:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 09:57:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326023.1591443 (Exim 4.92) (envelope-from ) id 1wUiLQ-00035x-KQ; Wed, 03 Jun 2026 09:57:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326023.1591443; Wed, 03 Jun 2026 09:57:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiLQ-00035p-Hj; Wed, 03 Jun 2026 09:57:04 +0000 Received: by outflank-mailman (input) for mailman id 1326023; Wed, 03 Jun 2026 09:57:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUiLP-00035j-N0 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:57:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUiLP-004zxL-2C for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:57:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUiLP-00C76L-27 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 09:57:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XaC3JeXN1AGu4vd/dFbsboGefysW/xRJ+GKfWhfUXGw=; b=KO9N5c3FbY8wKh+LkQGergfAGp At2OxdW1HV8Ceqw2okT41NRzOhi4VXgL0mhVLZsnvtd0bkKAut/EKZQjf7mcrfnmlELP7bb1/04w5 UuvNSecoV/wWFqGr+FrmxMzxxvkpVJdF03zbrfzdkwy6QOLe3EnhbYG5yc+NCpaXi/MI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/pv32: Fix bogus CR2 in pagefault for gate emulation Message-Id: Date: Wed, 03 Jun 2026 09:57:03 +0000 commit 6cf9b61548a174f8627b9b7cfc96c8e4ebf40bf1 Author: Teddy Astie AuthorDate: Wed Jun 3 11:40:48 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:48 2026 +0200 x86/pv32: Fix bogus CR2 in pagefault for gate emulation __{put,get}_guest() returns -EFAULT on access faults which causes the injected CR2 to be off by 14 bytes (as EFAULT is 14) which is incorrect. Fix the computation by relying on __copy_{from,to}_guest_pv() which reports the number of remaining bytes instead of a negative errno, such that we can compute the offset properly. Fixes: 70ad570b2799 ("x86/64: paravirt 32-on-64 call gate support") Signed-off-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 03878fba4af14fab942c2ce8ed2d6d18c204a603 master date: 2026-05-22 14:33:44 +0100 --- xen/arch/x86/pv/emul-gate-op.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index dcac0a0401..1fcab1f3a3 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -284,12 +284,14 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) if ( !jump ) { unsigned int ss, esp, *stkp; + uint32_t value; int rc; #define push(item) do \ { \ + value = (item); \ --stkp; \ esp -= 4; \ - rc = __put_guest(item, stkp); \ + rc = __copy_to_guest_pv(stkp, &value, sizeof(value)); \ if ( rc ) \ { \ pv_inject_page_fault(PFEC_write_access, \ @@ -357,7 +359,7 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) unsigned int parm; --ustkp; - rc = __get_guest(parm, ustkp); + rc = __copy_from_guest_pv(&parm, ustkp, sizeof(parm)); if ( rc ) { pv_inject_page_fault(0, (unsigned long)(ustkp + 1) - rc); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:22:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:22:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326056.1591474 (Exim 4.92) (envelope-from ) id 1wUijb-0000X8-2m; Wed, 03 Jun 2026 10:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326056.1591474; Wed, 03 Jun 2026 10:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUijb-0000Wz-02; Wed, 03 Jun 2026 10:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1326056; Wed, 03 Jun 2026 10:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUija-0000Wt-Au for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUija-0050oO-0q for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUija-00CGoz-0i for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NTRN1SQa6LdAYGFO7DmJvWbVIDFhGVsm6sOwDsPb5qk=; b=6/SRWWt/hE10dIMYTJv7a0GCGU z6B5o1b3YqE9A+3wgsY4q/NfIFz9Wq38AEGAfkUpnxfUET2Q34N7B74y3gFU548doa7dXJfI2mYcC FguSrJak3iegk7owCNOU8EpZb601lQyI2o/H8hT50l8Bq+aRbeK2tw5N4f1imC7gEIpo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/shadow: Deviate multi.h as being included multiple times Message-Id: Date: Wed, 03 Jun 2026 10:22:02 +0000 commit 9d67c78690538437390260cc5d7fd9b71f0a64d3 Author: Andrew Cooper AuthorDate: Fri Dec 12 19:15:53 2025 +0000 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:23:21 2026 +0100 x86/shadow: Deviate multi.h as being included multiple times Use a SAF-8 marker. This addresses a MISRA D4.10 violation. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/mm/shadow/multi.h | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/arch/x86/mm/shadow/multi.h b/xen/arch/x86/mm/shadow/multi.h index fc86d7a8d9..3f2562d25e 100644 --- a/xen/arch/x86/mm/shadow/multi.h +++ b/xen/arch/x86/mm/shadow/multi.h @@ -8,6 +8,7 @@ * Parts based on earlier work by Michael A Fetterman, Ian Pratt et al. */ +/* SAF-8-safe inclusion procedure left to caller */ extern int SHADOW_INTERNAL_NAME(sh_map_and_validate_gl1e, GUEST_LEVELS)( struct vcpu *v, mfn_t gl1mfn, void *new_gl1p, u32 size); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326057.1591478 (Exim 4.92) (envelope-from ) id 1wUijl-0000aW-4L; Wed, 03 Jun 2026 10:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326057.1591478; Wed, 03 Jun 2026 10:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUijl-0000aP-1M; Wed, 03 Jun 2026 10:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1326057; Wed, 03 Jun 2026 10:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUijk-0000a3-Cf for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUijk-0050oZ-1A for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUijk-00CGtn-10 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TcrUOeF8ENhOwqvXP1Ciitu/SunBT/3fYqZ9Yt4wQ5w=; b=yc7b8yOqj/mhOVv3oKNn3XIv2I bZh3ApF6SF3sJtwWyILUa/fLEoxJi1+RmESJ3BdrjqBt1bfnszjzIM227CvRW3fSKLtWnZwLuS3mo q10qTY0ueEtmVV8UKJKgRLGIimRXKoRCDfEDSc64vc/PET0UYmPI6Rqn3YrfJfmQzY7k=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Mark eclair-x86_64-allcode as blocking now that it's clean Message-Id: Date: Wed, 03 Jun 2026 10:22:12 +0000 commit 0b03d963730b4c3df5b4583c054e2cd0d99758c2 Author: Andrew Cooper AuthorDate: Tue Jun 2 16:51:24 2026 +0100 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:23:21 2026 +0100 CI: Mark eclair-x86_64-allcode as blocking now that it's clean Signed-off-by: Andrew Cooper Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/analyze.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/automation/gitlab-ci/analyze.yaml b/automation/gitlab-ci/analyze.yaml index 55c42e3f84..3f7532ee1d 100644 --- a/automation/gitlab-ci/analyze.yaml +++ b/automation/gitlab-ci/analyze.yaml @@ -63,7 +63,6 @@ eclair-x86_64-allcode: CONFIG_XEN_GUEST=y CONFIG_XHCI=y CONFIG_XSM=y - allow_failure: true eclair-x86_64-testing: extends: eclair-x86_64-allcode -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326065.1591481 (Exim 4.92) (envelope-from ) id 1wUjFW-0004o6-8q; Wed, 03 Jun 2026 10:55:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326065.1591481; Wed, 03 Jun 2026 10:55:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFW-0004ny-68; Wed, 03 Jun 2026 10:55:02 +0000 Received: by outflank-mailman (input) for mailman id 1326065; Wed, 03 Jun 2026 10:55:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFV-0004ns-OY for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjFV-0051kr-29 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjFV-00CUA3-1t for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Dx/RVohj/haPtEukIdJDqauC6HAZxhFO7NjTtDBelC0=; b=LfQgDZyXZ8jChry6m6pDBQS3Pt Lcmmgj0MRaviw4OxfN4NDpt+7Jj0S/V2OMWPoejyF2vbQ5S0ygIBdtuXhD4YWmXphGCMEJWEdlG6V uEe/emj/Z0323IBZgJItaBwKIrO/dEb1uDku4j6BJvzk814roCJerQkdVHgSf8wkY4w0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/svm: Add Enumerations for the SVM virtual NMI Message-Id: Date: Wed, 03 Jun 2026 10:55:01 +0000 commit 02bcb4ece75a659636524777480d54f55d4bc1dd Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:36:14 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:14 2026 +0200 x86/svm: Add Enumerations for the SVM virtual NMI Introduce the cpuid bit for the SVM vNMI feature support for the x86\AMD platforms. The feature support is indicated by the CPUID Fn8000_000A_EDX[25] = 1. Add defines for the three SVM's Virtual NMI (vNMI) managements bits in the VMCB structure's vintr_t: vintr_t(11) - Virtual NMI is pending. vintr_t(12) - Virtual NMI is masked. vintr_t(26) - Enable NMI virtualization. Signed-off-by: Abdelkareem Abdelsaamad Reviewed-by: Teddy Astie Acked-by: Jan Beulich master commit: 0294292b4ca6d90e18cb66912d18b88576dd2733 master date: 2026-02-23 08:41:32 +0100 --- xen/arch/x86/include/asm/hvm/svm/svm.h | 2 ++ xen/arch/x86/include/asm/hvm/svm/vmcb.h | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/hvm/svm/svm.h b/xen/arch/x86/include/asm/hvm/svm/svm.h index 4eeeb25da9..eb6fe3e993 100644 --- a/xen/arch/x86/include/asm/hvm/svm/svm.h +++ b/xen/arch/x86/include/asm/hvm/svm/svm.h @@ -37,6 +37,7 @@ extern u32 svm_feature_flags; #define SVM_FEATURE_VGIF 16 /* Virtual GIF */ #define SVM_FEATURE_SSS 19 /* NPT Supervisor Shadow Stacks */ #define SVM_FEATURE_SPEC_CTRL 20 /* MSR_SPEC_CTRL virtualisation */ +#define SVM_FEATURE_VNMI 25 /* Virtual NMI */ static inline bool cpu_has_svm_feature(unsigned int feat) { @@ -56,5 +57,6 @@ static inline bool cpu_has_svm_feature(unsigned int feat) #define cpu_has_svm_vloadsave cpu_has_svm_feature(SVM_FEATURE_VLOADSAVE) #define cpu_has_svm_sss cpu_has_svm_feature(SVM_FEATURE_SSS) #define cpu_has_svm_spec_ctrl cpu_has_svm_feature(SVM_FEATURE_SPEC_CTRL) +#define cpu_has_svm_vnmi cpu_has_svm_feature(SVM_FEATURE_VNMI) #endif /* __ASM_X86_HVM_SVM_H__ */ diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 28f715e376..78bc0a8075 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -338,13 +338,17 @@ typedef union u64 tpr: 8; u64 irq: 1; u64 vgif: 1; - u64 rsvd0: 6; + u64 : 1; + u64 vnmi_pending: 1; + u64 vnmi_blocking:1; + u64 : 3; u64 prio: 4; u64 ign_tpr: 1; u64 rsvd1: 3; u64 intr_masking: 1; u64 vgif_enable: 1; - u64 rsvd2: 6; + u64 vnmi_enable: 1; + u64 : 5; u64 vector: 8; u64 rsvd3: 24; } fields; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326066.1591486 (Exim 4.92) (envelope-from ) id 1wUjFg-0004pi-A6; Wed, 03 Jun 2026 10:55:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326066.1591486; Wed, 03 Jun 2026 10:55:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFg-0004pa-7V; Wed, 03 Jun 2026 10:55:12 +0000 Received: by outflank-mailman (input) for mailman id 1326066; Wed, 03 Jun 2026 10:55:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFf-0004pT-QV for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjFf-0051og-2X for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjFf-00CUDx-2L for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=n/OeUaElDc3uV8aMxOFXFu8VBEhfvyVNOKylfv8KjgI=; b=ZqiMPcbGLTArZsxR9MfZxNkMuN QDmYYZd+Injm+Gpy+XDwmExCRiYgZ17Ode5CCnXPzDFHHDxz6p9Y4tl7NjjaMDPZBI2cUlz21EuQv v1XLweJxpdpzY4oZLdv6in506oCOdke8IKzPbO+GxnN+SorygK+TSSFooZTQRJm0U8EY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] docs: Update console=pv requirement Message-Id: Date: Wed, 03 Jun 2026 10:55:11 +0000 commit 3928945562505ebb0f7af525b4b3c01087e74d39 Author: Teddy Astie AuthorDate: Wed Jun 3 11:36:46 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:46 2026 +0200 docs: Update console=pv requirement PV console doesn't require Xen to be running as a shim and only requires CONFIG_XEN_GUEST and running as a Xen guest. Update the documentation accordingly. Fixes: 4f6609d6a665 ("x86/guest: use PV console for Xen/Dom0 I/O") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper master commit: f47c2e96ab9b61debe18fc0c52faa1672a5d24f9 master date: 2026-05-21 09:13:42 +0200 --- docs/misc/xen-command-line.pandoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 34004ce282..9607aa77d4 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -446,8 +446,9 @@ the converse; transmitted and received characters will have their MSB cleared. This allows a single port to be shared by two subsystems (e.g. console and debugger). -`pv` indicates that Xen should use Xen's PV console. This option is -only available when used together with `pv-in-pvh`. +`pv` indicates that Xen should use Xen's PV console. This option requires +Xen running as a Xen guest. and is only available if the hypervisor was +compiled with `CONFIG_XEN_GUEST` enabled. `dbgp` or `ehci` indicates that Xen should use a USB2 debug port. -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326067.1591490 (Exim 4.92) (envelope-from ) id 1wUjFr-0004sR-Cq; Wed, 03 Jun 2026 10:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326067.1591490; Wed, 03 Jun 2026 10:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFr-0004sJ-AB; Wed, 03 Jun 2026 10:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1326067; Wed, 03 Jun 2026 10:55:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjFp-0004sC-TN for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjFp-0051p9-2q for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjFp-00CUHX-2i for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vLC+Q/rpy8uJwPD7DAjzQOjoMUbkAE1nMvGmYI7LWmI=; b=RwXfjiDxW4Dg2zMaKE0RVWSrfo YmIWB7rolWbO/P9Cg111NohbxBINzlioDFBVuvhkB8Umi/gFjXk4lQVm6hvPxxJWFThfucKE1ZYTV dz5PK8jD0IjZz5mH71q06PKxFjJaJ29C3p5YicwLUklGnFGQ9KMbjRuyYTT2HkmkoOq0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/svm: Support vNMI on capable hardware Message-Id: Date: Wed, 03 Jun 2026 10:55:21 +0000 commit 4d6e6ed0164672f6d18e5cf827a1abe91ec2f948 Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:36:55 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:36:55 2026 +0200 x86/svm: Support vNMI on capable hardware Starting with Zen4, AMD CPUs can virtualise NMIs for a guest. On older hardware, determining when an NMI is safe to deliver is a challenge and Xen does not handle all corner cases correctly. With vNMI, there is an enablement bit and two new bits of state in the VMCB; a pending bit, and a blocked bit. These directly map to the CPU state for handling NMIs, and are maintained by hardware during the running of the vCPU. When vNMI is enabled, have svm_{get,set}_interrupt_shadow() work in terms of the vnmi_blocking bit rather than the IRET intercept. This allows an emulated IRET instruction to re-enable NMIs. When injecting a new NMI, simply set the vnmi_pending bit; hardware will deliver the NMI to the guest at the next suitable juncture. One complication is that, when delivering a second NMI before the first has completed, the mix between common HVM logic and SVM specific logic will try to open an NMI window, malfunctioning as it does so. When vNMI is enabled, short circuit this to not consider NMIs blocked. Signed-off-by: Abdelkareem Abdelsaamad Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 86a203ab8d38f3bae19219980c2a37d091a8f7aa master date: 2026-05-21 16:43:01 +0100 --- xen/arch/x86/hvm/svm/intr.c | 19 +++++++++++++++++++ xen/arch/x86/hvm/svm/svm.c | 23 +++++++++++++++++------ xen/arch/x86/hvm/svm/vmcb.c | 2 ++ 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/hvm/svm/intr.c b/xen/arch/x86/hvm/svm/intr.c index 46186a1102..caeeb76a28 100644 --- a/xen/arch/x86/hvm/svm/intr.c +++ b/xen/arch/x86/hvm/svm/intr.c @@ -33,6 +33,12 @@ static void svm_inject_nmi(struct vcpu *v) u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); intinfo_t event; + if ( vmcb->_vintr.fields.vnmi_enable ) + { + vmcb->_vintr.fields.vnmi_pending = true; + return; + } + event.raw = 0; event.v = true; event.type = X86_ET_NMI; @@ -142,6 +148,19 @@ void asmlinkage svm_intr_assist(void) return; intblk = hvm_interrupt_blocked(v, intack); + + /* + * When vNMI is active, NMIs can be injected by setting vnmi_pending + * and hardware will deliver them at the next appropriate opportunity. + * Consider them not blocked, to avoid trying to open an NMI Window. + * + * Correctness here relies on the fact that all vNMI capable hardware + * has vGIF, and vGIF is always activated when appropriate. + */ + if ( intblk == hvm_intblk_nmi_iret && + vmcb->_vintr.fields.vnmi_enable ) + intblk = hvm_intblk_none; + if ( intblk == hvm_intblk_svm_gif ) { ASSERT(nestedhvm_enabled(v->domain)); diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 90bff72687..b85686e387 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -547,7 +547,9 @@ static unsigned cf_check int svm_get_interrupt_shadow(struct vcpu *v) if ( vmcb->int_stat.intr_shadow ) intr_shadow |= HVM_INTR_SHADOW_MOV_SS | HVM_INTR_SHADOW_STI; - if ( vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET ) + if ( vmcb->_vintr.fields.vnmi_enable + ? vmcb->_vintr.fields.vnmi_blocking + : (vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET) ) intr_shadow |= HVM_INTR_SHADOW_NMI; return intr_shadow; @@ -557,15 +559,23 @@ static void cf_check svm_set_interrupt_shadow( struct vcpu *v, unsigned int intr_shadow) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; - u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); + bool block_nmi = intr_shadow & HVM_INTR_SHADOW_NMI; vmcb->int_stat.intr_shadow = !!(intr_shadow & (HVM_INTR_SHADOW_MOV_SS|HVM_INTR_SHADOW_STI)); - general1_intercepts &= ~GENERAL1_INTERCEPT_IRET; - if ( intr_shadow & HVM_INTR_SHADOW_NMI ) - general1_intercepts |= GENERAL1_INTERCEPT_IRET; - vmcb_set_general1_intercepts(vmcb, general1_intercepts); + if ( vmcb->_vintr.fields.vnmi_enable ) + vmcb->_vintr.fields.vnmi_blocking = block_nmi; + else + { + uint32_t gen1 = vmcb_get_general1_intercepts(vmcb); + + gen1 &= ~GENERAL1_INTERCEPT_IRET; + if ( block_nmi ) + gen1 |= GENERAL1_INTERCEPT_IRET; + + vmcb_set_general1_intercepts(vmcb, gen1); + } } static int cf_check svm_guest_x86_mode(struct vcpu *v) @@ -2534,6 +2544,7 @@ const struct hvm_function_table * __init start_svm(void) P(cpu_has_tsc_ratio, "TSC Rate MSR"); P(cpu_has_svm_sss, "NPT Supervisor Shadow Stack"); P(cpu_has_svm_spec_ctrl, "MSR_SPEC_CTRL virtualisation"); + P(cpu_has_svm_vnmi, "Virtual NMI"); #undef P if ( !printed ) diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index c57d314a24..d1227a256c 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -176,6 +176,8 @@ static int construct_vmcb(struct vcpu *v) if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; + vmcb->_vintr.fields.vnmi_enable = cpu_has_svm_vnmi; + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326068.1591494 (Exim 4.92) (envelope-from ) id 1wUjG1-0004uR-E4; Wed, 03 Jun 2026 10:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326068.1591494; Wed, 03 Jun 2026 10:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjG1-0004uJ-BY; Wed, 03 Jun 2026 10:55:33 +0000 Received: by outflank-mailman (input) for mailman id 1326068; Wed, 03 Jun 2026 10:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjG0-0004uC-0d for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjFz-0051pH-37 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjFz-00CULD-30 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zVGjp6i3VICyAWk0jBRKX7r+D3nC9WHjA1sXgb3UbkE=; b=m6rdi1cmeDX5c4rRXrHQke7/UR tAIwko+FlPqI2HUJVwEQN5SfkYpqUODOMBiapYytk+it/xq5yqJWOHm83ZuaghvSnAdhjTacgIBSf 2iOu2X+2KkKdipq/cS8tn0CD+d4sMuJ2Izmx/caQPdvAG3okajYH/vTW4fKQQYGzT7wE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/gnttab: Fix TOCTOU race in gnttab_set_version() Message-Id: Date: Wed, 03 Jun 2026 10:55:31 +0000 commit 04db4dc2a2ce05063b872eb3cf95c2401c44a9f0 Author: Alejandro Vallejo AuthorDate: Wed Jun 3 11:37:15 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:37:15 2026 +0200 xen/gnttab: Fix TOCTOU race in gnttab_set_version() Move first read of gt->gt_version inside the critical region of the rwlock, otherwise concurrent gnttab operations (silly as they would be) may get mutually confused as to the actual current version. Fixes: c1488502c949("grant-tables: do not fail attempts to...") Reported-by: Oleksandr Tyshchenko Signed-off-by: Alejandro Vallejo Reviewed-by: Jan Beulich master commit: c0e548d9206b3a281f9d30a2670be543fb383223 master date: 2026-05-22 13:32:44 +0200 --- xen/common/grant_table.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index f9e4bffdb1..5e09027821 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -3185,11 +3185,12 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop) if ( op.version == 2 && gt->max_version == 1 ) goto out; /* Behave as before set_version was introduced. */ + grant_write_lock(gt); + res = 0; if ( gt->gt_version == op.version ) - goto out; + goto out_unlock; - grant_write_lock(gt); /* * Make sure that the grant table isn't currently in use when we * change the version number, except for the first 8 entries which -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326069.1591498 (Exim 4.92) (envelope-from ) id 1wUjGB-0004wh-FS; Wed, 03 Jun 2026 10:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326069.1591498; Wed, 03 Jun 2026 10:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGB-0004wZ-Cv; Wed, 03 Jun 2026 10:55:43 +0000 Received: by outflank-mailman (input) for mailman id 1326069; Wed, 03 Jun 2026 10:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGA-0004wS-5E for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjGA-0051pR-0O for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjGA-00CUOh-03 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=egXSfk2NmgxdQ7ZdH+JtVoC/WDbGvVdKLaXOmFLrjCY=; b=qDg869NTbql96d1fVnEQT5/01S SEIfedDeiViN4BtWzZ+BUZD4eSCmudqiCR4hQvRZLNVGU84rxRNyp2ADw5RrPYkUOC+RVzrLteUpY /UZCfmpwVMxqbowL0eiWCxZoRGEu0qSdtfDNlkJ7y0uv98s/p1XDccTZLf/SIlAzGGwk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/pv32: Fix bogus CR2 in pagefault for gate emulation Message-Id: Date: Wed, 03 Jun 2026 10:55:42 +0000 commit 647e362ad170708e6d7b53d0725cd3e30fb94d84 Author: Teddy Astie AuthorDate: Wed Jun 3 11:37:32 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:37:32 2026 +0200 x86/pv32: Fix bogus CR2 in pagefault for gate emulation __{put,get}_guest() returns -EFAULT on access faults which causes the injected CR2 to be off by 14 bytes (as EFAULT is 14) which is incorrect. Fix the computation by relying on __copy_{from,to}_guest_pv() which reports the number of remaining bytes instead of a negative errno, such that we can compute the offset properly. Fixes: 70ad570b2799 ("x86/64: paravirt 32-on-64 call gate support") Signed-off-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 03878fba4af14fab942c2ce8ed2d6d18c204a603 master date: 2026-05-22 14:33:44 +0100 --- xen/arch/x86/pv/emul-gate-op.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index dcac0a0401..1fcab1f3a3 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -284,12 +284,14 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) if ( !jump ) { unsigned int ss, esp, *stkp; + uint32_t value; int rc; #define push(item) do \ { \ + value = (item); \ --stkp; \ esp -= 4; \ - rc = __put_guest(item, stkp); \ + rc = __copy_to_guest_pv(stkp, &value, sizeof(value)); \ if ( rc ) \ { \ pv_inject_page_fault(PFEC_write_access, \ @@ -357,7 +359,7 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) unsigned int parm; --ustkp; - rc = __get_guest(parm, ustkp); + rc = __copy_from_guest_pv(&parm, ustkp, sizeof(parm)); if ( rc ) { pv_inject_page_fault(0, (unsigned long)(ustkp + 1) - rc); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:55:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:55:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326070.1591501 (Exim 4.92) (envelope-from ) id 1wUjGL-0004yf-Gq; Wed, 03 Jun 2026 10:55:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326070.1591501; Wed, 03 Jun 2026 10:55:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGL-0004yX-EK; Wed, 03 Jun 2026 10:55:53 +0000 Received: by outflank-mailman (input) for mailman id 1326070; Wed, 03 Jun 2026 10:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGK-0004yQ-8Q for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjGK-0051pd-0h for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjGK-00CUSa-0Y for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZZ+uhLxjDq5jHrYRFhvLzGZsYHTiSZhMtLwPQ/402Wc=; b=uBKd9jtppYf7NMD4EBIovoyFOj w4pkYD0OTCbs52hkiYoXaTC2yYliViVdwOrSG0Z1RylM7uj/5g8Au2WMNipEaa8vZH9nCSKsx4ect IrMF89r28QNehDLx1Npybd2ywHAr8eKMqO1AWv3ep0l7FZONyhuYGKF2Fuez6kXeV4AM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/pv: Provide better SYSCALL backwards compatibility in FRED mode Message-Id: Date: Wed, 03 Jun 2026 10:55:52 +0000 commit 9a0327bf537bdc1db559504e4a936108a28bd565 Author: Andrew Cooper AuthorDate: Wed Jun 3 11:38:18 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:38:18 2026 +0200 x86/pv: Provide better SYSCALL backwards compatibility in FRED mode In FRED mode, the SYSCALL instruction does not modify %rcx/%r11. All current software using SYSCALL expects the pre-FRED behaviour and spills %rcx/%r11 around the invocation, which is why FRED not doing this goes largely unnoticed. However, consider the following migration scenario: * VM suspends. Hypercall, so SYSCALL, %rcx/%r11 left unmodified * VM moves to a non-FRED system * Xen resumes the VM with a real SYSRET instruction Instead of resuming at the instruction following the SYSCALL instruction, the VM is resumed at whatever dead value was in %rcx. In FRED mode, manually adjust %rcx/%r11 when SYSCALL is used and when SYSRET would have been used. Regarding the choice of instructions in eretu_exit_to_guest(), a branch would be a context dependent 50/50 split (i.e. increased chance of mispredict), and only saves one instruction. The CMOVs read the same cacheline that ERETU is about to process, so are as close to free as we can reasonably get. Fixes: 76193ef47d91 ("x86/pv: System call handling in FRED mode") Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: c5a4b9125bed42d1947a48058119cd335294164b master date: 2026-05-28 16:19:16 +0100 --- xen/arch/x86/traps.c | 2 ++ xen/arch/x86/x86_64/entry-fred.S | 12 +++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 85d835ab43..9fdb08ce1a 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2409,6 +2409,8 @@ void asmlinkage entry_from_pv(struct cpu_user_regs *regs) regs->ssx = l ? FLAT_KERNEL_SS : FLAT_USER_SS32; regs->csx = l ? FLAT_KERNEL_CS64 : FLAT_USER_CS32; + regs->rcx = regs->rip; + regs->r11 = regs->rflags; if ( guest_kernel_mode(curr, regs) ) pv_hypercall(regs); diff --git a/xen/arch/x86/x86_64/entry-fred.S b/xen/arch/x86/x86_64/entry-fred.S index 2fa57beb93..e9c84423da 100644 --- a/xen/arch/x86/x86_64/entry-fred.S +++ b/xen/arch/x86/x86_64/entry-fred.S @@ -4,6 +4,7 @@ #include #include +#include .section .text.entry, "ax", @progbits @@ -26,7 +27,16 @@ FUNC(entry_FRED_R3, 4096) END(entry_FRED_R3) FUNC(eretu_exit_to_guest) - POP_GPRS + /* + * PV guests aren't aware of FRED. If Xen in IDT mode would have used + * a SYSRET instruction, preserve the legacy behaviour for %rcx/%r11 + */ + testb $TRAP_syscall >> 8, UREGS_entry_vector + 1(%rsp) + + POP_GPRS /* Preserves flags */ + + cmovnz EFRAME_rip(%rsp), %rcx + cmovnz EFRAME_eflags(%rsp), %r11 /* * Exceptions here are handled by redirecting either to -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 10:56:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 10:56:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326071.1591505 (Exim 4.92) (envelope-from ) id 1wUjGV-00050e-IU; Wed, 03 Jun 2026 10:56:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326071.1591505; Wed, 03 Jun 2026 10:56:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGV-00050W-Fl; Wed, 03 Jun 2026 10:56:03 +0000 Received: by outflank-mailman (input) for mailman id 1326071; Wed, 03 Jun 2026 10:56:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjGU-00050Q-B3 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:56:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjGU-0051pz-0z for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjGU-00CUYp-0t for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 10:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6kpnR9kp43J+/VHDor5dj+if8c0idoJmulUFF1GUZRQ=; b=ekv6V9/C9Nu6jXj4f+OCOpfPLz VY8vckBOAw7VGyGioWiU+5UDKxBc78/NQfGA2R9fY0YZ4ZLsMH/+mnxN29qjN+ZLHGNYW6RjQm/0c iBxiSxjZCywIrCcL/9Lj2L0p1Xqajld0Yqm8c+79Cj4aTuMPDQY7gY+4FdY5dRHuzZJc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/efi: Fix boot from a device without a file system Message-Id: Date: Wed, 03 Jun 2026 10:56:02 +0000 commit 4989714420c9ed7a85b9d5d50199dcc8bf288bb5 Author: Szymon Acedański AuthorDate: Wed Jun 3 11:38:50 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:38:50 2026 +0200 xen/efi: Fix boot from a device without a file system When netbooting a unified Xen kernel image (via GRUB chainloader), the resulting loaded_image->DeviceHandle does not support SIMPLE_FILE_SYSTEM_PROTOCOL. Instead of crashing via noreturn PrintErrMesg() in get_parent_handle(), we defer calling this function until filesystem access is needed. This way when booting UKI, get_parent_handle() is not called at all. Suggested-by: Andrew Cooper Suggested-by: Marek Marczykowski-Górecki Signed-off-by: Szymon Acedański Acked-by: Marek Marczykowski-Górecki xen/efi: Use blexit() instead of BUG_ON() in read_file() Follow-up to 880e40b187aa, which added a BUG_ON() guard in read_file(). But as Jan pointed out, before ExitBootServices BUG_ON() is not functional. It results in a hang with no message. On the other hand blexit() prints a message and returns back to the bootloader. Fixes: 880e40b187aa ("xen/efi: Fix boot from a device without a file system") Reported-by: Jan Beulich Signed-off-by: Szymon Acedański Reviewed-by: Jan Beulich Acked-by: Marek Marczykowski-Górecki master commit: 880e40b187aa7c50cb32b20498aeed622f0062c7 master date: 2026-05-28 16:19:16 +0100 master commit: 7e11543c53396ea2e59320127573bf4151fae008 master date: 2026-06-03 08:17:56 +0200 --- xen/arch/arm/efi/efi-boot.h | 12 ++++---- xen/arch/x86/efi/efi-boot.h | 9 ++++-- xen/common/efi/boot.c | 67 ++++++++++++++++++++++++++++----------------- 3 files changed, 55 insertions(+), 33 deletions(-) diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h index 7844b9529e..6bddae0f94 100644 --- a/xen/arch/arm/efi/efi-boot.h +++ b/xen/arch/arm/efi/efi-boot.h @@ -403,7 +403,7 @@ static void __init noreturn efi_arch_post_exit_boot(void) } static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { union string name; @@ -419,8 +419,11 @@ static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, name.s = get_value(&cfg, section, "dtb"); if ( name.s ) { + CHAR16 *fname; + split_string(name.s); - read_file(dir_handle, s2w(&name), &dtbfile, NULL); + ensure_dir_handle(image, dir_handle, &fname); + read_file(*dir_handle, s2w(&name), &dtbfile, NULL); efi_bs->FreePool(name.w); } } @@ -430,7 +433,7 @@ static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, } static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { } @@ -665,8 +668,7 @@ static int __init allocate_module_file(const EFI_LOADED_IMAGE *loaded_image, file_info->name_len = name_len; /* Get the file system interface. */ - if ( !*dir_handle ) - *dir_handle = get_parent_handle(loaded_image, &fname); + ensure_dir_handle(loaded_image, dir_handle, &fname); /* Load the binary in memory */ read_file(*dir_handle, s2w(&module_name), &module_binary, NULL); diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h index 0194720003..38fd68676f 100644 --- a/xen/arch/x86/efi/efi-boot.h +++ b/xen/arch/x86/efi/efi-boot.h @@ -284,13 +284,13 @@ static void __init noreturn efi_arch_post_exit_boot(void) } static void __init efi_arch_cfg_file_early(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { } static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, - EFI_FILE_HANDLE dir_handle, + EFI_FILE_HANDLE *dir_handle, const char *section) { union string name; @@ -303,9 +303,12 @@ static void __init efi_arch_cfg_file_late(const EFI_LOADED_IMAGE *image, name.s = get_value(&cfg, "global", "ucode"); if ( name.s ) { + CHAR16 *fname; + microcode_set_module(mbi.mods_count); split_string(name.s); - read_file(dir_handle, s2w(&name), &ucode, NULL); + ensure_dir_handle(image, dir_handle, &fname); + read_file(*dir_handle, s2w(&name), &ucode, NULL); efi_bs->FreePool(name.w); } } diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index 99d507d1f6..b3df99fc8d 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -547,6 +547,17 @@ static EFI_FILE_HANDLE __init get_parent_handle(const EFI_LOADED_IMAGE *loaded_i return dir_handle; } +static void __init ensure_dir_handle(const EFI_LOADED_IMAGE *loaded_image, + EFI_FILE_HANDLE *dir_handle, + CHAR16 **file_name) +{ + if ( *dir_handle ) + return; + *dir_handle = get_parent_handle(loaded_image, file_name); + if ( !*dir_handle ) + blexit(L"Cannot load files without a usable file system"); +} + static CHAR16 *__init point_tail(CHAR16 *fn) { CHAR16 *tail = NULL; @@ -813,12 +824,12 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, CHAR16 *name, if ( !name ) PrintErrMesg(L"No filename", EFI_OUT_OF_RESOURCES); + if ( !dir_handle ) + blexit(L"BUG: !dir_handle in read_file()"); + what = L"Open"; - if ( dir_handle ) - ret = dir_handle->Open(dir_handle, &FileHandle, name, - EFI_FILE_MODE_READ, 0); - else - ret = EFI_NOT_FOUND; + ret = dir_handle->Open(dir_handle, &FileHandle, name, + EFI_FILE_MODE_READ, 0); if ( file == &cfg && ret == EFI_NOT_FOUND ) return false; if ( EFI_ERROR(ret) ) @@ -1514,7 +1525,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, if ( use_cfg_file ) { - EFI_FILE_HANDLE dir_handle; + EFI_FILE_HANDLE dir_handle = NULL; EFI_HANDLE gop_handle; UINTN depth, cols, rows; @@ -1526,31 +1537,33 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, gop = efi_get_gop(&gop_handle); - /* Get the file system interface. */ - dir_handle = get_parent_handle(loaded_image, &file_name); - /* Read and parse the config file. */ if ( read_section(loaded_image, L"config", &cfg, NULL) ) PrintStr(L"Using builtin config file\r\n"); - else if ( !cfg_file_name && file_name ) + else { - CHAR16 *tail; + ensure_dir_handle(loaded_image, &dir_handle, &file_name); - while ( (tail = point_tail(file_name)) != NULL ) + if ( !cfg_file_name ) { - wstrcpy(tail, L".cfg"); - if ( read_file(dir_handle, file_name, &cfg, NULL) ) - break; - *tail = 0; + CHAR16 *tail; + + while ( (tail = point_tail(file_name)) != NULL ) + { + wstrcpy(tail, L".cfg"); + if ( read_file(dir_handle, file_name, &cfg, NULL) ) + break; + *tail = 0; + } + if ( !tail ) + blexit(L"No configuration file found."); + PrintStr(L"Using configuration file '"); + PrintStr(file_name); + PrintStr(L"'\r\n"); } - if ( !tail ) - blexit(L"No configuration file found."); - PrintStr(L"Using configuration file '"); - PrintStr(file_name); - PrintStr(L"'\r\n"); + else if ( !read_file(dir_handle, cfg_file_name, &cfg, NULL) ) + blexit(L"Configuration file not found."); } - else if ( !read_file(dir_handle, cfg_file_name, &cfg, NULL) ) - blexit(L"Configuration file not found."); pre_parse(&cfg); if ( section.w ) @@ -1567,6 +1580,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, if ( !name.s ) break; free_cfg(); + ensure_dir_handle(loaded_image, &dir_handle, &file_name); if ( !read_file(dir_handle, s2w(&name), &cfg, NULL) ) { PrintStr(L"Chained configuration file '"); @@ -1578,13 +1592,14 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, efi_bs->FreePool(name.w); } - efi_arch_cfg_file_early(loaded_image, dir_handle, section.s); + efi_arch_cfg_file_early(loaded_image, &dir_handle, section.s); option_str = name.s ? split_string(name.s) : NULL; if ( !read_section(loaded_image, L"kernel", &kernel, option_str) && name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &kernel, option_str); efi_bs->FreePool(name.w); } @@ -1599,6 +1614,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, name.s = get_value(&cfg, section.s, "ramdisk"); if ( name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &ramdisk, NULL); efi_bs->FreePool(name.w); } @@ -1609,6 +1625,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, name.s = get_value(&cfg, section.s, "xsm"); if ( name.s ) { + ensure_dir_handle(loaded_image, &dir_handle, &file_name); read_file(dir_handle, s2w(&name), &xsm, NULL); efi_bs->FreePool(name.w); } @@ -1634,7 +1651,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle, } } - efi_arch_cfg_file_late(loaded_image, dir_handle, section.s); + efi_arch_cfg_file_late(loaded_image, &dir_handle, section.s); free_cfg(); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 11:33:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 11:33:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326108.1591546 (Exim 4.92) (envelope-from ) id 1wUjqI-00058o-F9; Wed, 03 Jun 2026 11:33:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326108.1591546; Wed, 03 Jun 2026 11:33:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqI-00058g-CY; Wed, 03 Jun 2026 11:33:02 +0000 Received: by outflank-mailman (input) for mailman id 1326108; Wed, 03 Jun 2026 11:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqH-00058a-I0 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjqH-0052xO-1V for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjqH-00CiHS-1N for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EOkG+cudCtjvVQHR970LN4Pdq+kop0s5G9rQYAF6iMA=; b=t0UDLQiIfbFcL7gNz5jtZx+v6M y5T68BSUGNyByS4K1OcFVHrbvoFyTNCTtSohnitYRPZ8379uIDJn6BJr6JhVbrmGSjIWRfKOnyIAd bsvUawlzHZBAfgmK5y9PrNwvSUNkY8hvg5fZ0VyQn0atkN7wFb8XpWYgwGMfjI1AXZ88=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/svm: Add Enumerations for the SVM virtual NMI Message-Id: Date: Wed, 03 Jun 2026 11:33:01 +0000 commit ccac1955c4e99572815c0dac4a69bd7a95ae47ad Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:39:31 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:39:31 2026 +0200 x86/svm: Add Enumerations for the SVM virtual NMI Introduce the cpuid bit for the SVM vNMI feature support for the x86\AMD platforms. The feature support is indicated by the CPUID Fn8000_000A_EDX[25] = 1. Add defines for the three SVM's Virtual NMI (vNMI) managements bits in the VMCB structure's vintr_t: vintr_t(11) - Virtual NMI is pending. vintr_t(12) - Virtual NMI is masked. vintr_t(26) - Enable NMI virtualization. Signed-off-by: Abdelkareem Abdelsaamad Reviewed-by: Teddy Astie Acked-by: Jan Beulich master commit: 0294292b4ca6d90e18cb66912d18b88576dd2733 master date: 2026-02-23 08:41:32 +0100 --- xen/arch/x86/include/asm/hvm/svm/svm.h | 2 ++ xen/arch/x86/include/asm/hvm/svm/vmcb.h | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/hvm/svm/svm.h b/xen/arch/x86/include/asm/hvm/svm/svm.h index 4eeeb25da9..eb6fe3e993 100644 --- a/xen/arch/x86/include/asm/hvm/svm/svm.h +++ b/xen/arch/x86/include/asm/hvm/svm/svm.h @@ -37,6 +37,7 @@ extern u32 svm_feature_flags; #define SVM_FEATURE_VGIF 16 /* Virtual GIF */ #define SVM_FEATURE_SSS 19 /* NPT Supervisor Shadow Stacks */ #define SVM_FEATURE_SPEC_CTRL 20 /* MSR_SPEC_CTRL virtualisation */ +#define SVM_FEATURE_VNMI 25 /* Virtual NMI */ static inline bool cpu_has_svm_feature(unsigned int feat) { @@ -56,5 +57,6 @@ static inline bool cpu_has_svm_feature(unsigned int feat) #define cpu_has_svm_vloadsave cpu_has_svm_feature(SVM_FEATURE_VLOADSAVE) #define cpu_has_svm_sss cpu_has_svm_feature(SVM_FEATURE_SSS) #define cpu_has_svm_spec_ctrl cpu_has_svm_feature(SVM_FEATURE_SPEC_CTRL) +#define cpu_has_svm_vnmi cpu_has_svm_feature(SVM_FEATURE_VNMI) #endif /* __ASM_X86_HVM_SVM_H__ */ diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 28f715e376..78bc0a8075 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -338,13 +338,17 @@ typedef union u64 tpr: 8; u64 irq: 1; u64 vgif: 1; - u64 rsvd0: 6; + u64 : 1; + u64 vnmi_pending: 1; + u64 vnmi_blocking:1; + u64 : 3; u64 prio: 4; u64 ign_tpr: 1; u64 rsvd1: 3; u64 intr_masking: 1; u64 vgif_enable: 1; - u64 rsvd2: 6; + u64 vnmi_enable: 1; + u64 : 5; u64 vector: 8; u64 rsvd3: 24; } fields; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 11:33:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 11:33:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326109.1591550 (Exim 4.92) (envelope-from ) id 1wUjqS-0005Af-Gb; Wed, 03 Jun 2026 11:33:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326109.1591550; Wed, 03 Jun 2026 11:33:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqS-0005AW-Ds; Wed, 03 Jun 2026 11:33:12 +0000 Received: by outflank-mailman (input) for mailman id 1326109; Wed, 03 Jun 2026 11:33:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqR-0005AM-J9 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjqR-0052xZ-1o for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjqR-00CiLF-1g for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2KzU+Nf8yZBV4UNp3//le19NckY5Z3gqmFg3P/0/ePA=; b=wJpy/zA3sWVJgou4DwqAto1OBk ZQFUvUEkUyr9Wg0YCTAa4wg/9N1yIk7kOhwQW6ZKQXBNmLt7NMHAog2wqibHgGGGLk1ovHBHwI+Ox JXJqVd4ZyJ8yDn0QruEGgcQ7evHt52yr2eqqILQWBi3Hf8TOIqAP5cmm5ctoF1XhQ2+4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] docs: Update console=pv requirement Message-Id: Date: Wed, 03 Jun 2026 11:33:11 +0000 commit 806c814537ee760ab74400b2907061cc7f269c0e Author: Teddy Astie AuthorDate: Wed Jun 3 11:40:05 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:05 2026 +0200 docs: Update console=pv requirement PV console doesn't require Xen to be running as a shim and only requires CONFIG_XEN_GUEST and running as a Xen guest. Update the documentation accordingly. Fixes: 4f6609d6a665 ("x86/guest: use PV console for Xen/Dom0 I/O") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper master commit: f47c2e96ab9b61debe18fc0c52faa1672a5d24f9 master date: 2026-05-21 09:13:42 +0200 --- docs/misc/xen-command-line.pandoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index ff7bc7e861..c4c888ac04 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -446,8 +446,9 @@ the converse; transmitted and received characters will have their MSB cleared. This allows a single port to be shared by two subsystems (e.g. console and debugger). -`pv` indicates that Xen should use Xen's PV console. This option is -only available when used together with `pv-in-pvh`. +`pv` indicates that Xen should use Xen's PV console. This option requires +Xen running as a Xen guest. and is only available if the hypervisor was +compiled with `CONFIG_XEN_GUEST` enabled. `dbgp` or `ehci` indicates that Xen should use a USB2 debug port. -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 11:33:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 11:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326110.1591553 (Exim 4.92) (envelope-from ) id 1wUjqd-0005Cj-Hc; Wed, 03 Jun 2026 11:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326110.1591553; Wed, 03 Jun 2026 11:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqd-0005Cc-FC; Wed, 03 Jun 2026 11:33:23 +0000 Received: by outflank-mailman (input) for mailman id 1326110; Wed, 03 Jun 2026 11:33:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqb-0005CT-Nl for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjqb-0052xw-2H for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjqb-00CiOs-1z for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SWkc8aPvZSG09M3+Cq9rHrBEXt9nSddnNZGO+GH4opY=; b=zbt/wTO6GBmC4CwBumOPDYySx5 Us/leylIdsbMus/voiqE3vk5Qv3beuXGChuycp0MoJrX02/xrJn4gQnlU690s8g6sy5HEzG3yL/XP ojUqnL9MpINb199dS1PP4aMH4/GcmyEkVXcShSjBLsO7FYR4SbWGGNxo3RlQR7bibTCI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/svm: Support vNMI on capable hardware Message-Id: Date: Wed, 03 Jun 2026 11:33:21 +0000 commit 33a6d8a25b9c74b3a8c3101764b8517700252734 Author: Abdelkareem Abdelsaamad AuthorDate: Wed Jun 3 11:40:15 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:15 2026 +0200 x86/svm: Support vNMI on capable hardware Starting with Zen4, AMD CPUs can virtualise NMIs for a guest. On older hardware, determining when an NMI is safe to deliver is a challenge and Xen does not handle all corner cases correctly. With vNMI, there is an enablement bit and two new bits of state in the VMCB; a pending bit, and a blocked bit. These directly map to the CPU state for handling NMIs, and are maintained by hardware during the running of the vCPU. When vNMI is enabled, have svm_{get,set}_interrupt_shadow() work in terms of the vnmi_blocking bit rather than the IRET intercept. This allows an emulated IRET instruction to re-enable NMIs. When injecting a new NMI, simply set the vnmi_pending bit; hardware will deliver the NMI to the guest at the next suitable juncture. One complication is that, when delivering a second NMI before the first has completed, the mix between common HVM logic and SVM specific logic will try to open an NMI window, malfunctioning as it does so. When vNMI is enabled, short circuit this to not consider NMIs blocked. Signed-off-by: Abdelkareem Abdelsaamad Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 86a203ab8d38f3bae19219980c2a37d091a8f7aa master date: 2026-05-21 16:43:01 +0100 --- xen/arch/x86/hvm/svm/intr.c | 19 +++++++++++++++++++ xen/arch/x86/hvm/svm/svm.c | 23 +++++++++++++++++------ xen/arch/x86/hvm/svm/vmcb.c | 2 ++ 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/hvm/svm/intr.c b/xen/arch/x86/hvm/svm/intr.c index 46186a1102..caeeb76a28 100644 --- a/xen/arch/x86/hvm/svm/intr.c +++ b/xen/arch/x86/hvm/svm/intr.c @@ -33,6 +33,12 @@ static void svm_inject_nmi(struct vcpu *v) u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); intinfo_t event; + if ( vmcb->_vintr.fields.vnmi_enable ) + { + vmcb->_vintr.fields.vnmi_pending = true; + return; + } + event.raw = 0; event.v = true; event.type = X86_ET_NMI; @@ -142,6 +148,19 @@ void asmlinkage svm_intr_assist(void) return; intblk = hvm_interrupt_blocked(v, intack); + + /* + * When vNMI is active, NMIs can be injected by setting vnmi_pending + * and hardware will deliver them at the next appropriate opportunity. + * Consider them not blocked, to avoid trying to open an NMI Window. + * + * Correctness here relies on the fact that all vNMI capable hardware + * has vGIF, and vGIF is always activated when appropriate. + */ + if ( intblk == hvm_intblk_nmi_iret && + vmcb->_vintr.fields.vnmi_enable ) + intblk = hvm_intblk_none; + if ( intblk == hvm_intblk_svm_gif ) { ASSERT(nestedhvm_enabled(v->domain)); diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 8bb829a13d..ce54b7857f 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -545,7 +545,9 @@ static unsigned cf_check int svm_get_interrupt_shadow(struct vcpu *v) if ( vmcb->int_stat.intr_shadow ) intr_shadow |= HVM_INTR_SHADOW_MOV_SS | HVM_INTR_SHADOW_STI; - if ( vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET ) + if ( vmcb->_vintr.fields.vnmi_enable + ? vmcb->_vintr.fields.vnmi_blocking + : (vmcb_get_general1_intercepts(vmcb) & GENERAL1_INTERCEPT_IRET) ) intr_shadow |= HVM_INTR_SHADOW_NMI; return intr_shadow; @@ -555,15 +557,23 @@ static void cf_check svm_set_interrupt_shadow( struct vcpu *v, unsigned int intr_shadow) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; - u32 general1_intercepts = vmcb_get_general1_intercepts(vmcb); + bool block_nmi = intr_shadow & HVM_INTR_SHADOW_NMI; vmcb->int_stat.intr_shadow = !!(intr_shadow & (HVM_INTR_SHADOW_MOV_SS|HVM_INTR_SHADOW_STI)); - general1_intercepts &= ~GENERAL1_INTERCEPT_IRET; - if ( intr_shadow & HVM_INTR_SHADOW_NMI ) - general1_intercepts |= GENERAL1_INTERCEPT_IRET; - vmcb_set_general1_intercepts(vmcb, general1_intercepts); + if ( vmcb->_vintr.fields.vnmi_enable ) + vmcb->_vintr.fields.vnmi_blocking = block_nmi; + else + { + uint32_t gen1 = vmcb_get_general1_intercepts(vmcb); + + gen1 &= ~GENERAL1_INTERCEPT_IRET; + if ( block_nmi ) + gen1 |= GENERAL1_INTERCEPT_IRET; + + vmcb_set_general1_intercepts(vmcb, gen1); + } } static int cf_check svm_guest_x86_mode(struct vcpu *v) @@ -2518,6 +2528,7 @@ const struct hvm_function_table * __init start_svm(void) P(cpu_has_tsc_ratio, "TSC Rate MSR"); P(cpu_has_svm_sss, "NPT Supervisor Shadow Stack"); P(cpu_has_svm_spec_ctrl, "MSR_SPEC_CTRL virtualisation"); + P(cpu_has_svm_vnmi, "Virtual NMI"); #undef P if ( !printed ) diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index 4e1f61dbe0..f6b6f3d61b 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -173,6 +173,8 @@ static int construct_vmcb(struct vcpu *v) if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; + vmcb->_vintr.fields.vnmi_enable = cpu_has_svm_vnmi; + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 11:33:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 11:33:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326111.1591558 (Exim 4.92) (envelope-from ) id 1wUjqn-0005Eg-JH; Wed, 03 Jun 2026 11:33:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326111.1591558; Wed, 03 Jun 2026 11:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqn-0005EY-Gf; Wed, 03 Jun 2026 11:33:33 +0000 Received: by outflank-mailman (input) for mailman id 1326111; Wed, 03 Jun 2026 11:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqm-0005ER-BV for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjqm-0052y7-13 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjql-00CiUM-2T for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RhyiEEs+vvYfAL+mAowTw2TAAfR4S4wiapupS6ZTKNY=; b=1Y8lpm14QRiNOJD3uFtWyMjY3z jTN8bFn6ua+iTJhR0GnbEbWs1KDslDTy5+pGl387PsWUsp4C81m3omigy+Q94iQMpTBSl+T0CYpbF cnB3SGeU85014nlPWMRM+1Yfdzgam9mdHNRrGPI1g75nFRNzKgmyPTk/+tR0cRtW8Q2E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/gnttab: Fix TOCTOU race in gnttab_set_version() Message-Id: Date: Wed, 03 Jun 2026 11:33:31 +0000 commit 2abb8d0fbf9333473e369b161ace15d35dae49cf Author: Alejandro Vallejo AuthorDate: Wed Jun 3 11:40:34 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:34 2026 +0200 xen/gnttab: Fix TOCTOU race in gnttab_set_version() Move first read of gt->gt_version inside the critical region of the rwlock, otherwise concurrent gnttab operations (silly as they would be) may get mutually confused as to the actual current version. Fixes: c1488502c949("grant-tables: do not fail attempts to...") Reported-by: Oleksandr Tyshchenko Signed-off-by: Alejandro Vallejo Reviewed-by: Jan Beulich master commit: c0e548d9206b3a281f9d30a2670be543fb383223 master date: 2026-05-22 13:32:44 +0200 --- xen/common/grant_table.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index e0f306f268..15262819e1 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -3183,11 +3183,12 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop) if ( op.version == 2 && gt->max_version == 1 ) goto out; /* Behave as before set_version was introduced. */ + grant_write_lock(gt); + res = 0; if ( gt->gt_version == op.version ) - goto out; + goto out_unlock; - grant_write_lock(gt); /* * Make sure that the grant table isn't currently in use when we * change the version number, except for the first 8 entries which -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 11:33:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 11:33:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326112.1591562 (Exim 4.92) (envelope-from ) id 1wUjqx-0005Gw-Kb; Wed, 03 Jun 2026 11:33:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326112.1591562; Wed, 03 Jun 2026 11:33:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqx-0005Go-I4; Wed, 03 Jun 2026 11:33:43 +0000 Received: by outflank-mailman (input) for mailman id 1326112; Wed, 03 Jun 2026 11:33:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUjqw-0005Gg-EE for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUjqw-0052yL-1K for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUjqw-00CiYR-1D for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 11:33:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3wBtEsVdHl7iig433WZ3Umu0G9QmmH2z1xzMf2Uz0Is=; b=qlKpeaZN2xFG5XMFl9IbaIasg/ 1MjvgkQbwZPh1WArJKTSGwhW7Z8I4zV40HgmijygHqUKbwjxZc9gLw+6BdAZ7DTZ99FkxqZjri9hv gZGUs+w83HqvMRopoGA9kdVOdEiYjZLgYuv1TMprLdrjWYRKx7JBdQz1KKrGnNhDxaN8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/pv32: Fix bogus CR2 in pagefault for gate emulation Message-Id: Date: Wed, 03 Jun 2026 11:33:42 +0000 commit 6cf9b61548a174f8627b9b7cfc96c8e4ebf40bf1 Author: Teddy Astie AuthorDate: Wed Jun 3 11:40:48 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 3 11:40:48 2026 +0200 x86/pv32: Fix bogus CR2 in pagefault for gate emulation __{put,get}_guest() returns -EFAULT on access faults which causes the injected CR2 to be off by 14 bytes (as EFAULT is 14) which is incorrect. Fix the computation by relying on __copy_{from,to}_guest_pv() which reports the number of remaining bytes instead of a negative errno, such that we can compute the offset properly. Fixes: 70ad570b2799 ("x86/64: paravirt 32-on-64 call gate support") Signed-off-by: Teddy Astie Reviewed-by: Jan Beulich master commit: 03878fba4af14fab942c2ce8ed2d6d18c204a603 master date: 2026-05-22 14:33:44 +0100 --- xen/arch/x86/pv/emul-gate-op.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c index dcac0a0401..1fcab1f3a3 100644 --- a/xen/arch/x86/pv/emul-gate-op.c +++ b/xen/arch/x86/pv/emul-gate-op.c @@ -284,12 +284,14 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) if ( !jump ) { unsigned int ss, esp, *stkp; + uint32_t value; int rc; #define push(item) do \ { \ + value = (item); \ --stkp; \ esp -= 4; \ - rc = __put_guest(item, stkp); \ + rc = __copy_to_guest_pv(stkp, &value, sizeof(value)); \ if ( rc ) \ { \ pv_inject_page_fault(PFEC_write_access, \ @@ -357,7 +359,7 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) unsigned int parm; --ustkp; - rc = __get_guest(parm, ustkp); + rc = __copy_from_guest_pv(&parm, ustkp, sizeof(parm)); if ( rc ) { pv_inject_page_fault(0, (unsigned long)(ustkp + 1) - rc); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Wed Jun 03 12:11:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 03 Jun 2026 12:11:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1326138.1591574 (Exim 4.92) (envelope-from ) id 1wUkR4-0002gH-E1; Wed, 03 Jun 2026 12:11:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1326138.1591574; Wed, 03 Jun 2026 12:11:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUkR4-0002gB-BG; Wed, 03 Jun 2026 12:11:02 +0000 Received: by outflank-mailman (input) for mailman id 1326138; Wed, 03 Jun 2026 12:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wUkR3-0002g5-CL for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 12:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wUkR3-00548y-10 for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 12:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wUkR3-00CxiE-0o for xen-changelog@lists.xenproject.org; Wed, 03 Jun 2026 12:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=N13nF5n7zOOHFxwojbXhuLGSeXnCHgHCZ+1nLvpO9Qw=; b=WE43MM2Qq7dY2Znpw3zd4QJujL aECo1Kmcj8pKlGDR2koELyV19Rg8YYys/FxhMin3EBLBO/ZOV9zE++5RzRQ0RiKSkiELeFsaXakFY O3CvwqN0AxCTYwnr9Pwg2VLK0Uyd2nBHWx4izbwaR11jVDwmJsP/q4KSd0wS+K6BRO4w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/fred: Enable FRED by default on AMD systems Message-Id: Date: Wed, 03 Jun 2026 12:11:01 +0000 commit 286059a3bbc747943aa5496fbbc46ce38b166b46 Author: Andrew Cooper AuthorDate: Sun May 25 02:05:15 2025 +0100 Commit: Andrew Cooper CommitDate: Wed Jun 3 10:48:49 2026 +0100 x86/fred: Enable FRED by default on AMD systems FRED is now believed to be complete for AMD systems, and has had its tyres kicked by both XenServer and AMD. Enable FRED by default on capable AMD systems (Zen6 and later). Support on Intel is still not yet complete. Leave it as tech preview and not security supported. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- docs/misc/xen-command-line.pandoc | 9 +++++---- xen/arch/x86/traps-setup.c | 4 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index ef3c737189..93c2a73f4a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1259,12 +1259,13 @@ does not provide `VM_ENTRY_LOAD_GUEST_PAT`. ### fred (x86) > `= ` -> Default: `false` +> Default: `true` on AMD, `false` otherwise Flexible Return and Event Delivery is an overhaul of interrupt, exception and -system call handling, fixing many corner cases in the x86 architecture, and -expected in hardware from 2025. Support in Xen is a work in progress and -disabled by default. +system call handling, fixing many corner cases in the x86 architecture, and is +available on Intel Panther Lake and Diamond Rapids CPUs, and AMD Zen6 CPUs. +FRED is fully supported on AMD hardware. On Intel hardware it is still tech +preview, and in particular not security supported. ### gnttab > `= List of [ max-ver:, transitive=, transfer= ]` diff --git a/xen/arch/x86/traps-setup.c b/xen/arch/x86/traps-setup.c index ccbd53fd9d..a79a3b2013 100644 --- a/xen/arch/x86/traps-setup.c +++ b/xen/arch/x86/traps-setup.c @@ -22,7 +22,7 @@ unsigned int __ro_after_init ler_msr; static bool __initdata opt_ler; boolean_param("ler", opt_ler); -int8_t __ro_after_init opt_fred = 0; +int8_t __ro_after_init opt_fred = -1; boolean_param("fred", opt_fred); void nocall entry_PF(void); @@ -392,7 +392,7 @@ void __init traps_init(void) } if ( opt_fred == -1 ) - opt_fred = !pv_shim; + opt_fred = (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && !pv_shim; if ( opt_fred ) { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329266.1593461 (Exim 4.92) (envelope-from ) id 1wVQkd-0001Ry-DC; Fri, 05 Jun 2026 09:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329266.1593461; Fri, 05 Jun 2026 09:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkd-0001Ro-AB; Fri, 05 Jun 2026 09:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1329266; Fri, 05 Jun 2026 09:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkb-0001Ri-Pa for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQkb-008cjc-26 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQkb-00Cr3P-1y for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EEG1RPwVfMP3UIXqzAmhh2Uqjs8S77T3hELhNARFgaw=; b=KoGdPcTsJhFqtBLS1VXiWVpvX5 rSs5rqjkUYFIWi5N/f/sx3DELxAFOlXcf/lXThitMLLIvDXWUlqNVWAQhTJj9wLZZPK55uufOe0lw TrX46TwpqD8TCCjp3n76WZwMTMo52wiJMaq+efckxnwYIXI/jZytHSDexLcNDrpU6CvY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/page_alloc: verify buddy alignment in reserve_offlined_page() Message-Id: Date: Fri, 05 Jun 2026 09:22:01 +0000 commit 71c6a623176638f32cac816522864bed3cf28000 Author: Bernhard Kaindl AuthorDate: Fri Jun 5 10:08:22 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 5 10:08:22 2026 +0200 xen/page_alloc: verify buddy alignment in reserve_offlined_page() reserve_offlined_page() fails to verify alignment when growing buddies around offlined pages. Consequently, misaligned buddies may be constructed from non-offlined page ranges and returned to the free lists. After a particular sequence of allocations and frees, pages from such a misaligned buddy may be allocated more than once, eventually triggering a Xen BUG() in alloc_heap_pages(). Fixes: e4865c2315 ('Page offline support in Xen side') Signed-off-by: Bernhard Kaindl Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/page_alloc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2c4ff2c34c..2767376a71 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -1202,6 +1202,11 @@ static int reserve_offlined_page(struct page_info *head) if ( (cur_head + (1 << next_order)) >= (head + ( 1 << head_order)) ) goto merge; + /* Do not grow to next_order if cur_head is not aligned to it. */ + if ( mfn_x(page_to_mfn(cur_head)) & (1UL << cur_order) ) + goto merge; + + /* Check for offlined pages in upper half of next_order range. */ for ( i = (1 << cur_order), pg = cur_head + (1 << cur_order ); i < (1 << next_order); i++, pg++ ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329267.1593465 (Exim 4.92) (envelope-from ) id 1wVQkn-0001VX-EK; Fri, 05 Jun 2026 09:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329267.1593465; Fri, 05 Jun 2026 09:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkn-0001VN-BW; Fri, 05 Jun 2026 09:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1329267; Fri, 05 Jun 2026 09:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkl-0001U8-P6 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQkl-008cjr-2P for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQkl-00Cr71-2H for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rWiAJoXFSK5BsB8DqLxBBmuvN4NhVKbO8Ps8eb3OtO0=; b=Zl3TxSGt9etVgeKs+XC8jFmJRz ZwLdSTNk8BK2ftFmIAkcNhOE3aqpsRRU9mTLLqIFRZsO5jb5dx6zRQbQCcL+AIm6w+K0ieOsS+XhF 236RagyrhKP1j3P/dERsnq9nrhlEDJuhezBc3z7PPzm0GAxAwiyEo40uKPMw0fEVTn5I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/mm: Fix off-by-one preventing tail merge in reserve_offlined_page() Message-Id: Date: Fri, 05 Jun 2026 09:22:11 +0000 commit 5cb7ff13eec6cc332c671f70d6055022863ca222 Author: Bernhard Kaindl AuthorDate: Fri Jun 5 10:08:42 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 5 10:08:42 2026 +0200 xen/mm: Fix off-by-one preventing tail merge in reserve_offlined_page() reserve_offlined_page() reserves pages marked for offlining and returns free buddies from the remaining healthy tail pages back to the free list. Consider an order-2 buddy (4 pages) with the following layout: +---------------+---------------+---------------+---------------+ | head page tail page 1, tail page 2 tail page 3 | | PFN_ORDER(pg) marked as to | | == 2 be offlined | +---------------+---------------+---------------+---------------+ The expected result after removing tail page 1 and returning the remaining healthy pages to the free list would be: +---------------+ +---------------+---------------+ | single page | offlined page | head page tail page | | PFN_ORDER(pg) | not returned | PFN_ORDER(pg) | | == 0 | to the heap | == 1 | +---------------+ +---------------+---------------+ A trivial off-by-one error in the growth loop stops the growth loop early before the tail end of the original buddy and we end up with: +---------------+ +---------------+---------------+ | single page | offlined page | single page | single page | | PFN_ORDER(pg) | not returned | PFN_ORDER(pg) | PFN_ORDER(pg) | | == 0 | to the heap | == 0 | == 0 | +---------------+ +---------------+---------------+ If the offlined page was in a much larger buddy, this would lead to much more memory not available for higher order allocations requiring the full tail end of the original buddy for allocation. Fix the growth loop to correctly grow the buddy to the tail end to make the full allocation unit available for future allocation. Fixes: e4865c2315 ('Page offline support in Xen side') Signed-off-by: Bernhard Kaindl Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/page_alloc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2767376a71..e01ac3e99c 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -1195,11 +1195,13 @@ static int reserve_offlined_page(struct page_info *head) next_order = cur_order = 0; + /* Attempt to grow the order (size) of the buddy as much as possible. */ while ( cur_order < head_order ) { next_order = cur_order + 1; - if ( (cur_head + (1 << next_order)) >= (head + ( 1 << head_order)) ) + /* Do not grow to next_order if it would go beyond the buddy. */ + if ( (cur_head + (1 << next_order)) > (head + (1 << head_order)) ) goto merge; /* Do not grow to next_order if cur_head is not aligned to it. */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329268.1593468 (Exim 4.92) (envelope-from ) id 1wVQkx-0001Xe-FY; Fri, 05 Jun 2026 09:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329268.1593468; Fri, 05 Jun 2026 09:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkx-0001XW-Cr; Fri, 05 Jun 2026 09:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1329268; Fri, 05 Jun 2026 09:22:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQkv-0001XQ-Rz for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQkv-008cjx-2h for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQkv-00Cr9z-2a for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hp8e5Pg6mTNoYiiFaD2cMHkdfWZWyNczuPqUjLECRCI=; b=J1AkQOFfAQM9SRXvqyiPZJdAkL KWJSfnYsfNZwUKw8Yj7N/BibDPmpIDASf3YV2zpqWBr9PLtsqIFG4lYKqWDW4GASTxHbLqSNOQgvi fPARzpFmrUt9l0rvovOiBYNShGP6V7dhAaJSOjjGM6wj83eaTzrjP6tkurJ+JNRv6HK0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] argo: lower level of noisy connection-refused log Message-Id: Date: Fri, 05 Jun 2026 09:22:21 +0000 commit a9720605b6a556e76be7b4d5a59559942cb1852e Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:21 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:06 2026 +0200 argo: lower level of noisy connection-refused log Switch the log line to argo_dprintk() so it is enabled only in debug environments, as it can spam the logs when a dom0 service using the Argo hypercall tries to communicate with a domain that is still starting up. Note that this also lowers the log level to debug when the argo_dprintk() facility is enabled. Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 28626e00a8..98a3db7fd0 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -2034,10 +2034,9 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr, src_id.domain_id); if ( !ring_info ) { - gprintk(XENLOG_ERR, - "argo: vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", - current->domain->domain_id, src_id.domain_id, src_id.aport, - dst_addr->domain_id, dst_addr->aport); + argo_dprintk("vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", + current->domain->domain_id, src_id.domain_id, src_id.aport, + dst_addr->domain_id, dst_addr->aport); ret = -ECONNREFUSED; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329269.1593472 (Exim 4.92) (envelope-from ) id 1wVQl7-0001Zi-H3; Fri, 05 Jun 2026 09:22:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329269.1593472; Fri, 05 Jun 2026 09:22:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQl7-0001ZZ-ED; Fri, 05 Jun 2026 09:22:33 +0000 Received: by outflank-mailman (input) for mailman id 1329269; Fri, 05 Jun 2026 09:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQl5-0001ZS-VH for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQl5-008ck3-31 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQl5-00CrD7-2s for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XasBgz6jsqqYQk1/P6CxBbPTMRqt5lfLYkwGvSQ1k2A=; b=i6pxa/AhTay8mt/0x5Fti8gmRc N8I5xiNpZAgKolbIJNlezcYi3oEUoi/hOD1kkSrT8iju7cymIxBhQ9PSPOcVfycRXRgvaMaLsX86f ps163tPuM11RzX3nfvkssfiQZGjCxM2eSNAbsF2KpydncuRoZPFyuLntCT71X/pEpTco=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] argo: correct logline in ring_unmap() Message-Id: Date: Fri, 05 Jun 2026 09:22:31 +0000 commit 03ebee6ed8105ff6ad12d6df428dfd4cab647691 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:22 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:42 2026 +0200 argo: correct logline in ring_unmap() Drop XENLOG_ERR from the logline since argo_dprintk() already injects the proper log level indicator. Also, drop "argo: " prefix, since it is also injected by argo_dprintk() Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 98a3db7fd0..5da14c929e 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -474,7 +474,7 @@ ring_unmap(const struct domain *d, struct argo_ring_info *ring_info) continue; ASSERT(!mfn_eq(ring_info->mfns[i], INVALID_MFN)); - argo_dprintk(XENLOG_ERR "argo: unmapping page %"PRI_mfn" from %p\n", + argo_dprintk("unmapping page %"PRI_mfn" from %p\n", mfn_x(ring_info->mfns[i]), ring_info->mfn_mapping[i]); unmap_domain_page_global(ring_info->mfn_mapping[i]); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329270.1593476 (Exim 4.92) (envelope-from ) id 1wVQlH-0001bi-IL; Fri, 05 Jun 2026 09:22:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329270.1593476; Fri, 05 Jun 2026 09:22:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQlH-0001bb-Fc; Fri, 05 Jun 2026 09:22:43 +0000 Received: by outflank-mailman (input) for mailman id 1329270; Fri, 05 Jun 2026 09:22:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQlG-0001bT-2U for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQlG-008ck8-07 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQlF-00CrFw-3B for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OdZpWnFzkrQMAEHbreZYO3EWdHokni1Uw7J2OGkzYn8=; b=d1H3cCL+ISq92tuj20R77yEvya QMn7nJIe9+CJ6Qltzdk27eQCtNb9DktNkVW5H0nBMnRdItdRFaF2Cv2jzy0NKThdmzjFkzIDuFL/y LQvFVemoCgt5oTH6b32nIMuHtW25uSLNgwy2wno8fbCVOGhurqLkmM8HoDcnifL4gpaE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] argo: drop argo prefix from argo_dprintk() calls Message-Id: Date: Fri, 05 Jun 2026 09:22:41 +0000 commit 2bc9bc1978ad02e03d16026ad2d2e9641ddc29fb Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:23 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:52 2026 +0200 argo: drop argo prefix from argo_dprintk() calls argo_dprintk() prefixes all log lines with "argo: " automatically. Remove duplicate prefixes from log messages in the Argo module where applicable. Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 5da14c929e..ffa1f43437 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -1467,7 +1467,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, if ( ring_info->mfns ) { /* Ring already existed: drop the previous mapping. */ - argo_dprintk("argo: vm%u re-register existing ring " + argo_dprintk("vm%u re-register existing ring " "(vm%u:%x vm%u) clears mapping\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id); @@ -1527,7 +1527,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, { ASSERT(ring_info->nmfns == NPAGES_RING(len)); - argo_dprintk("argo: vm%u ring (vm%u:%x vm%u) %p " + argo_dprintk("vm%u ring (vm%u:%x vm%u) %p " "mfn_mapping %p len %u nmfns %u\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id, ring_info, @@ -1741,7 +1741,7 @@ register_ring(struct domain *currd, list_add(&ring_info->node, &currd->argo->ring_hash[hash_index(&ring_info->id)]); - argo_dprintk("argo: vm%u registering ring (vm%u:%x vm%u)\n", + argo_dprintk("vm%u registering ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -1781,7 +1781,7 @@ register_ring(struct domain *currd, goto out_unlock2; } - argo_dprintk("argo: vm%u re-registering existing ring (vm%u:%x vm%u)\n", + argo_dprintk("vm%u re-registering existing ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:22:52 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:22:52 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329271.1593480 (Exim 4.92) (envelope-from ) id 1wVQlQ-0001df-Jk; Fri, 05 Jun 2026 09:22:52 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329271.1593480; Fri, 05 Jun 2026 09:22:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQlQ-0001dX-HA; Fri, 05 Jun 2026 09:22:52 +0000 Received: by outflank-mailman (input) for mailman id 1329271; Fri, 05 Jun 2026 09:22:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQlQ-0001dR-5L for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQlQ-008ckD-0P for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQlQ-00CrJN-0H for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:22:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OCFgavipEfnqF7cM10/QcIHzw19flPx3QU7TdTFLjOA=; b=b6NbnPuMInbEa/PEVCOlyTnQGL IAz/eNj5/lpBsxi9I7XiSxyaCgNFDYu29qTSSR8zIj4Z/Gymnc0KWgZvXjd+F3ZbLZ1QPkkU6q/WA 3YHy4PgJBJua70h1ayzOfDeVgcnhPrmjA7kk+oGw9qnMpedbOY5uzdUdmUEf9RvIVPmQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] argo: fixup argo_dprintk() Message-Id: Date: Fri, 05 Jun 2026 09:22:52 +0000 commit 957f0f0b739142513f517979f4301b8d0dd1e855 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:24 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:10:04 2026 +0200 argo: fixup argo_dprintk() Current argo_dprintk() implementation is a wrapper around raw printk(). Rewire it through gprintk() to allow for better debugging context (such as domain ID). Signed-off-by: Denis Mukhin Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index ffa1f43437..3c38a51d09 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -322,7 +322,7 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ #define argo_dprintk(fmt, args...) \ do { \ if ( ARGO_DEBUG ) \ - printk(XENLOG_DEBUG "argo: " fmt, ##args); \ + gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ } while ( 0 ) /* -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 09:23:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 09:23:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329272.1593483 (Exim 4.92) (envelope-from ) id 1wVQla-0001fd-L7; Fri, 05 Jun 2026 09:23:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329272.1593483; Fri, 05 Jun 2026 09:23:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQla-0001fU-IS; Fri, 05 Jun 2026 09:23:02 +0000 Received: by outflank-mailman (input) for mailman id 1329272; Fri, 05 Jun 2026 09:23:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVQla-0001fO-8n for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:23:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVQla-008ckr-0k for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:23:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVQla-00CrNC-0Z for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 09:23:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0yh3cNkjCUM/KKDDsYml7U2KS98byEDzm7uipXIlDkU=; b=C3GYG8krVWAGRVdDDkEIvk3n2m 3GCYQbzs5fPoDRJgF7eIQvLbNhnIg74hzjEUMB6TDFX6MrPNuOIdW4o88AAommtnAZaIPWGDk9lTw l8GMlgy9MKgosktyndPN6QfpCEAocPxU+nTrQZHQb6KsaWk4ys+BeodBRLNzNDZ7VqFE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] argo: introduce CONFIG_ARGO_DEBUG Message-Id: Date: Fri, 05 Jun 2026 09:23:02 +0000 commit 3c4e804607a5a1254b168d88572cb9ec311543a9 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:25 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:10:14 2026 +0200 argo: introduce CONFIG_ARGO_DEBUG Add Kconfig knob to enable traces for Argo debugging. Signed-off-by: Denis Mukhin Reviewed-by: Jason Andryuk Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/Kconfig | 6 ++++++ xen/common/argo.c | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 5ff71480ee..79b7fa62e7 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -491,6 +491,12 @@ config ARGO If unsure, say N. +config ARGO_DEBUG + bool "Argo: enable debug traces (UNSUPPORTED)" + depends on ARGO + help + Enables extra debug traces for Argo debugging. + source "common/sched/Kconfig" config CRYPTO diff --git a/xen/common/argo.c b/xen/common/argo.c index 3c38a51d09..b9b362064e 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -318,10 +318,9 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ ((LOCKING_Read_L1 && spin_is_locked(&(d)->argo->send_L2_lock)) || \ LOCKING_Write_L1) -#define ARGO_DEBUG 0 #define argo_dprintk(fmt, args...) \ do { \ - if ( ARGO_DEBUG ) \ + if ( IS_ENABLED(CONFIG_ARGO_DEBUG) ) \ gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ } while ( 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329316.1593507 (Exim 4.92) (envelope-from ) id 1wVRW3-0003Ba-C0; Fri, 05 Jun 2026 10:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329316.1593507; Fri, 05 Jun 2026 10:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRW3-0003BT-8G; Fri, 05 Jun 2026 10:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1329316; Fri, 05 Jun 2026 10:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRW1-0003BN-LY for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRW1-008dvk-1v for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRW1-00D7Yo-1n for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LeubbTuvcobEFwBuEhRhCdOC8BB9AxMfJKq5rcKTeeE=; b=34QvuFWzLErwxaUzYrO9aKj+ZY v2GzfuK5xWOhD0ZoGNPmDMRdrgh9C5ipwq4N5dB6s1j1QhHG43ydVV/jLZhaFvb6TBwEe6P0E6493 bdrMvJGJ2lW5/mf6KGagQxIBgdM3Zqd6NKiDK4UElRzuYw1Y8HRXm07sYCIAewVw/rqw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/page_alloc: verify buddy alignment in reserve_offlined_page() Message-Id: Date: Fri, 05 Jun 2026 10:11:01 +0000 commit 71c6a623176638f32cac816522864bed3cf28000 Author: Bernhard Kaindl AuthorDate: Fri Jun 5 10:08:22 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 5 10:08:22 2026 +0200 xen/page_alloc: verify buddy alignment in reserve_offlined_page() reserve_offlined_page() fails to verify alignment when growing buddies around offlined pages. Consequently, misaligned buddies may be constructed from non-offlined page ranges and returned to the free lists. After a particular sequence of allocations and frees, pages from such a misaligned buddy may be allocated more than once, eventually triggering a Xen BUG() in alloc_heap_pages(). Fixes: e4865c2315 ('Page offline support in Xen side') Signed-off-by: Bernhard Kaindl Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/page_alloc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2c4ff2c34c..2767376a71 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -1202,6 +1202,11 @@ static int reserve_offlined_page(struct page_info *head) if ( (cur_head + (1 << next_order)) >= (head + ( 1 << head_order)) ) goto merge; + /* Do not grow to next_order if cur_head is not aligned to it. */ + if ( mfn_x(page_to_mfn(cur_head)) & (1UL << cur_order) ) + goto merge; + + /* Check for offlined pages in upper half of next_order range. */ for ( i = (1 << cur_order), pg = cur_head + (1 << cur_order ); i < (1 << next_order); i++, pg++ ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329317.1593511 (Exim 4.92) (envelope-from ) id 1wVRWD-0003E5-ET; Fri, 05 Jun 2026 10:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329317.1593511; Fri, 05 Jun 2026 10:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWD-0003Dx-BF; Fri, 05 Jun 2026 10:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1329317; Fri, 05 Jun 2026 10:11:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWB-0003DZ-NK for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRWB-008dvz-2E for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRWB-00D7cL-26 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mTKh7FH7i90xaKMdP5V8QskNmXlPm/nJmXra4Rc+n9I=; b=Xn/vrxm/zywroU/VX/1ASbTE8/ XQAUXqZS/lOYfSYhZGtDUOeyaAW4DL7d1G31UgbmdLjZElGcfRaywqe8zOr3ku6Ka+sarN0s82SZV Bk7VksUBWupC7eZaK3HnLYaaco1qhsC33kR44mLJ7AmPQ8mbQipVQMYj88nO/c/2fZCs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/mm: Fix off-by-one preventing tail merge in reserve_offlined_page() Message-Id: Date: Fri, 05 Jun 2026 10:11:11 +0000 commit 5cb7ff13eec6cc332c671f70d6055022863ca222 Author: Bernhard Kaindl AuthorDate: Fri Jun 5 10:08:42 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 5 10:08:42 2026 +0200 xen/mm: Fix off-by-one preventing tail merge in reserve_offlined_page() reserve_offlined_page() reserves pages marked for offlining and returns free buddies from the remaining healthy tail pages back to the free list. Consider an order-2 buddy (4 pages) with the following layout: +---------------+---------------+---------------+---------------+ | head page tail page 1, tail page 2 tail page 3 | | PFN_ORDER(pg) marked as to | | == 2 be offlined | +---------------+---------------+---------------+---------------+ The expected result after removing tail page 1 and returning the remaining healthy pages to the free list would be: +---------------+ +---------------+---------------+ | single page | offlined page | head page tail page | | PFN_ORDER(pg) | not returned | PFN_ORDER(pg) | | == 0 | to the heap | == 1 | +---------------+ +---------------+---------------+ A trivial off-by-one error in the growth loop stops the growth loop early before the tail end of the original buddy and we end up with: +---------------+ +---------------+---------------+ | single page | offlined page | single page | single page | | PFN_ORDER(pg) | not returned | PFN_ORDER(pg) | PFN_ORDER(pg) | | == 0 | to the heap | == 0 | == 0 | +---------------+ +---------------+---------------+ If the offlined page was in a much larger buddy, this would lead to much more memory not available for higher order allocations requiring the full tail end of the original buddy for allocation. Fix the growth loop to correctly grow the buddy to the tail end to make the full allocation unit available for future allocation. Fixes: e4865c2315 ('Page offline support in Xen side') Signed-off-by: Bernhard Kaindl Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/page_alloc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2767376a71..e01ac3e99c 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -1195,11 +1195,13 @@ static int reserve_offlined_page(struct page_info *head) next_order = cur_order = 0; + /* Attempt to grow the order (size) of the buddy as much as possible. */ while ( cur_order < head_order ) { next_order = cur_order + 1; - if ( (cur_head + (1 << next_order)) >= (head + ( 1 << head_order)) ) + /* Do not grow to next_order if it would go beyond the buddy. */ + if ( (cur_head + (1 << next_order)) > (head + (1 << head_order)) ) goto merge; /* Do not grow to next_order if cur_head is not aligned to it. */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329318.1593514 (Exim 4.92) (envelope-from ) id 1wVRWN-0003GM-FG; Fri, 05 Jun 2026 10:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329318.1593514; Fri, 05 Jun 2026 10:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWN-0003GE-Cc; Fri, 05 Jun 2026 10:11:23 +0000 Received: by outflank-mailman (input) for mailman id 1329318; Fri, 05 Jun 2026 10:11:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWL-0003G7-RJ for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRWL-008dw7-2a for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRWL-00D7gZ-2O for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CgYSMEB1nMT/iOJG2xmmqAqwglf63lIEzSP1shXsLZI=; b=mj3N+ASJdENOKal9IysVSLKHHv WL6LqK2K0zA0/R19pAiI7JhF4L0DiUM5cJYa9PiJG24iemoi7kWVVt3iGOBDak1jZ3HEIBDzFwXey kioIin7V0rCV+N/GRWKxRjArUX2ftf2Av7+wn5POtpXfPsnR+4y0K3c30ojPLkb7tP0I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] argo: lower level of noisy connection-refused log Message-Id: Date: Fri, 05 Jun 2026 10:11:21 +0000 commit a9720605b6a556e76be7b4d5a59559942cb1852e Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:21 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:06 2026 +0200 argo: lower level of noisy connection-refused log Switch the log line to argo_dprintk() so it is enabled only in debug environments, as it can spam the logs when a dom0 service using the Argo hypercall tries to communicate with a domain that is still starting up. Note that this also lowers the log level to debug when the argo_dprintk() facility is enabled. Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 28626e00a8..98a3db7fd0 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -2034,10 +2034,9 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr, src_id.domain_id); if ( !ring_info ) { - gprintk(XENLOG_ERR, - "argo: vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", - current->domain->domain_id, src_id.domain_id, src_id.aport, - dst_addr->domain_id, dst_addr->aport); + argo_dprintk("vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", + current->domain->domain_id, src_id.domain_id, src_id.aport, + dst_addr->domain_id, dst_addr->aport); ret = -ECONNREFUSED; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329319.1593518 (Exim 4.92) (envelope-from ) id 1wVRWX-0003II-Gd; Fri, 05 Jun 2026 10:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329319.1593518; Fri, 05 Jun 2026 10:11:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWX-0003IA-E5; Fri, 05 Jun 2026 10:11:33 +0000 Received: by outflank-mailman (input) for mailman id 1329319; Fri, 05 Jun 2026 10:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWV-0003I3-VI for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRWV-008dwB-2u for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRWV-00D7lp-2l for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=x8ODowZusqXJgRGfu5qr3fumQzpL/8MMpil9Lk/A4SM=; b=G0ahvrHMznIdWpmydgX5OnFaGP UUdEO3IxCrm2OsPGgqcXiJ//qAUo89+KK0y6asZbP+Lzj25hmwuA55bxwB+2XF7coCL/djEo8yOIo vdSTYg+/DlY3MWDn2D6RVRg6z192YizPiGQUgHbRpHxjWBypntuyKL49USqMbvZ+3YZE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] argo: correct logline in ring_unmap() Message-Id: Date: Fri, 05 Jun 2026 10:11:31 +0000 commit 03ebee6ed8105ff6ad12d6df428dfd4cab647691 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:22 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:42 2026 +0200 argo: correct logline in ring_unmap() Drop XENLOG_ERR from the logline since argo_dprintk() already injects the proper log level indicator. Also, drop "argo: " prefix, since it is also injected by argo_dprintk() Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 98a3db7fd0..5da14c929e 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -474,7 +474,7 @@ ring_unmap(const struct domain *d, struct argo_ring_info *ring_info) continue; ASSERT(!mfn_eq(ring_info->mfns[i], INVALID_MFN)); - argo_dprintk(XENLOG_ERR "argo: unmapping page %"PRI_mfn" from %p\n", + argo_dprintk("unmapping page %"PRI_mfn" from %p\n", mfn_x(ring_info->mfns[i]), ring_info->mfn_mapping[i]); unmap_domain_page_global(ring_info->mfn_mapping[i]); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329320.1593523 (Exim 4.92) (envelope-from ) id 1wVRWh-0003KJ-IA; Fri, 05 Jun 2026 10:11:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329320.1593523; Fri, 05 Jun 2026 10:11:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWh-0003K9-FO; Fri, 05 Jun 2026 10:11:43 +0000 Received: by outflank-mailman (input) for mailman id 1329320; Fri, 05 Jun 2026 10:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWg-0003K1-1C for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRWg-008dwI-01 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRWf-00D7qX-35 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ozB31LrGN0/AGvbgd7VFWYM8TZB52CuBJkxMXt95GWI=; b=IRW315OAvRPdIs/73hCysEOU1p xn5OYuOU5szvj/hirUlscTowM2XSoCSgcAkiw2manozaQzGXCDHQPJjyHv+dDDVT2hgGRIq4hJjM0 gz0X50G+CEuBFmVHLKpy0/DQmkn+BIlu/xpoZAyE+gL2ZIVUt2OUttF5+vYlEOBvuGJg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] argo: drop argo prefix from argo_dprintk() calls Message-Id: Date: Fri, 05 Jun 2026 10:11:41 +0000 commit 2bc9bc1978ad02e03d16026ad2d2e9641ddc29fb Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:23 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:09:52 2026 +0200 argo: drop argo prefix from argo_dprintk() calls argo_dprintk() prefixes all log lines with "argo: " automatically. Remove duplicate prefixes from log messages in the Argo module where applicable. Signed-off-by: Denis Mukhin Reviewed-by: Mykola Kvach Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 5da14c929e..ffa1f43437 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -1467,7 +1467,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, if ( ring_info->mfns ) { /* Ring already existed: drop the previous mapping. */ - argo_dprintk("argo: vm%u re-register existing ring " + argo_dprintk("vm%u re-register existing ring " "(vm%u:%x vm%u) clears mapping\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id); @@ -1527,7 +1527,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, { ASSERT(ring_info->nmfns == NPAGES_RING(len)); - argo_dprintk("argo: vm%u ring (vm%u:%x vm%u) %p " + argo_dprintk("vm%u ring (vm%u:%x vm%u) %p " "mfn_mapping %p len %u nmfns %u\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id, ring_info, @@ -1741,7 +1741,7 @@ register_ring(struct domain *currd, list_add(&ring_info->node, &currd->argo->ring_hash[hash_index(&ring_info->id)]); - argo_dprintk("argo: vm%u registering ring (vm%u:%x vm%u)\n", + argo_dprintk("vm%u registering ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -1781,7 +1781,7 @@ register_ring(struct domain *currd, goto out_unlock2; } - argo_dprintk("argo: vm%u re-registering existing ring (vm%u:%x vm%u)\n", + argo_dprintk("vm%u re-registering existing ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:11:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:11:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329321.1593526 (Exim 4.92) (envelope-from ) id 1wVRWr-0003MM-JO; Fri, 05 Jun 2026 10:11:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329321.1593526; Fri, 05 Jun 2026 10:11:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWr-0003ME-Gj; Fri, 05 Jun 2026 10:11:53 +0000 Received: by outflank-mailman (input) for mailman id 1329321; Fri, 05 Jun 2026 10:11:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRWq-0003M6-4O for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRWq-008dwO-0L for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRWq-00D7t6-0B for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=62+/zEpKyTVCDfvoT9psUvPOIQUcJyrlu0eITROdq7U=; b=hWWsKzZSIYVs4WVuVJftReVfHU 8zEFzQR6CY76v19ki+PxWsjuvTDvi7JIRRXPoWn9RteYktFSAaYi7cvb7aBvFD2GCkZDc+jMtpdS3 DDww1DVdeQ7tJJhgTsae6Toe5E4OgPnuINQZwIFqkeglUtohnj+HDk2PybjiRlfPiWlE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] argo: fixup argo_dprintk() Message-Id: Date: Fri, 05 Jun 2026 10:11:52 +0000 commit 957f0f0b739142513f517979f4301b8d0dd1e855 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:24 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:10:04 2026 +0200 argo: fixup argo_dprintk() Current argo_dprintk() implementation is a wrapper around raw printk(). Rewire it through gprintk() to allow for better debugging context (such as domain ID). Signed-off-by: Denis Mukhin Reviewed-by: Stefano Stabellini Reviewed-by: Jason Andryuk Release-Acked-by: Oleksii Kurochko --- xen/common/argo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index ffa1f43437..3c38a51d09 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -322,7 +322,7 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ #define argo_dprintk(fmt, args...) \ do { \ if ( ARGO_DEBUG ) \ - printk(XENLOG_DEBUG "argo: " fmt, ##args); \ + gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ } while ( 0 ) /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 10:12:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 10:12:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329323.1593529 (Exim 4.92) (envelope-from ) id 1wVRX1-0003OP-KS; Fri, 05 Jun 2026 10:12:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329323.1593529; Fri, 05 Jun 2026 10:12:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRX1-0003OI-I1; Fri, 05 Jun 2026 10:12:03 +0000 Received: by outflank-mailman (input) for mailman id 1329323; Fri, 05 Jun 2026 10:12:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVRX0-0003OB-7K for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:12:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVRX0-008dwy-0c for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:12:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVRX0-00D7xM-0W for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 10:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=i6njH2qfLaD4Pppo5qfh2yLyqdzHj5Gzvy4M6PTBm5k=; b=dpWOYE8cgaveQQh9jnPZnxLR+t daR5RJ169SPPfrHBMPmJJ7+hULztrYjp8iQbRhlUERM++pDvZkjYzs2DxlUF5FFMPOPqIK0niMQel L6+9PKMTsld58wbFpO15WcXDngtk06bSwDQpAIX16463vMyy6C1unkvbt7DI8Apqpmis=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] argo: introduce CONFIG_ARGO_DEBUG Message-Id: Date: Fri, 05 Jun 2026 10:12:02 +0000 commit 3c4e804607a5a1254b168d88572cb9ec311543a9 Author: Denis Mukhin AuthorDate: Thu Jun 4 14:49:25 2026 -0700 Commit: Jan Beulich CommitDate: Fri Jun 5 10:10:14 2026 +0200 argo: introduce CONFIG_ARGO_DEBUG Add Kconfig knob to enable traces for Argo debugging. Signed-off-by: Denis Mukhin Reviewed-by: Jason Andryuk Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/Kconfig | 6 ++++++ xen/common/argo.c | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 5ff71480ee..79b7fa62e7 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -491,6 +491,12 @@ config ARGO If unsure, say N. +config ARGO_DEBUG + bool "Argo: enable debug traces (UNSUPPORTED)" + depends on ARGO + help + Enables extra debug traces for Argo debugging. + source "common/sched/Kconfig" config CRYPTO diff --git a/xen/common/argo.c b/xen/common/argo.c index 3c38a51d09..b9b362064e 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -318,10 +318,9 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ ((LOCKING_Read_L1 && spin_is_locked(&(d)->argo->send_L2_lock)) || \ LOCKING_Write_L1) -#define ARGO_DEBUG 0 #define argo_dprintk(fmt, args...) \ do { \ - if ( ARGO_DEBUG ) \ + if ( IS_ENABLED(CONFIG_ARGO_DEBUG) ) \ gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ } while ( 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 13:55:11 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 13:55:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329512.1593588 (Exim 4.92) (envelope-from ) id 1wVV0o-0000MD-Sg; Fri, 05 Jun 2026 13:55:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329512.1593588; Fri, 05 Jun 2026 13:55:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVV0o-0000M5-Pj; Fri, 05 Jun 2026 13:55:02 +0000 Received: by outflank-mailman (input) for mailman id 1329512; Fri, 05 Jun 2026 13:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVV0o-0000Lz-7Z for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVV0o-008iwC-0V for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVV0o-00EPdg-0J for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=29DhCwDlN+7EwN0iRwgMVUjQxz15Vct0C4Eed5DPo5w=; b=P0hr1V2DD0vF1HQiXtK5QnNDRx 6eMDyjsCmcoHyjUTgOEsanmnCu0hbV/+JY0AjtgSZGlOb4xq7++6syLq91cCW7q5M5n1+rssaT1OV tG4p8iLrgQaB1WP47M1p8zVRB4CThR5qDcAvAOA28B/h9Gj9baBMSDiNlfYAxmUuYGJE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Remove .cirrus.yml now that CirrusCI has shut down Message-Id: Date: Fri, 05 Jun 2026 13:55:02 +0000 commit 144dce88d59bfe145d106b01221d4addd9853197 Author: Andrew Cooper AuthorDate: Thu Jun 4 13:54:36 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 5 14:50:30 2026 +0100 CI: Remove .cirrus.yml now that CirrusCI has shut down Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- .cirrus.yml | 212 ------------------------------------------------------------ 1 file changed, 212 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index 839c25149c..0000000000 --- a/.cirrus.yml +++ /dev/null @@ -1,212 +0,0 @@ -## FreeBSD Build Jobs - -# https://cirrus-ci.org/guide/tips-and-tricks/#sharing-configuration-between-tasks -freebsd_versions: &FREEBSD_VERSIONS - env: - FREEBSD_LEGACY: freebsd-13-5 - FREEBSD_PRODUCTION: freebsd-14-3 - FREEBSD_CURRENT: freebsd-15-0-amd64-ufs - -# Build jobs - -freebsd_template: &FREEBSD_ENV - environment: - APPEND_LIB: /usr/local/lib - APPEND_INCLUDES: /usr/local/include - CIRRUS_CLONE_DEPTH: 1 - CIRRUS_LOG_TIMESTAMP: true - -freebsd_template_latest: &FREEBSD_ENV_PRODUCTION - << : *FREEBSD_VERSIONS - freebsd_instance: - image_family: $FREEBSD_PRODUCTION - << : *FREEBSD_ENV - -freebsd_configure_artifacts: &FREEBSD_CONFIGURE_ARTIFACTS - always: - rename_script: - - cp xen/.config xen-config - config_artifacts: - path: xen-config - type: text/plain - -task: - name: 'FreeBSD: full build' - - # It's not possible to use the matrix keyword in YAML aliases, as they - # keyword usage is restricted to task, docker_builder or pipe. Attempting to - # use a YAML alias with the duplicated keys doesn't work either. Use an env - # variable so the version can also be appended to the task alias. - << : *FREEBSD_VERSIONS - env: - matrix: - FREEBSD_VERSION: $FREEBSD_LEGACY - FREEBSD_VERSION: $FREEBSD_PRODUCTION - FREEBSD_VERSION: $FREEBSD_CURRENT - - alias: freebsd_full_$FREEBSD_VERSION - freebsd_instance: - image_family: $FREEBSD_VERSION - - << : *FREEBSD_ENV - - install_script: pkg install -y seabios gmake ninja bash - pkgconf bison perl5 - json-c lzo2 pixman argp-standalone - libxml2 glib git python3 libinotify - - configure_script: - - cc --version - - ./configure --with-system-seabios=/usr/local/share/seabios/bios.bin - --with-extra-qemuu-configure-args="--extra-ldflags=-L${APPEND_LIB} --extra-cflags=-I${APPEND_INCLUDES}" - - gmake -j`sysctl -n hw.ncpu` -C xen clang=y defconfig - - << : *FREEBSD_CONFIGURE_ARTIFACTS - - build_script: - - gmake -j`sysctl -n hw.ncpu` clang=y - - xen_artifacts: - path: xen/xen - type: application/octet-stream - - debug_artifacts: - path: xen/xen-syms - type: application/octet-stream - -task: - name: 'FreeBSD: randconfig build' - - # It's not possible to use the matrix keyword in YAML aliases, as they - # keyword usage is restricted to task, docker_builder or pipe. Attempting to - # use a YAML alias with the duplicated `image_family` keys doesn't work - # either. Abstract the version numbers at least. - << : *FREEBSD_VERSIONS - freebsd_instance: - matrix: - image_family: $FREEBSD_LEGACY - image_family: $FREEBSD_PRODUCTION - image_family: $FREEBSD_CURRENT - - << : *FREEBSD_ENV - - install_script: pkg install -y gmake python3 bison - - configure_script: - - cc --version - - gmake -j`sysctl -n hw.ncpu` -C xen clang=y \ - KCONFIG_ALLCONFIG=tools/kconfig/allrandom.config randconfig - - << : *FREEBSD_CONFIGURE_ARTIFACTS - - build_script: - - gmake -j`sysctl -n hw.ncpu` build-xen clang=y - -task: - name: 'FreeBSD: XTF build' - alias: xtf - - << : *FREEBSD_ENV_PRODUCTION - - clone_script: - - pkg install -y git - - git clone --depth 1 https://xenbits.xen.org/git-http/xtf.git - - install_script: pkg install -y gmake - - build_script: - - cd xtf - - cc --version - - git rev-parse HEAD - - gmake -j`sysctl -n hw.ncpu` LLVM=y - - xtf_artifacts: - path: xtf/tests/selftest/test-*-selftest - type: application/octet-stream - -## macOS Build Jobs - -task: - name: 'macOS: hypervisor build' - - env: - matrix: - ARCH: x86_64 - ARCH: aarch64 - - alias: macos-$ARCH - macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma - - environment: - CIRRUS_CLONE_DEPTH: 1 - CIRRUS_LOG_TIMESTAMP: true - - install_script: - - brew install $ARCH-elf-gcc $ARCH-elf-binutils - - build_script: - - make -j`sysctl -n hw.ncpu` - XEN_TARGET_ARCH=`echo $ARCH | sed -e s/aarch64/arm64/` - CROSS_COMPILE=$ARCH-elf- HOSTCC=clang -C xen - - xen_artifacts: - path: xen/xen - type: application/octet-stream - - debug_artifacts: - path: xen/xen-syms - type: application/octet-stream - -## Test Jobs - -task: - name: 'XTF selftest' - - << : *FREEBSD_ENV_PRODUCTION - - env: - matrix: - BUILD: freebsd_full_$FREEBSD_LEGACY - BUILD: freebsd_full_$FREEBSD_PRODUCTION - BUILD: freebsd_full_$FREEBSD_CURRENT - BUILD: macos-x86_64 - - depends_on: - - $BUILD - - xtf - - install_script: pkg install -y qemu-nox11 expect - - env: - matrix: - XTF_ARCH: hvm32 - XTF_ARCH: hvm32pae - XTF_ARCH: hvm32pse - XTF_ARCH: hvm64 - XTF_ARCH: pv64 - - fetch_script: - - fetch https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/xtf/xtf.zip - - fetch https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/$BUILD/xen.zip - - unzip xtf.zip - - unzip xen.zip - - test_script: | - case "$XTF_ARCH" in \ - *hvm*) \ - XEN_EXTRA_CMD="dom0=pvh dom0-iommu=none" \ - ;; \ - esac - export TEST_CMD="qemu-system-x86_64 -kernel xen/xen -initrd xtf/tests/selftest/test-${XTF_ARCH}-selftest \ - -append \"loglvl=all console=com1 noreboot console_timestamps=boot dom0=verbose ${XEN_EXTRA_CMD}\" \ - -m 512 -nographic -monitor none -serial stdio" - export TEST_LOG="serial-${FREEBSD_BUILD}-${XTF_ARCH}.txt" - export PASSED="Test result: SUCCESS" - export TEST_TIMEOUT=120 - ./automation/scripts/console.exp 2>&1 | sed 's/\r\+$//' - - always: - serial_artifacts: - path: serial-*.txt - type: text/plain -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 13:55:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 13:55:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329513.1593592 (Exim 4.92) (envelope-from ) id 1wVV0y-0000O7-Th; Fri, 05 Jun 2026 13:55:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329513.1593592; Fri, 05 Jun 2026 13:55:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVV0y-0000O0-RC; Fri, 05 Jun 2026 13:55:12 +0000 Received: by outflank-mailman (input) for mailman id 1329513; Fri, 05 Jun 2026 13:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVV0y-0000Nt-A6 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVV0y-008izh-0u for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVV0y-00EPhT-0f for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 13:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=maiySUpLiopStHuZzJK+HTTVj8XV4leqgCci4ful34Y=; b=Io1iuuVSDR11x35KPBL5StJpje Ze8MwNo7fKuc+KqCP+asD/KKiHdmWXt2k2vAwSfYV6KA45FQT1UjuLwWQE4iuT2k/gFDbBpSpMJVp MvN83NOuZnh8zCheYz+xq9Cv5dqDAcMA3qbo+3jYZhrPvvZaWELeCIp8V5/1fTo20efM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: Update Ocaml maintainers Message-Id: Date: Fri, 05 Jun 2026 13:55:12 +0000 commit 0d9d20bff0877f0911682a9b9ac56cbbaecb8a67 Author: Andrew Cooper AuthorDate: Tue Jun 2 14:43:19 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 5 14:50:30 2026 +0100 MAINTAINERS: Update Ocaml maintainers Christian has just left Citrix, and Dave almost a decade ago. Andrii (a XAPI committer) has worked on oxenstored before and has agreed to step up as a maintainer, and Guillaume wishes to get involved and learn too. In practice I do a lot of the bindings work, so lets make things official. Signed-off-by: Andrew Cooper Acked-by: Andrii Sultanov Acked-by: Guillaume Thouvenin Release-Acked-by: Oleksii Kurochko --- MAINTAINERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 77f72e52f4..ccb01b8e39 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -453,8 +453,9 @@ F: xen/arch/arm/include/asm/linflex-uart.h F: xen/drivers/char/linflex-uart.c OCAML TOOLS -M: Christian Lindig -M: David Scott +M: Andrew Cooper +M: Andrii Sultanov +R: Guillaume Thouvenin S: Supported F: tools/ocaml/ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 15:33:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 15:33:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329687.1593697 (Exim 4.92) (envelope-from ) id 1wVWXf-0005kw-5h; Fri, 05 Jun 2026 15:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329687.1593697; Fri, 05 Jun 2026 15:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVWXf-0005ko-3C; Fri, 05 Jun 2026 15:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1329687; Fri, 05 Jun 2026 15:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVWXd-0005ki-PM for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVWXd-008lBI-2I for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVWXd-00EyF9-2B for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LxTESZwmvdab7QrChcuwbj41/Q0k8LbK+84r/QQj+QQ=; b=Y8/lWFA3ELtsh5zwwWbHX0TI9H R/LDQZ+uvTRbyCV6ser7ZngIg0o8xuQAD0QW6ADuBVjXfeQZosDoPfwQLjnsNpPH49MpnfwIDy6Y/ bFC7FnAT8+DU2UvgK5IEJpcU5JkYGffw6xkLw7UnUrwJoy/cAUle5DVRnnVgUJGMWeWE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Remove .cirrus.yml now that CirrusCI has shut down Message-Id: Date: Fri, 05 Jun 2026 15:33:01 +0000 commit 144dce88d59bfe145d106b01221d4addd9853197 Author: Andrew Cooper AuthorDate: Thu Jun 4 13:54:36 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 5 14:50:30 2026 +0100 CI: Remove .cirrus.yml now that CirrusCI has shut down Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- .cirrus.yml | 212 ------------------------------------------------------------ 1 file changed, 212 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index 839c25149c..0000000000 --- a/.cirrus.yml +++ /dev/null @@ -1,212 +0,0 @@ -## FreeBSD Build Jobs - -# https://cirrus-ci.org/guide/tips-and-tricks/#sharing-configuration-between-tasks -freebsd_versions: &FREEBSD_VERSIONS - env: - FREEBSD_LEGACY: freebsd-13-5 - FREEBSD_PRODUCTION: freebsd-14-3 - FREEBSD_CURRENT: freebsd-15-0-amd64-ufs - -# Build jobs - -freebsd_template: &FREEBSD_ENV - environment: - APPEND_LIB: /usr/local/lib - APPEND_INCLUDES: /usr/local/include - CIRRUS_CLONE_DEPTH: 1 - CIRRUS_LOG_TIMESTAMP: true - -freebsd_template_latest: &FREEBSD_ENV_PRODUCTION - << : *FREEBSD_VERSIONS - freebsd_instance: - image_family: $FREEBSD_PRODUCTION - << : *FREEBSD_ENV - -freebsd_configure_artifacts: &FREEBSD_CONFIGURE_ARTIFACTS - always: - rename_script: - - cp xen/.config xen-config - config_artifacts: - path: xen-config - type: text/plain - -task: - name: 'FreeBSD: full build' - - # It's not possible to use the matrix keyword in YAML aliases, as they - # keyword usage is restricted to task, docker_builder or pipe. Attempting to - # use a YAML alias with the duplicated keys doesn't work either. Use an env - # variable so the version can also be appended to the task alias. - << : *FREEBSD_VERSIONS - env: - matrix: - FREEBSD_VERSION: $FREEBSD_LEGACY - FREEBSD_VERSION: $FREEBSD_PRODUCTION - FREEBSD_VERSION: $FREEBSD_CURRENT - - alias: freebsd_full_$FREEBSD_VERSION - freebsd_instance: - image_family: $FREEBSD_VERSION - - << : *FREEBSD_ENV - - install_script: pkg install -y seabios gmake ninja bash - pkgconf bison perl5 - json-c lzo2 pixman argp-standalone - libxml2 glib git python3 libinotify - - configure_script: - - cc --version - - ./configure --with-system-seabios=/usr/local/share/seabios/bios.bin - --with-extra-qemuu-configure-args="--extra-ldflags=-L${APPEND_LIB} --extra-cflags=-I${APPEND_INCLUDES}" - - gmake -j`sysctl -n hw.ncpu` -C xen clang=y defconfig - - << : *FREEBSD_CONFIGURE_ARTIFACTS - - build_script: - - gmake -j`sysctl -n hw.ncpu` clang=y - - xen_artifacts: - path: xen/xen - type: application/octet-stream - - debug_artifacts: - path: xen/xen-syms - type: application/octet-stream - -task: - name: 'FreeBSD: randconfig build' - - # It's not possible to use the matrix keyword in YAML aliases, as they - # keyword usage is restricted to task, docker_builder or pipe. Attempting to - # use a YAML alias with the duplicated `image_family` keys doesn't work - # either. Abstract the version numbers at least. - << : *FREEBSD_VERSIONS - freebsd_instance: - matrix: - image_family: $FREEBSD_LEGACY - image_family: $FREEBSD_PRODUCTION - image_family: $FREEBSD_CURRENT - - << : *FREEBSD_ENV - - install_script: pkg install -y gmake python3 bison - - configure_script: - - cc --version - - gmake -j`sysctl -n hw.ncpu` -C xen clang=y \ - KCONFIG_ALLCONFIG=tools/kconfig/allrandom.config randconfig - - << : *FREEBSD_CONFIGURE_ARTIFACTS - - build_script: - - gmake -j`sysctl -n hw.ncpu` build-xen clang=y - -task: - name: 'FreeBSD: XTF build' - alias: xtf - - << : *FREEBSD_ENV_PRODUCTION - - clone_script: - - pkg install -y git - - git clone --depth 1 https://xenbits.xen.org/git-http/xtf.git - - install_script: pkg install -y gmake - - build_script: - - cd xtf - - cc --version - - git rev-parse HEAD - - gmake -j`sysctl -n hw.ncpu` LLVM=y - - xtf_artifacts: - path: xtf/tests/selftest/test-*-selftest - type: application/octet-stream - -## macOS Build Jobs - -task: - name: 'macOS: hypervisor build' - - env: - matrix: - ARCH: x86_64 - ARCH: aarch64 - - alias: macos-$ARCH - macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma - - environment: - CIRRUS_CLONE_DEPTH: 1 - CIRRUS_LOG_TIMESTAMP: true - - install_script: - - brew install $ARCH-elf-gcc $ARCH-elf-binutils - - build_script: - - make -j`sysctl -n hw.ncpu` - XEN_TARGET_ARCH=`echo $ARCH | sed -e s/aarch64/arm64/` - CROSS_COMPILE=$ARCH-elf- HOSTCC=clang -C xen - - xen_artifacts: - path: xen/xen - type: application/octet-stream - - debug_artifacts: - path: xen/xen-syms - type: application/octet-stream - -## Test Jobs - -task: - name: 'XTF selftest' - - << : *FREEBSD_ENV_PRODUCTION - - env: - matrix: - BUILD: freebsd_full_$FREEBSD_LEGACY - BUILD: freebsd_full_$FREEBSD_PRODUCTION - BUILD: freebsd_full_$FREEBSD_CURRENT - BUILD: macos-x86_64 - - depends_on: - - $BUILD - - xtf - - install_script: pkg install -y qemu-nox11 expect - - env: - matrix: - XTF_ARCH: hvm32 - XTF_ARCH: hvm32pae - XTF_ARCH: hvm32pse - XTF_ARCH: hvm64 - XTF_ARCH: pv64 - - fetch_script: - - fetch https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/xtf/xtf.zip - - fetch https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/$BUILD/xen.zip - - unzip xtf.zip - - unzip xen.zip - - test_script: | - case "$XTF_ARCH" in \ - *hvm*) \ - XEN_EXTRA_CMD="dom0=pvh dom0-iommu=none" \ - ;; \ - esac - export TEST_CMD="qemu-system-x86_64 -kernel xen/xen -initrd xtf/tests/selftest/test-${XTF_ARCH}-selftest \ - -append \"loglvl=all console=com1 noreboot console_timestamps=boot dom0=verbose ${XEN_EXTRA_CMD}\" \ - -m 512 -nographic -monitor none -serial stdio" - export TEST_LOG="serial-${FREEBSD_BUILD}-${XTF_ARCH}.txt" - export PASSED="Test result: SUCCESS" - export TEST_TIMEOUT=120 - ./automation/scripts/console.exp 2>&1 | sed 's/\r\+$//' - - always: - serial_artifacts: - path: serial-*.txt - type: text/plain -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 15:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 15:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329688.1593701 (Exim 4.92) (envelope-from ) id 1wVWXp-0005mb-7E; Fri, 05 Jun 2026 15:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329688.1593701; Fri, 05 Jun 2026 15:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVWXp-0005mT-4a; Fri, 05 Jun 2026 15:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1329688; Fri, 05 Jun 2026 15:33:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVWXn-0005mF-TT for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVWXn-008lBM-2q for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVWXn-00EyIU-2T for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 15:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hz1qJZmThKiXRcFL0GnWsiAr6CXDDBJkqVti744VB4Q=; b=lPLxQX//1opkexOQqXXOp/1Wbr vERlEV3DxmDjbPiUB5v6/uaEFB1ULstfVyCYYzrRvtHJBKbj6CLg/5GY5bjKta7trX5BArQO21fNm 7ZSIGbgZjJtVe3/k0jQXP/y0+IrHyQ9IwnombMMZZE8SkVUdC35JRCMzyLTQ9wOupua8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: Update Ocaml maintainers Message-Id: Date: Fri, 05 Jun 2026 15:33:11 +0000 commit 0d9d20bff0877f0911682a9b9ac56cbbaecb8a67 Author: Andrew Cooper AuthorDate: Tue Jun 2 14:43:19 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 5 14:50:30 2026 +0100 MAINTAINERS: Update Ocaml maintainers Christian has just left Citrix, and Dave almost a decade ago. Andrii (a XAPI committer) has worked on oxenstored before and has agreed to step up as a maintainer, and Guillaume wishes to get involved and learn too. In practice I do a lot of the bindings work, so lets make things official. Signed-off-by: Andrew Cooper Acked-by: Andrii Sultanov Acked-by: Guillaume Thouvenin Release-Acked-by: Oleksii Kurochko --- MAINTAINERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 77f72e52f4..ccb01b8e39 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -453,8 +453,9 @@ F: xen/arch/arm/include/asm/linflex-uart.h F: xen/drivers/char/linflex-uart.c OCAML TOOLS -M: Christian Lindig -M: David Scott +M: Andrew Cooper +M: Andrii Sultanov +R: Guillaume Thouvenin S: Supported F: tools/ocaml/ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329931.1593781 (Exim 4.92) (envelope-from ) id 1wVZBD-00062z-Ho; Fri, 05 Jun 2026 18:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329931.1593781; Fri, 05 Jun 2026 18:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBD-00062q-Eu; Fri, 05 Jun 2026 18:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1329931; Fri, 05 Jun 2026 18:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBC-00062k-Cq for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZBC-008paO-12 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZBC-00G5eC-0s for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8/8KI+EhIRiMtvRd0SWxcYdszHB5xYBeJ+EJhPGFaLU=; b=xrl2R0UNQEsu+TybGN01Zoam7d AbyiGqvHdUO0gGHvMok/EqmF9l7WfTw3Ewo6PhBxuV55v0GfiqIbUe7gWZy8kAWDL0RXyz1Dex7HO SsP19AELJLvQyiVDGdpHeQ4XjuJ6ZInRIa3yS2KTufR0sQn7+MDHfPgMsm+Sg4jYhIaU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mcfg: sort header includes Message-Id: Date: Fri, 05 Jun 2026 18:22:02 +0000 commit ce47b7897d4ad0cb19771d4a0cb0e810d71f5049 Author: Roger Pau Monne AuthorDate: Wed Jun 3 14:58:48 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 x86/mcfg: sort header includes No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/mmconfig-shared.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c index ab082b5f5b..d0cbc15170 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -12,17 +12,19 @@ * Author: Allen Kay - adapted to xen from Linux */ +#include #include #include #include -#include -#include #include -#include #include +#include +#include + #include #include #include + #include #include "mmconfig.h" -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329932.1593784 (Exim 4.92) (envelope-from ) id 1wVZBN-000677-Iu; Fri, 05 Jun 2026 18:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329932.1593784; Fri, 05 Jun 2026 18:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBN-00066z-GC; Fri, 05 Jun 2026 18:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1329932; Fri, 05 Jun 2026 18:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBM-00066b-F4 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZBM-008pai-1P for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZBM-00G5iZ-1C for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Meb0yyIT2udGYLj7gDZerA+u5CyzPocEuvzMMYmZ2zU=; b=djOzCgMbSUjBLRDnCQt9N2SVjO VmkTTcyyDEOTA5vyjvlUVCON871ietaK+NupGqNXwuK2JBGhEbeCTUU75UdxzhvFqRyP3RE3Pgj3G bCWhvZ50PlujMqXLdlxn5fnQfH/mLScI/x2dGiZLdqiK0vaqp5zfod7XmIx47Ft/2794=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mcfg: relax memory map checks on newer firmware Message-Id: Date: Fri, 05 Jun 2026 18:22:12 +0000 commit 87279cafc0b6ba7078576d7f8355caee0cc9598a Author: Roger Pau Monne AuthorDate: Wed Jun 3 14:58:33 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 x86/mcfg: relax memory map checks on newer firmware Per PCI Firmware 3.3 specification, section 4.1.2, ECAM space must be reserved by declaring a motherboard resource, but there's no requirement to mention it in E820. The specification additionally states that: the resources can optionally be returned in Int15 E820h or EFIGetMemoryMap as reserved memory. Recent Lenovo systems have been found to have the MMCFG region in an E820 hole, which looks to be technically spec compliant, but is rejected by Xen. The logic was introduced in Linux in 2006 as 946f2ee5c731 ("[PATCH] i386/x86-64: Check that MCFG points to an e820 reserved area"). This was picked up by Xen when MCFG support was added in 3b35911d709e ("Enable pci mmcfg and ATS for x86_64"). Apply an approach similar to what Linux has done in 199f968f1484 ("x86/pci: Skip early E820 check for ECAM region") and relax the strict reserved region checking so it's only done for firmware manufactured prior to 2016. For firmware from 2016 and newer allow MCFG region to reside in holes on the memory map. Note Xen is still more strict than Linux however, as it will refuse to use MCFG regions that overlap with memory map regions different than reserved. When dom0 boots it can prevent access to misconfigured MCFG regions by using the PHYSDEVOP_pci_mmcfg_reserved hypercall. This brings Xen's early usage of MCFG (prior to ACPI AML parsing) more in line with the implementation in Linux. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/mmconfig-shared.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c index d0cbc15170..b33e2f56e6 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -13,6 +13,7 @@ */ #include +#include #include #include #include @@ -369,12 +370,15 @@ static bool __init pci_mmcfg_reject_broken(void) typeof(pci_mmcfg_config[0]) *cfg; int i; bool valid = true; + int year; if ((pci_mmcfg_config_num == 0) || (pci_mmcfg_config == NULL) || (pci_mmcfg_config[0].address == 0)) return 0; + dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL); + for (i = 0; i < pci_mmcfg_config_num; i++) { u64 addr, size; @@ -390,7 +394,13 @@ static bool __init pci_mmcfg_reject_broken(void) (unsigned int)cfg->start_bus_number, (unsigned int)cfg->end_bus_number); - if ( !is_mmconf_reserved(addr, size, i, cfg) || + /* + * For firmwares prior to 2016, confirm that MMCFG is marked as + * reserved. For 2016 and later, also allow MMCFG being in a hole. + */ + if ( ((year < 2016 || !is_memory_hole(maddr_to_mfn(addr), + maddr_to_mfn(addr + size - 1))) && + !is_mmconf_reserved(addr, size, i, cfg)) || pci_mmcfg_arch_enable(i) < 0 ) { pci_mmcfg_arch_disable(i); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329933.1593789 (Exim 4.92) (envelope-from ) id 1wVZBX-0006BM-LR; Fri, 05 Jun 2026 18:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329933.1593789; Fri, 05 Jun 2026 18:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBX-0006BE-Il; Fri, 05 Jun 2026 18:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1329933; Fri, 05 Jun 2026 18:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBW-0006B6-Iq for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZBW-008pan-1k for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZBW-00G5nR-1a for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=f/oit5hDqHJCuCTffwe2fK6fzOrkqv836gkVeIgntEY=; b=2S0WlNQxNA2UoNa8naGlu141/J timRMgmgsHM0HzIhHSiPKKj9Zw81HB2WzJK+zvYtXELfTUNP8oyksE1emX1bCkzX+hSS1Rn2iFPDz 3A5bToe/MC91SuJm/oXtJFaN/W00vDe1VVi9BgwTXPh6fJJTB9ebWCz8+hEa5bjl3cnE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/bitops: adjust bitmap_or() interface to match hypervisor Message-Id: Date: Fri, 05 Jun 2026 18:22:22 +0000 commit bf90a4aa5e3b4823f139d7ea4567b0e162316098 Author: Roger Pau Monne AuthorDate: Fri May 29 11:21:21 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 tools/bitops: adjust bitmap_or() interface to match hypervisor Adjust the only toolstack caller to use the new interface. No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Anthony PERARD Release-Acked-by: Oleksii Kurochko --- tools/include/xen-tools/bitops.h | 7 ++++--- tools/libs/guest/xg_sr_save.c | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/include/xen-tools/bitops.h b/tools/include/xen-tools/bitops.h index 3b98fba6d7..29587e89fa 100644 --- a/tools/include/xen-tools/bitops.h +++ b/tools/include/xen-tools/bitops.h @@ -81,14 +81,15 @@ static inline int test_and_set_bit(unsigned long nr, void *addr) return oldbit; } -static inline void bitmap_or(void *_dst, const void *_other, +static inline void bitmap_or(void *_dst, const void *_src1, const void *_src2, unsigned long nr_bits) { char *dst = _dst; - const char *other = _other; + const char *src1 = _src1, *src2 = _src2; unsigned long i; + for ( i = 0; i < bitmap_size(nr_bits); ++i ) - dst[i] |= other[i]; + dst[i] = src1[i] | src2[i]; } #endif /* __XEN_TOOLS_BITOPS_H__ */ diff --git a/tools/libs/guest/xg_sr_save.c b/tools/libs/guest/xg_sr_save.c index 3b2c5222e4..fdbceab52e 100644 --- a/tools/libs/guest/xg_sr_save.c +++ b/tools/libs/guest/xg_sr_save.c @@ -668,7 +668,8 @@ static int suspend_and_send_dirty(struct xc_sr_context *ctx) else xc_set_progress_prefix(xch, "Checkpointed save"); - bitmap_or(dirty_bitmap, ctx->save.deferred_pages, ctx->save.p2m_size); + bitmap_or(dirty_bitmap, dirty_bitmap, ctx->save.deferred_pages, + ctx->save.p2m_size); if ( !ctx->save.live && ctx->stream_type == XC_STREAM_COLO ) { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329934.1593793 (Exim 4.92) (envelope-from ) id 1wVZBh-0006DJ-Mu; Fri, 05 Jun 2026 18:22:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329934.1593793; Fri, 05 Jun 2026 18:22:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBh-0006DB-KC; Fri, 05 Jun 2026 18:22:33 +0000 Received: by outflank-mailman (input) for mailman id 1329934; Fri, 05 Jun 2026 18:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBg-0006D5-NG for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZBg-008pav-2C for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZBg-00G5sw-20 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7GCQ0oI+YMkV0H4LHJRTFbZbT7jFdMMjhxj2wyfyK48=; b=7N/xji0+GBY6TMvZnDnrr+qUn+ CKGGrBBo4bIGB2Cqbv1ar/joPfll16sipulvZHfwAs3epdxSdtuFzHjZpZF0I9TslYqGIwRKi3Z/V UaeInJgzo2UDjGyYVM42c9bkZAru7TRD8XHlZLktCwo0CrFHop+ODK1o/sSZM3IKBRV0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/macros: adjust ROUNDUP() interface to match hypervisor Message-Id: Date: Fri, 05 Jun 2026 18:22:32 +0000 commit ce17dc6742507d5d78caea9f3cf089f5fdb92c5e Author: Roger Pau Monne AuthorDate: Fri May 29 13:23:50 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 tools/macros: adjust ROUNDUP() interface to match hypervisor Adjust user-space callers to use the new interface. No functional change intended. Signed-off-by: Roger Pau Monné Reviewed-by: Anthony PERARD Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/console/daemon/io.c | 2 +- tools/include/xen-tools/common-macros.h | 4 +--- tools/libs/call/buffer.c | 3 ++- tools/libs/foreignmemory/linux.c | 2 +- tools/libs/gnttab/freebsd.c | 2 +- tools/libs/gnttab/linux.c | 2 +- tools/libs/guest/xg_core.c | 2 +- tools/libs/guest/xg_dom_arm.c | 6 +++--- tools/libs/guest/xg_dom_x86.c | 2 +- tools/libs/guest/xg_private.h | 4 ++-- tools/libs/guest/xg_sr_common.c | 6 +++--- tools/libs/guest/xg_sr_stream_format.h | 2 +- tools/libs/light/libxl_arm_acpi.c | 24 ++++++++++++------------ tools/libs/light/libxl_create.c | 2 +- tools/libs/light/libxl_sr_stream_format.h | 2 +- tools/libs/light/libxl_stream_read.c | 2 +- tools/libs/light/libxl_stream_write.c | 4 ++-- tools/misc/xen-mfndump.c | 2 +- tools/ocaml/libs/xc/xenctrl_stubs.c | 2 +- tools/xenstored/core.c | 4 ++-- tools/xenstored/domain.c | 9 +++++---- tools/xenstored/watch.c | 2 +- 22 files changed, 45 insertions(+), 45 deletions(-) diff --git a/tools/console/daemon/io.c b/tools/console/daemon/io.c index 43d4973c24..b6c46d11de 100644 --- a/tools/console/daemon/io.c +++ b/tools/console/daemon/io.c @@ -1233,7 +1233,7 @@ static int set_fds(int fd, short events) /* Round up to 2^8 boundary, in practice this just * make newsize larger than current_array_size. */ - newsize = ROUNDUP(nr_fds + 1, 8); + newsize = ROUNDUP(nr_fds + 1, 1U << 8); new_fds = realloc(fds, sizeof(struct pollfd)*newsize); if (!new_fds) diff --git a/tools/include/xen-tools/common-macros.h b/tools/include/xen-tools/common-macros.h index 9838a108aa..9e27991782 100644 --- a/tools/include/xen-tools/common-macros.h +++ b/tools/include/xen-tools/common-macros.h @@ -68,9 +68,7 @@ }) #endif -#ifndef ROUNDUP -#define ROUNDUP(_x,_w) (((unsigned long)(_x)+(1UL<<(_w))-1) & ~((1UL<<(_w))-1)) -#endif +#define ROUNDUP(x, a) (((x) + (a) - 1) & ~((a) - 1)) #define MASK_EXTR(v, m) (((v) & (m)) / ((m) & -(m))) #define MASK_INSR(v, m) (((v) * ((m) & -(m))) & (m)) diff --git a/tools/libs/call/buffer.c b/tools/libs/call/buffer.c index 2579b8c719..155e4f9d43 100644 --- a/tools/libs/call/buffer.c +++ b/tools/libs/call/buffer.c @@ -155,7 +155,8 @@ struct allocation_header { void *xencall_alloc_buffer(xencall_handle *xcall, size_t size) { - size_t actual_size = ROUNDUP(size + sizeof(struct allocation_header), PAGE_SHIFT); + size_t actual_size = ROUNDUP(size + sizeof(struct allocation_header), + PAGE_SIZE); int nr_pages = actual_size >> PAGE_SHIFT; struct allocation_header *hdr; diff --git a/tools/libs/foreignmemory/linux.c b/tools/libs/foreignmemory/linux.c index 12f959765a..6d2f30cdf1 100644 --- a/tools/libs/foreignmemory/linux.c +++ b/tools/libs/foreignmemory/linux.c @@ -198,7 +198,7 @@ void *osdep_xenforeignmemory_map(xenforeignmemory_handle *fmem, */ privcmd_mmapbatch_t ioctlx; xen_pfn_t *pfn; - unsigned int pfn_arr_size = ROUNDUP((num * sizeof(*pfn)), XC_PAGE_SHIFT); + unsigned int pfn_arr_size = ROUNDUP(num * sizeof(*pfn), XC_PAGE_SIZE); int os_page_size = sysconf(_SC_PAGESIZE); if ( pfn_arr_size <= os_page_size ) diff --git a/tools/libs/gnttab/freebsd.c b/tools/libs/gnttab/freebsd.c index d69d928a16..8012744782 100644 --- a/tools/libs/gnttab/freebsd.c +++ b/tools/libs/gnttab/freebsd.c @@ -74,7 +74,7 @@ void *osdep_gnttab_grant_map(xengnttab_handle *xgt, int domids_stride; unsigned int refs_size = ROUNDUP(count * sizeof(struct ioctl_gntdev_grant_ref), - XC_PAGE_SHIFT); + XC_PAGE_SIZE); int os_page_size = getpagesize(); domids_stride = (flags & XENGNTTAB_GRANT_MAP_SINGLE_DOMAIN) ? 0 : 1; diff --git a/tools/libs/gnttab/linux.c b/tools/libs/gnttab/linux.c index 7286c1d4fe..829877e64b 100644 --- a/tools/libs/gnttab/linux.c +++ b/tools/libs/gnttab/linux.c @@ -101,7 +101,7 @@ void *osdep_gnttab_grant_map(xengnttab_handle *xgt, map = alloca(map_size); else { - map_size = ROUNDUP(map_size, XC_PAGE_SHIFT); + map_size = ROUNDUP(map_size, XC_PAGE_SIZE); map = mmap(NULL, map_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON | MAP_POPULATE, -1, 0); if ( map == MAP_FAILED ) diff --git a/tools/libs/guest/xg_core.c b/tools/libs/guest/xg_core.c index f83436d6cb..d3640f0ef8 100644 --- a/tools/libs/guest/xg_core.c +++ b/tools/libs/guest/xg_core.c @@ -696,7 +696,7 @@ xc_domain_dumpcore_via_callback(xc_interface *xch, for ( i = 1; i < sheaders->num; i++ ) sheaders->shdrs[i].sh_offset += fixup; offset += fixup; - dummy_len = ROUNDUP(offset, PAGE_SHIFT) - offset; /* padding length */ + dummy_len = ROUNDUP(offset, PAGE_SIZE) - offset; /* padding length */ offset += dummy_len; /* pages */ diff --git a/tools/libs/guest/xg_dom_arm.c b/tools/libs/guest/xg_dom_arm.c index c8d0918506..739ec1c338 100644 --- a/tools/libs/guest/xg_dom_arm.c +++ b/tools/libs/guest/xg_dom_arm.c @@ -364,12 +364,12 @@ static int meminit(struct xc_dom_image *dom) /* Convenient */ const uint64_t kernbase = dom->kernel_seg.vstart; - const uint64_t kernend = ROUNDUP(dom->kernel_seg.vend, 21/*2MB*/); + const uint64_t kernend = ROUNDUP(dom->kernel_seg.vend, MB(2)); const uint64_t kernsize = kernend - kernbase; const uint64_t dtb_size = dom->devicetree_blob ? - ROUNDUP(dom->devicetree_size, XC_PAGE_SHIFT) : 0; + ROUNDUP(dom->devicetree_size, XC_PAGE_SIZE) : 0; const uint64_t ramdisk_size = dom->modules[0].blob ? - ROUNDUP(dom->modules[0].size, XC_PAGE_SHIFT) : 0; + ROUNDUP(dom->modules[0].size, XC_PAGE_SIZE) : 0; const uint64_t modsize = dtb_size + ramdisk_size; const uint64_t ram128mb = bankbase[0] + (128<<20); diff --git a/tools/libs/guest/xg_dom_x86.c b/tools/libs/guest/xg_dom_x86.c index 268936efe2..1dc19529f5 100644 --- a/tools/libs/guest/xg_dom_x86.c +++ b/tools/libs/guest/xg_dom_x86.c @@ -678,7 +678,7 @@ static int alloc_magic_pages_hvm(struct xc_dom_image *dom) { if ( dom->cmdline ) { - dom->cmdline_size = ROUNDUP(strlen(dom->cmdline) + 1, 3); + dom->cmdline_size = ROUNDUP(strlen(dom->cmdline) + 1, 8); start_info_size += dom->cmdline_size; } } diff --git a/tools/libs/guest/xg_private.h b/tools/libs/guest/xg_private.h index 285229cf82..31a79bccf7 100644 --- a/tools/libs/guest/xg_private.h +++ b/tools/libs/guest/xg_private.h @@ -135,7 +135,7 @@ typedef uint64_t x86_pgentry_t; #define PAGE_SIZE_X86 (1UL << PAGE_SHIFT_X86) #define PAGE_MASK_X86 (~(PAGE_SIZE_X86-1)) -#define NRPAGES(x) (ROUNDUP(x, PAGE_SHIFT) >> PAGE_SHIFT) +#define NRPAGES(x) (ROUNDUP(x, PAGE_SIZE) >> PAGE_SHIFT) static inline xen_pfn_t xc_pfn_to_mfn(xen_pfn_t pfn, xen_pfn_t *p2m, unsigned gwidth) @@ -167,7 +167,7 @@ int pin_table(xc_interface *xch, unsigned int type, unsigned long mfn, */ #define M2P_SHIFT L2_PAGETABLE_SHIFT_PAE #define M2P_CHUNK_SIZE (1 << M2P_SHIFT) -#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), M2P_SHIFT) +#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), M2P_CHUNK_SIZE) #define M2P_CHUNKS(_m) (M2P_SIZE((_m)) >> M2P_SHIFT) #if defined(__x86_64__) || defined(__i386__) diff --git a/tools/libs/guest/xg_sr_common.c b/tools/libs/guest/xg_sr_common.c index 7ccdc3b1f6..c7b3c6f3bc 100644 --- a/tools/libs/guest/xg_sr_common.c +++ b/tools/libs/guest/xg_sr_common.c @@ -56,11 +56,11 @@ const char *rec_type_to_str(uint32_t type) int write_split_record(struct xc_sr_context *ctx, struct xc_sr_record *rec, void *buf, size_t sz) { - static const char zeroes[(1u << REC_ALIGN_ORDER) - 1] = { 0 }; + static const char zeroes[REC_ALIGN] = {}; xc_interface *xch = ctx->xch; typeof(rec->length) combined_length = rec->length + sz; - size_t record_length = ROUNDUP(combined_length, REC_ALIGN_ORDER); + size_t record_length = ROUNDUP(combined_length, REC_ALIGN); struct iovec parts[] = { { &rec->type, sizeof(rec->type) }, { &combined_length, sizeof(combined_length) }, @@ -110,7 +110,7 @@ int read_record(struct xc_sr_context *ctx, int fd, struct xc_sr_record *rec) return -1; } - datasz = ROUNDUP(rhdr.length, REC_ALIGN_ORDER); + datasz = ROUNDUP(rhdr.length, REC_ALIGN); if ( datasz ) { diff --git a/tools/libs/guest/xg_sr_stream_format.h b/tools/libs/guest/xg_sr_stream_format.h index 8a0da26f75..99dca5d490 100644 --- a/tools/libs/guest/xg_sr_stream_format.h +++ b/tools/libs/guest/xg_sr_stream_format.h @@ -53,7 +53,7 @@ struct xc_sr_rhdr }; /* All records must be aligned up to an 8 octet boundary */ -#define REC_ALIGN_ORDER (3U) +#define REC_ALIGN 8 /* Somewhat arbitrary - 128MB */ #define REC_LENGTH_MAX (128U << 20) diff --git a/tools/libs/light/libxl_arm_acpi.c b/tools/libs/light/libxl_arm_acpi.c index ba874c3d32..690fa227a5 100644 --- a/tools/libs/light/libxl_arm_acpi.c +++ b/tools/libs/light/libxl_arm_acpi.c @@ -107,12 +107,12 @@ int libxl__get_acpi_size(libxl__gc *gc, if (rc < 0) goto out; - *out = ROUNDUP(size, 3) + - ROUNDUP(sizeof(struct acpi_table_rsdp), 3) + - ROUNDUP(sizeof(struct acpi_table_xsdt), 3) + - ROUNDUP(sizeof(struct acpi_table_gtdt), 3) + - ROUNDUP(sizeof(struct acpi_table_fadt), 3) + - ROUNDUP(sizeof(dsdt_anycpu_arm_len), 3); + *out = ROUNDUP(size, 8) + + ROUNDUP(sizeof(struct acpi_table_rsdp), 8) + + ROUNDUP(sizeof(struct acpi_table_xsdt), 8) + + ROUNDUP(sizeof(struct acpi_table_gtdt), 8) + + ROUNDUP(sizeof(struct acpi_table_fadt), 8) + + ROUNDUP(sizeof(dsdt_anycpu_arm_len), 8); out: return rc; @@ -128,7 +128,7 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, acpitables[RSDP].addr = GUEST_ACPI_BASE; acpitables[RSDP].size = sizeof(struct acpi_table_rsdp); - dom->acpi_modules[0].length += ROUNDUP(acpitables[RSDP].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[RSDP].size, 8); acpitables[XSDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; /* @@ -137,11 +137,11 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, */ acpitables[XSDT].size = sizeof(struct acpi_table_xsdt) + sizeof(uint64_t) * 2; - dom->acpi_modules[0].length += ROUNDUP(acpitables[XSDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[XSDT].size, 8); acpitables[GTDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[GTDT].size = sizeof(struct acpi_table_gtdt); - dom->acpi_modules[0].length += ROUNDUP(acpitables[GTDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[GTDT].size, 8); acpitables[MADT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; @@ -150,15 +150,15 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, goto out; acpitables[MADT].size = size; - dom->acpi_modules[0].length += ROUNDUP(acpitables[MADT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[MADT].size, 8); acpitables[FADT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[FADT].size = sizeof(struct acpi_table_fadt); - dom->acpi_modules[0].length += ROUNDUP(acpitables[FADT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[FADT].size, 8); acpitables[DSDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[DSDT].size = dsdt_anycpu_arm_len; - dom->acpi_modules[0].length += ROUNDUP(acpitables[DSDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[DSDT].size, 8); assert(dom->acpi_modules[0].length <= GUEST_ACPI_SIZE); dom->acpi_modules[0].data = libxl__zalloc(gc, dom->acpi_modules[0].length); diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c index 6fd62d1403..a8b0c8c500 100644 --- a/tools/libs/light/libxl_create.c +++ b/tools/libs/light/libxl_create.c @@ -600,7 +600,7 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_config *d_config, .opts = 0, /* .opts will be set below */ .nr = b_info->altp2m_count, }, - .vmtrace_size = ROUNDUP(b_info->vmtrace_buf_kb << 10, XC_PAGE_SHIFT), + .vmtrace_size = ROUNDUP(b_info->vmtrace_buf_kb << 10, XC_PAGE_SIZE), .cpupool_id = info->poolid, }; diff --git a/tools/libs/light/libxl_sr_stream_format.h b/tools/libs/light/libxl_sr_stream_format.h index f8f4723c2e..118428e989 100644 --- a/tools/libs/light/libxl_sr_stream_format.h +++ b/tools/libs/light/libxl_sr_stream_format.h @@ -29,7 +29,7 @@ typedef struct libxl__sr_rec_hdr } libxl__sr_rec_hdr; /* All records must be aligned up to an 8 octet boundary */ -#define REC_ALIGN_ORDER 3U +#define REC_ALIGN 8 #define REC_TYPE_END 0x00000000U #define REC_TYPE_LIBXC_CONTEXT 0x00000001U diff --git a/tools/libs/light/libxl_stream_read.c b/tools/libs/light/libxl_stream_read.c index e64e8f0ead..99c7607b6c 100644 --- a/tools/libs/light/libxl_stream_read.c +++ b/tools/libs/light/libxl_stream_read.c @@ -511,7 +511,7 @@ static void record_header_done(libxl__egc *egc, return; } - size_t bytes_to_read = ROUNDUP(rec->hdr.length, REC_ALIGN_ORDER); + size_t bytes_to_read = ROUNDUP(rec->hdr.length, REC_ALIGN); rec->body = libxl__malloc(NOGC, bytes_to_read); rc = setup_read(stream, "record body", diff --git a/tools/libs/light/libxl_stream_write.c b/tools/libs/light/libxl_stream_write.c index 98d44597a7..d26f281faa 100644 --- a/tools/libs/light/libxl_stream_write.c +++ b/tools/libs/light/libxl_stream_write.c @@ -119,7 +119,7 @@ static void setup_generic_write(libxl__egc *egc, void *body, sws_record_done_cb cb) { - static const uint8_t zero_padding[1U << REC_ALIGN_ORDER] = { 0 }; + static const uint8_t zero_padding[REC_ALIGN] = {}; libxl__datacopier_state *dc = &stream->dc; int rc; @@ -136,7 +136,7 @@ static void setup_generic_write(libxl__egc *egc, return; } - size_t padsz = ROUNDUP(hdr->length, REC_ALIGN_ORDER) - hdr->length; + size_t padsz = ROUNDUP(hdr->length, REC_ALIGN) - hdr->length; uint32_t length = hdr->length; /* Insert header */ diff --git a/tools/misc/xen-mfndump.c b/tools/misc/xen-mfndump.c index 28687afbf0..99a0b1d3b5 100644 --- a/tools/misc/xen-mfndump.c +++ b/tools/misc/xen-mfndump.c @@ -10,7 +10,7 @@ #include -#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), 21) +#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), MB(2)) #define is_mapped(pfn_type) (!((pfn_type) & 0x80000000UL)) #define ERROR(msg, args...) fprintf(stderr, msg, ## args) diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c index c55f73b265..7f6381cdd2 100644 --- a/tools/ocaml/libs/xc/xenctrl_stubs.c +++ b/tools/ocaml/libs/xc/xenctrl_stubs.c @@ -221,7 +221,7 @@ CAMLprim value stub_xc_domain_create(value xch_val, value wanted_domid, value co if ( altp2m_nr != (uint16_t)altp2m_nr ) caml_invalid_argument("altp2m_count"); - vmtrace_size = ROUNDUP(vmtrace_size << 10, XC_PAGE_SHIFT); + vmtrace_size = ROUNDUP(vmtrace_size << 10, XC_PAGE_SIZE); if ( vmtrace_size != (uint32_t)vmtrace_size ) caml_invalid_argument("vmtrace_buf_kb"); diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c index d6d462b7bc..769e2c19cc 100644 --- a/tools/xenstored/core.c +++ b/tools/xenstored/core.c @@ -466,7 +466,7 @@ int set_fd(int fd, short events) /* Round up to 2^8 boundary, in practice this just * make newsize larger than current_array_size. */ - newsize = ROUNDUP(nr_fds + 1, 8); + newsize = ROUNDUP(nr_fds + 1, 1U << 8); new_fds = realloc(poll_fds, sizeof(struct pollfd)*newsize); if (!new_fds) @@ -3067,7 +3067,7 @@ static int dump_state_node(const void *ctx, struct connection *conn, head.length += node->hdr.num_perms * sizeof(*sn.perms); head.length += pathlen; head.length += node->hdr.datalen; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (fwrite(&head, sizeof(head), 1, fp) != 1) return dump_state_node_err(data, "Dump node head error"); diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c index 2db452144d..429868928e 100644 --- a/tools/xenstored/domain.c +++ b/tools/xenstored/domain.c @@ -2159,7 +2159,7 @@ const char *dump_state_connections(FILE *fp) if (ret) return ret; head.length += sc.data_in_len + sc.data_out_len; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (c->domain) { sc.fields |= XS_STATE_CONN_FIELDS_UNIQ_ID; head.length += sizeof(uint64_t); @@ -2232,7 +2232,8 @@ void read_state_connection(const void *ctx, const void *state) unsigned long off; off = sizeof(*sc) + sc->data_in_len + sc->data_out_len; - domain->unique_id = *(uint64_t *)(state + ROUNDUP(off, 3)); + domain->unique_id = + *(uint64_t *)(state + ROUNDUP(off, 8)); } } @@ -2308,7 +2309,7 @@ static int dump_state_domain(const void *k, void *v, void *arg) n_quota = get_quota_size(domain->acc, &rec_len); rec_len += n_quota * sizeof(sd->quota_val[0]); rec_len += sizeof(*sd); - rec_len = ROUNDUP(rec_len, 3); + rec_len = ROUNDUP(rec_len, 8); record = talloc_size(NULL, rec_len + sizeof(*head)); if (!record) @@ -2372,7 +2373,7 @@ const char *dump_state_glb_quota(FILE *fp) n_quota = get_quota_size(quotas, &rec_len); rec_len += n_quota * sizeof(glb->quota_val[0]); rec_len += sizeof(*glb); - rec_len = ROUNDUP(rec_len, 3); + rec_len = ROUNDUP(rec_len, 8); record = talloc_size(NULL, rec_len + sizeof(*head)); if (!record) diff --git a/tools/xenstored/watch.c b/tools/xenstored/watch.c index a9a06e9e48..c143e6fbcf 100644 --- a/tools/xenstored/watch.c +++ b/tools/xenstored/watch.c @@ -349,7 +349,7 @@ const char *dump_state_watches(FILE *fp, struct connection *conn, } head.length += path_len + token_len; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (fwrite(&head, sizeof(head), 1, fp) != 1) return "Dump watch state error"; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329935.1593796 (Exim 4.92) (envelope-from ) id 1wVZBr-0006FL-OR; Fri, 05 Jun 2026 18:22:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329935.1593796; Fri, 05 Jun 2026 18:22:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBr-0006FC-Lf; Fri, 05 Jun 2026 18:22:43 +0000 Received: by outflank-mailman (input) for mailman id 1329935; Fri, 05 Jun 2026 18:22:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZBq-0006F3-R2 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZBq-008paz-2b for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZBq-00G5x3-2N for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DGRuqVwJtck1xuyAf8DcKoKQMkm5DdoWcPwbxrO7Mdg=; b=hFVm/ywtu+aVXqiKr3oPDkFY52 R2ONvwPWqhamACe8Q++QslMIXq5K4S/HQkwST+c+JljrBCC6mIp0iPjFD03CwObVymNBU6TaN/3qy HpKzG4pL4vx6CBJGUpMAcdLrz3Xryw0R8+FdmyNgejV2E9QzS+B4QIFuXSDEtBLhHSi8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/numa: prepare NUMA setup code for unit testing Message-Id: Date: Fri, 05 Jun 2026 18:22:42 +0000 commit 2b40ba07efc6756a056776db3fe3ae829b0251c1 Author: Roger Pau Monne AuthorDate: Fri May 29 11:25:54 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 xen/numa: prepare NUMA setup code for unit testing Introduce __XEN__ guards to differentiate between hypervisor vs unit test builds. Also move numa_set_node() so it's outside the __XEN__ guards. No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/numa.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/numa.c b/xen/common/numa.c index ad75955a16..8544a15982 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c @@ -4,6 +4,7 @@ * Adapted for Xen: Ryan Harper */ +#ifdef __XEN__ #include #include #include @@ -13,6 +14,7 @@ #include #include #include +#endif /* __XEN__ */ static nodemask_t __initdata processor_nodes_parsed; static nodemask_t __initdata memory_nodes_parsed; @@ -561,6 +563,12 @@ void __init numa_init_array(void) } } +void numa_set_node(unsigned int cpu, nodeid_t node) +{ + cpu_to_node[cpu] = node; +} + +#ifdef __XEN__ #ifdef CONFIG_NUMA_EMU static unsigned int __initdata numa_fake; @@ -661,11 +669,6 @@ void numa_add_cpu(unsigned int cpu) cpumask_set_cpu(cpu, &node_to_cpumask[cpu_to_node(cpu)]); } -void numa_set_node(unsigned int cpu, nodeid_t node) -{ - cpu_to_node[cpu] = node; -} - /* [numa=off] */ static int __init cf_check numa_setup(const char *opt) { @@ -830,3 +833,4 @@ static int __init cf_check register_numa_trigger(void) return 0; } __initcall(register_numa_trigger); +#endif /* __XEN__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:22:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:22:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329936.1593800 (Exim 4.92) (envelope-from ) id 1wVZC2-0006HG-Pc; Fri, 05 Jun 2026 18:22:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329936.1593800; Fri, 05 Jun 2026 18:22:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZC2-0006H8-N5; Fri, 05 Jun 2026 18:22:54 +0000 Received: by outflank-mailman (input) for mailman id 1329936; Fri, 05 Jun 2026 18:22:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZC1-0006H2-2t for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZC0-008pb4-2t for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZC0-00G60v-2l for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:22:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qoZwuI4nfDFINCIA004gGGei8tWGKsO1VsPuf9oCLaA=; b=bUBLEveLET0eVnLHN1XZCtA8qX xL+nB4iAg0sVBFKxq+nwVvC/qNl8m5K7gfMg4jFBUGrV8223uGJTuwyZl50L/CiBJ1inYrqzpHSyK xpNEQ3Zhs+2mhqVT8DWhacANtqB1wuB0caK9JtkbVAwvc9ELtXDtPckQiR+B//2BBOBA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tests/numa: add unit tests for NUMA setup logic Message-Id: Date: Fri, 05 Jun 2026 18:22:52 +0000 commit 97e3837af345cb5e99c016d538d886fa6553d2be Author: Roger Pau Monne AuthorDate: Fri May 29 11:26:31 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 19:12:13 2026 +0200 tests/numa: add unit tests for NUMA setup logic NUMA setup, like PDX, requires certain amount of logic to configure the internal structures and parameters for NUMA operation. Introduce some very basic testing that allows building and testing NUMA setup logic in as a user-space unit test. This allows feeding synthetic memory affinity and map to the logic, allowing to reproduce bugs that would otherwise need access to real systems with such a configuration. For the time being introduce a single test case, based on a known working NUMA setup for an AMD Turin system. Also the testing after setup is currently limited to ensuring the start and end RAM region addresses fall into a correctly setup memory block. Signed-off-by: Roger Pau Monné Reviewed-by: Anthony PERARD Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/tests/Makefile | 1 + tools/tests/numa/.gitignore | 2 + tools/tests/numa/Makefile | 46 ++++++++ tools/tests/numa/test-numa.c | 218 ++++++++++++++++++++++++++++++++++++ tools/tests/numa/wrapped-xen-numa.h | 187 +++++++++++++++++++++++++++++++ 5 files changed, 454 insertions(+) diff --git a/tools/tests/Makefile b/tools/tests/Makefile index 6477a4386d..fc0ed80915 100644 --- a/tools/tests/Makefile +++ b/tools/tests/Makefile @@ -4,6 +4,7 @@ include $(XEN_ROOT)/tools/Rules.mk SUBDIRS-y := SUBDIRS-y += domid SUBDIRS-y += mem-claim +SUBDIRS-y += numa SUBDIRS-y += paging-mempool SUBDIRS-y += pdx SUBDIRS-y += rangeset diff --git a/tools/tests/numa/.gitignore b/tools/tests/numa/.gitignore new file mode 100644 index 0000000000..0710a767f4 --- /dev/null +++ b/tools/tests/numa/.gitignore @@ -0,0 +1,2 @@ +/numa.h +/test-numa diff --git a/tools/tests/numa/Makefile b/tools/tests/numa/Makefile new file mode 100644 index 0000000000..43e2db489d --- /dev/null +++ b/tools/tests/numa/Makefile @@ -0,0 +1,46 @@ +XEN_ROOT=$(CURDIR)/../../.. +include $(XEN_ROOT)/tools/Rules.mk + +TARGETS := test-numa + +.PHONY: all +all: $(TARGETS) + +.PHONY: run +run: $(TARGETS) +ifeq ($(CC),$(HOSTCC)) + set -e; \ + for test in $? ; do \ + ./$$test ; \ + done +else + $(warning HOSTCC != CC, will not run test) +endif + +.PHONY: clean +clean: + $(RM) -- *.o $(TARGETS) $(DEPS_RM) numa.h + +.PHONY: distclean +distclean: clean + $(RM) -- *~ + +.PHONY: install +install: all + $(INSTALL_DIR) $(DESTDIR)$(LIBEXEC)/tests + $(INSTALL_PROG) $(TARGETS) $(DESTDIR)$(LIBEXEC)/tests + +.PHONY: uninstall +uninstall: + $(RM) -- $(patsubst %,$(DESTDIR)$(LIBEXEC)/tests/%,$(TARGETS)) + +numa.h: $(XEN_ROOT)/xen/include/xen/numa.h + sed -e '/^#[[:space:]]*include/d' <$< >$@ + +CFLAGS += -D__XEN_TOOLS__ +CFLAGS += $(CFLAGS_xeninclude) + +test-numa: test-numa.c numa.h + $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(APPEND_CFLAGS) + +-include $(DEPS_INCLUDE) diff --git a/tools/tests/numa/test-numa.c b/tools/tests/numa/test-numa.c new file mode 100644 index 0000000000..ed91a2824f --- /dev/null +++ b/tools/tests/numa/test-numa.c @@ -0,0 +1,218 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Unit tests for NUMA setup. + * + * Copyright (C) 2026 Cloud Software Group + */ + +#include "wrapped-xen-numa.h" +#include "../../xen/common/numa.c" + +static void numa_reset_state(void) +{ + bitmap_clear(processor_nodes_parsed.bits, CONFIG_NR_NUMA_NODES); + bitmap_clear(memory_nodes_parsed.bits, CONFIG_NR_NUMA_NODES); + bitmap_clear(memblk_hotplug, NR_NODE_MEMBLKS); + memset(numa_nodes, 0, sizeof(numa_nodes)); + memset(node_memblk_range, 0, sizeof(node_memblk_range)); + memset(memblk_nodeid, 0, sizeof(memblk_nodeid)); + memset(node_data, 0, sizeof(node_data)); + memset(node_to_cpumask, 0, sizeof(node_to_cpumask)); + memset(cpu_to_node, NUMA_NO_NODE, sizeof(cpu_to_node)); + num_node_memblks = 0; + memnode_shift = 0; + memnodemapsize = 0; + if ( memnodemap != _memnodemap ) + free(memnodemap); + memnodemap = NULL; + bitmap_clear(node_online_map.bits, CONFIG_NR_NUMA_NODES); + node_set(1, node_online_map); +} + +struct mem_affinity { + /* Ranges are defined as [start, end]. */ + paddr_t start, end; + unsigned int nid; +}; + +struct mem_range { + /* Ranges are defined as [start, end]. */ + paddr_t start, end; +}; + +const static struct mem_range *ram; + +int arch_get_ram_range(unsigned int idx, paddr_t *start, paddr_t *end) +{ + if ( idx >= MAX_RANGES || !ram[idx].end ) + return -ENOENT; + + *start = ram[idx].start; + *end = ram[idx].end + 1; + + return 0; +} + +static void print_ranges(const struct mem_affinity *r) +{ + unsigned int i; + + printf("Affinity ranges:\n"); + for ( i = 0; i < MAX_RANGES; i++ ) + { + if ( !r[i].end ) + break; + + printf(" NID %u [%" PRIpaddr ", %" PRIpaddr "]\n", + r[i].nid, r[i].start, r[i].end); + } + + printf("RAM ranges:\n"); + for ( i = 0; i < MAX_RANGES; i++ ) + { + if ( !ram[i].end ) + break; + + printf(" [%" PRIpaddr ", %" PRIpaddr "]\n", + ram[i].start, ram[i].end); + } +} + +static bool test_paddr(paddr_t addr) +{ + mfn_t mfn = PFN_DOWN(addr); + unsigned int idx = mfn >> memnode_shift; + unsigned int nid; + + if ( idx >= memnodemapsize ) + { + printf("Fail: MFN %lx -> IDX %u outside of memnodemap range\n", + mfn, idx); + return false; + } + + nid = memnodemap[idx]; + if ( nid >= MAX_NUMNODES ) + { + printf("Fail: MFN %lx -> NID %u >= MAX_NUMNODES (%u)\n", + mfn, nid, MAX_NUMNODES); + return false; + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx -> NID %u without spanned pages\n", + mfn, nid); + return false; + + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx -> NID %u without spanned pages\n", + mfn, nid); + return false; + + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx outside NID range [%013lx, %013lx]\n", + mfn, node_data[nid].node_start_pfn, + node_data[nid].node_start_pfn + + node_data[nid].node_spanned_pages - 1); + return false; + } + + return true; +} + +int main(int argc, char **argv) +{ + static const struct { + struct mem_affinity affinity[MAX_RANGES]; + struct mem_range ram[MAX_RANGES]; + } tests[] = { + /* From an arbitrary AMD Turin system. */ + { + .affinity = { + { .nid = 0, .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .nid = 0, .start = 0x000000c0000ULL, .end = 0x000afffffffULL }, + { .nid = 0, .start = 0x00100000000ULL, .end = 0x0c04fffffffULL }, + { .nid = 1, .start = 0x0c050000000ULL, .end = 0x0fc4fffffffULL }, + { .nid = 1, .start = 0x10000000000ULL, .end = 0x183ffffffffULL }, + }, + .ram = { + { .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .start = 0x00000100000ULL, .end = 0x0007590ffffULL }, + { .start = 0x000759d1000ULL, .end = 0x00075a0ffffULL }, + { .start = 0x00076000000ULL, .end = 0x00094c73fffULL }, + { .start = 0x0009b5ff000ULL, .end = 0x0009fff9fffULL }, + { .start = 0x0009ffff000ULL, .end = 0x0009fffffffULL }, + { .start = 0x00100010000ULL, .end = 0x0fc4fffffffULL }, + { .start = 0x10000000000ULL, .end = 0x183f7ffffffULL }, + { .start = 0x183f8800000ULL, .end = 0x183faabffffULL }, + }, + }, + }; + int ret_code = EXIT_SUCCESS; + + /* Dummy firmware interface provider name, use TST for TEST. */ + numa_fw_nid_name = "TST"; + + for ( unsigned int i = 0 ; i < ARRAY_SIZE(tests); i++ ) + { + paddr_t min = ~(paddr_t)0, max = 0; + unsigned int j; + + numa_reset_state(); + + ram = tests[i].ram; + + for ( j = 0; + j < ARRAY_SIZE(tests[i].affinity) && tests[i].affinity[j].end; + j++ ) + { + const struct mem_affinity *affinity = &tests[i].affinity[j]; + paddr_t length = affinity->end - affinity->start + 1; + + if ( !numa_update_node_memblks(affinity->nid, affinity->nid, + affinity->start, length, false) ) + { + printf("Fail to add NID %u [%" PRIpaddr ", %" PRIpaddr "]\n", + affinity->nid, affinity->start, affinity->end); + ret_code = EXIT_FAILURE; + continue; + } + + min = min(min, affinity->start); + max = max(max, affinity->end); + } + + if ( !numa_process_nodes(min, max + 1) ) + { + printf("Unable to process nodes\n"); + print_ranges(tests[i].affinity); + ret_code = EXIT_FAILURE; + continue; + } + + for ( j = 0; + j < ARRAY_SIZE(tests[i].ram) && tests[i].ram[j].end; + j++ ) + if ( !test_paddr(tests[i].ram[j].start) || + !test_paddr(tests[i].ram[j].end) ) + ret_code = EXIT_FAILURE; + } + + return ret_code; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/tests/numa/wrapped-xen-numa.h b/tools/tests/numa/wrapped-xen-numa.h new file mode 100644 index 0000000000..ed97524e48 --- /dev/null +++ b/tools/tests/numa/wrapped-xen-numa.h @@ -0,0 +1,187 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Unit tests for NUMA setup. + * + * Copyright (C) 2026 Cloud Software Group + */ + +#ifndef WRAPPED_XEN_NUMA_H +#define WRAPPED_XEN_NUMA_H + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#define CONFIG_DEBUG +#define CONFIG_NUMA +#define CONFIG_NR_NUMA_NODES 64 +#define NR_CPUS 256 +#define MAX_RANGES 128 +#define PADDR_BITS 52 + +#define __init +#define __initdata +#define __ro_after_init +#define __read_mostly + +#define printk printf +#define XENLOG_INFO "" +#define XENLOG_DEBUG "" +#define XENLOG_WARNING "" +#define KERN_INFO "" +#define KERN_ERR "" +#define KERN_WARNING "" +#define KERN_DEBUG "" + +#define PAGE_SHIFT 12 +/* Some libcs define PAGE_SIZE in limits.h. */ +#undef PAGE_SIZE +#define PAGE_SIZE (1L << PAGE_SHIFT) +#define MAX_ORDER 18 /* 2 * PAGETABLE_ORDER (9) */ + +#define PFN_DOWN(x) ((x) >> PAGE_SHIFT) +#define PFN_UP(x) (((x) + PAGE_SIZE-1) >> PAGE_SHIFT) + +#define paddr_to_pfn(pa) ((unsigned long)((pa) >> PAGE_SHIFT)) +#define mfn_to_pdx(mfn) (mfn) +#define paddr_to_pdx(pa) ((pa) >> PAGE_SHIFT) +#define mfn_to_maddr(mfn) ((mfn) << PAGE_SHIFT) + +#define ASSERT assert +#define ASSERT_UNREACHABLE() assert(0) + +/* For the purposes of the testing assume arch NID == Xen NID. */ +#define numa_node_to_arch_nid(n) (n) + +typedef uint64_t paddr_t; +#define PRIpaddr "016" PRIx64 + +typedef unsigned long mfn_t; +typedef uint8_t nodeid_t; + +#define __set_bit set_bit +#define __clear_bit clear_bit + +static inline unsigned int find_next_bit( + const unsigned long *addr, unsigned int size, unsigned int off) +{ + unsigned int i; + + ASSERT(size <= BITS_PER_LONG); + + for ( i = off; i < size; i++ ) + if ( *addr & (1UL << i) ) + return i; + + return size; +} + +#define find_first_bit(b, s) find_next_bit(b, s, 0) + +/* Minimal cpumask support. */ +typedef struct cpumask{ DECLARE_BITMAP(bits, NR_CPUS); } cpumask_t; + +#define cpumask_clear_cpu(c, m) clear_bit(c, (m)->bits) + +/* Define the nodemask helpers used. */ +typedef struct nodemask{ DECLARE_BITMAP(bits, CONFIG_NR_NUMA_NODES); } nodemask_t; + +#define node_set(node, dst) set_bit(node, (dst).bits) + +#define first_node(n) __first_node(&(n), CONFIG_NR_NUMA_NODES) +static inline int __first_node(const nodemask_t *srcp, unsigned int s) +{ + return min(s, find_next_bit(srcp->bits, s, 0)); +} + +#define next_node(n, m) __next_node(n, &(m), CONFIG_NR_NUMA_NODES) +static inline int __next_node(unsigned int n, const nodemask_t *srcp, + unsigned int s) +{ + return min(s, find_next_bit(srcp->bits, s, n + 1)); +} + +#define nodes_or(dst, src1, src2) \ + bitmap_or((dst).bits, (src1).bits, (src2).bits, CONFIG_NR_NUMA_NODES) + +static inline bool nodemask_test(unsigned int node, const nodemask_t *dst) +{ + return test_bit(node, dst->bits); +} + +#define node_set_online(node) set_bit(node, node_online_map.bits) + +#define cycle_node(n, src) __cycle_node(n, &(src), MAX_NUMNODES) +static inline int __cycle_node(int n, const nodemask_t *maskp, + unsigned int nbits) +{ + unsigned int nxt = __next_node(n, maskp, nbits); + + if ( nxt == nbits ) + nxt = __first_node(maskp, nbits); + + return nxt; +} + +#define for_each_node_mask(node, mask) \ + for ( (node) = first_node(mask); \ + (node) < MAX_NUMNODES; \ + (node) = next_node(node, mask) ) + +/* + * Dummy helper to satisfy allocate_cachealigned_memnodemap(), the memory + * allocation is instead done in vmap_contig(). + */ +static inline mfn_t alloc_boot_pages(unsigned long nr, unsigned long align) +{ + return 0; +} + +static inline void *vmap_contig(mfn_t mfn, unsigned int nr) +{ + assert(!mfn); + return calloc(PAGE_SIZE, nr); +} + +static inline void panic(const char *msg) +{ + printf("%s\n", msg); + abort(); +} + +/* Dummy implementations to satisfy the build. */ +static inline bool arch_numa_disabled(void) +{ + return false; +} + +static inline void numa_fw_bad(void) { } + +static inline bool arch_numa_unavailable(void) +{ + return false; +} + +static paddr_t mem_hotplug; +static unsigned int __read_mostly nr_cpu_ids = NR_CPUS; + +#include "numa.h" + +#endif + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 18:23:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 18:23:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329937.1593805 (Exim 4.92) (envelope-from ) id 1wVZCC-0006Jg-SY; Fri, 05 Jun 2026 18:23:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329937.1593805; Fri, 05 Jun 2026 18:23:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZCC-0006JY-Pv; Fri, 05 Jun 2026 18:23:04 +0000 Received: by outflank-mailman (input) for mailman id 1329937; Fri, 05 Jun 2026 18:23:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZCB-0006JQ-0j for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:23:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZCA-008pbf-3C for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:23:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZCA-00G64c-34 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 18:23:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8trDTMMoX51cbWQYAC32GuFOIZiNZvkWN8+5oZ6IZR8=; b=UX7nFYFz9Uf/uwpsAMk4Ray8oY EgwNixR+IvEJvyYr7FvPyScXp2jWe7SIew4CimTlExc12y1UDv6Nh62DAWyPDw6y7yq8GeaIoADvs pbkddjM/d9l5Y6hk8XHqa0PZ9TV88kKz2Pi5Semmepdnu9mqS9vL+cGpzIu2tzL4ew38=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/numa: fix setup of non-aligned memory affinity ranges Message-Id: Date: Fri, 05 Jun 2026 18:23:02 +0000 commit 188d5305297f4e842511d1374c7121ac8a37c169 Author: Roger Pau Monne AuthorDate: Fri May 29 13:03:48 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 19:13:47 2026 +0200 xen/numa: fix setup of non-aligned memory affinity ranges The logic to populate memnodemap in populate_memnodemap() assumes that all ranges are aligned to the hash shift, this however is only true for the first address in a memory affinity node. Any subsequent ranges belonging to the same node might not be aligned to the hash shift value. Such lack of alignment causes issues to the logic in populate_memnodemap(), as then the tail of the range might not be properly accounted for and setup in memnodemap. Fix this by forcing the start address of all regions to be aligned to the hash shift; if such alignment causes a region overlap it would always be between regions on the same node, and hence will never cause setup issues of the memnodemap array. Introduce two additional test cases to the user-space NUMA setup unit testing, first test case is the native memory affinity and memory map of the system where this issue was found, second test case is a simplification to demonstrate the original problem more clearly. Fixes: 1666086b0044 ("x86/NUMA: improve memnode_shift calculation for multi node system") Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/include/xen-tools/common-macros.h | 1 + tools/tests/numa/test-numa.c | 45 +++++++++++++++++++++++++++++++++ xen/common/numa.c | 6 +++++ 3 files changed, 52 insertions(+) diff --git a/tools/include/xen-tools/common-macros.h b/tools/include/xen-tools/common-macros.h index 9e27991782..88b4a0e5a6 100644 --- a/tools/include/xen-tools/common-macros.h +++ b/tools/include/xen-tools/common-macros.h @@ -69,6 +69,7 @@ #endif #define ROUNDUP(x, a) (((x) + (a) - 1) & ~((a) - 1)) +#define ROUNDDOWN(x, a) ((x) & ~((a) - 1)) #define MASK_EXTR(v, m) (((v) & (m)) / ((m) & -(m))) #define MASK_INSR(v, m) (((v) * ((m) & -(m))) & (m)) diff --git a/tools/tests/numa/test-numa.c b/tools/tests/numa/test-numa.c index ed91a2824f..51cc0475c7 100644 --- a/tools/tests/numa/test-numa.c +++ b/tools/tests/numa/test-numa.c @@ -154,6 +154,51 @@ int main(int argc, char **argv) { .start = 0x183f8800000ULL, .end = 0x183faabffffULL }, }, }, + /* Found on a pre-production system. */ + { + .affinity = { + { .nid = 0, .start = 0x00000000000ULL, .end = 0x000afffffffULL }, + { .nid = 0, .start = 0x00100000000ULL, .end = 0x0fc4fffffffULL }, + { .nid = 0, .start = 0x10000000000ULL, .end = 0x103ffffffffULL }, + { .nid = 1, .start = 0x10400000000ULL, .end = 0x203ffffffffULL }, + }, + .ram = { + { .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .start = 0x00000100000ULL, .end = 0x000165bffffULL }, + { .start = 0x00016600000ULL, .end = 0x0001aa1dfffULL }, + { .start = 0x0001aa1f000ULL, .end = 0x0001aa53fffULL }, + { .start = 0x0001aab8000ULL, .end = 0x0001aac6fffULL }, + { .start = 0x0001aacc000ULL, .end = 0x0006f3fefffULL }, + { .start = 0x00075dff000ULL, .end = 0x00075dfffffULL }, + { .start = 0x00076000000ULL, .end = 0x000a7ffffffULL }, + { .start = 0x00100010000ULL, .end = 0x0fc43ffffffULL }, + { .start = 0x0fc45000000ULL, .end = 0x0fc47ffffffULL }, + { .start = 0x0fc49000000ULL, .end = 0x0fc4bffffffULL }, + { .start = 0x0fc4d000000ULL, .end = 0x0fc4d3bffffULL }, + { .start = 0x0fc4f000000ULL, .end = 0x0fc4f0fffffULL }, + { .start = 0x10000000000ULL, .end = 0x203fd7fffffULL }, + }, + }, + /* + * Reduction of the issue above: introduce an unaligned middle region + * with regards to the hash shift. + */ + { + .affinity = { + { .nid = 0, .start = 0x00000ULL, .end = 0x00fffULL }, + /* + * The offset of the region below is not aligned with the hash + * shift: the shift calculation only takes into account the + * start of node address. + */ + { .nid = 0, .start = 0x01000ULL, .end = 0x04fffULL }, + { .nid = 1, .start = 0x14000ULL, .end = 0x14fffULL }, + }, + .ram = { + { .start = 0x00000ULL, .end = 0x04fffULL }, + { .start = 0x14000ULL, .end = 0x14fffULL }, + }, + }, }; int ret_code = EXIT_SUCCESS; diff --git a/xen/common/numa.c b/xen/common/numa.c index 8544a15982..92f8f1cedc 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c @@ -405,6 +405,12 @@ static int __init populate_memnodemap(const struct node *nodes, if ( (epdx >> shift) >= memnodemapsize ) return 0; + /* + * Round down start address: if start is not aligned to the memnodemap + * chunk size the tail remainder might not be added. Overlaps created + * by rounding will fall into the same NUMA region. + */ + spdx = ROUNDDOWN(spdx, 1UL << shift); do { if ( memnodemap[spdx >> shift] != NUMA_NO_NODE && (!nodeids || memnodemap[spdx >> shift] != nodeids[i]) ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329965.1593808 (Exim 4.92) (envelope-from ) id 1wVZwe-00069B-1l; Fri, 05 Jun 2026 19:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329965.1593808; Fri, 05 Jun 2026 19:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZwd-000693-VR; Fri, 05 Jun 2026 19:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1329965; Fri, 05 Jun 2026 19:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZwc-00068w-Fw for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZwc-008qgD-1N for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZwc-00GMgz-1B for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gbjPfC/OsSid4feqaOdxH+nxC/7KGeCKNtFM7WqOciY=; b=HIkNrTDiujO0d9jI97a2re+7Hf oJy6BaM5CcFzj0T9k8A+GOmmTH6Kb5wYAl7DYgnJwVa+ZCmUqUA38ZjBs9N0mnYuPmTCjf4VXO++p 5dvFkqPbjX9P4hDwTt9YUiyDKXjomNbqmcgf3XGf1RZ1ng4b4pjkkqkHKGuBXW42nUko=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mcfg: sort header includes Message-Id: Date: Fri, 05 Jun 2026 19:11:02 +0000 commit ce47b7897d4ad0cb19771d4a0cb0e810d71f5049 Author: Roger Pau Monne AuthorDate: Wed Jun 3 14:58:48 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 x86/mcfg: sort header includes No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/mmconfig-shared.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c index ab082b5f5b..d0cbc15170 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -12,17 +12,19 @@ * Author: Allen Kay - adapted to xen from Linux */ +#include #include #include #include -#include -#include #include -#include #include +#include +#include + #include #include #include + #include #include "mmconfig.h" -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329966.1593813 (Exim 4.92) (envelope-from ) id 1wVZwo-0006Ag-36; Fri, 05 Jun 2026 19:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329966.1593813; Fri, 05 Jun 2026 19:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZwo-0006AY-0T; Fri, 05 Jun 2026 19:11:14 +0000 Received: by outflank-mailman (input) for mailman id 1329966; Fri, 05 Jun 2026 19:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZwm-0006AO-Ii for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZwm-008qgc-1j for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZwm-00GMl5-1X for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nH+gQQ1HDlKn6Mq99S3U1wG48s82xRlpCIavDAEL+cQ=; b=LgrHrzLOz2lEvbUDNL2mM2AS2V wWFydRXEIP7MkOnASy6S1S38cddVKGFZKPC3xwho/HcKWsQPHCJyZUG29t7mCZDMXZXhSYKCvMHPL tXI/6YKqQXmBm6+5VEczjlkTJlP4xCFzOEb16B8ltBzBqoZPAphERFFD3jJmm6wP43wY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mcfg: relax memory map checks on newer firmware Message-Id: Date: Fri, 05 Jun 2026 19:11:12 +0000 commit 87279cafc0b6ba7078576d7f8355caee0cc9598a Author: Roger Pau Monne AuthorDate: Wed Jun 3 14:58:33 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 x86/mcfg: relax memory map checks on newer firmware Per PCI Firmware 3.3 specification, section 4.1.2, ECAM space must be reserved by declaring a motherboard resource, but there's no requirement to mention it in E820. The specification additionally states that: the resources can optionally be returned in Int15 E820h or EFIGetMemoryMap as reserved memory. Recent Lenovo systems have been found to have the MMCFG region in an E820 hole, which looks to be technically spec compliant, but is rejected by Xen. The logic was introduced in Linux in 2006 as 946f2ee5c731 ("[PATCH] i386/x86-64: Check that MCFG points to an e820 reserved area"). This was picked up by Xen when MCFG support was added in 3b35911d709e ("Enable pci mmcfg and ATS for x86_64"). Apply an approach similar to what Linux has done in 199f968f1484 ("x86/pci: Skip early E820 check for ECAM region") and relax the strict reserved region checking so it's only done for firmware manufactured prior to 2016. For firmware from 2016 and newer allow MCFG region to reside in holes on the memory map. Note Xen is still more strict than Linux however, as it will refuse to use MCFG regions that overlap with memory map regions different than reserved. When dom0 boots it can prevent access to misconfigured MCFG regions by using the PHYSDEVOP_pci_mmcfg_reserved hypercall. This brings Xen's early usage of MCFG (prior to ACPI AML parsing) more in line with the implementation in Linux. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/mmconfig-shared.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c index d0cbc15170..b33e2f56e6 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -13,6 +13,7 @@ */ #include +#include #include #include #include @@ -369,12 +370,15 @@ static bool __init pci_mmcfg_reject_broken(void) typeof(pci_mmcfg_config[0]) *cfg; int i; bool valid = true; + int year; if ((pci_mmcfg_config_num == 0) || (pci_mmcfg_config == NULL) || (pci_mmcfg_config[0].address == 0)) return 0; + dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL); + for (i = 0; i < pci_mmcfg_config_num; i++) { u64 addr, size; @@ -390,7 +394,13 @@ static bool __init pci_mmcfg_reject_broken(void) (unsigned int)cfg->start_bus_number, (unsigned int)cfg->end_bus_number); - if ( !is_mmconf_reserved(addr, size, i, cfg) || + /* + * For firmwares prior to 2016, confirm that MMCFG is marked as + * reserved. For 2016 and later, also allow MMCFG being in a hole. + */ + if ( ((year < 2016 || !is_memory_hole(maddr_to_mfn(addr), + maddr_to_mfn(addr + size - 1))) && + !is_mmconf_reserved(addr, size, i, cfg)) || pci_mmcfg_arch_enable(i) < 0 ) { pci_mmcfg_arch_disable(i); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329967.1593817 (Exim 4.92) (envelope-from ) id 1wVZwy-0006Cz-4b; Fri, 05 Jun 2026 19:11:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329967.1593817; Fri, 05 Jun 2026 19:11:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZwy-0006Cs-1p; Fri, 05 Jun 2026 19:11:24 +0000 Received: by outflank-mailman (input) for mailman id 1329967; Fri, 05 Jun 2026 19:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZww-0006Cl-L4 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZww-008qgi-21 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZww-00GMti-1t for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Cng6iGX3BcdHDAUfpQUFpT3gzaFAZiXKL9jwV08oK2k=; b=UBySUMaVA09tDlSshp434LoIQ1 CKGPnwM7XnH2D4hyS0HJ4DhcsO9i68HU3sUWZnEn0z5T2rizFcgqSs+J353t3RD0GgIJcOIgWMSXQ kQGSMloH2DaN3bA33whLowYrj6BjOyEaBasWqj0+bGIxPijvsdOdLVawwuskt34wbHu8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/bitops: adjust bitmap_or() interface to match hypervisor Message-Id: Date: Fri, 05 Jun 2026 19:11:22 +0000 commit bf90a4aa5e3b4823f139d7ea4567b0e162316098 Author: Roger Pau Monne AuthorDate: Fri May 29 11:21:21 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 tools/bitops: adjust bitmap_or() interface to match hypervisor Adjust the only toolstack caller to use the new interface. No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Anthony PERARD Release-Acked-by: Oleksii Kurochko --- tools/include/xen-tools/bitops.h | 7 ++++--- tools/libs/guest/xg_sr_save.c | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/include/xen-tools/bitops.h b/tools/include/xen-tools/bitops.h index 3b98fba6d7..29587e89fa 100644 --- a/tools/include/xen-tools/bitops.h +++ b/tools/include/xen-tools/bitops.h @@ -81,14 +81,15 @@ static inline int test_and_set_bit(unsigned long nr, void *addr) return oldbit; } -static inline void bitmap_or(void *_dst, const void *_other, +static inline void bitmap_or(void *_dst, const void *_src1, const void *_src2, unsigned long nr_bits) { char *dst = _dst; - const char *other = _other; + const char *src1 = _src1, *src2 = _src2; unsigned long i; + for ( i = 0; i < bitmap_size(nr_bits); ++i ) - dst[i] |= other[i]; + dst[i] = src1[i] | src2[i]; } #endif /* __XEN_TOOLS_BITOPS_H__ */ diff --git a/tools/libs/guest/xg_sr_save.c b/tools/libs/guest/xg_sr_save.c index 3b2c5222e4..fdbceab52e 100644 --- a/tools/libs/guest/xg_sr_save.c +++ b/tools/libs/guest/xg_sr_save.c @@ -668,7 +668,8 @@ static int suspend_and_send_dirty(struct xc_sr_context *ctx) else xc_set_progress_prefix(xch, "Checkpointed save"); - bitmap_or(dirty_bitmap, ctx->save.deferred_pages, ctx->save.p2m_size); + bitmap_or(dirty_bitmap, dirty_bitmap, ctx->save.deferred_pages, + ctx->save.p2m_size); if ( !ctx->save.live && ctx->stream_type == XC_STREAM_COLO ) { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329968.1593821 (Exim 4.92) (envelope-from ) id 1wVZx8-0006F3-6a; Fri, 05 Jun 2026 19:11:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329968.1593821; Fri, 05 Jun 2026 19:11:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZx8-0006Ev-3U; Fri, 05 Jun 2026 19:11:34 +0000 Received: by outflank-mailman (input) for mailman id 1329968; Fri, 05 Jun 2026 19:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZx6-0006Ej-Ox for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZx6-008qgo-2O for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZx6-00GMxl-2G for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aHgu9e/RWHUeBflRe4O7eAIX3U8FCXQ6LMBSXMYf/fA=; b=SZF+H5BWgjo6HlzioxRAggE6vw gvGJtO9WYzQvmm36NlKksQ17vMrl2rm+27jRDzeN6mAev5VSztye5UEUVnw/5ZnCWPEsWx5ex8owl 6VoQ6z8GziqBr0JhQXFUBFFaWzJuPSN2jVagWUuHZcNzCc9LL2WCZWnkh6bPGb8Pa9FA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/macros: adjust ROUNDUP() interface to match hypervisor Message-Id: Date: Fri, 05 Jun 2026 19:11:32 +0000 commit ce17dc6742507d5d78caea9f3cf089f5fdb92c5e Author: Roger Pau Monne AuthorDate: Fri May 29 13:23:50 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 tools/macros: adjust ROUNDUP() interface to match hypervisor Adjust user-space callers to use the new interface. No functional change intended. Signed-off-by: Roger Pau Monné Reviewed-by: Anthony PERARD Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/console/daemon/io.c | 2 +- tools/include/xen-tools/common-macros.h | 4 +--- tools/libs/call/buffer.c | 3 ++- tools/libs/foreignmemory/linux.c | 2 +- tools/libs/gnttab/freebsd.c | 2 +- tools/libs/gnttab/linux.c | 2 +- tools/libs/guest/xg_core.c | 2 +- tools/libs/guest/xg_dom_arm.c | 6 +++--- tools/libs/guest/xg_dom_x86.c | 2 +- tools/libs/guest/xg_private.h | 4 ++-- tools/libs/guest/xg_sr_common.c | 6 +++--- tools/libs/guest/xg_sr_stream_format.h | 2 +- tools/libs/light/libxl_arm_acpi.c | 24 ++++++++++++------------ tools/libs/light/libxl_create.c | 2 +- tools/libs/light/libxl_sr_stream_format.h | 2 +- tools/libs/light/libxl_stream_read.c | 2 +- tools/libs/light/libxl_stream_write.c | 4 ++-- tools/misc/xen-mfndump.c | 2 +- tools/ocaml/libs/xc/xenctrl_stubs.c | 2 +- tools/xenstored/core.c | 4 ++-- tools/xenstored/domain.c | 9 +++++---- tools/xenstored/watch.c | 2 +- 22 files changed, 45 insertions(+), 45 deletions(-) diff --git a/tools/console/daemon/io.c b/tools/console/daemon/io.c index 43d4973c24..b6c46d11de 100644 --- a/tools/console/daemon/io.c +++ b/tools/console/daemon/io.c @@ -1233,7 +1233,7 @@ static int set_fds(int fd, short events) /* Round up to 2^8 boundary, in practice this just * make newsize larger than current_array_size. */ - newsize = ROUNDUP(nr_fds + 1, 8); + newsize = ROUNDUP(nr_fds + 1, 1U << 8); new_fds = realloc(fds, sizeof(struct pollfd)*newsize); if (!new_fds) diff --git a/tools/include/xen-tools/common-macros.h b/tools/include/xen-tools/common-macros.h index 9838a108aa..9e27991782 100644 --- a/tools/include/xen-tools/common-macros.h +++ b/tools/include/xen-tools/common-macros.h @@ -68,9 +68,7 @@ }) #endif -#ifndef ROUNDUP -#define ROUNDUP(_x,_w) (((unsigned long)(_x)+(1UL<<(_w))-1) & ~((1UL<<(_w))-1)) -#endif +#define ROUNDUP(x, a) (((x) + (a) - 1) & ~((a) - 1)) #define MASK_EXTR(v, m) (((v) & (m)) / ((m) & -(m))) #define MASK_INSR(v, m) (((v) * ((m) & -(m))) & (m)) diff --git a/tools/libs/call/buffer.c b/tools/libs/call/buffer.c index 2579b8c719..155e4f9d43 100644 --- a/tools/libs/call/buffer.c +++ b/tools/libs/call/buffer.c @@ -155,7 +155,8 @@ struct allocation_header { void *xencall_alloc_buffer(xencall_handle *xcall, size_t size) { - size_t actual_size = ROUNDUP(size + sizeof(struct allocation_header), PAGE_SHIFT); + size_t actual_size = ROUNDUP(size + sizeof(struct allocation_header), + PAGE_SIZE); int nr_pages = actual_size >> PAGE_SHIFT; struct allocation_header *hdr; diff --git a/tools/libs/foreignmemory/linux.c b/tools/libs/foreignmemory/linux.c index 12f959765a..6d2f30cdf1 100644 --- a/tools/libs/foreignmemory/linux.c +++ b/tools/libs/foreignmemory/linux.c @@ -198,7 +198,7 @@ void *osdep_xenforeignmemory_map(xenforeignmemory_handle *fmem, */ privcmd_mmapbatch_t ioctlx; xen_pfn_t *pfn; - unsigned int pfn_arr_size = ROUNDUP((num * sizeof(*pfn)), XC_PAGE_SHIFT); + unsigned int pfn_arr_size = ROUNDUP(num * sizeof(*pfn), XC_PAGE_SIZE); int os_page_size = sysconf(_SC_PAGESIZE); if ( pfn_arr_size <= os_page_size ) diff --git a/tools/libs/gnttab/freebsd.c b/tools/libs/gnttab/freebsd.c index d69d928a16..8012744782 100644 --- a/tools/libs/gnttab/freebsd.c +++ b/tools/libs/gnttab/freebsd.c @@ -74,7 +74,7 @@ void *osdep_gnttab_grant_map(xengnttab_handle *xgt, int domids_stride; unsigned int refs_size = ROUNDUP(count * sizeof(struct ioctl_gntdev_grant_ref), - XC_PAGE_SHIFT); + XC_PAGE_SIZE); int os_page_size = getpagesize(); domids_stride = (flags & XENGNTTAB_GRANT_MAP_SINGLE_DOMAIN) ? 0 : 1; diff --git a/tools/libs/gnttab/linux.c b/tools/libs/gnttab/linux.c index 7286c1d4fe..829877e64b 100644 --- a/tools/libs/gnttab/linux.c +++ b/tools/libs/gnttab/linux.c @@ -101,7 +101,7 @@ void *osdep_gnttab_grant_map(xengnttab_handle *xgt, map = alloca(map_size); else { - map_size = ROUNDUP(map_size, XC_PAGE_SHIFT); + map_size = ROUNDUP(map_size, XC_PAGE_SIZE); map = mmap(NULL, map_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON | MAP_POPULATE, -1, 0); if ( map == MAP_FAILED ) diff --git a/tools/libs/guest/xg_core.c b/tools/libs/guest/xg_core.c index f83436d6cb..d3640f0ef8 100644 --- a/tools/libs/guest/xg_core.c +++ b/tools/libs/guest/xg_core.c @@ -696,7 +696,7 @@ xc_domain_dumpcore_via_callback(xc_interface *xch, for ( i = 1; i < sheaders->num; i++ ) sheaders->shdrs[i].sh_offset += fixup; offset += fixup; - dummy_len = ROUNDUP(offset, PAGE_SHIFT) - offset; /* padding length */ + dummy_len = ROUNDUP(offset, PAGE_SIZE) - offset; /* padding length */ offset += dummy_len; /* pages */ diff --git a/tools/libs/guest/xg_dom_arm.c b/tools/libs/guest/xg_dom_arm.c index c8d0918506..739ec1c338 100644 --- a/tools/libs/guest/xg_dom_arm.c +++ b/tools/libs/guest/xg_dom_arm.c @@ -364,12 +364,12 @@ static int meminit(struct xc_dom_image *dom) /* Convenient */ const uint64_t kernbase = dom->kernel_seg.vstart; - const uint64_t kernend = ROUNDUP(dom->kernel_seg.vend, 21/*2MB*/); + const uint64_t kernend = ROUNDUP(dom->kernel_seg.vend, MB(2)); const uint64_t kernsize = kernend - kernbase; const uint64_t dtb_size = dom->devicetree_blob ? - ROUNDUP(dom->devicetree_size, XC_PAGE_SHIFT) : 0; + ROUNDUP(dom->devicetree_size, XC_PAGE_SIZE) : 0; const uint64_t ramdisk_size = dom->modules[0].blob ? - ROUNDUP(dom->modules[0].size, XC_PAGE_SHIFT) : 0; + ROUNDUP(dom->modules[0].size, XC_PAGE_SIZE) : 0; const uint64_t modsize = dtb_size + ramdisk_size; const uint64_t ram128mb = bankbase[0] + (128<<20); diff --git a/tools/libs/guest/xg_dom_x86.c b/tools/libs/guest/xg_dom_x86.c index 268936efe2..1dc19529f5 100644 --- a/tools/libs/guest/xg_dom_x86.c +++ b/tools/libs/guest/xg_dom_x86.c @@ -678,7 +678,7 @@ static int alloc_magic_pages_hvm(struct xc_dom_image *dom) { if ( dom->cmdline ) { - dom->cmdline_size = ROUNDUP(strlen(dom->cmdline) + 1, 3); + dom->cmdline_size = ROUNDUP(strlen(dom->cmdline) + 1, 8); start_info_size += dom->cmdline_size; } } diff --git a/tools/libs/guest/xg_private.h b/tools/libs/guest/xg_private.h index 285229cf82..31a79bccf7 100644 --- a/tools/libs/guest/xg_private.h +++ b/tools/libs/guest/xg_private.h @@ -135,7 +135,7 @@ typedef uint64_t x86_pgentry_t; #define PAGE_SIZE_X86 (1UL << PAGE_SHIFT_X86) #define PAGE_MASK_X86 (~(PAGE_SIZE_X86-1)) -#define NRPAGES(x) (ROUNDUP(x, PAGE_SHIFT) >> PAGE_SHIFT) +#define NRPAGES(x) (ROUNDUP(x, PAGE_SIZE) >> PAGE_SHIFT) static inline xen_pfn_t xc_pfn_to_mfn(xen_pfn_t pfn, xen_pfn_t *p2m, unsigned gwidth) @@ -167,7 +167,7 @@ int pin_table(xc_interface *xch, unsigned int type, unsigned long mfn, */ #define M2P_SHIFT L2_PAGETABLE_SHIFT_PAE #define M2P_CHUNK_SIZE (1 << M2P_SHIFT) -#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), M2P_SHIFT) +#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), M2P_CHUNK_SIZE) #define M2P_CHUNKS(_m) (M2P_SIZE((_m)) >> M2P_SHIFT) #if defined(__x86_64__) || defined(__i386__) diff --git a/tools/libs/guest/xg_sr_common.c b/tools/libs/guest/xg_sr_common.c index 7ccdc3b1f6..c7b3c6f3bc 100644 --- a/tools/libs/guest/xg_sr_common.c +++ b/tools/libs/guest/xg_sr_common.c @@ -56,11 +56,11 @@ const char *rec_type_to_str(uint32_t type) int write_split_record(struct xc_sr_context *ctx, struct xc_sr_record *rec, void *buf, size_t sz) { - static const char zeroes[(1u << REC_ALIGN_ORDER) - 1] = { 0 }; + static const char zeroes[REC_ALIGN] = {}; xc_interface *xch = ctx->xch; typeof(rec->length) combined_length = rec->length + sz; - size_t record_length = ROUNDUP(combined_length, REC_ALIGN_ORDER); + size_t record_length = ROUNDUP(combined_length, REC_ALIGN); struct iovec parts[] = { { &rec->type, sizeof(rec->type) }, { &combined_length, sizeof(combined_length) }, @@ -110,7 +110,7 @@ int read_record(struct xc_sr_context *ctx, int fd, struct xc_sr_record *rec) return -1; } - datasz = ROUNDUP(rhdr.length, REC_ALIGN_ORDER); + datasz = ROUNDUP(rhdr.length, REC_ALIGN); if ( datasz ) { diff --git a/tools/libs/guest/xg_sr_stream_format.h b/tools/libs/guest/xg_sr_stream_format.h index 8a0da26f75..99dca5d490 100644 --- a/tools/libs/guest/xg_sr_stream_format.h +++ b/tools/libs/guest/xg_sr_stream_format.h @@ -53,7 +53,7 @@ struct xc_sr_rhdr }; /* All records must be aligned up to an 8 octet boundary */ -#define REC_ALIGN_ORDER (3U) +#define REC_ALIGN 8 /* Somewhat arbitrary - 128MB */ #define REC_LENGTH_MAX (128U << 20) diff --git a/tools/libs/light/libxl_arm_acpi.c b/tools/libs/light/libxl_arm_acpi.c index ba874c3d32..690fa227a5 100644 --- a/tools/libs/light/libxl_arm_acpi.c +++ b/tools/libs/light/libxl_arm_acpi.c @@ -107,12 +107,12 @@ int libxl__get_acpi_size(libxl__gc *gc, if (rc < 0) goto out; - *out = ROUNDUP(size, 3) + - ROUNDUP(sizeof(struct acpi_table_rsdp), 3) + - ROUNDUP(sizeof(struct acpi_table_xsdt), 3) + - ROUNDUP(sizeof(struct acpi_table_gtdt), 3) + - ROUNDUP(sizeof(struct acpi_table_fadt), 3) + - ROUNDUP(sizeof(dsdt_anycpu_arm_len), 3); + *out = ROUNDUP(size, 8) + + ROUNDUP(sizeof(struct acpi_table_rsdp), 8) + + ROUNDUP(sizeof(struct acpi_table_xsdt), 8) + + ROUNDUP(sizeof(struct acpi_table_gtdt), 8) + + ROUNDUP(sizeof(struct acpi_table_fadt), 8) + + ROUNDUP(sizeof(dsdt_anycpu_arm_len), 8); out: return rc; @@ -128,7 +128,7 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, acpitables[RSDP].addr = GUEST_ACPI_BASE; acpitables[RSDP].size = sizeof(struct acpi_table_rsdp); - dom->acpi_modules[0].length += ROUNDUP(acpitables[RSDP].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[RSDP].size, 8); acpitables[XSDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; /* @@ -137,11 +137,11 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, */ acpitables[XSDT].size = sizeof(struct acpi_table_xsdt) + sizeof(uint64_t) * 2; - dom->acpi_modules[0].length += ROUNDUP(acpitables[XSDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[XSDT].size, 8); acpitables[GTDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[GTDT].size = sizeof(struct acpi_table_gtdt); - dom->acpi_modules[0].length += ROUNDUP(acpitables[GTDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[GTDT].size, 8); acpitables[MADT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; @@ -150,15 +150,15 @@ static int libxl__allocate_acpi_tables(libxl__gc *gc, goto out; acpitables[MADT].size = size; - dom->acpi_modules[0].length += ROUNDUP(acpitables[MADT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[MADT].size, 8); acpitables[FADT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[FADT].size = sizeof(struct acpi_table_fadt); - dom->acpi_modules[0].length += ROUNDUP(acpitables[FADT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[FADT].size, 8); acpitables[DSDT].addr = GUEST_ACPI_BASE + dom->acpi_modules[0].length; acpitables[DSDT].size = dsdt_anycpu_arm_len; - dom->acpi_modules[0].length += ROUNDUP(acpitables[DSDT].size, 3); + dom->acpi_modules[0].length += ROUNDUP(acpitables[DSDT].size, 8); assert(dom->acpi_modules[0].length <= GUEST_ACPI_SIZE); dom->acpi_modules[0].data = libxl__zalloc(gc, dom->acpi_modules[0].length); diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c index 6fd62d1403..a8b0c8c500 100644 --- a/tools/libs/light/libxl_create.c +++ b/tools/libs/light/libxl_create.c @@ -600,7 +600,7 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_config *d_config, .opts = 0, /* .opts will be set below */ .nr = b_info->altp2m_count, }, - .vmtrace_size = ROUNDUP(b_info->vmtrace_buf_kb << 10, XC_PAGE_SHIFT), + .vmtrace_size = ROUNDUP(b_info->vmtrace_buf_kb << 10, XC_PAGE_SIZE), .cpupool_id = info->poolid, }; diff --git a/tools/libs/light/libxl_sr_stream_format.h b/tools/libs/light/libxl_sr_stream_format.h index f8f4723c2e..118428e989 100644 --- a/tools/libs/light/libxl_sr_stream_format.h +++ b/tools/libs/light/libxl_sr_stream_format.h @@ -29,7 +29,7 @@ typedef struct libxl__sr_rec_hdr } libxl__sr_rec_hdr; /* All records must be aligned up to an 8 octet boundary */ -#define REC_ALIGN_ORDER 3U +#define REC_ALIGN 8 #define REC_TYPE_END 0x00000000U #define REC_TYPE_LIBXC_CONTEXT 0x00000001U diff --git a/tools/libs/light/libxl_stream_read.c b/tools/libs/light/libxl_stream_read.c index e64e8f0ead..99c7607b6c 100644 --- a/tools/libs/light/libxl_stream_read.c +++ b/tools/libs/light/libxl_stream_read.c @@ -511,7 +511,7 @@ static void record_header_done(libxl__egc *egc, return; } - size_t bytes_to_read = ROUNDUP(rec->hdr.length, REC_ALIGN_ORDER); + size_t bytes_to_read = ROUNDUP(rec->hdr.length, REC_ALIGN); rec->body = libxl__malloc(NOGC, bytes_to_read); rc = setup_read(stream, "record body", diff --git a/tools/libs/light/libxl_stream_write.c b/tools/libs/light/libxl_stream_write.c index 98d44597a7..d26f281faa 100644 --- a/tools/libs/light/libxl_stream_write.c +++ b/tools/libs/light/libxl_stream_write.c @@ -119,7 +119,7 @@ static void setup_generic_write(libxl__egc *egc, void *body, sws_record_done_cb cb) { - static const uint8_t zero_padding[1U << REC_ALIGN_ORDER] = { 0 }; + static const uint8_t zero_padding[REC_ALIGN] = {}; libxl__datacopier_state *dc = &stream->dc; int rc; @@ -136,7 +136,7 @@ static void setup_generic_write(libxl__egc *egc, return; } - size_t padsz = ROUNDUP(hdr->length, REC_ALIGN_ORDER) - hdr->length; + size_t padsz = ROUNDUP(hdr->length, REC_ALIGN) - hdr->length; uint32_t length = hdr->length; /* Insert header */ diff --git a/tools/misc/xen-mfndump.c b/tools/misc/xen-mfndump.c index 28687afbf0..99a0b1d3b5 100644 --- a/tools/misc/xen-mfndump.c +++ b/tools/misc/xen-mfndump.c @@ -10,7 +10,7 @@ #include -#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), 21) +#define M2P_SIZE(_m) ROUNDUP(((_m) * sizeof(xen_pfn_t)), MB(2)) #define is_mapped(pfn_type) (!((pfn_type) & 0x80000000UL)) #define ERROR(msg, args...) fprintf(stderr, msg, ## args) diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c index c55f73b265..7f6381cdd2 100644 --- a/tools/ocaml/libs/xc/xenctrl_stubs.c +++ b/tools/ocaml/libs/xc/xenctrl_stubs.c @@ -221,7 +221,7 @@ CAMLprim value stub_xc_domain_create(value xch_val, value wanted_domid, value co if ( altp2m_nr != (uint16_t)altp2m_nr ) caml_invalid_argument("altp2m_count"); - vmtrace_size = ROUNDUP(vmtrace_size << 10, XC_PAGE_SHIFT); + vmtrace_size = ROUNDUP(vmtrace_size << 10, XC_PAGE_SIZE); if ( vmtrace_size != (uint32_t)vmtrace_size ) caml_invalid_argument("vmtrace_buf_kb"); diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c index d6d462b7bc..769e2c19cc 100644 --- a/tools/xenstored/core.c +++ b/tools/xenstored/core.c @@ -466,7 +466,7 @@ int set_fd(int fd, short events) /* Round up to 2^8 boundary, in practice this just * make newsize larger than current_array_size. */ - newsize = ROUNDUP(nr_fds + 1, 8); + newsize = ROUNDUP(nr_fds + 1, 1U << 8); new_fds = realloc(poll_fds, sizeof(struct pollfd)*newsize); if (!new_fds) @@ -3067,7 +3067,7 @@ static int dump_state_node(const void *ctx, struct connection *conn, head.length += node->hdr.num_perms * sizeof(*sn.perms); head.length += pathlen; head.length += node->hdr.datalen; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (fwrite(&head, sizeof(head), 1, fp) != 1) return dump_state_node_err(data, "Dump node head error"); diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c index 2db452144d..429868928e 100644 --- a/tools/xenstored/domain.c +++ b/tools/xenstored/domain.c @@ -2159,7 +2159,7 @@ const char *dump_state_connections(FILE *fp) if (ret) return ret; head.length += sc.data_in_len + sc.data_out_len; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (c->domain) { sc.fields |= XS_STATE_CONN_FIELDS_UNIQ_ID; head.length += sizeof(uint64_t); @@ -2232,7 +2232,8 @@ void read_state_connection(const void *ctx, const void *state) unsigned long off; off = sizeof(*sc) + sc->data_in_len + sc->data_out_len; - domain->unique_id = *(uint64_t *)(state + ROUNDUP(off, 3)); + domain->unique_id = + *(uint64_t *)(state + ROUNDUP(off, 8)); } } @@ -2308,7 +2309,7 @@ static int dump_state_domain(const void *k, void *v, void *arg) n_quota = get_quota_size(domain->acc, &rec_len); rec_len += n_quota * sizeof(sd->quota_val[0]); rec_len += sizeof(*sd); - rec_len = ROUNDUP(rec_len, 3); + rec_len = ROUNDUP(rec_len, 8); record = talloc_size(NULL, rec_len + sizeof(*head)); if (!record) @@ -2372,7 +2373,7 @@ const char *dump_state_glb_quota(FILE *fp) n_quota = get_quota_size(quotas, &rec_len); rec_len += n_quota * sizeof(glb->quota_val[0]); rec_len += sizeof(*glb); - rec_len = ROUNDUP(rec_len, 3); + rec_len = ROUNDUP(rec_len, 8); record = talloc_size(NULL, rec_len + sizeof(*head)); if (!record) diff --git a/tools/xenstored/watch.c b/tools/xenstored/watch.c index a9a06e9e48..c143e6fbcf 100644 --- a/tools/xenstored/watch.c +++ b/tools/xenstored/watch.c @@ -349,7 +349,7 @@ const char *dump_state_watches(FILE *fp, struct connection *conn, } head.length += path_len + token_len; - head.length = ROUNDUP(head.length, 3); + head.length = ROUNDUP(head.length, 8); if (fwrite(&head, sizeof(head), 1, fp) != 1) return "Dump watch state error"; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329969.1593825 (Exim 4.92) (envelope-from ) id 1wVZxI-0006Ha-9H; Fri, 05 Jun 2026 19:11:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329969.1593825; Fri, 05 Jun 2026 19:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxI-0006HS-6m; Fri, 05 Jun 2026 19:11:44 +0000 Received: by outflank-mailman (input) for mailman id 1329969; Fri, 05 Jun 2026 19:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxG-0006HE-Rz for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZxG-008qgs-2h for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZxG-00GN2e-2Y for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LePhx1ZP2ajBgdpJAm/zc2gbHlGzykxWcwTfTPILKAA=; b=Bht4+gf+c74csxPT9TQnRz+7PO krA8B7+dO7aUXPYVPhfStx+QKjE3Ex0AknCiVg7zSy1xrn2r9z+vejCyyy55uTBYC4OkrSRdnxxcB D5rD06zS6XV4GqBrnsJKYbIJGm395kwjw4cRo0Jx4yjRxXfYtV9Qja2zS7lvAsZ+/I2M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/numa: prepare NUMA setup code for unit testing Message-Id: Date: Fri, 05 Jun 2026 19:11:42 +0000 commit 2b40ba07efc6756a056776db3fe3ae829b0251c1 Author: Roger Pau Monne AuthorDate: Fri May 29 11:25:54 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 17:40:21 2026 +0200 xen/numa: prepare NUMA setup code for unit testing Introduce __XEN__ guards to differentiate between hypervisor vs unit test builds. Also move numa_set_node() so it's outside the __XEN__ guards. No functional change intended. Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/numa.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/numa.c b/xen/common/numa.c index ad75955a16..8544a15982 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c @@ -4,6 +4,7 @@ * Adapted for Xen: Ryan Harper */ +#ifdef __XEN__ #include #include #include @@ -13,6 +14,7 @@ #include #include #include +#endif /* __XEN__ */ static nodemask_t __initdata processor_nodes_parsed; static nodemask_t __initdata memory_nodes_parsed; @@ -561,6 +563,12 @@ void __init numa_init_array(void) } } +void numa_set_node(unsigned int cpu, nodeid_t node) +{ + cpu_to_node[cpu] = node; +} + +#ifdef __XEN__ #ifdef CONFIG_NUMA_EMU static unsigned int __initdata numa_fake; @@ -661,11 +669,6 @@ void numa_add_cpu(unsigned int cpu) cpumask_set_cpu(cpu, &node_to_cpumask[cpu_to_node(cpu)]); } -void numa_set_node(unsigned int cpu, nodeid_t node) -{ - cpu_to_node[cpu] = node; -} - /* [numa=off] */ static int __init cf_check numa_setup(const char *opt) { @@ -830,3 +833,4 @@ static int __init cf_check register_numa_trigger(void) return 0; } __initcall(register_numa_trigger); +#endif /* __XEN__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:11:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329970.1593829 (Exim 4.92) (envelope-from ) id 1wVZxS-0006JW-Ag; Fri, 05 Jun 2026 19:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329970.1593829; Fri, 05 Jun 2026 19:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxS-0006JO-89; Fri, 05 Jun 2026 19:11:54 +0000 Received: by outflank-mailman (input) for mailman id 1329970; Fri, 05 Jun 2026 19:11:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxQ-0006JH-VY for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZxQ-008qgx-31 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZxQ-00GN80-2r for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iVbbB95UReJGJC9Qcarm0NvWvkSKm6NqLKk/a+iy/rY=; b=iRWeuGCpV/XRkgCn54Un4zi1Va wa9qodehz0ujHU6fKK+LSpYaZGH3RO/aX5eLvq8eOZrgtHQm+hrmsXfkKdysJd99kmKRZJ2Hf6P7E n4YHs0T0hjZ2aqx+UJcxWoAA3fOpuIIfHNp9MRid4P3yiJmT/faEJr/tVRCbu4Y4RoU8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tests/numa: add unit tests for NUMA setup logic Message-Id: Date: Fri, 05 Jun 2026 19:11:52 +0000 commit 97e3837af345cb5e99c016d538d886fa6553d2be Author: Roger Pau Monne AuthorDate: Fri May 29 11:26:31 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 19:12:13 2026 +0200 tests/numa: add unit tests for NUMA setup logic NUMA setup, like PDX, requires certain amount of logic to configure the internal structures and parameters for NUMA operation. Introduce some very basic testing that allows building and testing NUMA setup logic in as a user-space unit test. This allows feeding synthetic memory affinity and map to the logic, allowing to reproduce bugs that would otherwise need access to real systems with such a configuration. For the time being introduce a single test case, based on a known working NUMA setup for an AMD Turin system. Also the testing after setup is currently limited to ensuring the start and end RAM region addresses fall into a correctly setup memory block. Signed-off-by: Roger Pau Monné Reviewed-by: Anthony PERARD Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/tests/Makefile | 1 + tools/tests/numa/.gitignore | 2 + tools/tests/numa/Makefile | 46 ++++++++ tools/tests/numa/test-numa.c | 218 ++++++++++++++++++++++++++++++++++++ tools/tests/numa/wrapped-xen-numa.h | 187 +++++++++++++++++++++++++++++++ 5 files changed, 454 insertions(+) diff --git a/tools/tests/Makefile b/tools/tests/Makefile index 6477a4386d..fc0ed80915 100644 --- a/tools/tests/Makefile +++ b/tools/tests/Makefile @@ -4,6 +4,7 @@ include $(XEN_ROOT)/tools/Rules.mk SUBDIRS-y := SUBDIRS-y += domid SUBDIRS-y += mem-claim +SUBDIRS-y += numa SUBDIRS-y += paging-mempool SUBDIRS-y += pdx SUBDIRS-y += rangeset diff --git a/tools/tests/numa/.gitignore b/tools/tests/numa/.gitignore new file mode 100644 index 0000000000..0710a767f4 --- /dev/null +++ b/tools/tests/numa/.gitignore @@ -0,0 +1,2 @@ +/numa.h +/test-numa diff --git a/tools/tests/numa/Makefile b/tools/tests/numa/Makefile new file mode 100644 index 0000000000..43e2db489d --- /dev/null +++ b/tools/tests/numa/Makefile @@ -0,0 +1,46 @@ +XEN_ROOT=$(CURDIR)/../../.. +include $(XEN_ROOT)/tools/Rules.mk + +TARGETS := test-numa + +.PHONY: all +all: $(TARGETS) + +.PHONY: run +run: $(TARGETS) +ifeq ($(CC),$(HOSTCC)) + set -e; \ + for test in $? ; do \ + ./$$test ; \ + done +else + $(warning HOSTCC != CC, will not run test) +endif + +.PHONY: clean +clean: + $(RM) -- *.o $(TARGETS) $(DEPS_RM) numa.h + +.PHONY: distclean +distclean: clean + $(RM) -- *~ + +.PHONY: install +install: all + $(INSTALL_DIR) $(DESTDIR)$(LIBEXEC)/tests + $(INSTALL_PROG) $(TARGETS) $(DESTDIR)$(LIBEXEC)/tests + +.PHONY: uninstall +uninstall: + $(RM) -- $(patsubst %,$(DESTDIR)$(LIBEXEC)/tests/%,$(TARGETS)) + +numa.h: $(XEN_ROOT)/xen/include/xen/numa.h + sed -e '/^#[[:space:]]*include/d' <$< >$@ + +CFLAGS += -D__XEN_TOOLS__ +CFLAGS += $(CFLAGS_xeninclude) + +test-numa: test-numa.c numa.h + $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(APPEND_CFLAGS) + +-include $(DEPS_INCLUDE) diff --git a/tools/tests/numa/test-numa.c b/tools/tests/numa/test-numa.c new file mode 100644 index 0000000000..ed91a2824f --- /dev/null +++ b/tools/tests/numa/test-numa.c @@ -0,0 +1,218 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Unit tests for NUMA setup. + * + * Copyright (C) 2026 Cloud Software Group + */ + +#include "wrapped-xen-numa.h" +#include "../../xen/common/numa.c" + +static void numa_reset_state(void) +{ + bitmap_clear(processor_nodes_parsed.bits, CONFIG_NR_NUMA_NODES); + bitmap_clear(memory_nodes_parsed.bits, CONFIG_NR_NUMA_NODES); + bitmap_clear(memblk_hotplug, NR_NODE_MEMBLKS); + memset(numa_nodes, 0, sizeof(numa_nodes)); + memset(node_memblk_range, 0, sizeof(node_memblk_range)); + memset(memblk_nodeid, 0, sizeof(memblk_nodeid)); + memset(node_data, 0, sizeof(node_data)); + memset(node_to_cpumask, 0, sizeof(node_to_cpumask)); + memset(cpu_to_node, NUMA_NO_NODE, sizeof(cpu_to_node)); + num_node_memblks = 0; + memnode_shift = 0; + memnodemapsize = 0; + if ( memnodemap != _memnodemap ) + free(memnodemap); + memnodemap = NULL; + bitmap_clear(node_online_map.bits, CONFIG_NR_NUMA_NODES); + node_set(1, node_online_map); +} + +struct mem_affinity { + /* Ranges are defined as [start, end]. */ + paddr_t start, end; + unsigned int nid; +}; + +struct mem_range { + /* Ranges are defined as [start, end]. */ + paddr_t start, end; +}; + +const static struct mem_range *ram; + +int arch_get_ram_range(unsigned int idx, paddr_t *start, paddr_t *end) +{ + if ( idx >= MAX_RANGES || !ram[idx].end ) + return -ENOENT; + + *start = ram[idx].start; + *end = ram[idx].end + 1; + + return 0; +} + +static void print_ranges(const struct mem_affinity *r) +{ + unsigned int i; + + printf("Affinity ranges:\n"); + for ( i = 0; i < MAX_RANGES; i++ ) + { + if ( !r[i].end ) + break; + + printf(" NID %u [%" PRIpaddr ", %" PRIpaddr "]\n", + r[i].nid, r[i].start, r[i].end); + } + + printf("RAM ranges:\n"); + for ( i = 0; i < MAX_RANGES; i++ ) + { + if ( !ram[i].end ) + break; + + printf(" [%" PRIpaddr ", %" PRIpaddr "]\n", + ram[i].start, ram[i].end); + } +} + +static bool test_paddr(paddr_t addr) +{ + mfn_t mfn = PFN_DOWN(addr); + unsigned int idx = mfn >> memnode_shift; + unsigned int nid; + + if ( idx >= memnodemapsize ) + { + printf("Fail: MFN %lx -> IDX %u outside of memnodemap range\n", + mfn, idx); + return false; + } + + nid = memnodemap[idx]; + if ( nid >= MAX_NUMNODES ) + { + printf("Fail: MFN %lx -> NID %u >= MAX_NUMNODES (%u)\n", + mfn, nid, MAX_NUMNODES); + return false; + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx -> NID %u without spanned pages\n", + mfn, nid); + return false; + + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx -> NID %u without spanned pages\n", + mfn, nid); + return false; + + } + + if ( !node_data[nid].node_spanned_pages ) + { + printf("Fail: MFN %lx outside NID range [%013lx, %013lx]\n", + mfn, node_data[nid].node_start_pfn, + node_data[nid].node_start_pfn + + node_data[nid].node_spanned_pages - 1); + return false; + } + + return true; +} + +int main(int argc, char **argv) +{ + static const struct { + struct mem_affinity affinity[MAX_RANGES]; + struct mem_range ram[MAX_RANGES]; + } tests[] = { + /* From an arbitrary AMD Turin system. */ + { + .affinity = { + { .nid = 0, .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .nid = 0, .start = 0x000000c0000ULL, .end = 0x000afffffffULL }, + { .nid = 0, .start = 0x00100000000ULL, .end = 0x0c04fffffffULL }, + { .nid = 1, .start = 0x0c050000000ULL, .end = 0x0fc4fffffffULL }, + { .nid = 1, .start = 0x10000000000ULL, .end = 0x183ffffffffULL }, + }, + .ram = { + { .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .start = 0x00000100000ULL, .end = 0x0007590ffffULL }, + { .start = 0x000759d1000ULL, .end = 0x00075a0ffffULL }, + { .start = 0x00076000000ULL, .end = 0x00094c73fffULL }, + { .start = 0x0009b5ff000ULL, .end = 0x0009fff9fffULL }, + { .start = 0x0009ffff000ULL, .end = 0x0009fffffffULL }, + { .start = 0x00100010000ULL, .end = 0x0fc4fffffffULL }, + { .start = 0x10000000000ULL, .end = 0x183f7ffffffULL }, + { .start = 0x183f8800000ULL, .end = 0x183faabffffULL }, + }, + }, + }; + int ret_code = EXIT_SUCCESS; + + /* Dummy firmware interface provider name, use TST for TEST. */ + numa_fw_nid_name = "TST"; + + for ( unsigned int i = 0 ; i < ARRAY_SIZE(tests); i++ ) + { + paddr_t min = ~(paddr_t)0, max = 0; + unsigned int j; + + numa_reset_state(); + + ram = tests[i].ram; + + for ( j = 0; + j < ARRAY_SIZE(tests[i].affinity) && tests[i].affinity[j].end; + j++ ) + { + const struct mem_affinity *affinity = &tests[i].affinity[j]; + paddr_t length = affinity->end - affinity->start + 1; + + if ( !numa_update_node_memblks(affinity->nid, affinity->nid, + affinity->start, length, false) ) + { + printf("Fail to add NID %u [%" PRIpaddr ", %" PRIpaddr "]\n", + affinity->nid, affinity->start, affinity->end); + ret_code = EXIT_FAILURE; + continue; + } + + min = min(min, affinity->start); + max = max(max, affinity->end); + } + + if ( !numa_process_nodes(min, max + 1) ) + { + printf("Unable to process nodes\n"); + print_ranges(tests[i].affinity); + ret_code = EXIT_FAILURE; + continue; + } + + for ( j = 0; + j < ARRAY_SIZE(tests[i].ram) && tests[i].ram[j].end; + j++ ) + if ( !test_paddr(tests[i].ram[j].start) || + !test_paddr(tests[i].ram[j].end) ) + ret_code = EXIT_FAILURE; + } + + return ret_code; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/tests/numa/wrapped-xen-numa.h b/tools/tests/numa/wrapped-xen-numa.h new file mode 100644 index 0000000000..ed97524e48 --- /dev/null +++ b/tools/tests/numa/wrapped-xen-numa.h @@ -0,0 +1,187 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Unit tests for NUMA setup. + * + * Copyright (C) 2026 Cloud Software Group + */ + +#ifndef WRAPPED_XEN_NUMA_H +#define WRAPPED_XEN_NUMA_H + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#define CONFIG_DEBUG +#define CONFIG_NUMA +#define CONFIG_NR_NUMA_NODES 64 +#define NR_CPUS 256 +#define MAX_RANGES 128 +#define PADDR_BITS 52 + +#define __init +#define __initdata +#define __ro_after_init +#define __read_mostly + +#define printk printf +#define XENLOG_INFO "" +#define XENLOG_DEBUG "" +#define XENLOG_WARNING "" +#define KERN_INFO "" +#define KERN_ERR "" +#define KERN_WARNING "" +#define KERN_DEBUG "" + +#define PAGE_SHIFT 12 +/* Some libcs define PAGE_SIZE in limits.h. */ +#undef PAGE_SIZE +#define PAGE_SIZE (1L << PAGE_SHIFT) +#define MAX_ORDER 18 /* 2 * PAGETABLE_ORDER (9) */ + +#define PFN_DOWN(x) ((x) >> PAGE_SHIFT) +#define PFN_UP(x) (((x) + PAGE_SIZE-1) >> PAGE_SHIFT) + +#define paddr_to_pfn(pa) ((unsigned long)((pa) >> PAGE_SHIFT)) +#define mfn_to_pdx(mfn) (mfn) +#define paddr_to_pdx(pa) ((pa) >> PAGE_SHIFT) +#define mfn_to_maddr(mfn) ((mfn) << PAGE_SHIFT) + +#define ASSERT assert +#define ASSERT_UNREACHABLE() assert(0) + +/* For the purposes of the testing assume arch NID == Xen NID. */ +#define numa_node_to_arch_nid(n) (n) + +typedef uint64_t paddr_t; +#define PRIpaddr "016" PRIx64 + +typedef unsigned long mfn_t; +typedef uint8_t nodeid_t; + +#define __set_bit set_bit +#define __clear_bit clear_bit + +static inline unsigned int find_next_bit( + const unsigned long *addr, unsigned int size, unsigned int off) +{ + unsigned int i; + + ASSERT(size <= BITS_PER_LONG); + + for ( i = off; i < size; i++ ) + if ( *addr & (1UL << i) ) + return i; + + return size; +} + +#define find_first_bit(b, s) find_next_bit(b, s, 0) + +/* Minimal cpumask support. */ +typedef struct cpumask{ DECLARE_BITMAP(bits, NR_CPUS); } cpumask_t; + +#define cpumask_clear_cpu(c, m) clear_bit(c, (m)->bits) + +/* Define the nodemask helpers used. */ +typedef struct nodemask{ DECLARE_BITMAP(bits, CONFIG_NR_NUMA_NODES); } nodemask_t; + +#define node_set(node, dst) set_bit(node, (dst).bits) + +#define first_node(n) __first_node(&(n), CONFIG_NR_NUMA_NODES) +static inline int __first_node(const nodemask_t *srcp, unsigned int s) +{ + return min(s, find_next_bit(srcp->bits, s, 0)); +} + +#define next_node(n, m) __next_node(n, &(m), CONFIG_NR_NUMA_NODES) +static inline int __next_node(unsigned int n, const nodemask_t *srcp, + unsigned int s) +{ + return min(s, find_next_bit(srcp->bits, s, n + 1)); +} + +#define nodes_or(dst, src1, src2) \ + bitmap_or((dst).bits, (src1).bits, (src2).bits, CONFIG_NR_NUMA_NODES) + +static inline bool nodemask_test(unsigned int node, const nodemask_t *dst) +{ + return test_bit(node, dst->bits); +} + +#define node_set_online(node) set_bit(node, node_online_map.bits) + +#define cycle_node(n, src) __cycle_node(n, &(src), MAX_NUMNODES) +static inline int __cycle_node(int n, const nodemask_t *maskp, + unsigned int nbits) +{ + unsigned int nxt = __next_node(n, maskp, nbits); + + if ( nxt == nbits ) + nxt = __first_node(maskp, nbits); + + return nxt; +} + +#define for_each_node_mask(node, mask) \ + for ( (node) = first_node(mask); \ + (node) < MAX_NUMNODES; \ + (node) = next_node(node, mask) ) + +/* + * Dummy helper to satisfy allocate_cachealigned_memnodemap(), the memory + * allocation is instead done in vmap_contig(). + */ +static inline mfn_t alloc_boot_pages(unsigned long nr, unsigned long align) +{ + return 0; +} + +static inline void *vmap_contig(mfn_t mfn, unsigned int nr) +{ + assert(!mfn); + return calloc(PAGE_SIZE, nr); +} + +static inline void panic(const char *msg) +{ + printf("%s\n", msg); + abort(); +} + +/* Dummy implementations to satisfy the build. */ +static inline bool arch_numa_disabled(void) +{ + return false; +} + +static inline void numa_fw_bad(void) { } + +static inline bool arch_numa_unavailable(void) +{ + return false; +} + +static paddr_t mem_hotplug; +static unsigned int __read_mostly nr_cpu_ids = NR_CPUS; + +#include "numa.h" + +#endif + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 05 19:12:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 05 Jun 2026 19:12:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1329971.1593833 (Exim 4.92) (envelope-from ) id 1wVZxc-0006LV-CD; Fri, 05 Jun 2026 19:12:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1329971.1593833; Fri, 05 Jun 2026 19:12:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxc-0006LN-9X; Fri, 05 Jun 2026 19:12:04 +0000 Received: by outflank-mailman (input) for mailman id 1329971; Fri, 05 Jun 2026 19:12:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wVZxb-0006LF-1d for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:12:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wVZxb-008qhG-04 for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:12:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wVZxa-00GND8-3B for xen-changelog@lists.xenproject.org; Fri, 05 Jun 2026 19:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ED626lPLQhF9gVfvldLpOpaCTFpM6rJzaynTo+WDnlY=; b=U6DehfuFdS0q69FyqoilyR1Z6W 5kzS+yqK0wtqxhM/q6C5As/i1b+K5K0by+Vx9fkA3TAvxRoIJKzyx5+nIIoLT53NSttTF1leLau3F Nn5Fuw/jXu3m5u36mGCTJS43pOZUOPJAqklThrT8wJIhX6BPoaMzpiLX/iPkgVg8ZhoY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/numa: fix setup of non-aligned memory affinity ranges Message-Id: Date: Fri, 05 Jun 2026 19:12:02 +0000 commit 188d5305297f4e842511d1374c7121ac8a37c169 Author: Roger Pau Monne AuthorDate: Fri May 29 13:03:48 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 5 19:13:47 2026 +0200 xen/numa: fix setup of non-aligned memory affinity ranges The logic to populate memnodemap in populate_memnodemap() assumes that all ranges are aligned to the hash shift, this however is only true for the first address in a memory affinity node. Any subsequent ranges belonging to the same node might not be aligned to the hash shift value. Such lack of alignment causes issues to the logic in populate_memnodemap(), as then the tail of the range might not be properly accounted for and setup in memnodemap. Fix this by forcing the start address of all regions to be aligned to the hash shift; if such alignment causes a region overlap it would always be between regions on the same node, and hence will never cause setup issues of the memnodemap array. Introduce two additional test cases to the user-space NUMA setup unit testing, first test case is the native memory affinity and memory map of the system where this issue was found, second test case is a simplification to demonstrate the original problem more clearly. Fixes: 1666086b0044 ("x86/NUMA: improve memnode_shift calculation for multi node system") Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/include/xen-tools/common-macros.h | 1 + tools/tests/numa/test-numa.c | 45 +++++++++++++++++++++++++++++++++ xen/common/numa.c | 6 +++++ 3 files changed, 52 insertions(+) diff --git a/tools/include/xen-tools/common-macros.h b/tools/include/xen-tools/common-macros.h index 9e27991782..88b4a0e5a6 100644 --- a/tools/include/xen-tools/common-macros.h +++ b/tools/include/xen-tools/common-macros.h @@ -69,6 +69,7 @@ #endif #define ROUNDUP(x, a) (((x) + (a) - 1) & ~((a) - 1)) +#define ROUNDDOWN(x, a) ((x) & ~((a) - 1)) #define MASK_EXTR(v, m) (((v) & (m)) / ((m) & -(m))) #define MASK_INSR(v, m) (((v) * ((m) & -(m))) & (m)) diff --git a/tools/tests/numa/test-numa.c b/tools/tests/numa/test-numa.c index ed91a2824f..51cc0475c7 100644 --- a/tools/tests/numa/test-numa.c +++ b/tools/tests/numa/test-numa.c @@ -154,6 +154,51 @@ int main(int argc, char **argv) { .start = 0x183f8800000ULL, .end = 0x183faabffffULL }, }, }, + /* Found on a pre-production system. */ + { + .affinity = { + { .nid = 0, .start = 0x00000000000ULL, .end = 0x000afffffffULL }, + { .nid = 0, .start = 0x00100000000ULL, .end = 0x0fc4fffffffULL }, + { .nid = 0, .start = 0x10000000000ULL, .end = 0x103ffffffffULL }, + { .nid = 1, .start = 0x10400000000ULL, .end = 0x203ffffffffULL }, + }, + .ram = { + { .start = 0x00000000000ULL, .end = 0x0000009ffffULL }, + { .start = 0x00000100000ULL, .end = 0x000165bffffULL }, + { .start = 0x00016600000ULL, .end = 0x0001aa1dfffULL }, + { .start = 0x0001aa1f000ULL, .end = 0x0001aa53fffULL }, + { .start = 0x0001aab8000ULL, .end = 0x0001aac6fffULL }, + { .start = 0x0001aacc000ULL, .end = 0x0006f3fefffULL }, + { .start = 0x00075dff000ULL, .end = 0x00075dfffffULL }, + { .start = 0x00076000000ULL, .end = 0x000a7ffffffULL }, + { .start = 0x00100010000ULL, .end = 0x0fc43ffffffULL }, + { .start = 0x0fc45000000ULL, .end = 0x0fc47ffffffULL }, + { .start = 0x0fc49000000ULL, .end = 0x0fc4bffffffULL }, + { .start = 0x0fc4d000000ULL, .end = 0x0fc4d3bffffULL }, + { .start = 0x0fc4f000000ULL, .end = 0x0fc4f0fffffULL }, + { .start = 0x10000000000ULL, .end = 0x203fd7fffffULL }, + }, + }, + /* + * Reduction of the issue above: introduce an unaligned middle region + * with regards to the hash shift. + */ + { + .affinity = { + { .nid = 0, .start = 0x00000ULL, .end = 0x00fffULL }, + /* + * The offset of the region below is not aligned with the hash + * shift: the shift calculation only takes into account the + * start of node address. + */ + { .nid = 0, .start = 0x01000ULL, .end = 0x04fffULL }, + { .nid = 1, .start = 0x14000ULL, .end = 0x14fffULL }, + }, + .ram = { + { .start = 0x00000ULL, .end = 0x04fffULL }, + { .start = 0x14000ULL, .end = 0x14fffULL }, + }, + }, }; int ret_code = EXIT_SUCCESS; diff --git a/xen/common/numa.c b/xen/common/numa.c index 8544a15982..92f8f1cedc 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c @@ -405,6 +405,12 @@ static int __init populate_memnodemap(const struct node *nodes, if ( (epdx >> shift) >= memnodemapsize ) return 0; + /* + * Round down start address: if start is not aligned to the memnodemap + * chunk size the tail remainder might not be added. Overlaps created + * by rounding will fall into the same NUMA region. + */ + spdx = ROUNDDOWN(spdx, 1UL << shift); do { if ( memnodemap[spdx >> shift] != NUMA_NO_NODE && (!nodeids || memnodemap[spdx >> shift] != nodeids[i]) ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 08 09:22:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 09:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331477.1594035 (Exim 4.92) (envelope-from ) id 1wWWBH-0002TD-HU; Mon, 08 Jun 2026 09:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331477.1594035; Mon, 08 Jun 2026 09:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWWBH-0002T4-Es; Mon, 08 Jun 2026 09:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1331477; Mon, 08 Jun 2026 09:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWWBG-0002Sx-7l for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 09:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWWBG-0002Z6-1O for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 09:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWWBG-000ZtI-0D for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 09:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wZmJ2goPeDGy1ndBAe4zzRczbQqp0u3+8LnJdIWG6k4=; b=pi2WX9s76Me7vismSGNFLJfzRN N2vw/OugSP8Ue1nta6PFWRiE81hm8TGK1SmsZOIClIYDclHcP9KHWn9k3u8J2zWDUWe4tiV2JISST 4fc6sy/cHKjcKN3eDdupAwQ/T3+XG0D3Kyyu//A1coRWVcff8Wqup3QnBDnJ0JXnPRMw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/hvm: Partially revert ("xen/mem_access: wrap memory access when VM_EVENT=n") Message-Id: Date: Mon, 08 Jun 2026 09:22:02 +0000 commit d2ddd2beff0feda877cc6d8a0e9ca97e848bcb78 Author: Andrew Cooper AuthorDate: Fri Jun 5 20:28:35 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 10:07:05 2026 +0100 x86/hvm: Partially revert ("xen/mem_access: wrap memory access when VM_EVENT=n") It is erroneous to check current like this; most commonly, introspection is dom0 issuing hypercalls against domU. The use of vm_event_is_enabled() is only for the IS_ENABLED(CONFIG_VM_EVENT) short circut, so just use that directly. Reported-by: Hady Azzam Fixes: b18e38e42da6 ("xen/mem_access: wrap memory access when VM_EVENT=n") Signed-off-by: Andrew Cooper Reviewed-by: Jason Andryuk Tested-by: Hady Azzam Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/hvm/hvm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index f759a397c5..cbcef18449 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -4789,7 +4789,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_set_mem_access: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; @@ -4804,7 +4804,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_set_mem_access_multi: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; @@ -4841,7 +4841,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_get_mem_access: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 08 13:11:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331642.1594194 (Exim 4.92) (envelope-from ) id 1wWZkt-0003GE-UL; Mon, 08 Jun 2026 13:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331642.1594194; Mon, 08 Jun 2026 13:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZkt-0003G6-Qt; Mon, 08 Jun 2026 13:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1331642; Mon, 08 Jun 2026 13:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZks-0003G0-J2 for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZks-0006pJ-2X for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZks-0022k3-1I for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TdryZ2cTt+0dKayvuL0NTuGVywmGyh2yaCqzb5NDWJU=; b=MsOaUhlwwUCTMpclzL9RyJeQAv U4JPIHCT8TL2fvmYRExbxyyfQbYW1r7pl5G+S3m2fSGJ6eTvPzD3/8yJ+SZ2YRlm49dH1eokvCGvT BkVybXIN+meiC4v/VfwQt8XYoOKuaX7fWR7qZEPjHfm+BLbsbFKGIgim0jYT85V29YHk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/configure: Detect the presence of liblz4 Message-Id: Date: Mon, 08 Jun 2026 13:11:02 +0000 commit 924c0ff17fca4f4527e8076f8d6b88dd39176dc8 Author: Andrew Cooper AuthorDate: Tue May 5 12:42:00 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 tools/configure: Detect the presence of liblz4 As with other compression libraries, group liblz4 into ZLIB_{CFLAGS,LIBS}. Add the packages to the Debian Trixie build containers for coverage. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- automation/build/debian/13-arm64v8.dockerfile | 1 + automation/build/debian/13-x86_64.dockerfile | 1 + tools/configure | 79 +++++++++++++++++++++++++++ tools/configure.ac | 4 ++ 4 files changed, 85 insertions(+) diff --git a/automation/build/debian/13-arm64v8.dockerfile b/automation/build/debian/13-arm64v8.dockerfile index b9062ee8b4..ee9bb841eb 100644 --- a/automation/build/debian/13-arm64v8.dockerfile +++ b/automation/build/debian/13-arm64v8.dockerfile @@ -28,6 +28,7 @@ RUN <&6; } ZLIB_LIBS="$ZLIB_LIBS $libzstd_LIBS" fi +pkg_failed=no +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for liblz4" >&5 +printf %s "checking for liblz4... " >&6; } + +if test -n "$liblz4_CFLAGS"; then + pkg_cv_liblz4_CFLAGS="$liblz4_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "liblz4") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_liblz4_CFLAGS=`$PKG_CONFIG --cflags "liblz4" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$liblz4_LIBS"; then + pkg_cv_liblz4_LIBS="$liblz4_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "liblz4") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_liblz4_LIBS=`$PKG_CONFIG --libs "liblz4" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + liblz4_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "liblz4" 2>&1` + else + liblz4_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "liblz4" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$liblz4_PKG_ERRORS" >&5 + + true +elif test $pkg_failed = untried; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + true +else + liblz4_CFLAGS=$pkg_cv_liblz4_CFLAGS + liblz4_LIBS=$pkg_cv_liblz4_LIBS + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_LZ4 $liblz4_CFLAGS" + ZLIB_LIBS="$ZLIB_LIBS $liblz4_LIBS" +fi + ac_fn_c_check_header_compile "$LINENO" "ext2fs/ext2fs.h" "ac_cv_header_ext2fs_ext2fs_h" "$ac_includes_default" diff --git a/tools/configure.ac b/tools/configure.ac index ecd45e782e..74b9f56025 100644 --- a/tools/configure.ac +++ b/tools/configure.ac @@ -403,6 +403,10 @@ PKG_CHECK_MODULES([libzstd], [libzstd], [ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_ZSTD $libzstd_CFLAGS" ZLIB_LIBS="$ZLIB_LIBS $libzstd_LIBS"], [true]) +PKG_CHECK_MODULES([liblz4], [liblz4], + [ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_LZ4 $liblz4_CFLAGS" + ZLIB_LIBS="$ZLIB_LIBS $liblz4_LIBS"], + [true]) AC_SUBST([ZLIB_CFLAGS]) AC_SUBST([ZLIB_LIBS]) AX_CHECK_EXTFS -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 08 13:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331644.1594198 (Exim 4.92) (envelope-from ) id 1wWZl3-0003I3-V0; Mon, 08 Jun 2026 13:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331644.1594198; Mon, 08 Jun 2026 13:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZl3-0003Hv-SK; Mon, 08 Jun 2026 13:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1331644; Mon, 08 Jun 2026 13:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZl2-0003Hn-Lo for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZl2-0006pN-2x for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZl2-0022oS-1p for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gFieHoPVnAAj0+tKMfRNqY0EIlRhh2+Wp3oSH9jAmMA=; b=6+KPbnm1rQ3AP+0lbtofuNoENH QOi3ujkjS39cxvL813A4D5987TiN0QhBh7EzTvkRwvBh6z857tRYd4LXWzIDZ+Xgk1jA8WmQiITTE eW3xBxYsncLBCXwFXeBydbaCiyI1zH1c2yhuPtSkYHuKHSH2G3xgvIPSpYDGRa80muO8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/libs/guest: Use the system liblz4 in the bzimage loader Message-Id: Date: Mon, 08 Jun 2026 13:11:12 +0000 commit 38492dc098a19e851a916a9e441008083538bc69 Author: Andrew Cooper AuthorDate: Tue May 5 12:52:03 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 tools/libs/guest: Use the system liblz4 in the bzimage loader Right now lz4, unlike every other compression scheme, unconditionally uses Xen's unsafe decompressor. Make it consistent with all other compression schemes by using liblz4. The unsafe decompression is still required for the MiniOS build, so rename xg_dom_decompress_lz4.c to xg_dom_decompress_unsafe_lz4.c and drop the non-MiniOS content. Signed-off-by: Andrew Cooper Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- CHANGELOG.md | 1 + tools/libs/guest/Makefile.common | 2 +- tools/libs/guest/xg_dom_bzimageloader.c | 128 ++++++++++++++++++++- tools/libs/guest/xg_dom_decompress.h | 6 - tools/libs/guest/xg_dom_decompress_lz4.c | 143 ------------------------ tools/libs/guest/xg_dom_decompress_unsafe.h | 2 + tools/libs/guest/xg_dom_decompress_unsafe_lz4.c | 39 +++++++ 7 files changed, 170 insertions(+), 151 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1db3efc486..5cf19372a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) represent a wildcard input. - On x86: - Enable pf-fixup option by default for PVH dom0. + - The libxenguest bzImage loader now uses the system liblz4 library. ### Added - Support for per-domain Xenstore quota in C xenstored (includes diff --git a/tools/libs/guest/Makefile.common b/tools/libs/guest/Makefile.common index b928a4a246..86b1f160e5 100644 --- a/tools/libs/guest/Makefile.common +++ b/tools/libs/guest/Makefile.common @@ -46,7 +46,6 @@ OBJS-y += xg_dom_core.o OBJS-y += xg_dom_boot.o OBJS-y += xg_dom_elfloader.o OBJS-$(CONFIG_X86) += xg_dom_bzimageloader.o -OBJS-$(CONFIG_X86) += xg_dom_decompress_lz4.o OBJS-$(CONFIG_X86) += xg_dom_hvmloader.o OBJS-$(CONFIG_ARM) += xg_dom_armzimageloader.o OBJS-y += xg_dom_binloader.o @@ -59,6 +58,7 @@ OBJS-$(CONFIG_ARM) += xg_dom_arm.o ifeq ($(CONFIG_LIBXC_MINIOS),y) OBJS-y += xg_dom_decompress_unsafe.o OBJS-y += xg_dom_decompress_unsafe_bzip2.o +OBJS-y += xg_dom_decompress_unsafe_lz4.o OBJS-y += xg_dom_decompress_unsafe_lzma.o OBJS-y += xg_dom_decompress_unsafe_lzo1x.o OBJS-y += xg_dom_decompress_unsafe_xz.o diff --git a/tools/libs/guest/xg_dom_bzimageloader.c b/tools/libs/guest/xg_dom_bzimageloader.c index 1fb4e5a1f7..32b3c682a4 100644 --- a/tools/libs/guest/xg_dom_bzimageloader.c +++ b/tools/libs/guest/xg_dom_bzimageloader.c @@ -32,7 +32,6 @@ #include #include "xg_private.h" -#include "xg_dom_decompress.h" #include @@ -623,6 +622,133 @@ static int xc_try_zstd_decode( #endif +#if defined(HAVE_LZ4) + +#include + +#define ARCHIVE_MAGICNUMBER 0x184C2102 + +static int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) +{ + size_t outsize, insize; + unsigned char *outbuf = NULL, *inp = *blob, *outp; + uint32_t chunksize; + + /* Magic, descriptor byte, and trailing size field. */ + if ( *size <= 8 ) + { + DOMPRINTF("LZ4: insufficient input data"); + goto err; + } + + insize = *size - 4; + outsize = get_unaligned_le32(*blob + insize); + + if ( xc_dom_kernel_check_size(dom, outsize) ) + { + DOMPRINTF("LZ4: output too large"); + goto err; + } + + outbuf = malloc(outsize); + if ( !outbuf ) + { + DOMPRINTF("LZ4: failed to alloc memory"); + goto err; + } + outp = outbuf; + + chunksize = get_unaligned_le32(inp); + if ( chunksize == ARCHIVE_MAGICNUMBER ) + { + inp += 4; + insize -= 4; + } + else + { + DOMPRINTF("LZ4: invalid header"); + goto err; + } + + for ( ;; ) + { + int dst_len, len; + + if ( insize < 4 ) + { + DOMPRINTF("LZ4: missing data"); + goto err; + } + + chunksize = get_unaligned_le32(inp); + inp += 4; + insize -= 4; + + if ( chunksize == ARCHIVE_MAGICNUMBER ) + continue; + + if ( chunksize > insize ) + { + DOMPRINTF("LZ4: insufficient input data"); + goto err; + } + + dst_len = outsize - (outp - outbuf); + len = LZ4_decompress_safe((const void *)inp, + (void *)outp, chunksize, dst_len); + + if ( len < 0 ) + { + DOMPRINTF("LZ4: decoding failed"); + goto err; + } + + outp += len; + inp += chunksize; + insize -= chunksize; + + if ( insize == 0 ) + break; + } + + if ( (outp - outbuf) != outsize ) + { + DOMPRINTF("LZ4: got 0x%zx bytes instead of 0x%zx", + outp - outbuf, outsize); + goto err; + } + + if ( xc_dom_register_external(dom, outbuf, outsize) ) + { + DOMPRINTF("LZ4: error registering stream output"); + goto err; + } + + DOMPRINTF("%s: LZ4 decompress OK, 0x%zx -> 0x%zx", + __FUNCTION__, insize, outsize); + + *blob = outbuf; + *size = outsize; + + return 0; + + err: + free(outbuf); + return -1; +} + +#else /* !defined(HAVE_LZ4) */ + +static int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) +{ + xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, + "%s: LZ4 decompress support unavailable\n", + __FUNCTION__); + return -1; +} + +#endif + #endif /* !__MINIOS__ */ struct setup_header { diff --git a/tools/libs/guest/xg_dom_decompress.h b/tools/libs/guest/xg_dom_decompress.h deleted file mode 100644 index d7a45f730d..0000000000 --- a/tools/libs/guest/xg_dom_decompress.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifdef __MINIOS__ -# include "xg_dom_decompress_unsafe.h" -#endif - -int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size); - diff --git a/tools/libs/guest/xg_dom_decompress_lz4.c b/tools/libs/guest/xg_dom_decompress_lz4.c deleted file mode 100644 index 53ef0bf328..0000000000 --- a/tools/libs/guest/xg_dom_decompress_lz4.c +++ /dev/null @@ -1,143 +0,0 @@ -#include -#include -#include -#include - -#include INCLUDE_ENDIAN_H - -#define XG_NEED_UNALIGNED -#include "xg_private.h" -#include "xg_dom_decompress.h" - -#define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; - -#define likely(a) a -#define unlikely(a) a - -static inline uint16_t le16_to_cpu(uint16_t v) -{ -#if BYTE_ORDER == BIG_ENDIAN - return __builtin_bswap16(v); -#else - return v; -#endif -} - -#include "../../xen/include/xen/lz4.h" -#include "../../xen/common/decompress.h" - -#ifndef __MINIOS__ - -#include "../../xen/common/lz4/decompress.c" - -#define ARCHIVE_MAGICNUMBER 0x184C2102 - -int xc_try_lz4_decode( - struct xc_dom_image *dom, void **blob, size_t *psize) -{ - int ret = -1; - unsigned char *inp = *blob, *output, *outp; - ssize_t size = *psize - 4; - size_t out_len, dest_len, chunksize; - const char *msg; - - if (size < 4) { - msg = "input too small"; - goto exit_0; - } - - out_len = get_unaligned_le32(inp + size); - if (xc_dom_kernel_check_size(dom, out_len)) { - msg = "Decompressed image too large"; - goto exit_0; - } - - output = malloc(out_len); - if (!output) { - msg = "Could not allocate output buffer"; - goto exit_0; - } - outp = output; - - chunksize = get_unaligned_le32(inp); - if (chunksize == ARCHIVE_MAGICNUMBER) { - inp += 4; - size -= 4; - } else { - msg = "invalid header"; - goto exit_2; - } - - for (;;) { - if (size < 4) { - msg = "missing data"; - goto exit_2; - } - chunksize = get_unaligned_le32(inp); - if (chunksize == ARCHIVE_MAGICNUMBER) { - inp += 4; - size -= 4; - continue; - } - inp += 4; - size -= 4; - if (chunksize > size) { - msg = "insufficient input data"; - goto exit_2; - } - - dest_len = out_len - (outp - output); - ret = lz4_decompress_unknownoutputsize(inp, chunksize, outp, - &dest_len); - if (ret < 0) { - msg = "decoding failed"; - goto exit_2; - } - - ret = -1; - outp += dest_len; - size -= chunksize; - - if (size == 0) - { - if ( xc_dom_register_external(dom, output, out_len) ) - { - msg = "Error registering stream output"; - goto exit_2; - } - *blob = output; - *psize = out_len; - return 0; - } - - if (size < 0) { - msg = "data corrupted"; - goto exit_2; - } - - inp += chunksize; - } - -exit_2: - free(output); -exit_0: - DOMPRINTF("LZ4 decompression error: %s\n", msg); - return ret; -} - -#else /* __MINIOS__ */ - -#include "../../xen/common/unlz4.c" - -int xc_try_lz4_decode( - struct xc_dom_image *dom, void **blob, size_t *size) -{ - return xc_dom_decompress_unsafe(unlz4, dom, blob, size); -} - -#endif diff --git a/tools/libs/guest/xg_dom_decompress_unsafe.h b/tools/libs/guest/xg_dom_decompress_unsafe.h index ac6b94288d..5bc2222076 100644 --- a/tools/libs/guest/xg_dom_decompress_unsafe.h +++ b/tools/libs/guest/xg_dom_decompress_unsafe.h @@ -16,6 +16,8 @@ int xc_dom_decompress_unsafe( int xc_try_bzip2_decode(struct xc_dom_image *dom, void **blob, size_t *size) __attribute__((visibility("internal"))); +int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) + __attribute__((visibility("internal"))); int xc_try_lzma_decode(struct xc_dom_image *dom, void **blob, size_t *size) __attribute__((visibility("internal"))); int xc_try_lzo1x_decode(struct xc_dom_image *dom, void **blob, size_t *size) diff --git a/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c b/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c new file mode 100644 index 0000000000..405143aa61 --- /dev/null +++ b/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c @@ -0,0 +1,39 @@ +#include +#include +#include +#include + +#include INCLUDE_ENDIAN_H + +#define XG_NEED_UNALIGNED +#include "xg_private.h" +#include "xg_dom_decompress.h" + +#define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; +typedef uint64_t u64; + +#define likely(a) a +#define unlikely(a) a + +static inline uint16_t le16_to_cpu(uint16_t v) +{ +#if BYTE_ORDER == BIG_ENDIAN + return __builtin_bswap16(v); +#else + return v; +#endif +} + +#include "../../xen/include/xen/lz4.h" +#include "../../xen/common/decompress.h" +#include "../../xen/common/unlz4.c" + +int xc_try_lz4_decode( + struct xc_dom_image *dom, void **blob, size_t *size) +{ + return xc_dom_decompress_unsafe(unlz4, dom, blob, size); +} -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 08 13:11:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331645.1594203 (Exim 4.92) (envelope-from ) id 1wWZlE-0003KE-0n; Mon, 08 Jun 2026 13:11:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331645.1594203; Mon, 08 Jun 2026 13:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlD-0003K6-Tk; Mon, 08 Jun 2026 13:11:23 +0000 Received: by outflank-mailman (input) for mailman id 1331645; Mon, 08 Jun 2026 13:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlC-0003Jz-PO for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZlD-0006pX-06 for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZlC-0022uy-2F for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ozP+ID63ogoA/uAD+nFbs0e6nkEV5++KhWLP2Y3e6g8=; b=ItmVzX2ZPXxfoS0CaOoFkpkY6K Z9CB9x+jGhHP2mj7qqTNHDEWrMA/yWzh14/VoHIn8c0QlKo2Kc/8BsiI8QOvTGud43wlGLbudLzei BUriCd4e9f+X+b4ML7Kq3Gk0LTzcZL7SslJ80a9VclXIZ6FtIjh06pNPAL6CyN0Z1ils=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs: remove non-breaking space from xen-command-line Message-Id: Date: Mon, 08 Jun 2026 13:11:22 +0000 commit f12caafc04328f979a805378a703fc718ede59a4 Author: Roger Pau Monne AuthorDate: Mon Jun 8 10:24:40 2026 +0200 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 docs: remove non-breaking space from xen-command-line Fixes rendering of the generated html. Fixes: 31d9c88a3857 ("pdx: introduce command line compression toggle") Signed-of-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- docs/misc/xen-command-line.pandoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 93c2a73f4a..1c711fa980 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2082,7 +2082,7 @@ for all of them (`true`), only for those subject to XPTI (`xpti`) or for those not subject to XPTI (`no-xpti`). The feature is used only in case INVPCID is supported and not disabled via `invpcid=false`. -### pdx-compress +### pdx-compress > `= ` > Default: `true` if CONFIG_PDX_NONE is unset -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 08 13:11:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331646.1594206 (Exim 4.92) (envelope-from ) id 1wWZlO-0003M9-1l; Mon, 08 Jun 2026 13:11:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331646.1594206; Mon, 08 Jun 2026 13:11:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlN-0003M1-VI; Mon, 08 Jun 2026 13:11:33 +0000 Received: by outflank-mailman (input) for mailman id 1331646; Mon, 08 Jun 2026 13:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlM-0003Lv-Rx for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZlN-0006pd-0N for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZlM-0022zf-2b for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iMkL9ntIala9tORedRwlbcpeU4kCxuJqGcYsnrmjq2s=; b=CX4v2/gtrZbJOUvKv7vSqkPj3G 4fvlF8no6kTNKfCO23EqFYoqeHiFGB+w0MRja0DrgEowi2lvz7PGcZln4WhFZR025v8sMgqeW+dvD hvG4LmIpHxccGy/SPHVIKrFWC2Km8JCEjrdFgCbeg3GR3CGeE3K9lLqiBCdfFEKyLzGk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Drop test-artifacts/Makefile Message-Id: Date: Mon, 08 Jun 2026 13:11:32 +0000 commit e58d8aa17197800d6bf1206cbb5053fba7526ad7 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:38:40 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Drop test-artifacts/Makefile This is unused since commit 3c0c177ff904 ("CI: Switch qemu-arm* jobs to using the distro provided QEMU"), and wants never to return. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/tests-artifacts/Makefile | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/automation/tests-artifacts/Makefile b/automation/tests-artifacts/Makefile deleted file mode 100644 index 80a60a94f3..0000000000 --- a/automation/tests-artifacts/Makefile +++ /dev/null @@ -1,19 +0,0 @@ - -# the base of where these containers will appear -REGISTRY := registry.gitlab.com/xen-project/xen/tests-artifacts -CONTAINERS = $(subst .dockerfile,,$(wildcard */*.dockerfile)) - -help: - @echo "Containers to build and export tests artifacts." - @echo "To build one run 'make ARTIFACT/VERSION'. Available containers:" - @$(foreach file,$(sort $(CONTAINERS)),echo ${file};) - @echo "To push container builds, set the env var PUSH" - -%: %.dockerfile ## Builds containers - $(DOCKER_CMD) build --pull -t $(REGISTRY)/$(@D):$(@F) -f $< $( Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331647.1594212 (Exim 4.92) (envelope-from ) id 1wWZlY-0003OA-4B; Mon, 08 Jun 2026 13:11:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331647.1594212; Mon, 08 Jun 2026 13:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlY-0003O1-0M; Mon, 08 Jun 2026 13:11:44 +0000 Received: by outflank-mailman (input) for mailman id 1331647; Mon, 08 Jun 2026 13:11:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlW-0003Nu-Ul for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZlX-0006ph-0e for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZlW-00233f-2s for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qAdFvX4w1zQJIvUfA/cRfScn6Bg5AOGzrQSNyh0mopg=; b=RegG65bBprteh7hw/YTx5aigkA 2wggW/fV6JvkEoKAiLoMNWseoVs4rsplEhlgMosbpfsWTeo/yWmn2NE9H3qw0ISOH0QTxHEvolps7 a9sae9j9f1Z7v2S//k5VnSuidcJosJ10S9Spw+6RDP+YxMKkY3821jdfZ5fMyewWVXeA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Swap ocaml-nox for ocaml in newer Debian/Ubuntu Message-Id: Date: Mon, 08 Jun 2026 13:11:42 +0000 commit fdcc559661cf41390fe2b15b4ad09bd6518fa5f3 Author: Andrew Cooper AuthorDate: Fri Jun 5 14:19:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Swap ocaml-nox for ocaml in newer Debian/Ubuntu Ocaml 4.08 and earlier had the compiler package depend on graphics, and therefore on X. Ocaml 4.09 and later dropped this dependency. Debian and Ubuntu versions with Ocaml 4.08 and earlier (which are Debian Bullseye/11, and Ubuntu Focal/20.04 and earlier) had ocaml-nox packages with this dependency stripped, which we use to keep the size of the containers down. In newer versions of Debian and Ubuntu, ocaml-nox is just a transitional package referring back to ocaml. Ubuntu Resolute/26.04 has finally removed this transitional package. For all versions where ocaml-nox is just a transitional package, swap to the ocaml package. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/debian/12-arm64v8.dockerfile | 2 +- automation/build/debian/12-x86_32.dockerfile | 2 +- automation/build/debian/12-x86_64.dockerfile | 2 +- automation/build/debian/13-arm64v8.dockerfile | 2 +- automation/build/debian/13-x86_32.dockerfile | 2 +- automation/build/debian/13-x86_64.dockerfile | 2 +- automation/build/ubuntu/22.04-x86_64.dockerfile | 2 +- automation/build/ubuntu/24.04-x86_64.dockerfile | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/automation/build/debian/12-arm64v8.dockerfile b/automation/build/debian/12-arm64v8.dockerfile index c0e08a010f..5cc4de822c 100644 --- a/automation/build/debian/12-arm64v8.dockerfile +++ b/automation/build/debian/12-arm64v8.dockerfile @@ -46,7 +46,7 @@ RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331648.1594213 (Exim 4.92) (envelope-from ) id 1wWZli-0003Re-6I; Mon, 08 Jun 2026 13:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331648.1594213; Mon, 08 Jun 2026 13:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZli-0003RW-3k; Mon, 08 Jun 2026 13:11:54 +0000 Received: by outflank-mailman (input) for mailman id 1331648; Mon, 08 Jun 2026 13:11:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlh-0003RQ-1b for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZlh-0006s0-0x for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZlg-00237O-39 for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7wPtjtV0dZwLMhn6MlkLtDNgzSc4Twg54uhcji5n8y8=; b=00Dnc254pcJhwgQ0bKFhG7cXFV Q9DdNSatytYn5KbYjKPZob9v/FJhdGMizoNIn5gYJHQ/AvJsqJgUdwGHDW6Em0W+hnwc9Ai+muoOy RFmN7pR7mnxsOzCQ6TglcamLBQ+aC6q5xVqJbydBuKsL+UGrZ1KO+YckmjSKG3zSsGME=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Drop Ubuntu 16.04 Message-Id: Date: Mon, 08 Jun 2026 13:11:52 +0000 commit def7f9ef58c17f93fc3608e3feb6fec70c80d037 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:27:40 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Drop Ubuntu 16.04 Ubuntu 16.04 is now fully out of support. Introduce an 18.04 GCC Debug job in lieu of losing the 16.04 job. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/16.04-x86_64.dockerfile | 65 ------------------------- automation/gitlab-ci/build.yaml | 11 ++--- 2 files changed, 3 insertions(+), 73 deletions(-) diff --git a/automation/build/ubuntu/16.04-x86_64.dockerfile b/automation/build/ubuntu/16.04-x86_64.dockerfile deleted file mode 100644 index 72a46389fa..0000000000 --- a/automation/build/ubuntu/16.04-x86_64.dockerfile +++ /dev/null @@ -1,65 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 ubuntu:16.04 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -ENV DEBIAN_FRONTEND=noninteractive - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:12:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331649.1594218 (Exim 4.92) (envelope-from ) id 1wWZls-0003Tu-7c; Mon, 08 Jun 2026 13:12:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331649.1594218; Mon, 08 Jun 2026 13:12:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZls-0003Tm-52; Mon, 08 Jun 2026 13:12:04 +0000 Received: by outflank-mailman (input) for mailman id 1331649; Mon, 08 Jun 2026 13:12:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZlr-0003Tg-4g for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZlr-0006sH-1H for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZlr-0023CU-0E for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xm9kgdzVf9U54TM86bjGqNEnxXe3aL0mwQpwaPqWDs0=; b=uOQVDUKPIRPV7JtjzOqrQOdk52 iEWmR5nITJ/ntEaPsSJqZYqsYTeQEU8SmnBG1REajppQGqnGTQLusxyZ0P9ZImALU7mWVoM74ptAU nirs9LrNwWxe3X3tfwOf+mFC0cGYdcVhxQlw53W4+8ruuDIkTUMkoAmXJV3cyD0HNVIY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Add Ubuntu 26.04 Message-Id: Date: Mon, 08 Jun 2026 13:12:03 +0000 commit 58d797e1ac4ae2e5abdd3030fa02d771b087f022 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:37:30 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Add Ubuntu 26.04 Swap yajl for json-c, given the deprecation of the former. Add lz4. Add 26.04 GCC/Clang debug/non-debug jobs. Drop the 24.04 debug jobs to keep the overall job count down. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/26.04-x86_64.dockerfile | 75 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 22 ++++++-- 2 files changed, 91 insertions(+), 6 deletions(-) diff --git a/automation/build/ubuntu/26.04-x86_64.dockerfile b/automation/build/ubuntu/26.04-x86_64.dockerfile new file mode 100644 index 0000000000..be7298e5e8 --- /dev/null +++ b/automation/build/ubuntu/26.04-x86_64.dockerfile @@ -0,0 +1,75 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 ubuntu:26.04 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +ENV DEBIAN_FRONTEND=noninteractive + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:12:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331650.1594222 (Exim 4.92) (envelope-from ) id 1wWZm2-0003Vz-9M; Mon, 08 Jun 2026 13:12:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331650.1594222; Mon, 08 Jun 2026 13:12:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZm2-0003Vp-6M; Mon, 08 Jun 2026 13:12:14 +0000 Received: by outflank-mailman (input) for mailman id 1331650; Mon, 08 Jun 2026 13:12:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZm1-0003Vj-7H for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZm1-0006sL-1W for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZm1-0023GD-0Y for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rFTG01BygoaUP6x/souMC/Phd4WhgUc0pA5Kuxr6hWg=; b=eMSrJOtAcsCUIptgPDuBhD0AYN BmdLaers/hHCoPEHlptfMcbkC+gf6UHMHEd71NKlUVDsO6dVaOPFMFX9TeaaVjZ/u4MHlhOFQ22Pp 2+xcGw7c1KPAGRPrTRWc/1bVe0gwy9x8cc8onsRiA78DAKuq8Rs5KwixsTh+ZZ6ZBVQg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Update Fedora to 43 Message-Id: Date: Mon, 08 Jun 2026 13:12:13 +0000 commit 58eaf63b82bc9665df0b976293b8f4c032c564d5 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:41:31 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Update Fedora to 43 Swap yajl for json-c, given the deprecation of the former. Add lz4. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/fedora/41-x86_64.dockerfile | 78 --------------------------- automation/build/fedora/43-x86_64.dockerfile | 79 ++++++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 8 +-- 3 files changed, 83 insertions(+), 82 deletions(-) diff --git a/automation/build/fedora/41-x86_64.dockerfile b/automation/build/fedora/41-x86_64.dockerfile deleted file mode 100644 index e33329aedc..0000000000 --- a/automation/build/fedora/41-x86_64.dockerfile +++ /dev/null @@ -1,78 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 fedora:41 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 13:12:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1331651.1594226 (Exim 4.92) (envelope-from ) id 1wWZmC-0003Xu-Am; Mon, 08 Jun 2026 13:12:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1331651.1594226; Mon, 08 Jun 2026 13:12:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZmC-0003Xm-85; Mon, 08 Jun 2026 13:12:24 +0000 Received: by outflank-mailman (input) for mailman id 1331651; Mon, 08 Jun 2026 13:12:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWZmB-0003Xg-9a for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWZmB-0006sR-1l for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWZmB-0023Jv-0n for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 13:12:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7qHKtargI++WwTZ1xgyxQO2LzMw6PiOtNAxYBc3FDQk=; b=kxt62sbqdTmmJrq1p1g8Gzae6T ISEvoRu9OyNfdB33tNNikBu7R4UQ6YJoVV7nIMAaZ+dFFWVzdRtn591Lnw/JIDlZrySET6O2G9pw9 udmpAPMDb+BlpOuQQuUlxAb1G8xndOMrS2RyHyd+mOZivukxPQ918IpofCwLCPaDX5q4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Update Opensuse 15.6 to 16.0 Message-Id: Date: Mon, 08 Jun 2026 13:12:23 +0000 commit 37df17d2f903503c619713eb01e488f2cb1a257f Author: Andrew Cooper AuthorDate: Fri Jun 5 13:47:24 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Update Opensuse 15.6 to 16.0 The default version of python is 3.13, so drop the 3.11 overrides. Swap yajl for json-c, given the deprecation of the former. Add lz4. bin86/dev86 are no longer available. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- .../build/opensuse/leap-15.6-x86_64.dockerfile | 81 ---------------------- .../build/opensuse/leap-16.0-x86_64.dockerfile | 78 +++++++++++++++++++++ automation/gitlab-ci/build.yaml | 16 ++--- 3 files changed, 86 insertions(+), 89 deletions(-) diff --git a/automation/build/opensuse/leap-15.6-x86_64.dockerfile b/automation/build/opensuse/leap-15.6-x86_64.dockerfile deleted file mode 100644 index 33db3ecd63..0000000000 --- a/automation/build/opensuse/leap-15.6-x86_64.dockerfile +++ /dev/null @@ -1,81 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 opensuse/leap:15.6 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -ENV PYTHON=python3.11 -ENV XEN_TARGET_ARCH=x86_64 - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 08 Jun 2026 22:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1332125.1594766 (Exim 4.92) (envelope-from ) id 1wWiBT-0003FT-1W; Mon, 08 Jun 2026 22:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1332125.1594766; Mon, 08 Jun 2026 22:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWiBS-0003FL-UN; Mon, 08 Jun 2026 22:11:02 +0000 Received: by outflank-mailman (input) for mailman id 1332125; Mon, 08 Jun 2026 22:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWiBR-0003FF-Om for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 22:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWiBR-000HMn-3B for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 22:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWiBR-005MXT-26 for xen-changelog@lists.xenproject.org; Mon, 08 Jun 2026 22:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZxMmLeeBlMJ403H1um+CGG+KOQJVui4sOykABgF2o8o=; b=CsNZkFfKOpOQlRm3Cnh0oAyNR2 YsAEsJHKzYMrB5UN0EpbHGraeZjy/hYkAsLfTJTZz9i8s1Ya4QnjBBnl8xvtO6PE90vIrjUUU6jWf Nim88N4urKIfXaiXRaZv3QJ2NI8lhvD1ikx+RUc6g0hs6NbUwpihu98+xQhnUFsO9Ph0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Revert recent ARGO changes Message-Id: Date: Mon, 08 Jun 2026 22:11:01 +0000 commit ccd8c65794144b522efcccc165f829d766dc8efa Author: Andrew Cooper AuthorDate: Mon Jun 8 23:02:08 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 23:03:22 2026 +0100 Revert recent ARGO changes This reverts commit 3c4e804607a5a1254b168d88572cb9ec311543a9. This reverts commit 957f0f0b739142513f517979f4301b8d0dd1e855. This reverts commit 2bc9bc1978ad02e03d16026ad2d2e9641ddc29fb. This reverts commit 03ebee6ed8105ff6ad12d6df428dfd4cab647691. This reverts commit a9720605b6a556e76be7b4d5a59559942cb1852e. These were committed without a maintainer ack, and therefore in contravention of policy. Signed-off-by: Andrew Cooper --- xen/common/Kconfig | 6 ------ xen/common/argo.c | 22 ++++++++++++---------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 79b7fa62e7..5ff71480ee 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -491,12 +491,6 @@ config ARGO If unsure, say N. -config ARGO_DEBUG - bool "Argo: enable debug traces (UNSUPPORTED)" - depends on ARGO - help - Enables extra debug traces for Argo debugging. - source "common/sched/Kconfig" config CRYPTO diff --git a/xen/common/argo.c b/xen/common/argo.c index b9b362064e..28626e00a8 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -318,10 +318,11 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ ((LOCKING_Read_L1 && spin_is_locked(&(d)->argo->send_L2_lock)) || \ LOCKING_Write_L1) +#define ARGO_DEBUG 0 #define argo_dprintk(fmt, args...) \ do { \ - if ( IS_ENABLED(CONFIG_ARGO_DEBUG) ) \ - gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ + if ( ARGO_DEBUG ) \ + printk(XENLOG_DEBUG "argo: " fmt, ##args); \ } while ( 0 ) /* @@ -473,7 +474,7 @@ ring_unmap(const struct domain *d, struct argo_ring_info *ring_info) continue; ASSERT(!mfn_eq(ring_info->mfns[i], INVALID_MFN)); - argo_dprintk("unmapping page %"PRI_mfn" from %p\n", + argo_dprintk(XENLOG_ERR "argo: unmapping page %"PRI_mfn" from %p\n", mfn_x(ring_info->mfns[i]), ring_info->mfn_mapping[i]); unmap_domain_page_global(ring_info->mfn_mapping[i]); @@ -1466,7 +1467,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, if ( ring_info->mfns ) { /* Ring already existed: drop the previous mapping. */ - argo_dprintk("vm%u re-register existing ring " + argo_dprintk("argo: vm%u re-register existing ring " "(vm%u:%x vm%u) clears mapping\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id); @@ -1526,7 +1527,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, { ASSERT(ring_info->nmfns == NPAGES_RING(len)); - argo_dprintk("vm%u ring (vm%u:%x vm%u) %p " + argo_dprintk("argo: vm%u ring (vm%u:%x vm%u) %p " "mfn_mapping %p len %u nmfns %u\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id, ring_info, @@ -1740,7 +1741,7 @@ register_ring(struct domain *currd, list_add(&ring_info->node, &currd->argo->ring_hash[hash_index(&ring_info->id)]); - argo_dprintk("vm%u registering ring (vm%u:%x vm%u)\n", + argo_dprintk("argo: vm%u registering ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -1780,7 +1781,7 @@ register_ring(struct domain *currd, goto out_unlock2; } - argo_dprintk("vm%u re-registering existing ring (vm%u:%x vm%u)\n", + argo_dprintk("argo: vm%u re-registering existing ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -2033,9 +2034,10 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr, src_id.domain_id); if ( !ring_info ) { - argo_dprintk("vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", - current->domain->domain_id, src_id.domain_id, src_id.aport, - dst_addr->domain_id, dst_addr->aport); + gprintk(XENLOG_ERR, + "argo: vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", + current->domain->domain_id, src_id.domain_id, src_id.aport, + dst_addr->domain_id, dst_addr->aport); ret = -ECONNREFUSED; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 10:33:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 10:33:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1332596.1595061 (Exim 4.92) (envelope-from ) id 1wWtlX-0005TR-5Z; Tue, 09 Jun 2026 10:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1332596.1595061; Tue, 09 Jun 2026 10:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtlX-0005TJ-2x; Tue, 09 Jun 2026 10:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1332596; Tue, 09 Jun 2026 10:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtlW-0005TD-4f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWtlW-001d7t-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWtlV-00ApHw-37 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Bp+B8UVYdcWQdy50h6eTDGAphvjBsFCyWJdfyWHfTzw=; b=I2985eZ7Ae9ClVsDOZuAPE4Y7L tm4HhMaSlwAk3ZkKCBF+hYlTPfPEMn7NeeD7UixJQYxspBD5sSuheo96VY/SWsHtA1YNyw+QlIMzK y0+LsuOaag05uyTNonxWAEcGORermQNcrV4hVlFmbS348GhTQWLcpHSZmhZFvlUe69Xg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/pdx: fix off-by-one index in offset mask calculation Message-Id: Date: Tue, 09 Jun 2026 10:33:01 +0000 commit edf942201dd112dee6b040f7eb0bf2b8a7608047 Author: Roger Pau Monne AuthorDate: Tue Jun 9 10:19:51 2026 +0200 Commit: Roger Pau Monne CommitDate: Tue Jun 9 11:43:24 2026 +0200 xen/pdx: fix off-by-one index in offset mask calculation Adjust the mask calculation in case the last range is merged with the previous one, as then the mask must be calculated from the previous range, which the current one has been merged into. Instead of fixing the off-by-one in place, move the calculation of the bit change mask to the next loop, after the ranges have been merged. This simplifies the logic by consolidating mask calculation in a single place, possibly making it less error prone in the future. Also add a test case that triggers the bug being fixed by this commit. Fixes: c5c45bcbd6a1 ("pdx: introduce a new compression algorithm based on region offsets") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/tests/pdx/test-pdx.c | 14 ++++++++++++++ xen/common/pdx.c | 13 ++++++------- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/tools/tests/pdx/test-pdx.c b/tools/tests/pdx/test-pdx.c index d783186577..4de8d43d86 100644 --- a/tools/tests/pdx/test-pdx.c +++ b/tools/tests/pdx/test-pdx.c @@ -191,6 +191,20 @@ int main(int argc, char **argv) }, .compress = false, }, + /* + * Dell R740, dual socket. Merging of ranges causes mask differences + * in PDX offset mode. Useful for checking mask calculations. + */ + { + .ranges = { + { .start = 0x0000000UL, .end = 0x0080000UL }, + { .start = 0x0100000UL, .end = 0x3070000UL }, + { .start = 0x3070000UL, .end = 0x3870000UL }, + { .start = 0x3870000UL, .end = 0x6870000UL }, + { .start = 0x6870000UL, .end = 0x7070000UL }, + }, + .compress = false, + }, }; int ret_code = EXIT_SUCCESS; diff --git a/xen/common/pdx.c b/xen/common/pdx.c index 7e070ff962..e7e16e193e 100644 --- a/xen/common/pdx.c +++ b/xen/common/pdx.c @@ -391,10 +391,7 @@ bool __init pfn_pdx_compression_setup(paddr_t base) if ( !i || ranges[i].base_pfn >= (ranges[i - 1].base_pfn + ranges[i - 1].pages) ) - { - mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); continue; - } ranges[i - 1].pages = ranges[i].base_pfn + ranges[i].pages - ranges[i - 1].base_pfn; @@ -402,19 +399,21 @@ bool __init pfn_pdx_compression_setup(paddr_t base) if ( i + 1 < nr_ranges ) memmove(&ranges[i], &ranges[i + 1], (nr_ranges - (i + 1)) * sizeof(ranges[0])); - else /* last range */ - mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); nr_ranges--; i--; } /* - * Populate a mask with the non-equal bits of the different ranges, do this - * to calculate the maximum PFN shift to use as the lookup table index. + * Populate two masks: one with the non-equal bits of the different ranges, + * another with the bits that change inside ranges. Do this to calculate + * the maximum PFN shift to use as the lookup table index. */ for ( i = 0; i < nr_ranges; i++ ) + { + mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); for ( unsigned int j = i + 1; j < nr_ranges; j++ ) idx_mask |= ranges[i].base_pfn ^ ranges[j].base_pfn; + } /* Mask out the bits that change inside of ranges. */ idx_mask &= ~mask; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 10:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 10:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1332597.1595065 (Exim 4.92) (envelope-from ) id 1wWtlh-0005V4-76; Tue, 09 Jun 2026 10:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1332597.1595065; Tue, 09 Jun 2026 10:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtlh-0005Uu-4K; Tue, 09 Jun 2026 10:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1332597; Tue, 09 Jun 2026 10:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtlg-0005Ul-6r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWtlg-001d8G-1T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWtlg-00ApTM-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4o48Ifk8emyCvSb5sSu24k/yDaKb66x5onkoZ+TuOb0=; b=ETMNQHgFfiVz3q5Gjq8pMaN+4/ sgR1e5VHLNTlAfCTZDSEhTWrYyqQ+sqWv30u9wkXXDziVDynQuLoZ3uo663iMWK7BLIWlAQ3PFcwM xy0zSwomEiucO8AG9FeZnHwbuwPvrVvMUmg9lR10E1wqALgyPx9+PLWTCcP4JlN4lDTc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/sched: remove duplicate trace.h include Message-Id: Date: Tue, 09 Jun 2026 10:33:12 +0000 commit 53859e27ff1a931df9fb28c2223447e2764bd7d3 Author: Furkan Caliskan AuthorDate: Sun May 31 17:08:19 2026 +0300 Commit: Roger Pau Monne CommitDate: Tue Jun 9 12:07:46 2026 +0200 xen/sched: remove duplicate trace.h include Fixes: 8726c0557752 ("xen: add real time scheduler rtds") Signed-off-by: Furkan Caliskan Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/sched/rt.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c index 4b637aa9db..b9a3e7720e 100644 --- a/xen/common/sched/rt.c +++ b/xen/common/sched/rt.c @@ -26,7 +26,6 @@ #include #include #include -#include #include #include -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 10:33:31 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 10:33:31 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1332598.1595069 (Exim 4.92) (envelope-from ) id 1wWtls-0005Zq-8G; Tue, 09 Jun 2026 10:33:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1332598.1595069; Tue, 09 Jun 2026 10:33:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtls-0005Zi-5f; Tue, 09 Jun 2026 10:33:24 +0000 Received: by outflank-mailman (input) for mailman id 1332598; Tue, 09 Jun 2026 10:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWtlq-0005ZW-BJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWtlq-001d8O-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWtlq-00Apgw-0m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 10:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QI6iFOLAHPNIEsc10Dxh2YKGK0iEButjsQOqUJotr+0=; b=aIwuIvsli/YqwXZNgs5pvyAfvL c445/uAlVUDjz9fV7xlWzcx9PBPw98aAz477Cja3uqb5j7eFhXRCeBw57zFe8iNpiZcojwKrVJ42N TJipq+up8JZYC2HmjyosCFtA+3y9u2qhpMQ566wgcvZYpXDawXw093SzjMymnbB9E41E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 09 Jun 2026 10:33:22 +0000 commit c3cf7c41214ac180902ca7dc826047774d3c5fb1 Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Roger Pau Monne CommitDate: Tue Jun 9 12:14:43 2026 +0200 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333029.1595285 (Exim 4.92) (envelope-from ) id 1wWvIN-00012v-Qz; Tue, 09 Jun 2026 12:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333029.1595285; Tue, 09 Jun 2026 12:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIN-00012n-OI; Tue, 09 Jun 2026 12:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1333029; Tue, 09 Jun 2026 12:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIM-00012h-DX for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvIM-001f0i-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvIM-00CYht-12 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lmNFXBZRfnwHh+HeQX28O9ssv8HwldA6IlQ26EwNW5Q=; b=OR8M0Rg9589kYK5FmRZP8QV6Lz fquAjaPwpGsJHQfLzrpkwhSwm+TXeef3iRO82MfoqH7JtZKrtLS356V8pd0jHlrW8hPGzht7E4UjS mrTIAExS42FhrpkktlfVMhBZKl92zvnm7XgtjA7BaY99MQn5S/PT8BBEeMoYc8dnwGyU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:11:02 +0000 commit 7787f8e9396d06026f72d3db13e836f365e085f8 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:21 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index bfbc35c08b..b967a56e52 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -667,6 +667,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -688,11 +689,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -701,6 +705,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -708,6 +714,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index bb1bb03ac4..2efb1d4f08 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -160,7 +160,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index cbcef18449..a75ccb57bf 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -613,6 +613,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 23a5ea0e61..912e55d416 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -143,36 +143,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -189,6 +209,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -196,9 +218,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -215,6 +243,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index abf9bc448d..dd7fa96aad 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -124,6 +124,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 836138a4a6..2a14fa0a63 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -53,8 +53,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333030.1595290 (Exim 4.92) (envelope-from ) id 1wWvIX-00014p-SE; Tue, 09 Jun 2026 12:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333030.1595290; Tue, 09 Jun 2026 12:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIX-00014i-Pe; Tue, 09 Jun 2026 12:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1333030; Tue, 09 Jun 2026 12:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIW-00014Z-GW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvIW-001f15-2P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvIW-00CYq9-1N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pIJh5bG9UQ2HKyO2xNnLYV+cUtfBIKZpf5Kao3BsxiY=; b=6YXfso7d7BAlkz8mWHlFpAWaiG gaQ4O4qQfDOs574VCbbz8xvjSstF89wNW6HPDcdMDUEwaL5QQHb45K9RzPhuMqNOyTIDz0mr5R51k LbleNaZQvzz0WWZagfh9N9MCd5qqLgWSRifZcsV9RGc5B0SfQj5AMh5UIkT+JWDhj1hs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:11:12 +0000 commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 8e2b75bc35..a65d49a442 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 00db1da12f..898256d320 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -198,7 +199,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -210,6 +210,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Initialization completed for this VCPU? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333031.1595293 (Exim 4.92) (envelope-from ) id 1wWvIh-000178-Tk; Tue, 09 Jun 2026 12:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333031.1595293; Tue, 09 Jun 2026 12:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIh-000170-RE; Tue, 09 Jun 2026 12:11:23 +0000 Received: by outflank-mailman (input) for mailman id 1333031; Tue, 09 Jun 2026 12:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIg-00016s-Ix for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvIg-001f1F-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvIg-00CYwW-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+X0OqZt9AdlU6d+5BvbUnbQTnHV3Qf8xK+TvYLe2lQw=; b=wm5VuhI1LXd1/cPhOGDW5zR54D +KfJdEls6wMCL8KGScgzlurRgXN/O0BbFrCG1QP1aBZjuF12ICtlisbgEmcVh11sBmqLqEIWffnVF njNQsS5p6mhoBRhjk+UE1+s+S2J8oQkWRpw32e9Fc6IUHF9y+LidiXUXZHPbU4RIu6zQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:11:22 +0000 commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 6 +++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index b969f5ada6..c205ba802d 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -521,17 +541,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index b8fd7aeedd..6ca4209108 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,9 +172,13 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: return xsm_default_action(XSM_XS_PRIV, current->domain, d); + + case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 28522dcbd2..03413eac51 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -649,8 +649,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333032.1595298 (Exim 4.92) (envelope-from ) id 1wWvIr-000196-VZ; Tue, 09 Jun 2026 12:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333032.1595298; Tue, 09 Jun 2026 12:11:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIr-00018y-Sc; Tue, 09 Jun 2026 12:11:33 +0000 Received: by outflank-mailman (input) for mailman id 1333032; Tue, 09 Jun 2026 12:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvIq-00018r-Lz for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvIq-001f1L-2z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvIq-00CZ3w-1z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VQU2ksD/R+uRwZfDZIwxxMyi//vajwcOnztWwN6DK68=; b=asyYA3liuc2/XS6nxp+ea5dPvk KX8lx/kzQT/vpGSj4SyzxSFa1Afk54xgjf6vI1ch6rBTJB6rnoHFF344hgE3VwTLo9QylxdF/g4ax BDO8pT+hEtD1KN+D0oMthjjMvbYEdOEVFzYvKX1JpjZSq19lBW+HL9oIcs52fCPRr1kI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: protect locking for get_domain_state Message-Id: Date: Tue, 09 Jun 2026 12:11:32 +0000 commit 5154fdda1124ae76e6a5efc124227790d81046ab Author: Daniel P. Smith AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: protect locking for get_domain_state When DOMID_INVALID is passed, the dom exec handler lock is being taken without any check that the domain is even allowed to take the lock. This allows for an unauthorized domain to DoS the get_domain_state domctl op. Move to consider the op effectively being called against the hypervisor. Thus it is the target of the call being invoked to identify the last domain with a state change. The subsequent check of whether the source domain is allowed the state of the last domain to change state is still relevant. This is part of XSA-492. Signed-off-by: Daniel P. Smith Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- tools/flask/policy/modules/xenstore.te | 1 + xen/common/domain.c | 6 +----- xen/common/domctl.c | 14 +++++++++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/modules/xenstore.te index 776c274869..12549f5482 100644 --- a/tools/flask/policy/modules/xenstore.te +++ b/tools/flask/policy/modules/xenstore.te @@ -14,6 +14,7 @@ allow xenstore_t xen_t:xen writeconsole; # Xenstore queries domaininfo on all domains allow xenstore_t domain_type:domain getdomaininfo; allow xenstore_t domain_type:domain2 get_domain_state; +allow xenstore_t domxen_t:domain2 get_domain_state; # As a shortcut, the following 3 rules are used instead of adding a domain_comms # rule between xenstore_t and every domain type that talks to xenstore diff --git a/xen/common/domain.c b/xen/common/domain.c index bb9e210c28..021e6d8432 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -218,12 +218,8 @@ int get_domain_state(struct xen_domctl_get_domain_state *info, struct domain *d, if ( info->pad0 ) return -EINVAL; - if ( d ) + if ( d != dom_xen ) { - rc = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( rc ) - return rc; - set_domain_state_info(info, d); return 0; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c205ba802d..eee30e8534 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -304,13 +304,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) fallthrough; case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: if ( op->domain == DOMID_INVALID ) { d = NULL; break; } fallthrough; + case XEN_DOMCTL_get_domain_state: + if ( op->domain == DOMID_INVALID ) + { + d = dom_xen; + break; + } + fallthrough; default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) @@ -868,7 +874,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_get_domain_state: - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; break; @@ -881,7 +889,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); domctl_out_unlock_domonly: - if ( d && d != dom_io ) + if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); if ( copyback && __copy_to_guest(u_domctl, op, 1) ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333033.1595301 (Exim 4.92) (envelope-from ) id 1wWvJ2-0001Bm-1p; Tue, 09 Jun 2026 12:11:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333033.1595301; Tue, 09 Jun 2026 12:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJ1-0001Bc-VL; Tue, 09 Jun 2026 12:11:43 +0000 Received: by outflank-mailman (input) for mailman id 1333033; Tue, 09 Jun 2026 12:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJ0-0001BI-On for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJ1-001f1P-03 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJ0-00CZ9d-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qmm10dx6u1oOFKXIxRv46tzD+jPujlL7+lV5NGiUsmI=; b=Dmv8P29ZKAytHdePsYZAfO/1Ix +LRtjwDQJDVcSJoCmCM1YpeiOGxid01G1wF592mB3rbnn4S7YnOU6x1qXjUSHy6wlc6jjbOexQKcf 6WL6vSvwzHPR+LAFVmJMSZk6q4c2ySiM9ovO3q4cPnt3o6bHqaLCf6V71Qo8FFbAM4AY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:11:42 +0000 commit eedff4bcd3d1314f098c2a151d4bb8a90c0f1820 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock get_domain_state() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 3ad3df1bd0aa ("xen: add new domctl get_domain_state") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 16 ++++++++-------- xen/include/xsm/dummy.h | 3 +-- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index eee30e8534..8745bc3d30 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -339,6 +339,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_get_domain_state: + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; @@ -873,14 +881,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EOPNOTSUPP; break; - case XEN_DOMCTL_get_domain_state: - ret = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( !ret ) - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); - if ( !ret ) - copyback = true; - break; - default: ret = arch_do_domctl(op, d, u_domctl); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6ca4209108..ffc6bcbde7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,10 +172,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_get_domain_state: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 03413eac51..bdfaa936be 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -651,6 +651,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -661,7 +662,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: /* These have individual XSM hooks (arch/../domctl.c) */ case XEN_DOMCTL_bind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:11:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333037.1595306 (Exim 4.92) (envelope-from ) id 1wWvJC-0001Dn-32; Tue, 09 Jun 2026 12:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333037.1595306; Tue, 09 Jun 2026 12:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJC-0001Df-0M; Tue, 09 Jun 2026 12:11:54 +0000 Received: by outflank-mailman (input) for mailman id 1333037; Tue, 09 Jun 2026 12:11:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJA-0001DY-Re for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJB-001f1V-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJA-00CZEy-2a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+83eJXfEHnsJA5keE91/P5H7yFMuRbsQceTVXkOk0mY=; b=ojyU2dVxpWHwNBoj3BLAfzD2Xb Ny29pGlu7JeoePlwX4wPJIvW1EZINZnugiWJWRJpPJB1vpcsKC+5qedH/Nifdwukbe/xAMySEjk+P dkV+u2UuDx4bXRa65RSRVUxENtYrobFmRbGXVhudP9YwihPGk27IWioTW6SPdQj0y8WY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:11:52 +0000 commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 021e6d8432..8f2bfcae28 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -568,10 +568,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -937,6 +942,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8745bc3d30..8c59d0da9f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -267,6 +267,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + static bool is_stable_domctl(uint32_t cmd) { return cmd == XEN_DOMCTL_get_domain_state; @@ -692,6 +721,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -700,6 +731,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -724,19 +757,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -760,6 +789,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 898256d320..11ffebbea4 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -551,6 +551,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333038.1595310 (Exim 4.92) (envelope-from ) id 1wWvJM-0001Fl-4S; Tue, 09 Jun 2026 12:12:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333038.1595310; Tue, 09 Jun 2026 12:12:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJM-0001Fc-1n; Tue, 09 Jun 2026 12:12:04 +0000 Received: by outflank-mailman (input) for mailman id 1333038; Tue, 09 Jun 2026 12:12:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJK-0001FW-UO for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJL-001f1k-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJK-00CZMp-2r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GV5gWGBbl6Kqo8bWntTGFAw6Ysn05vXGwCuS6vW9Dew=; b=bI7NUtWeE2mxJlgIB4vEjvkRuw 0TzLcxkBeanXBQmBswyWr6/E517Y02np/4BtVGGrpk1I/uUmPpqQlsCRlzie0KsHztdc7WDWP6Hyf EZ8hDHrM/jBlwc93PI3uSiEtMp70zxO2HHebRqXjXFsGp18WSJ3lNzaJBVR/rGSBq+vc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:12:02 +0000 commit c9f4586766c4ceeaf013fbc02ad79359c62102c3 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index b967a56e52..1368223bdf 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -237,6 +237,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -246,6 +248,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -652,16 +656,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -722,6 +723,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 19ee857abf..4192edf635 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2339,9 +2339,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333040.1595313 (Exim 4.92) (envelope-from ) id 1wWvJW-0001Iy-5l; Tue, 09 Jun 2026 12:12:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333040.1595313; Tue, 09 Jun 2026 12:12:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJW-0001Ir-35; Tue, 09 Jun 2026 12:12:14 +0000 Received: by outflank-mailman (input) for mailman id 1333040; Tue, 09 Jun 2026 12:12:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJV-0001Il-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJV-001f24-0t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJU-00CZVE-37 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=abLfthkwK3njAaff8cFfup4atrjagml4BGNRcINsPWY=; b=lGQQ/NbS4xzryp6f1EnTB7trbl Y25kuXBHFSIOttUQeYheGqO64d7a901pO/7koIE0Zw3ZYYz8cOG3Npb3ZoV5Q1+TID8Dx/I3VLPSn Z2iNr0IYoQdwgIyuK8yofvn3FgyISKpT4WyxOlvGt0UDVAbzXl1orD8v/37JlYXfyRxw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:12:12 +0000 commit 329edc090dd5c833213bad3f13f1cbc252bc15a2 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 1368223bdf..649b22a4c4 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -271,16 +271,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -583,20 +584,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -609,23 +617,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8c59d0da9f..704142ed76 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -700,6 +700,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -707,6 +710,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333042.1595317 (Exim 4.92) (envelope-from ) id 1wWvJg-0001NX-7N; Tue, 09 Jun 2026 12:12:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333042.1595317; Tue, 09 Jun 2026 12:12:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJg-0001NP-4e; Tue, 09 Jun 2026 12:12:24 +0000 Received: by outflank-mailman (input) for mailman id 1333042; Tue, 09 Jun 2026 12:12:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJf-0001NI-4C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJf-001f28-1D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJf-00CZey-0C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gziMYQ1llVSrohMFeIKpQX9ggrp67K/2rja9OFY8HCw=; b=kULfWYIrlYICFIkopJZmAOV1hs 1qyHb61ozZ6yelgY6RyZetSSU0/4wdtQLcMx8XQwhqUt6kS/ZWVXZk3K9+/7JuZS2BWCEDb5iifMj zF6PL7IsfUNzP/ofRgs3BPInTpJVbsrNHHeGqynPdH81ip7y40h4Tw1USOiJukACbt7A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 12:12:23 +0000 commit 6bb83b1aa01bb3baabc150a881849977c82146a4 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index a760d8c32f..d1c92cf77f 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -68,7 +68,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ffc6bcbde7..a6216239cc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -573,6 +573,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cc32a6c091..2708d5ecba 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -116,6 +116,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -516,6 +518,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 244ef55752..9b0eab4bfc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -74,6 +74,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index bdfaa936be..aee8b9fe91 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1911,6 +1911,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333043.1595333 (Exim 4.92) (envelope-from ) id 1wWvJq-0001en-2Z; Tue, 09 Jun 2026 12:12:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333043.1595333; Tue, 09 Jun 2026 12:12:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJp-0001ef-V8; Tue, 09 Jun 2026 12:12:33 +0000 Received: by outflank-mailman (input) for mailman id 1333043; Tue, 09 Jun 2026 12:12:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJp-0001eM-72 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJp-001f2F-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJp-00CZpb-0V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7I9DzHXiDrXrqln36vnd0/ncTM5golN5TjeXo+HD2ao=; b=Ki4VRK97cxtfm6aBZfnwUr9mZA gVfsv/wEe494YaSghHjb4sQcKM8Tt1S0ft7It2sTyTLrNLwmklvnHzbe2N6dIOUv3ps9vxX1JidKI 9TIAOh5mGBerD6QcsGJPAJjvRkojgh8NuGnddc+t4JzMAyl2hWjF2tR8zO+bpn4qdHAQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:12:33 +0000 commit 5a81fb873cb0c7913995372d22660d6a2db0ec48 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 704142ed76..c5daaf51f0 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -741,64 +801,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index a6216239cc..7733e3385a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,13 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -569,7 +569,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index aee8b9fe91..2e29ad0719 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -652,6 +652,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -659,7 +660,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333044.1595334 (Exim 4.92) (envelope-from ) id 1wWvK0-0001mS-39; Tue, 09 Jun 2026 12:12:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333044.1595334; Tue, 09 Jun 2026 12:12:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvK0-0001mK-0O; Tue, 09 Jun 2026 12:12:44 +0000 Received: by outflank-mailman (input) for mailman id 1333044; Tue, 09 Jun 2026 12:12:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvJz-0001m3-9x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvJz-001f2J-1n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvJz-00CZzg-0o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yPVre7yuyTFcncIBDl5T8j1WX6D+23+HRM2zhwbuo34=; b=om9g+sqI2sGQjEz2zfVnGsCz5e dlFu1hnrd/mFHiKG+0esmgRrS8h/HehIQOOnhGMSyoav3ZUm9WbkI1lwWPe7x8GWC1SPQNh0ISdzC 3zuvYYZJEVMWU9UqKf+7txeuhg/BGQM/DQdBf2CKEFbANbBXSY3yMkaAnmwb3z2e2kIQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:12:43 +0000 commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 649b22a4c4..7e7c61bdfc 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -667,12 +667,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c5daaf51f0..82bbfa32d6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,6 +436,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7733e3385a..11fbb7ac68 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,13 +167,13 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -765,7 +765,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2e29ad0719..13d32feb96 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -652,6 +652,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -670,7 +671,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:12:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:12:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333048.1595338 (Exim 4.92) (envelope-from ) id 1wWvKA-0001sq-4L; Tue, 09 Jun 2026 12:12:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333048.1595338; Tue, 09 Jun 2026 12:12:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKA-0001si-1k; Tue, 09 Jun 2026 12:12:54 +0000 Received: by outflank-mailman (input) for mailman id 1333048; Tue, 09 Jun 2026 12:12:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvK9-0001sX-Cw for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvK9-001f2R-26 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvK9-00Ca9I-16 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:12:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=C47XZdQQOM2DOxkzr/AuzJmt16FOrVjSriS+GcU4p+o=; b=bR1KyaGGeVIZzVgfdKgZvqwzOT AwUsOYzRvxGVkyN1n2kbdGkCpiJCL5fT1Lqz4l0J6HlejTxQ9pLDFDd6AS4cPc5bEXzhGPqRPHQfF ejP2hVOPzX0Si3zMu2Rks5jsJhMgdKA55Zk9up5Nxa9LJpF5+icLOsDRWAEJMFm92WAs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:12:53 +0000 commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 7e7c61bdfc..66c6bdf0a3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -579,7 +579,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -617,7 +617,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 82bbfa32d6..10460c1c57 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -437,6 +437,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 11fbb7ac68..2ab2f5fc52 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,11 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -534,14 +532,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 13d32feb96..435cb8d661 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -650,10 +650,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -664,9 +666,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333054.1595343 (Exim 4.92) (envelope-from ) id 1wWvKK-00021m-63; Tue, 09 Jun 2026 12:13:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333054.1595343; Tue, 09 Jun 2026 12:13:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKK-00021e-36; Tue, 09 Jun 2026 12:13:04 +0000 Received: by outflank-mailman (input) for mailman id 1333054; Tue, 09 Jun 2026 12:13:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKJ-00021W-GZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvKJ-001f2p-2S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvKJ-00CaGv-1P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qNiKsaKeGMhkggM1uk8d1pmhMb6/LivL1qyiJn8YWRs=; b=SHvzMdLYJLsgaETxgLVoFw2JbI kANBQbr21E/Hk0maAwxTZg6gVmu/KfB1gu+k5DB0AuUedVxEsp6oaXCxAhj+qvlmm0zizeqVw20tU Bl9dsXziaA5kywUN67gfIiVNGHMUppedq12MvNcARYRFhWdhSalfI/JL4wGUZXmcgJjI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:13:03 +0000 commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 66c6bdf0a3..18c19c4b63 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -237,12 +237,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 10460c1c57..c6c8e0440b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -436,6 +464,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -782,31 +811,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ab2f5fc52..d3d2a29ae4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,7 +170,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -560,7 +562,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -756,7 +758,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 435cb8d661..3338a35c1e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,7 +653,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -662,14 +664,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333055.1595346 (Exim 4.92) (envelope-from ) id 1wWvKU-00025q-8C; Tue, 09 Jun 2026 12:13:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333055.1595346; Tue, 09 Jun 2026 12:13:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKU-00025i-5g; Tue, 09 Jun 2026 12:13:14 +0000 Received: by outflank-mailman (input) for mailman id 1333055; Tue, 09 Jun 2026 12:13:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKT-00025a-JN for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvKT-001f3C-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvKT-00CaPj-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M9n08LLddtv8pMWkWn5dy+SGEOfAk6rV84wlphKOYLQ=; b=wxd3LKiVHek2eEDWOT16j+bimb E0MmpNvwtpE1SHYZD4BJquyeNmKT5g1btERwsz8pDcjdQa3NGYsfau8mIF8swAvfSievddRkjebnB iFc480EcHrOAlpD+Bl4iPVK0eyBaFvhf/z5XZT1zeSXKkHi/j4B0m2/A8tv3LO7rOI9o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:13:13 +0000 commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 18c19c4b63..83bf51e498 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -276,10 +276,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c6c8e0440b..4bb4be009b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -464,8 +464,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -784,33 +817,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d3d2a29ae4..d4e3e27ab4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,9 +170,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -555,7 +557,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3338a35c1e..14df9b78d4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,9 +653,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -663,14 +665,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333058.1595356 (Exim 4.92) (envelope-from ) id 1wWvKe-0002AH-Ct; Tue, 09 Jun 2026 12:13:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333058.1595356; Tue, 09 Jun 2026 12:13:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKe-0002A4-9h; Tue, 09 Jun 2026 12:13:24 +0000 Received: by outflank-mailman (input) for mailman id 1333058; Tue, 09 Jun 2026 12:13:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKd-00029w-MQ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvKd-001f3I-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvKd-00CaYr-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=y/3ZTbkl7oXJME74sxff7giFafw8cXrtwx5NbIPYp0s=; b=YGVyMjraUaMkjWbc04oGE28lI2 mm4OS7NkdZs9XUyg3lHzPJtyEOA8XXCFAEVhyySWG2MbdZmWMerSi9gQZqHRq019k6owKst3Gi3Ok HqctjW5cpmigtilNOZjNmzyY2fmae1OGoJhbApekSJT4DZv7cOvv09boyqwTtoSfavWA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:13:23 +0000 commit b4a7c17146f4363750d26cb2dcee08b480625a3d Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4bb4be009b..d22fa089e1 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index cf0258223f..6f62755af8 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -604,11 +604,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d4e3e27ab4..ed2bcc6521 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -646,13 +646,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } #ifdef CONFIG_VM_EVENT -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { XSM_ASSERT_ACTION(XSM_DM_PRIV); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 2708d5ecba..cce0972f53 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -156,8 +156,6 @@ struct xsm_ops { int (*get_vnumainfo)(struct domain *d); #ifdef CONFIG_VM_EVENT - int (*vm_event_control)(struct domain *d, int mode, int op); - int (*mem_access)(struct domain *d); #endif @@ -651,12 +649,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) } #ifdef CONFIG_VM_EVENT -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { return alternative_call(xsm_ops.mem_access, d); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 9b0eab4bfc..31ee287d68 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -115,8 +115,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .map_gmfn_foreign = xsm_map_gmfn_foreign, #ifdef CONFIG_VM_EVENT - .vm_event_control = xsm_vm_event_control, - .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14df9b78d4..51188f33f3 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -666,7 +666,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -760,9 +759,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1332,11 +1330,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint } #ifdef CONFIG_VM_EVENT -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - static int cf_check flask_mem_access(struct domain *d) { return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__MEM_ACCESS); @@ -1933,8 +1926,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .get_vnumainfo = flask_get_vnumainfo, #ifdef CONFIG_VM_EVENT - .vm_event_control = flask_vm_event_control, - .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333059.1595357 (Exim 4.92) (envelope-from ) id 1wWvKp-0002DE-Dk; Tue, 09 Jun 2026 12:13:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333059.1595357; Tue, 09 Jun 2026 12:13:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKp-0002D6-B6; Tue, 09 Jun 2026 12:13:35 +0000 Received: by outflank-mailman (input) for mailman id 1333059; Tue, 09 Jun 2026 12:13:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKn-0002Cr-PB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvKo-001f3P-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvKn-00CaeG-2L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YZLy7YiqsuZUtiL+WEyBgSN6EQdkDDi0L4qsS6ak+Bk=; b=gjJWlrqzuzWQ21ybXIjIJylOfL qDzUeBLmvXcxqhUQWPRyJ3J/aOeggjdjJa+YygwEZzP0mSdsZCfU7uXlIc4o7xz5gp0T6d4LUiwsT mF0XRb+OeOJV8LyHB4VpF4mLvwzKaMevFxFq0lPkxLIHR+Z6Cq87Fs+X/gLNKMPMDhUI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:13:33 +0000 commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 2396f81ad5..92bd7d7f26 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -747,7 +747,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d22fa089e1..d28626b4ca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -526,9 +526,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ed2bcc6521..19e39d9c7d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cce0972f53..31bbbc1597 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,7 +61,7 @@ struct xsm_ops { int (*sysctl_scheduler_op)(int op); #endif int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -258,9 +258,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 51188f33f3..086d4c81db 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -634,10 +634,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -647,7 +646,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -822,7 +822,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333062.1595362 (Exim 4.92) (envelope-from ) id 1wWvKz-0002Gh-FQ; Tue, 09 Jun 2026 12:13:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333062.1595362; Tue, 09 Jun 2026 12:13:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKz-0002GZ-CY; Tue, 09 Jun 2026 12:13:45 +0000 Received: by outflank-mailman (input) for mailman id 1333062; Tue, 09 Jun 2026 12:13:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvKx-0002GK-Rs for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvKy-001f3U-0N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvKx-00Camb-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jucR0WTM9Cf5S1RcD5DUi4vZevYjGGntdhhYoJrLcuE=; b=E4EdIAmZqYblWjf6hovUBTFW1J NoDauNEsiblEb+srLGIcFlF9Bgdgf3QUcqNeTGHSqICrK9BfkUkZYzQyB4Yn8VXCJ03OTR3va3Wya CGbwvDZZlHANbTdpZNr+fsq/TU8kVKbU7tTpvdAiC0yy3wp2TniObgJF92a3gSyTRfgc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:13:43 +0000 commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index a65d49a442..cf7c4e7a8a 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2072,10 +2072,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 19e39d9c7d..19e1283d55 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 31bbbc1597..266af2c7ba 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); #ifdef CONFIG_SYSCTL int (*sysctl_scheduler_op)(int op); #endif @@ -238,12 +237,6 @@ static inline int xsm_get_domain_state(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_domain_state, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - #ifdef CONFIG_SYSCTL static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 31ee287d68..b49bd96ef1 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = xsm_sysctl_scheduler_op, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 086d4c81db..d344338fc6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -576,7 +576,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -664,7 +664,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -712,6 +711,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1847,7 +1849,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = flask_sysctl_scheduler_op, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:13:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:13:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333066.1595365 (Exim 4.92) (envelope-from ) id 1wWvL9-0002Jl-IW; Tue, 09 Jun 2026 12:13:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333066.1595365; Tue, 09 Jun 2026 12:13:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvL9-0002Jd-Fz; Tue, 09 Jun 2026 12:13:55 +0000 Received: by outflank-mailman (input) for mailman id 1333066; Tue, 09 Jun 2026 12:13:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvL7-0002JU-UX for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvL8-001f3a-0e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvL7-00Care-2t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:13:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cGhmX+T7qk/4yBcpyXW16O9lkCWu4bCYoHbzFZUMh+k=; b=MXyFO3lcE0Uec0/9SLGJv27YXR T7wAKdC0M18JnB4+OORE7zsICl7v3GE4/B8lY9QgD0q7C3FLmC7l6zR7wBm83HO/cFpPrJh+CmsxC De9eA2GIZHy2Q5KvQkyFMmBFrmqVOl9oNQfs9qEmBleGASjNwQdESuRhCMkEgVDdRuAE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:13:53 +0000 commit d9d2758622422a4db0498a74c3dfd1c8168a8154 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 92bd7d7f26..1a58228086 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -689,10 +689,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 19e1283d55..1dde2cd5c6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -675,13 +675,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 266af2c7ba..dfff432ff1 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -170,7 +170,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -673,12 +672,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index b49bd96ef1..cfa83380e6 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -128,7 +128,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d344338fc6..a7075f742b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -39,6 +39,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -666,10 +667,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -754,6 +751,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1566,7 +1568,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1960,7 +1962,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333067.1595370 (Exim 4.92) (envelope-from ) id 1wWvLJ-0002Lv-K0; Tue, 09 Jun 2026 12:14:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333067.1595370; Tue, 09 Jun 2026 12:14:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLJ-0002Ln-HK; Tue, 09 Jun 2026 12:14:05 +0000 Received: by outflank-mailman (input) for mailman id 1333067; Tue, 09 Jun 2026 12:14:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLI-0002Lh-1O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvLI-001f43-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvLH-00Cb0v-3B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tOfYKxggnPdJSjTt24kLr8x/aA/+6gZCO8gT4ffTWck=; b=ptsFBPxMPWm/vtoG2cs0Y+iQMa xp3p0jb/pYThnhQaOYYDvXeueejh6UsIDzry1wpknfOK/ba0rypumcyZ4ZGV99eGXNMUBLtqEeudx 3BS7LSWfZ6Tj8Z8N9NL4Jxlxcz5ojV/APBUoPlFPNCy4RN1SB++ay3b/irovaQNth6t8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:14:03 +0000 commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d28626b4ca..a9816b2e58 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -513,6 +513,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -923,7 +927,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 464bb0fee4..7991a0f91b 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1703,7 +1703,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1773,7 +1773,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1dde2cd5c6..ca010387b1 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -394,7 +395,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a7075f742b..14347ae2fd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,6 +653,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -672,7 +673,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333068.1595374 (Exim 4.92) (envelope-from ) id 1wWvLT-0002OH-Lr; Tue, 09 Jun 2026 12:14:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333068.1595374; Tue, 09 Jun 2026 12:14:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLT-0002O9-Ie; Tue, 09 Jun 2026 12:14:15 +0000 Received: by outflank-mailman (input) for mailman id 1333068; Tue, 09 Jun 2026 12:14:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLS-0002Nw-4l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvLS-001f4O-1E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvLS-00Cb8u-0G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=m3/l/+D1jOkozLuvDFXKVIqIm7gPfuRzmPrvxPrbVWw=; b=48ODr0Yxdd+lU3ok6mUgWJBupJ JBrl2e7RUJER1tmV3/f1DDXsRbyFomcf3cdYh3PIMNJOtIqEwWwMb1RASdsjZFv7UPDYpScp/3/q0 zCQfMaV8EALxhFCcFbK5iwf7EHgsK2XPDU2nuK0G5SImva6BJeE3aZdXYMRC9ENPBmtk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:14:14 +0000 commit eab54f074f17c134fa6fa780f672393066e7b631 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a9816b2e58..200b5b3669 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -325,6 +325,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -332,6 +336,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index f5850a2607..ab1e07ac99 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -340,15 +340,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -396,15 +396,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7991a0f91b..d37ceb7b6c 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1823,10 +1823,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1868,10 +1864,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 23124547f3..cdf350a290 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -575,7 +575,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ca010387b1..81d9a7ba3b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -398,40 +398,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index dfff432ff1..fb622c62ce 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -122,13 +122,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -526,35 +519,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cfa83380e6..6c17bbff3a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -79,13 +79,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14347ae2fd..fe75412f5e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -44,6 +44,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -667,16 +678,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -756,6 +757,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1379,7 +1423,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1409,7 +1453,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1441,7 +1485,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1471,7 +1515,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1950,13 +1994,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333070.1595380 (Exim 4.92) (envelope-from ) id 1wWvLd-0002R1-QM; Tue, 09 Jun 2026 12:14:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333070.1595380; Tue, 09 Jun 2026 12:14:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLd-0002Qs-M8; Tue, 09 Jun 2026 12:14:25 +0000 Received: by outflank-mailman (input) for mailman id 1333070; Tue, 09 Jun 2026 12:14:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLc-0002Qd-8q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvLc-001f4S-1g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvLc-00CbNf-0h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3W15XuYu9vN6uv/hs3dyJWoqdWtjKPl69cVCrf1bX0s=; b=rmGpDBp9IxfCT7zq+NnSaNHGsc 1La4lz5NuqfuHLnc/x2IXKzEXTrmacckFq1SCXWZ6mRyUr1iHVKm2sJUWvexvEKdIi+aewptIhabU wXPoeOLKx79ytS6EVBNPdtOYLGSHUZwR9PLmDmVXEOmQthCsS1k3lJRNFXWp69zoYPek=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:14:24 +0000 commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 200b5b3669..3efa5b9d55 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -505,6 +505,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -849,36 +873,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 81d9a7ba3b..36369da963 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -170,6 +170,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index fe75412f5e..cc799273f5 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -672,14 +672,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333071.1595381 (Exim 4.92) (envelope-from ) id 1wWvLn-0002TQ-QF; Tue, 09 Jun 2026 12:14:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333071.1595381; Tue, 09 Jun 2026 12:14:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLn-0002TI-Nb; Tue, 09 Jun 2026 12:14:35 +0000 Received: by outflank-mailman (input) for mailman id 1333071; Tue, 09 Jun 2026 12:14:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLm-0002T7-Bp for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvLm-001f4W-1z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvLm-00CbYk-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=82h7yuuyNwrXDU2/9pceKHxEGc7MN6wQfRaDBVyboNg=; b=diRjIgqqNg4mGWwqInolT0bFbp tXTPF+2h4lHE6F80jvN1CXHWepj7kANqtw6ZTIaL3QPmXLYXzpAo+VRmIuXXc6A27GLtDqLNdG2aU wHenLYwIoPTNZ+i3WVfr1wLXdgJIEmZ5cCY3B8ZzB4lsD7M2CZMurQV+nbxTgJLtPjVk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:14:34 +0000 commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 895d7cd502..9e2b6bd597 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333073.1595386 (Exim 4.92) (envelope-from ) id 1wWvLx-0002Vk-RM; Tue, 09 Jun 2026 12:14:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333073.1595386; Tue, 09 Jun 2026 12:14:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLx-0002Vd-Oy; Tue, 09 Jun 2026 12:14:45 +0000 Received: by outflank-mailman (input) for mailman id 1333073; Tue, 09 Jun 2026 12:14:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvLw-0002VS-ES for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvLw-001f4k-2F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvLw-00Cbgp-1G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=slFvozumxu0+EMvW+OkJuD62LwcC1v9s4Mq3XiFkD14=; b=WYqLAjDJUsNPh6kkmS9vkJIb4J x37mxQ3GWYN1ADTvLfTC5Uk0v3dk56rg+tgapu6H8R7NxlAur6WfYdMnnNLiDQKN47WWOZcPRx6gM mEQKZgX9p0Ks060OMwXp5a5SFOldmuGG0pWemMD8VBKEBPk+ZDNrPqV7r6MsXfOkzt8U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:14:44 +0000 commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 9e2b6bd597..955cb1a8a7 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:14:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:14:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333075.1595390 (Exim 4.92) (envelope-from ) id 1wWvM7-0002Y9-Sv; Tue, 09 Jun 2026 12:14:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333075.1595390; Tue, 09 Jun 2026 12:14:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvM7-0002Y1-QQ; Tue, 09 Jun 2026 12:14:55 +0000 Received: by outflank-mailman (input) for mailman id 1333075; Tue, 09 Jun 2026 12:14:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvM6-0002Xo-HH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvM6-001f4q-2X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvM6-00Cbu6-1W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:14:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FkgMqjh8bf99CXshNPX5hnTViQ27EIqx0gIzt4uEBY8=; b=uzYnFBsVEZmvqpsBiSqqL0v6ym Krx21BAxz8V9eCYqahKV12+8OSrxPo331nZHzZVap3LLsnKEEAxwjA8m8ksbpwjUAYqbi6bYxYyMN vJzrbATraeQd/Y2Dae5aj9vx5I1RgYTriPv3piQpR7l839MonWMzhWAzKjD4V8qZ6rZo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:14:54 +0000 commit 0315d10321518beb24c41bb595e9197cadec0693 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 955cb1a8a7..a3753c317f 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333076.1595394 (Exim 4.92) (envelope-from ) id 1wWvMH-0002a9-UY; Tue, 09 Jun 2026 12:15:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333076.1595394; Tue, 09 Jun 2026 12:15:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMH-0002a2-Rv; Tue, 09 Jun 2026 12:15:05 +0000 Received: by outflank-mailman (input) for mailman id 1333076; Tue, 09 Jun 2026 12:15:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMG-0002Zv-Jy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvMG-001f5I-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvMG-00Cc6Y-1o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3+Fm8FZq6uaBbZPpY8YoaQSKpc3SSstOfYwi4KuSNc4=; b=EMUsKyuTj9psBUN/T/Jtkhw7P7 KLnbldanRvM8p+zvroolD515ptqI85Naa5tqFnQXuh+RLFlICTyhZBb4mtfiLm1ejH7pGT3M9v+l1 RTIsSsbK09tM5CvHna7RPKPHev+53xCvbZSbmjH7NTnmEAOh48Wto6fYPBlDQOFe6q/0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:15:04 +0000 commit 161e8f61b5b0f2c205072c7bc699bfc37653999f Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 79622b46a1..5fa89fcb24 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -468,6 +468,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333081.1595398 (Exim 4.92) (envelope-from ) id 1wWvMS-0002ce-0P; Tue, 09 Jun 2026 12:15:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333081.1595398; Tue, 09 Jun 2026 12:15:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMR-0002cW-TY; Tue, 09 Jun 2026 12:15:15 +0000 Received: by outflank-mailman (input) for mailman id 1333081; Tue, 09 Jun 2026 12:15:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMQ-0002cN-NB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvMQ-001f7g-37 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvMQ-00CcEG-29 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wi6Cc4UJf2MeXtlDaQJE/QQ0cQMSPedRmAZSQ3brleg=; b=i1YmfdZsZk2KOrtlJlijWz0EWf XE9u4g5ak/pIv4qY74qPPuHwF4TPGYnxsgzC+8Wqf4iHzOaK99ClNYLIEumiVTuuE7VUNY9ZHY0OZ SY84t8yYuboXIXOlIB8ROmS2Y6BhrB5od8PqzAdbffhJlGFJE22ZuD90Qi91xmI6cpRQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:15:14 +0000 commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 23721bb52c..5e2ed50ec9 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -104,7 +104,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -148,6 +150,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 385a6666da..e0ce8b4c39 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -90,7 +90,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index 7bcbca2b7f..345677eb72 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -104,7 +104,7 @@ static inline void invlpg(const void *p) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index c37bd7a176..8ca6799a81 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -329,6 +329,9 @@ DECLARE_PER_CPU(struct tss_page, tss_page); DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* PAUSE (encoding: REP NOP) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index a158379e77..bb4ba0afe2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -535,7 +535,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -543,7 +543,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 12d8ba744a..ddeb144b06 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -831,8 +831,7 @@ static int __init dom0_construct(const struct boot_domain *bd) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -841,8 +840,7 @@ static int __init dom0_construct(const struct boot_domain *bd) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -853,8 +851,7 @@ static int __init dom0_construct(const struct boot_domain *bd) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -995,8 +992,7 @@ static int __init dom0_construct(const struct boot_domain *bd) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 5027c32e1a..0c42ae58aa 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -457,6 +457,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -479,15 +481,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index ff05955bae..d8fd71ffab 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -1063,6 +1063,7 @@ static int cpu_smpboot_alloc(unsigned int cpu) info->current_vcpu = idle_vcpu[cpu]; /* set_current() */ per_cpu(curr_vcpu, cpu) = idle_vcpu[cpu]; + per_cpu(pgtable_vcpu, cpu) = idle_vcpu[cpu]; gdt = per_cpu(gdt, cpu) ?: alloc_xenheap_pages(0, memflags); if ( gdt == NULL ) diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 9dc8aa538c..f91ba6f740 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 0f1cc765ec..a23fa75e37 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -50,7 +50,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -93,6 +92,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); vcpu_save_fpu(current); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -100,8 +104,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -116,7 +118,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -144,7 +147,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -155,18 +158,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu(curr); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 2e36b01e20..87146172ad 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -40,7 +40,6 @@ extern bool efi_secure_boot; void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_reset_system(bool warm); #ifndef COMPAT -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:27 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333082.1595402 (Exim 4.92) (envelope-from ) id 1wWvMd-0002fo-3T; Tue, 09 Jun 2026 12:15:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333082.1595402; Tue, 09 Jun 2026 12:15:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMd-0002ff-0d; Tue, 09 Jun 2026 12:15:27 +0000 Received: by outflank-mailman (input) for mailman id 1333082; Tue, 09 Jun 2026 12:15:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMb-0002fV-E9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvMb-001f7k-2E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvMb-00CcVq-1F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RsmXrrL3NRd6wMyYVHxeFRxdqaAMhYYr7pA2q4/knhY=; b=yAKOtn4s86Hw3k4i9URO9GL2Ub DlFtFl/o+IA3wvyFI/jmEx5p6qre38dMgJuviRWaEH2Rq2pqFPBxbSyTJHEioBpBnnIEBEWf2O8QZ Ia+l5vh1o0ahpjvWSirnZJtWvvG4lWCjNuutdKzXwcsFHFVIKqSTRpEzinmWUdxBmgoc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 12:15:25 +0000 commit 1b251cc02a24ed6e5ffdd71bc3f142f9a53551c3 Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7974ac4e82..e85d1fea7a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,9 +20,6 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS - - local: 'automation/gitlab-ci/analyze.yaml' - rules: - - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:37 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333084.1595405 (Exim 4.92) (envelope-from ) id 1wWvMn-0002hw-4b; Tue, 09 Jun 2026 12:15:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333084.1595405; Tue, 09 Jun 2026 12:15:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMn-0002ho-1v; Tue, 09 Jun 2026 12:15:37 +0000 Received: by outflank-mailman (input) for mailman id 1333084; Tue, 09 Jun 2026 12:15:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMl-0002hi-LC for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvMl-001f7r-2V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvMl-00Ccbx-1X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MZ0/S23oEJ/3aGG3/ysXhHFAvzhp3bhI3D3FILTxM3k=; b=4ZnSEgaZO9x6z//xM388zUnUFL T4QdNK0BfUTIF2CXMlDCBz6FGpq5Ddsgu+KPMNloDb7TXMhO4eIpUO0eiZSaa8o4g6fiPlybAYVpu WNCfO5MTEKCu81Kh4nVjf0gpDsDToqX3bboDGIHqw9TVVVikLVSnqcPjch8j4GTdMZIQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:15:35 +0000 commit 4ac1fc0c45b52ebbe9ad7ca1e39f949a431b43f6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:21 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 6153e3c07e..276049b044 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -663,6 +663,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -684,11 +685,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -697,6 +701,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -704,6 +710,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 2af4f30359..3a7976729b 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -160,7 +160,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 0c60faa39d..4fe1c5fa16 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -610,6 +610,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 23a5ea0e61..912e55d416 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -143,36 +143,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -189,6 +209,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -196,9 +218,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -215,6 +243,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 924af890c5..87586b05c6 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333085.1595409 (Exim 4.92) (envelope-from ) id 1wWvMx-0002jz-5r; Tue, 09 Jun 2026 12:15:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333085.1595409; Tue, 09 Jun 2026 12:15:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMx-0002js-3L; Tue, 09 Jun 2026 12:15:47 +0000 Received: by outflank-mailman (input) for mailman id 1333085; Tue, 09 Jun 2026 12:15:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvMv-0002jl-Jh for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvMv-001f7x-2m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvMv-00Ccmi-1n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6mXZxp+v4eRGzLorTVumRI3g3Czh1BgnW2R6JJzPmGk=; b=BoNtMq1EqpyfpnsW3ZOvAiA2mo 5R7eToKwt78L491fJAe//RWMVhFX2jDCrCT2yfpviWrPDQuCZLbzbS18XOzWCRKipvScYCn/2aoZK fGUGDClYkYH5obp8Mvo4W3cR4BhV020f2ClECElKDOEnX9ugE3TenwsTcGr6SKBXVLE4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:15:45 +0000 commit 8d2ffa5ba842a9a667157cacc7fe1d5aad3fe53e Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 2ab4313517..adfdddde15 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -281,13 +281,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -307,30 +312,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 610f3d4c0d..d867fa5745 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -198,7 +199,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -210,6 +210,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:15:57 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:15:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333086.1595413 (Exim 4.92) (envelope-from ) id 1wWvN7-0002m3-81; Tue, 09 Jun 2026 12:15:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333086.1595413; Tue, 09 Jun 2026 12:15:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvN7-0002lv-4t; Tue, 09 Jun 2026 12:15:57 +0000 Received: by outflank-mailman (input) for mailman id 1333086; Tue, 09 Jun 2026 12:15:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvN5-0002ll-MH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvN5-001f81-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvN5-00Ccuf-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:15:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GxTCLfxTUMtNrERQ3g4DvGuC/yX16GyZ3/pW76OyESI=; b=6XS3dgSGVwXtJiE76H5yxjbZFl 96U1XyuKCeJEKhM+p0XaMtiFBY6ovkN6oH2e7tBmyXg/OZNqv96dMiI79o0HWm7RHOzlQZaOh/mGG r/8/MP8UJEjo5qds9IN40QPD7t8NmBSBOBaa22jSZZ7fzW6mn9oOR7ynoGEpGo8U61Jg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:15:55 +0000 commit 1874bf7927674575d87eb13b5fd3476b02d4238d Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 6 +++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 21bbffdc40..48be3ec58a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -516,17 +536,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 12792c3a43..dcdfa79137 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,9 +172,13 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: return xsm_default_action(XSM_XS_PRIV, current->domain, d); + + case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b0308e1b26..529de9d7f5 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,8 +682,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333087.1595417 (Exim 4.92) (envelope-from ) id 1wWvNH-0002of-AI; Tue, 09 Jun 2026 12:16:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333087.1595417; Tue, 09 Jun 2026 12:16:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNH-0002oX-7f; Tue, 09 Jun 2026 12:16:07 +0000 Received: by outflank-mailman (input) for mailman id 1333087; Tue, 09 Jun 2026 12:16:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNF-0002oL-Qh for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvNG-001f8G-04 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvNF-00Cd3P-2K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iNExSOFevyZsmvklz9KjZ2VDN5I2CebVwPSHeHAI30s=; b=aooxMSSh8EH4gANZPaduna/e69 NlVdqZDgpDByLdQTKt5z8zuoWhWZ2O+G1UcTZpw0hP+5wbyDtmZJZmMMWvRb/wUCj1jryJp2x6fg5 Q56YA7e8EsYSI97UfEjxDiXUswHQ+AN0bp7AYeV3ZTpVrPRUQ+H2WExgiptKY/q0dyTE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: protect locking for get_domain_state Message-Id: Date: Tue, 09 Jun 2026 12:16:05 +0000 commit e772f8d428bd7f2c094df6704ec392f949f55e10 Author: Daniel P. Smith AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: protect locking for get_domain_state When DOMID_INVALID is passed, the dom exec handler lock is being taken without any check that the domain is even allowed to take the lock. This allows for an unauthorized domain to DoS the get_domain_state domctl op. Move to consider the op effectively being called against the hypervisor. Thus it is the target of the call being invoked to identify the last domain with a state change. The subsequent check of whether the source domain is allowed the state of the last domain to change state is still relevant. This is part of XSA-492. Signed-off-by: Daniel P. Smith Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 5154fdda1124ae76e6a5efc124227790d81046ab) --- tools/flask/policy/modules/xenstore.te | 1 + xen/common/domain.c | 6 +----- xen/common/domctl.c | 14 +++++++++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/modules/xenstore.te index 776c274869..12549f5482 100644 --- a/tools/flask/policy/modules/xenstore.te +++ b/tools/flask/policy/modules/xenstore.te @@ -14,6 +14,7 @@ allow xenstore_t xen_t:xen writeconsole; # Xenstore queries domaininfo on all domains allow xenstore_t domain_type:domain getdomaininfo; allow xenstore_t domain_type:domain2 get_domain_state; +allow xenstore_t domxen_t:domain2 get_domain_state; # As a shortcut, the following 3 rules are used instead of adding a domain_comms # rule between xenstore_t and every domain type that talks to xenstore diff --git a/xen/common/domain.c b/xen/common/domain.c index 88db82d187..dfeb6c7558 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -216,12 +216,8 @@ int get_domain_state(struct xen_domctl_get_domain_state *info, struct domain *d, if ( info->pad0 ) return -EINVAL; - if ( d ) + if ( d != dom_xen ) { - rc = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( rc ) - return rc; - set_domain_state_info(info, d); return 0; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 48be3ec58a..9fe097cc71 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -304,13 +304,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) fallthrough; case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: if ( op->domain == DOMID_INVALID ) { d = NULL; break; } fallthrough; + case XEN_DOMCTL_get_domain_state: + if ( op->domain == DOMID_INVALID ) + { + d = dom_xen; + break; + } + fallthrough; default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) @@ -863,7 +869,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_get_domain_state: - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; break; @@ -876,7 +884,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); domctl_out_unlock_domonly: - if ( d && d != dom_io ) + if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); if ( copyback && __copy_to_guest(u_domctl, op, 1) ) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333090.1595422 (Exim 4.92) (envelope-from ) id 1wWvNQ-0002rn-Bf; Tue, 09 Jun 2026 12:16:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333090.1595422; Tue, 09 Jun 2026 12:16:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNQ-0002rf-91; Tue, 09 Jun 2026 12:16:16 +0000 Received: by outflank-mailman (input) for mailman id 1333090; Tue, 09 Jun 2026 12:16:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNP-0002rY-RU for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvNQ-001f8c-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvNP-00CdI6-2a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7BvIZXDd5X3ZBmX/BikIbl1iRhOUx77X1XKR5rFx/8o=; b=QivqgSiRTN/2Bc7iOfitL8H6Gr RItV9m6ETWnHUZ99lGJRQCuxhzpQxsfVBM9lmwi/rTRZJicTh01MOn9iWOhos4j0tmdRJnnGblSIo B+v/JS5Y/nOyADpfXku/+8JfH96D/zzZb6MRLpJWdeubqP9s9aaxB4X6OTO1BvqV6db4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:16:15 +0000 commit 7dff06d83cef9dba3780771eaac720c3c34f1877 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock get_domain_state() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 3ad3df1bd0aa ("xen: add new domctl get_domain_state") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eedff4bcd3d1314f098c2a151d4bb8a90c0f1820) --- xen/common/domctl.c | 16 ++++++++-------- xen/include/xsm/dummy.h | 3 +-- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 9fe097cc71..509347822c 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -339,6 +339,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_get_domain_state: + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; @@ -868,14 +876,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EOPNOTSUPP; break; - case XEN_DOMCTL_get_domain_state: - ret = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( !ret ) - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); - if ( !ret ) - copyback = true; - break; - default: ret = arch_do_domctl(op, d, u_domctl); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dcdfa79137..561b078419 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,10 +172,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_get_domain_state: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 529de9d7f5..094cb7691f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -694,7 +695,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: /* These have individual XSM hooks (arch/../domctl.c) */ case XEN_DOMCTL_bind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333091.1595426 (Exim 4.92) (envelope-from ) id 1wWvNa-0002u4-D8; Tue, 09 Jun 2026 12:16:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333091.1595426; Tue, 09 Jun 2026 12:16:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNa-0002tw-AM; Tue, 09 Jun 2026 12:16:26 +0000 Received: by outflank-mailman (input) for mailman id 1333091; Tue, 09 Jun 2026 12:16:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNZ-0002to-Ua for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvNa-001f8k-0d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvNZ-00CdTZ-2r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KO78SH6gxHSFVlemjL0YV2hpxhN6hbe53ljskQj62k4=; b=yM5Xn4iSCwhot6sVCyAIPI12Tw 884qpWx4pjR/3gg2lS1HkQoRAQO0dFXuxyppa/dj0xuMi+TNDH00O0sUbLPHpErAYotbeJCsfPgSZ +Ib4gAmI+6WUh0qx0jGWd2c7Bqe7fcXF6Noq4QT+rjdSIm+SDq82Oq/5xN8WNzWK4kVM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:16:25 +0000 commit 06ca3bef324ad44daa5691ab1d98f874325aed22 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index dfeb6c7558..69fe1debcc 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -518,10 +518,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -873,6 +878,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 509347822c..ba3667c4ca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -267,6 +267,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + static bool is_stable_domctl(uint32_t cmd) { return cmd == XEN_DOMCTL_get_domain_state; @@ -687,6 +716,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -695,6 +726,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -719,19 +752,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -755,6 +784,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index d867fa5745..f42fcaf20e 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -536,6 +536,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333092.1595429 (Exim 4.92) (envelope-from ) id 1wWvNk-0002w9-EO; Tue, 09 Jun 2026 12:16:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333092.1595429; Tue, 09 Jun 2026 12:16:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNk-0002w1-Bn; Tue, 09 Jun 2026 12:16:36 +0000 Received: by outflank-mailman (input) for mailman id 1333092; Tue, 09 Jun 2026 12:16:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNk-0002vv-1J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvNk-001f8s-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvNj-00CdhL-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NqiW1XTA7m2FAVb22k1zxoPZnMLfGAbwX5vKedwdK+s=; b=JsmGJ1K1yIZlx57DIDWDVX+P+H pNNnbaXEf+yazQ2hLWfRZ5CCy3vCo0+kg+XieANeRB8otB2UXkLOfLtciNC1tgCsHlAC7BGeSbcfY hpLQY0QKS06lpwCbID4U5wpLJiqKLXylv+gWwlwL5vqb9UAqu4aX9Tlt9rV1URtxfF10=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:16:35 +0000 commit ab63ab56c7e1703dd5d0e796e464a587787239b8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 276049b044..ee46ed5546 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -233,6 +233,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -242,6 +244,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -648,16 +652,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -718,6 +719,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 7f264debc9..f4e06b2ad8 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2339,9 +2339,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333093.1595434 (Exim 4.92) (envelope-from ) id 1wWvNu-0002yB-Fp; Tue, 09 Jun 2026 12:16:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333093.1595434; Tue, 09 Jun 2026 12:16:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNu-0002y2-D8; Tue, 09 Jun 2026 12:16:46 +0000 Received: by outflank-mailman (input) for mailman id 1333093; Tue, 09 Jun 2026 12:16:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvNu-0002xw-41 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvNu-001f8w-1C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvNu-00CdrX-0E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7RP+xg9+mqbHAN8eOZ+sv7HgwmHoNRP7dbl4UH3L9n8=; b=tmhn7qg1p+bPl2HyBz6lvPlb9b Bb6D84hArDc6hKZ0QjX9IaA/qJvu7qFgxzFqQ1Ol7y/7DOobbGy+WNYEpL1O8I9LCu0vytMcs9P23 tBkcd7H+N2D1xYHCUlqAuiHNzJn5ohXx+PslGogtVoWoVvlqyRVmK8pie9AqFe2lcmzM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:16:46 +0000 commit b9aebf736d53df5d7190b88e813c70b454ca7640 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index ee46ed5546..bf8740c2d3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -267,16 +267,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -579,20 +580,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -605,23 +613,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ba3667c4ca..74934245a0 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -695,6 +695,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -702,6 +705,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:16:57 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:16:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333094.1595438 (Exim 4.92) (envelope-from ) id 1wWvO5-00030g-IV; Tue, 09 Jun 2026 12:16:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333094.1595438; Tue, 09 Jun 2026 12:16:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvO5-00030Y-Fz; Tue, 09 Jun 2026 12:16:57 +0000 Received: by outflank-mailman (input) for mailman id 1333094; Tue, 09 Jun 2026 12:16:56 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvO4-00030S-6r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvO4-001f90-1U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvO4-00Ce0N-0U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:16:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2vHq5+uzPsV/kNsB/h5FwEId0a9LbnXCNFYC3EyKilM=; b=y365rbH5L90KSfP4gnw91pNc7l 5/PCpvVGqctW4dYlCcpIcHobFT031WzXbgjnEh3o4JvFitcCYwJHT1MwGY2vGLYCMPKHUjQjU0Bbd HYbD4MBU3wKTm7ZlSqCAwPbzECQqgIBGD5cktAvgV9t/lU1nqchThIUNNnGqMXLon4LY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 12:16:56 +0000 commit a0e384c64d1149a3048e3ab5031f3057e589358b Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index a3e8d0ec82..9fdd8c4874 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 561b078419..3a83392d15 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -580,6 +580,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 9a23d2827c..73b58f9ee3 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -118,6 +118,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -523,6 +525,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 8b7e01b506..c7d030768a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -76,6 +76,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 094cb7691f..19f1451d0a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1950,6 +1950,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333095.1595442 (Exim 4.92) (envelope-from ) id 1wWvOF-00032l-K8; Tue, 09 Jun 2026 12:17:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333095.1595442; Tue, 09 Jun 2026 12:17:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOF-00032d-HP; Tue, 09 Jun 2026 12:17:07 +0000 Received: by outflank-mailman (input) for mailman id 1333095; Tue, 09 Jun 2026 12:17:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOE-00032X-9g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvOE-001f9F-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:06 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvOE-00Ce6r-0m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:06 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XPsEzX9POHOXNHaS9PGAgDmeLBodOxU8DJOuJrzE3os=; b=WPqW6wVmq5DsBzAWXVblV9lQB6 1E55Z9Ev33frpoklpkL/pyZKRl2W2/ee9voNPhppnMpTSmucMRhutoDvKgSSTQFA/Y7wZtiwwxFBs qW1KmhSFS6mD0yVv8z/BzllU6gFz7Q4AMpObJlg+lFfp4GfbLwamGY/p7eVqkAPRvhI0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:17:06 +0000 commit d08d614d9c65bf65255d8be09139933d104945d6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 74934245a0..301b9bc970 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -736,64 +796,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3a83392d15..c2475aa128 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,13 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -576,7 +576,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 19f1451d0a..c7d3f28492 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -685,6 +685,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:17 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333096.1595447 (Exim 4.92) (envelope-from ) id 1wWvOP-00034n-M7; Tue, 09 Jun 2026 12:17:17 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333096.1595447; Tue, 09 Jun 2026 12:17:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOP-00034f-Ix; Tue, 09 Jun 2026 12:17:17 +0000 Received: by outflank-mailman (input) for mailman id 1333096; Tue, 09 Jun 2026 12:17:16 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOO-00034Y-Db for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvOO-001f9c-2A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvOO-00CeGl-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uShA2lyh5XhvrjBKolz8/1PKcseoWqGqNk23lnWmub0=; b=w39EbKR+OzvsIeMSMjbTNRELKe gH5CEVN9OiB/SfWahJb64eIRFWYZkybzJUGoVRVU1D2IhJwEpE7CQbwLTezfTj6ezAiefhUyRC/CR ey9uFxzV1oCrw5Aaf5pWOGZI+nlXsem7d499WQVqM6GzWSjaSOcS2TxskFhmblNgRBq8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:17:16 +0000 commit 15f385cd5bf94d8b28113553d45c031dde5e39af Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index bf8740c2d3..3fb2989126 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -663,12 +663,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 301b9bc970..858e72a05a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,6 +436,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c2475aa128..e4ae29e88d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,13 +167,13 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -772,7 +772,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c7d3f28492..f094e05640 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -685,6 +685,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -703,7 +704,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:27 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333097.1595449 (Exim 4.92) (envelope-from ) id 1wWvOZ-000389-Mv; Tue, 09 Jun 2026 12:17:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333097.1595449; Tue, 09 Jun 2026 12:17:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOZ-000381-KG; Tue, 09 Jun 2026 12:17:27 +0000 Received: by outflank-mailman (input) for mailman id 1333097; Tue, 09 Jun 2026 12:17:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOY-00037v-Gb for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:26 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvOY-001f9g-2S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:26 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvOY-00CeRr-1T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:26 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MSbfumHKDYQWR6l14TlabqbA9j/YmY0x56W6v5IMPA0=; b=VRkucrJZnkMWMs9ZSoGyVpCxq0 WB4Y28VPTapTEvGtKNGfmv6ecLDS95xmqCJe9A2xxuJ3jhfzxvPVLecYNpvHNdcDPTH/jORKcZJi6 1I1WVtZYEkrP4QQpuoj30n2qQQFH1keADNMShlYPFxR0e7QiT0WUKpNAT4RCx4wm3v0Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:17:26 +0000 commit 7073cc4de69235623e596e79deb80705e08e4329 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 3fb2989126..9f8e8de5b5 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -575,7 +575,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -613,7 +613,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 858e72a05a..a5359f3814 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -437,6 +437,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index e4ae29e88d..dfff3b52b3 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,11 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -541,14 +539,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f094e05640..a5280e3334 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,10 +683,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -697,9 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:37 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333098.1595453 (Exim 4.92) (envelope-from ) id 1wWvOj-0003Gu-Pi; Tue, 09 Jun 2026 12:17:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333098.1595453; Tue, 09 Jun 2026 12:17:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOj-0003Gl-Mt; Tue, 09 Jun 2026 12:17:37 +0000 Received: by outflank-mailman (input) for mailman id 1333098; Tue, 09 Jun 2026 12:17:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOi-0003Ft-JM for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvOi-001f9p-2j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvOi-00Ced1-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/nFieEdGwsYBYlhV3z7h8KYnMCXYOFqgALFaLTB07+I=; b=BqGzB/4uTn2e9R+1QLL/+v+5wS e2nzlYH9JgguV4g/320vsM+pT41ZWdjSr0Nf1I5TurgkGveCF50gAY1OXuEAcmAZVw5QeTB0TSTR+ /wKXozGHuWCbQvaG6F7l27rh6TwMoWj8XBGbrKPwR3rBZDYKR2Vb+ORikyqRcxN1LjKg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:17:36 +0000 commit 3941b2ceb0131a0dc99a9779ff438d309445ca3a Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 9f8e8de5b5..f030bc91c0 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -233,12 +233,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a5359f3814..9ebf28fda6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -436,6 +464,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -777,31 +806,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dfff3b52b3..8499167a36 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,7 +170,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -567,7 +569,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -763,7 +765,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a5280e3334..294d966f87 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,7 +686,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -695,14 +697,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333099.1595458 (Exim 4.92) (envelope-from ) id 1wWvOt-0003Kz-R2; Tue, 09 Jun 2026 12:17:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333099.1595458; Tue, 09 Jun 2026 12:17:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOt-0003Kr-OK; Tue, 09 Jun 2026 12:17:47 +0000 Received: by outflank-mailman (input) for mailman id 1333099; Tue, 09 Jun 2026 12:17:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvOs-0003Kl-MH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvOs-001f9v-31 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvOs-00Cekm-22 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BPh5Rn4QfGD7S26X7EwlRm45coGfzNlL9XNSpjuoHAA=; b=rj5V1+EKsZDq3v2baB+NYJMlUh j5h5kJc5x97SxPkoJy/A9pIGuI2CM5BcBxusa3koZGw79iK/4ZQzdOBAhgu7jfqki2QvHL0VI33My W3kscPlJSVbJJlhAyIT/VviFco4i8YyjmLNwp9oail+aVHmQfSEiVI5Ky4p2t4GEPKjw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:17:46 +0000 commit f1bbc0077e103f87549c830ec1dba8d2eac92be3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f) --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index f030bc91c0..b8bc0caaf2 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -272,10 +272,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 9ebf28fda6..d8e22210c4 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -464,8 +464,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -779,33 +812,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8499167a36..1289777ffd 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,9 +170,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -562,7 +564,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 294d966f87..b6ff190dc6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,9 +686,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -696,14 +698,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:17:57 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:17:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333100.1595464 (Exim 4.92) (envelope-from ) id 1wWvP3-0003X8-Sw; Tue, 09 Jun 2026 12:17:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333100.1595464; Tue, 09 Jun 2026 12:17:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvP3-0003Wu-Pg; Tue, 09 Jun 2026 12:17:57 +0000 Received: by outflank-mailman (input) for mailman id 1333100; Tue, 09 Jun 2026 12:17:56 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvP2-0003Wi-PG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvP3-001fA1-07 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvP2-00CeyG-2L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:17:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kdV6qGVb0NUjek0WCR+F20FtnMGqGlwYKsd4F9+d4nI=; b=lvZRN9vw3K9z5r7ecQEUApHc0C qxg4jYjjpHSMfzBkhSv8YofckI/D3e3OfP17DvpHbGaPyEd/vwlfdWJ0LQL45Aid6ZVFxHCOuY8cI 3AFouEAr/Z1itoUoyZXL24w38PYsGR9ga2ebyh+gCu3FxHVCmtPqp1QMkgqL0OE2noS0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:17:56 +0000 commit 619b70fccb0c64c6468e16a3f701fe228a534920 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d8e22210c4..396874acf2 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index b2787c0108..15eb8bf9b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -603,11 +603,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1289777ffd..f0cba259d7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -652,13 +652,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_VM_EVENT static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 73b58f9ee3..c8b07329ae 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -157,8 +157,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_VM_EVENT int (*mem_access)(struct domain *d); #endif @@ -657,12 +655,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_VM_EVENT static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index c7d030768a..ccdaa924d7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -116,8 +116,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_VM_EVENT .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b6ff190dc6..1fa0b1a6c7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -793,9 +792,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1368,11 +1366,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_VM_EVENT static int cf_check flask_mem_access(struct domain *d) { @@ -1971,8 +1964,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_VM_EVENT .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333102.1595466 (Exim 4.92) (envelope-from ) id 1wWvPD-0003bJ-U1; Tue, 09 Jun 2026 12:18:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333102.1595466; Tue, 09 Jun 2026 12:18:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPD-0003bB-R4; Tue, 09 Jun 2026 12:18:07 +0000 Received: by outflank-mailman (input) for mailman id 1333102; Tue, 09 Jun 2026 12:18:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPC-0003b5-S5 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvPD-001fAP-0O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:06 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvPC-00Cf67-2e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:06 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+6tBMs/yCcUcPFF8l4JilM5E3IIODKJCK64eIo+rh5w=; b=UH8M+IwnhIqM77wZPWL/uk2yJh bmLjz2Nz4O2hcXzk/+K1Ae/whS1/O8GsB0EZ7TV4Nm6zEkeTJgcYxmwU3d6vgrEy8Lf8bq0cqV/WA g48k24zfCx5XdYWg5b6mrwywJUpFAO6sROjdqam2DogbYzTbBRHJIWlwh66G6MHhMvIg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:18:06 +0000 commit 83f644192726c4ee87977d9135840b67f04d56cd Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 65455a6867..3545ddd1d0 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -735,7 +735,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 396874acf2..7a450c87ff 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -526,9 +526,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f0cba259d7..c469331ea8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index c8b07329ae..4379a6e96b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,7 +61,7 @@ struct xsm_ops { int (*sysctl_scheduler_op)(int op); #endif int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -260,9 +260,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 1fa0b1a6c7..ca4aa9d367 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -667,10 +667,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -680,7 +679,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -855,7 +855,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:18 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:18 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333103.1595470 (Exim 4.92) (envelope-from ) id 1wWvPO-0003do-0i; Tue, 09 Jun 2026 12:18:18 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333103.1595470; Tue, 09 Jun 2026 12:18:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPN-0003dg-UN; Tue, 09 Jun 2026 12:18:17 +0000 Received: by outflank-mailman (input) for mailman id 1333103; Tue, 09 Jun 2026 12:18:17 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPM-0003dZ-VB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvPN-001fAj-0h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvPM-00CfBI-2w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VeYCYk5yud6PoiTTph9S6cFCJ0SHv8nkQlh9DzfYG/o=; b=pEsuFJTEKFltdBMELJGa+sb6aF TZ+fd1H94HvPyHrdamJaEHLjah+/vYJGgQc+LQRc3ZKuM2nv4Pffzeo2I84V6rRf+hKuFNPSVK/Ys 2oP7mxKIbaxRzs7o1U8rmeqkeW/rbgLB8L7P0oQepKIsYa6AXj3S6GXMwzQ50HW321+E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:18:16 +0000 commit b48039e907a65ce0b85dfc32ceed0d0bad639319 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index adfdddde15..08175215a0 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2074,10 +2074,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c469331ea8..f4444b0488 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4379a6e96b..941e768dd6 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); #ifdef CONFIG_SYSCTL int (*sysctl_scheduler_op)(int op); #endif @@ -240,12 +239,6 @@ static inline int xsm_get_domain_state(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_domain_state, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - #ifdef CONFIG_SYSCTL static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ccdaa924d7..5e58ccd260 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = xsm_sysctl_scheduler_op, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ca4aa9d367..f318f37fd9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -609,7 +609,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -697,7 +697,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -745,6 +744,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1884,7 +1886,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = flask_sysctl_scheduler_op, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:28 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:28 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333105.1595474 (Exim 4.92) (envelope-from ) id 1wWvPY-0003gN-2C; Tue, 09 Jun 2026 12:18:28 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333105.1595474; Tue, 09 Jun 2026 12:18:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPX-0003gG-Vk; Tue, 09 Jun 2026 12:18:27 +0000 Received: by outflank-mailman (input) for mailman id 1333105; Tue, 09 Jun 2026 12:18:27 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPX-0003gA-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:27 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvPX-001fAp-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:27 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvPX-00CfL5-00 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:27 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=haqWkvGU4Vh1W6+tuzrVr7QU/m5kcHq4evUGhMzl/58=; b=yP7RStrEtTxllQ57XrpjFpT9MO cmZQ3CX592DIalvRIhmdIg31iVo+192YxyM/EhgW+Xusmj4iBEd5nFfsId9pbuVG048RALF70ABQ4 HK383orY9RcKqI9ZrnUL2d0coZXkYwG/ZVkgZSVyxWj1Ae0+Tfstuur19yxtBXFw4mOc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:18:27 +0000 commit 82887f1d254b077d765bb008015ddcd5298ca660 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 3545ddd1d0..6d4b4c802b 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -677,10 +677,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f4444b0488..63a390bac4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -682,13 +682,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 941e768dd6..1bd195f6c8 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -172,7 +172,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -680,12 +679,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 5e58ccd260..ae3318e596 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -130,7 +130,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f318f37fd9..ac49a62719 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -699,10 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -787,6 +784,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1603,7 +1605,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1999,7 +2001,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:38 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:38 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333106.1595477 (Exim 4.92) (envelope-from ) id 1wWvPi-0003k0-3d; Tue, 09 Jun 2026 12:18:38 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333106.1595477; Tue, 09 Jun 2026 12:18:38 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPi-0003js-15; Tue, 09 Jun 2026 12:18:38 +0000 Received: by outflank-mailman (input) for mailman id 1333106; Tue, 09 Jun 2026 12:18:37 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPh-0003jl-4h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:37 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvPh-001fAz-1H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:37 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvPh-00CfX3-0I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:37 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Os//IiGCFtL3m5xSTFPrNOZ2TKESXhhCIDHXMGFRgTE=; b=tHN81uu/E6SVXSCqYcLVSlENYx mnnRbVMfR+iqCxx1/q4XvZBTn39kItf8bfXOy9suG/SCXUJD1N8KmkVPiBOL7j1qF0um0keAgzOmt kaow+9kTYeZPPaP2Fz4GZqN0m0EI1zvdOH39Vq/5pYhF8OnVKl/AA/+3MegIQB5w0QqQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:18:37 +0000 commit e3b16b87a2df9419d0a6826cc80e78d26dacf0b0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7a450c87ff..8d002ac914 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -513,6 +513,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -918,7 +922,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7858c9418c..a7f7b2d20b 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1620,7 +1620,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1690,7 +1690,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 63a390bac4..cc28fa24bb 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -401,7 +402,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ac49a62719..064cdec14f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,6 +686,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -705,7 +706,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:48 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:48 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333107.1595481 (Exim 4.92) (envelope-from ) id 1wWvPs-0003sS-58; Tue, 09 Jun 2026 12:18:48 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333107.1595481; Tue, 09 Jun 2026 12:18:48 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPs-0003sK-2M; Tue, 09 Jun 2026 12:18:48 +0000 Received: by outflank-mailman (input) for mailman id 1333107; Tue, 09 Jun 2026 12:18:47 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvPr-0003sE-7n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:47 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvPr-001fB5-1a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:47 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvPr-00Cfc6-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:47 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=p8wMOAvZp38M7hVYYTkXWanqplBEkeeg66FMziGKzH0=; b=ST/YkknQcA1QNXrW0m3veGDoAl ThU9qxE99e4XPd0jJppab27diZEF+HqSDYw2ekNXxjJdbZ+6AjCQgXts+DsKTYZDNj4UzO3fafXX9 8g3P+iQeYOevkCqFggPK5FKqwo4JL1F/xQEeG4OfxtCsdAKQ0SOc2vn4fodAcPS/NeqU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:18:47 +0000 commit 1ea57a5866b0c1bb430159b914a46dcf0c06efe1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8d002ac914..6abe5858fd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -325,6 +325,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -332,6 +336,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index f5850a2607..ab1e07ac99 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -340,15 +340,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -396,15 +396,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index a7f7b2d20b..8b0ee98abc 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1740,10 +1740,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1785,10 +1781,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 8f6708c0a7..7b1252556a 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -575,7 +575,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index cc28fa24bb..d06006cb94 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -405,40 +405,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 1bd195f6c8..4443763295 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -124,13 +124,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -533,35 +526,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ae3318e596..860233e4be 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -81,13 +81,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 064cdec14f..9ab185ff41 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -700,16 +711,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -789,6 +790,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1416,7 +1460,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1446,7 +1490,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1478,7 +1522,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1508,7 +1552,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1989,13 +2033,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:18:58 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:18:58 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333108.1595486 (Exim 4.92) (envelope-from ) id 1wWvQ2-00040e-8I; Tue, 09 Jun 2026 12:18:58 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333108.1595486; Tue, 09 Jun 2026 12:18:58 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQ2-00040W-5T; Tue, 09 Jun 2026 12:18:58 +0000 Received: by outflank-mailman (input) for mailman id 1333108; Tue, 09 Jun 2026 12:18:57 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQ1-00040Q-Ae for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:57 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQ1-001fBD-1s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:57 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQ1-00Cfl7-0s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:18:57 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZVCR5mFuk0ZRGQ4Kvk5Xn/txHWL+Yx9Tljo3G8JmLA4=; b=5nsRPub6+KRiMs4nM+svy0ZI0y gMOxaabrtB2CliVebO+0k54R1W3bMoHM9ObOsLw9zx3GyoN5rhFgGUM33qFYB8C0cBcAY7qO6Skje iiDjLxYHj8M41okquyTaF8Vpw4snlU0oYudLOZxAcaZa1U0VWcIbE98bkQa5Pm/KYoB0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:18:57 +0000 commit fcccf99e5e359017ff461588cbe573fbfc6e34ae Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6abe5858fd..36ef760c2c 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -505,6 +505,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -844,36 +868,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d06006cb94..d45d8b64fc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -170,6 +170,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 9ab185ff41..ae33e324bd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -705,14 +705,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333109.1595490 (Exim 4.92) (envelope-from ) id 1wWvQC-000460-9i; Tue, 09 Jun 2026 12:19:08 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333109.1595490; Tue, 09 Jun 2026 12:19:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQC-00045r-6z; Tue, 09 Jun 2026 12:19:08 +0000 Received: by outflank-mailman (input) for mailman id 1333109; Tue, 09 Jun 2026 12:19:07 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQB-00045l-Dy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:07 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQB-001fBT-2B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:07 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQB-00Cfs9-19 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:07 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ETJ3hePev8DAGM4L8OCAElpHGfNJROEIVIVjsoFpCwI=; b=vnrktP1HPqDQFSCgWwnUTJnw1i JROv4DbwM1TvX4Zr+u3By7OpcW9NAEGu201IhYBiQhR0qcAGVMIlBEXC2vaAnyXVP1QWWIpzlk5EE GVgonGEZG2Zx6TfRcR09IF34yxPDMy1DOfPAqsM6Yesna3hoOaC/S6oFVBbRgWRx2gUI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:19:07 +0000 commit bec5efc03ade5cb10a00f8122f0befe25fe6232e Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 3b99c11b50..1606b26bf2 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm_inline volatile ( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm_inline volatile ( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm_inline volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm_inline volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm_inline volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm_inline volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index 19c0ec63a5..feafc14ebf 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:19 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:19 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333110.1595495 (Exim 4.92) (envelope-from ) id 1wWvQN-00048M-Bl; Tue, 09 Jun 2026 12:19:19 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333110.1595495; Tue, 09 Jun 2026 12:19:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQN-00048E-8U; Tue, 09 Jun 2026 12:19:19 +0000 Received: by outflank-mailman (input) for mailman id 1333110; Tue, 09 Jun 2026 12:19:17 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQL-00047o-GW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:17 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQL-001fBq-2R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:17 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQL-00Cg25-1T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:17 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YQUNIJhYAqyX8YUdkD8g2hYopgZZP8gf6J+D1S89mYM=; b=FKFRuooYZzKoN0mf/nFGyFir3A OlYVofpow/95TL9rhklrpKxZKPgaHP7NL5iy7XFGIRRNG86pD36RtzDykg3eoL02cTauIZ1BsndMg finsvdm4UID56P1KR9TRodsfJODogBz+N0fuWSox0zZcwaz9T05QuwDcaKISkWEmvfOY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:19:17 +0000 commit 8851d2e1089e0df6ee289cc1b18ef5e25739bbcb Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index ec23fd098b..907778683b 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:29 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333111.1595499 (Exim 4.92) (envelope-from ) id 1wWvQX-0004AV-DT; Tue, 09 Jun 2026 12:19:29 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333111.1595499; Tue, 09 Jun 2026 12:19:29 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQX-0004AH-9r; Tue, 09 Jun 2026 12:19:29 +0000 Received: by outflank-mailman (input) for mailman id 1333111; Tue, 09 Jun 2026 12:19:27 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQV-0004AA-JJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:27 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQV-001fBu-2j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:27 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQV-00CgB7-1j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:27 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=84fBbf7WItgoPktn80K5fb0Jp1/F6iXDgBUTSijlh+I=; b=236S15+IMZE+JhkLlrgrap/bLb lZtaH3uNQGPTk1fseyuSLbs3GpZED3bTvgTGCv13r1/M9QPMDDIIQDJg7Xp7QP414vsf0ByJHbAlf WxkTEE0sPUJAjyg/MdixSGnsKyWRoo0ap6TFXpzx70WlYybazG0TSUTn/spmoLfHRe88=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:19:27 +0000 commit 984c082ea93b955349163e0a0a8588139a42185a Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 907778683b..72745cca62 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:39 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:39 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333112.1595502 (Exim 4.92) (envelope-from ) id 1wWvQh-0004Cv-F6; Tue, 09 Jun 2026 12:19:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333112.1595502; Tue, 09 Jun 2026 12:19:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQh-0004Cn-Ch; Tue, 09 Jun 2026 12:19:39 +0000 Received: by outflank-mailman (input) for mailman id 1333112; Tue, 09 Jun 2026 12:19:37 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQf-0004Cg-Lt for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:37 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQf-001fC3-2z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:37 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQf-00CgHA-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:37 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1Ger0BYVGmkXP7nymuEHihonaI6kFiuQAYYt6bg0/qk=; b=ix/2+jZZiuy1f+mTmNh1Puj0aU SaueeAKuRCiDKnnf1CQ4CMAYFvI1bY7kyV2tp5mDgBrBC0fKzasdhjI0zYsnUWCeYS+xvs9ihxgJC os9YPp/UjvTOWGrlG26EDOZqsdtAKZjxpwMH6CLxmm8vuK88aFV8L3vTX+6sPGJy72mc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:19:37 +0000 commit 781ee5198e57df57a6a6c884ade2573d7f363d02 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 72745cca62..25c5762c67 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:49 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:49 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333113.1595506 (Exim 4.92) (envelope-from ) id 1wWvQr-0004Ev-Gq; Tue, 09 Jun 2026 12:19:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333113.1595506; Tue, 09 Jun 2026 12:19:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQr-0004Em-E3; Tue, 09 Jun 2026 12:19:49 +0000 Received: by outflank-mailman (input) for mailman id 1333113; Tue, 09 Jun 2026 12:19:47 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQp-0004Eg-OY for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:47 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvQq-001fC9-02 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:47 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQp-00CgNC-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:47 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ww3wPyZqTbYldLZuLAltGGoASXe30leOKdAt80v3wMU=; b=x7cTLOcenUMI2++NvTs/VMHYen sBqMwRU8xhsPOPClr0jHX9KXm7vIjxEMsLiOxulis1f9oVgJU1obWMsTUURxQ+nCYqQgytyRAX65u pENfkw/CaUw0ObCdLVzc9cu0hMoQ6R348L56Uaxamz7eAfhntbpQt9R5H7dWr9hyfYIM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:19:47 +0000 commit 929883468108e1e1fc7aff4b59b95303e2d8a3b7 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index cf6af68299..dad922c51b 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -467,6 +467,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:19:59 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:19:59 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333114.1595510 (Exim 4.92) (envelope-from ) id 1wWvR1-0004H3-IC; Tue, 09 Jun 2026 12:19:59 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333114.1595510; Tue, 09 Jun 2026 12:19:59 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvR1-0004Gw-FS; Tue, 09 Jun 2026 12:19:59 +0000 Received: by outflank-mailman (input) for mailman id 1333114; Tue, 09 Jun 2026 12:19:57 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvQz-0004Gi-Rm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:57 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvR0-001fCF-0L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:57 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvQz-00CgTi-2a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:19:57 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=azMEolQGLDfZKlkmre5/WwIM2kx0WMg0/COY4wgrbSE=; b=SfzzzcNOut9Wm8FgcHkeYixxXm HRf8NJ0I7f+Mk92EdnOVlPG587xGqZG3L7SyaEcbYL4m4DJDaqzjo4tG0y/SDdrnXJ6wTl4JBoHcr JSSo9WRnXWAkmfzuiEyJD1GphLnRcv1v8T8cv15P+o6h2Q6CP+6NpSLBYTSYJ4a+thXc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:19:57 +0000 commit 3bdb2a4fb88620e00160000591694a4da6a940f8 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 09e676c151..928bca66b4 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 828f42c3e4..10d2b9fe25 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index 7bcbca2b7f..345677eb72 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -104,7 +104,7 @@ static inline void invlpg(const void *p) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 2e087c6257..d2cacdfedb 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -328,6 +328,9 @@ DECLARE_PER_CPU(struct tss_page, tss_page); DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* PAUSE (encoding: REP NOP) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2b23bf2e7a..d02c9862d3 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -535,7 +535,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -543,7 +543,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 37729091df..42bc530c0f 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -828,8 +828,7 @@ static int __init dom0_construct(const struct boot_domain *bd) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -838,8 +837,7 @@ static int __init dom0_construct(const struct boot_domain *bd) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -850,8 +848,7 @@ static int __init dom0_construct(const struct boot_domain *bd) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -992,8 +989,7 @@ static int __init dom0_construct(const struct boot_domain *bd) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index ef4f442e73..d9e52f5f88 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -451,6 +451,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -473,15 +475,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 27628800a8..b37feab3be 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -1063,6 +1063,7 @@ static int cpu_smpboot_alloc(unsigned int cpu) info->current_vcpu = idle_vcpu[cpu]; /* set_current() */ per_cpu(curr_vcpu, cpu) = idle_vcpu[cpu]; + per_cpu(pgtable_vcpu, cpu) = idle_vcpu[cpu]; gdt = per_cpu(gdt, cpu) ?: alloc_xenheap_pages(0, memflags); if ( gdt == NULL ) diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 30d649ca5c..feb09acf75 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -49,7 +49,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -92,6 +91,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -99,8 +103,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -115,7 +117,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -143,7 +146,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -154,18 +157,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 723cb80852..9953197ee5 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -40,7 +40,6 @@ extern bool efi_secure_boot; void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:20:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:20:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333117.1595513 (Exim 4.92) (envelope-from ) id 1wWvRB-0005Gz-Ju; Tue, 09 Jun 2026 12:20:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333117.1595513; Tue, 09 Jun 2026 12:20:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRB-0005Gr-Gz; Tue, 09 Jun 2026 12:20:09 +0000 Received: by outflank-mailman (input) for mailman id 1333117; Tue, 09 Jun 2026 12:20:07 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvR9-0005Gi-UW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:07 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRA-001fCU-0d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:07 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvR9-00Cge3-2q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:07 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WiBjpzjnHIrQTQBabMKiBUa6J76f9ojvCx8Qqj1AamI=; b=uXt/YG19u6dHd+g0okqTqc9V7b pj0b3tW8gK/UGA7M5651LgIMHoWSdMIFw35oL1wEdf84Et3DBUMCbNuADaERR4m8AKmVkB2yfuDgg PL+MgZqMf1Xz0UbzHpTdfYcu9L51oVrfuvKOVexM5p3/9On5MLsLLY/OB9ESq5doXgAw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] Revert local CI adjustements Message-Id: Date: Tue, 09 Jun 2026 12:20:07 +0000 commit 29f3147966c5e17e686291d664d1b0c0ccdae849 Author: Andrew Cooper AuthorDate: Tue Jun 9 13:06:08 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:06:08 2026 +0100 Revert local CI adjustements This reverts commit 1b251cc02a24ed6e5ffdd71bc3f142f9a53551c3. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e85d1fea7a..7974ac4e82 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,6 +20,9 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS + - local: 'automation/gitlab-ci/analyze.yaml' + rules: + - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:20:19 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:20:19 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333118.1595517 (Exim 4.92) (envelope-from ) id 1wWvRL-0005Js-MD; Tue, 09 Jun 2026 12:20:19 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333118.1595517; Tue, 09 Jun 2026 12:20:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRL-0005Jk-Je; Tue, 09 Jun 2026 12:20:19 +0000 Received: by outflank-mailman (input) for mailman id 1333118; Tue, 09 Jun 2026 12:20:18 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRK-0005Jd-Js for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:18 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRK-001fEn-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:18 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvRK-00Cgn0-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:18 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=U5ZFzPl7Bh+aYATKeBuyrwvWISrv07f7NivcU0t6pq8=; b=FK1cm0TFFq/4SJjmZSOMpLAoBT S9t9P7UKjCDYEDfHA11S2b+kwQsGXyWzxBpMcCAo3esV4E5ZYnYevZoWSDBgZZ7diyIciM0PUAgaj 9EqjjwkUIqmpf7mUp1r2bD4s83yeEM/BxXzTKb4HymmntzMa29onhssoVKc5TsxQW+B0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 12:20:18 +0000 commit 24ccd8302e8670b4c824dcb845b01d88a7a14aff Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b3beb2ff9d..4f99f0d0c0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,9 +19,6 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS - - local: 'automation/gitlab-ci/analyze.yaml' - rules: - - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:20:30 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:20:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333119.1595521 (Exim 4.92) (envelope-from ) id 1wWvRW-0005Ls-NX; Tue, 09 Jun 2026 12:20:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333119.1595521; Tue, 09 Jun 2026 12:20:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRW-0005Lj-Kw; Tue, 09 Jun 2026 12:20:30 +0000 Received: by outflank-mailman (input) for mailman id 1333119; Tue, 09 Jun 2026 12:20:28 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRU-0005Lb-Mv for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:28 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRU-001fEt-36 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:28 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvRU-00Cgw7-27 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:28 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+X4mcedIfUrKsdpgrGuqrJaGdDMQzLXzuX2b3Q4K0gI=; b=MoiBPA38cjyYtMpWRHuQRH8rqk jvxmx5bInVgm1m8ViCChrLGtiPAJ/t6jAFaIFZ42aOqHaho/KRhML4+wqkZ9Lu2FUF8cLaIABLymE Wj/UOC68+czgRf175URYFVF5Tr3l9uwEjk0aZNqTqS0zRhesVIseh3CTDVZkgA436PyA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:20:28 +0000 commit 493a937a9b3d2e74bb1dbbb1b6e0085a2a8e2ae6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:21 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 5f01111619..a8bd91c1f3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -656,6 +656,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -677,11 +678,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -690,6 +694,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -697,6 +703,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 495c8fe3b3..660aff134f 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -159,7 +159,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index ba9a08bf54..ef1bbbf758 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -601,6 +601,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index de6ee6c4dd..47ce09331d 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -144,36 +144,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -190,6 +210,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -197,9 +219,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -216,6 +244,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 196fed6d5d..b5a711e067 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:20:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:20:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333121.1595526 (Exim 4.92) (envelope-from ) id 1wWvRg-0005O6-Ol; Tue, 09 Jun 2026 12:20:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333121.1595526; Tue, 09 Jun 2026 12:20:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRg-0005Ny-MF; Tue, 09 Jun 2026 12:20:40 +0000 Received: by outflank-mailman (input) for mailman id 1333121; Tue, 09 Jun 2026 12:20:38 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRe-0005Nj-Pw for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:38 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRf-001fF0-09 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:38 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvRe-00Ch5k-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:38 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QYX1gt06aheKNM8f0aWBTl1JSbs2h2YesFr7bXuj+8A=; b=YUpyvdFxJ9iTOwBJT59S142Au9 GqFRfZKC21vUCkYiUxxmUORYlq86TGvh2XUuJ2kJA0UL0LTykOzzvtZh+Z1HH/zZlRk3NMwfq9Rcp ECQZA6HfzxmJiyp2f+RfhqfPyFpF4HjGm0TgfH5qahee1RiD+K/PCxE4e1+VgrMbXRig=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:20:38 +0000 commit 1927a7e49311cf36d2030b8087dc52b3d7ab6c8e Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index d6296d99fd..f6736c6e43 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -281,13 +281,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -307,30 +312,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index de621eb123..c49bd51a9a 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:20:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:20:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333123.1595530 (Exim 4.92) (envelope-from ) id 1wWvRq-0005Q5-QF; Tue, 09 Jun 2026 12:20:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333123.1595530; Tue, 09 Jun 2026 12:20:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRq-0005Pw-Na; Tue, 09 Jun 2026 12:20:50 +0000 Received: by outflank-mailman (input) for mailman id 1333123; Tue, 09 Jun 2026 12:20:48 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRo-0005Pn-SH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:48 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRp-001fF4-0P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:48 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvRo-00ChFb-2f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:48 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zN5ZG6vAFkospJ2rbmOM3hPrfJUbwMfmAYUr7UWs9/k=; b=Z7EryXFwTyAJP053dgFdcyoxnR 2xzRO/xLWekGTJv4HHAh9i8FjwB/hqtKcXLKJaGqGs7iztm7lVAJRFUteXUCTI+HOh3UNHG6pTeQs uZk92hnhwhrxv/QBQri6k+Pyvanfuhf2W2fcg/zeYgbOmtZbP9ffC4OUv7DqTsic8uto=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:20:48 +0000 commit 634145d777ab416b6db01e28b8d16e42568d1cfa Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 05abb581a0..f9fbc4a8f8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -323,6 +323,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -539,17 +559,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6a2fc33c3b..66d98ff14c 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14d84df9ca..c6faebefcf 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,8 +680,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:00 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333125.1595534 (Exim 4.92) (envelope-from ) id 1wWvS0-0005Sq-SY; Tue, 09 Jun 2026 12:21:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333125.1595534; Tue, 09 Jun 2026 12:21:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvS0-0005Sj-Q5; Tue, 09 Jun 2026 12:21:00 +0000 Received: by outflank-mailman (input) for mailman id 1333125; Tue, 09 Jun 2026 12:20:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvRy-0005SV-Up for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:58 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvRz-001fF8-0f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:58 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvRy-00ChQ3-2v for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:20:58 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3cYY+XgbaopP3KXmvMBtpa0yZJeodD5tuq/WpxL+jrs=; b=B1FDYfyAxMJAVaQIlumHeQB2MD LFs2CcvgbacNg3JHMe1se7DmOA5FH1vsjSB63b4rPpn/CBx5yGfkfxZOgt5FhVXu53vh86jL+EsKd 0bFlG3guV037j9MMy2/LL7PqV90nbZbhBqdYEfdp7FQzqIy1itJXWym05WIfHGv2PkkA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:20:58 +0000 commit c1c16ad1a5553139c263392a28a96977942b9bff Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index d03f3e046f..96833c1715 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -386,10 +386,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -717,6 +722,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f9fbc4a8f8..0badf74793 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -279,6 +279,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -696,6 +725,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -704,6 +735,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -728,19 +761,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -764,6 +793,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index c49bd51a9a..df8828706d 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -530,6 +530,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333129.1595539 (Exim 4.92) (envelope-from ) id 1wWvSA-0005V5-Ur; Tue, 09 Jun 2026 12:21:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333129.1595539; Tue, 09 Jun 2026 12:21:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSA-0005Ux-Rl; Tue, 09 Jun 2026 12:21:10 +0000 Received: by outflank-mailman (input) for mailman id 1333129; Tue, 09 Jun 2026 12:21:09 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvS9-0005Uo-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:09 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvS9-001fFQ-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvS8-00ChWc-3B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:08 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=g+VJxFgW+IX3CSt7owxivxao4YjwqdfSw4T70LP/j/s=; b=SQRgoMvLjwJu0yJY9lD4pVtLMP xM/tOmXUT0QNfSo4gUL8fHWBQNYLKmTUSi6wgMJHi7rFqpElOel9Fc/EhIc5hkn0ItDNj/m30RBGT bFx6J3x1fZOD08adtnzyJRldE/51D9pJM9n8du17CMz/XgmzbPWqTxIW6tUxMkXJgkV4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:21:08 +0000 commit aa133b1b9d25204e5b0a5fba45098f4d38f8ba37 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index a8bd91c1f3..d470bbd0d2 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,6 +226,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -235,6 +237,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -641,16 +645,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -711,6 +712,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index e0c320e165..769b2a64b6 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2273,9 +2273,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:21 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:21 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333130.1595543 (Exim 4.92) (envelope-from ) id 1wWvSL-0005XP-0R; Tue, 09 Jun 2026 12:21:21 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333130.1595543; Tue, 09 Jun 2026 12:21:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSK-0005XF-TA; Tue, 09 Jun 2026 12:21:20 +0000 Received: by outflank-mailman (input) for mailman id 1333130; Tue, 09 Jun 2026 12:21:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSJ-0005X5-3x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvSJ-001fFr-1C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:19 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvSJ-00Chfd-0E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:19 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xT/Viln//vq8s8crDVB/lisu9/xcv0yrTfiBZtpegJI=; b=nfPqEvsFcib6KG7b5Gb0fwD526 LS4kA2i2QIXoQ1e1dqVEWLqYFjUjH7L4r9O0hYV6+VRh+BN+Fos1HDnnYKhXTeSk+yNNAyKZuhK6+ WuEMSyrKrLLG88//hwTGm2mE1fsVYdb6CVo48Okf2IcJvDcQb/Y46wvvlLICEs/aJhhI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:21:19 +0000 commit 2a50079f71d32451671703e9b70aa04c9a3e5304 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index d470bbd0d2..4d680a9fa5 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -260,16 +260,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -572,20 +573,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -598,23 +606,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0badf74793..a31a026ecd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -704,6 +704,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -711,6 +714,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:31 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:31 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333132.1595546 (Exim 4.92) (envelope-from ) id 1wWvSV-0005ZS-0t; Tue, 09 Jun 2026 12:21:31 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333132.1595546; Tue, 09 Jun 2026 12:21:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSU-0005ZK-Ub; Tue, 09 Jun 2026 12:21:30 +0000 Received: by outflank-mailman (input) for mailman id 1333132; Tue, 09 Jun 2026 12:21:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvST-0005ZE-6g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvST-001fFv-1T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvST-00ChpY-0U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=W5uhzEQnEVBMs/JMitWG+jwS895A66bsySNW4nlh3GU=; b=OjX/1bLQ2qVqr1Q24DLnJcR9Jf JGtt+cZUOn4DPTiLOBftybYaNOt/7ht1KrjSzHDZktCAO2OBkKuWpfjvsOjp2SHOKO4wm6XblwapD tXXWVXeGqtzomOL5fui14qcLzKVeN54bYRjdNne3h9nIi90DjTIPpolBPkqiiN7h6Fy0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 12:21:29 +0000 commit 724f4f49d68aeb1d2b9e153b887121aedc59e90f Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index b002eb2072..1f0ab9d177 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 66d98ff14c..04062a5f01 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4dbff9d866..41d3070570 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -116,6 +116,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -503,6 +505,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c6faebefcf..0c54407f75 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1932,6 +1932,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333135.1595550 (Exim 4.92) (envelope-from ) id 1wWvSe-0005bf-2M; Tue, 09 Jun 2026 12:21:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333135.1595550; Tue, 09 Jun 2026 12:21:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSd-0005bW-Vw; Tue, 09 Jun 2026 12:21:39 +0000 Received: by outflank-mailman (input) for mailman id 1333135; Tue, 09 Jun 2026 12:21:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSd-0005bQ-9L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvSd-001fFz-1k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:39 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvSd-00ChwS-0l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6ijcHb7OEfOENzpL4cF3GKSyUO6ULVx5gxAcANIbcRg=; b=zYLJ9TMGZqS2ty12WKJ9zwMWBr N4J3V4G3yiX0zlOQ2NeiM+bgqKCAJGsg4s7rwj8tZxUWlwsGy6vUPcRmFUBdg6vB1XE/NMtyA9zmM u8zhCDAPEWsz0uiYfTYLywW853Y5hMoSuLwGpVpVB21IqZxFuF17WO2frGo3Ewr8zkoI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:21:39 +0000 commit e701842f7dbfa404dfc22732c69604d08161e19b Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a31a026ecd..af54577bb8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -367,6 +367,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -745,64 +805,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 04062a5f01..1a8d692245 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0c54407f75..ae0e5c06a1 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -689,7 +690,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:21:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:21:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333136.1595554 (Exim 4.92) (envelope-from ) id 1wWvSo-0005e8-53; Tue, 09 Jun 2026 12:21:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333136.1595554; Tue, 09 Jun 2026 12:21:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSo-0005e0-2O; Tue, 09 Jun 2026 12:21:50 +0000 Received: by outflank-mailman (input) for mailman id 1333136; Tue, 09 Jun 2026 12:21:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSn-0005ds-CG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvSn-001fG3-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvSn-00Ci21-13 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PX8rW84M6YugJ8ZLLLQUZBm+BRpbK5xiW4kQlWlKivk=; b=ULVpfQ254XwZo1Q0WM52gAp8nI mhSiRoLMxicuK5Z3wFZQxkYiYihjb52V3cvG8hOaKb6jlPRIT4RNyWvNJQqSwstVEOswqstwViYd5 L5byUX0HFBeGyIIugywMyANM9W/nqQfhSla2ZReLymY4c5uTkZXMZqHHmMNW6cAdcJT0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:21:49 +0000 commit f7ec26e3b703c509012a8937a32bc9be10223323 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 4d680a9fa5..585a8a7601 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -656,12 +656,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index af54577bb8..3bd55e76f6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -427,6 +427,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1a8d692245..8a2c48ec14 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ae0e5c06a1..aaa42f083c 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -700,7 +701,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:00 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333138.1595558 (Exim 4.92) (envelope-from ) id 1wWvSy-0005gI-6P; Tue, 09 Jun 2026 12:22:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333138.1595558; Tue, 09 Jun 2026 12:22:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSy-0005gA-3k; Tue, 09 Jun 2026 12:22:00 +0000 Received: by outflank-mailman (input) for mailman id 1333138; Tue, 09 Jun 2026 12:21:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvSx-0005g4-FK for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvSx-001fG7-2K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvSx-00Ci9c-1K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:21:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Nt9MYN+mQY/YzeH75aL15Czzb0rDgldRVxVbRPlSmkg=; b=fG4bg82PG3iXiiEm/wefT95mEQ EiJJCkvp6IvP/wbr2fm3Pxo249CirBFd5+jabzh0ibmoOXvorDGk/zH6fEGWfGpHbXJgIiCRCfdPW UygLMlT0V7VETLhmoy8qOp29oQNgvIDmU7sOAeLxl/Ejy+3oB/X47500bd3V6MPGhJ/8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:21:59 +0000 commit 4e53d41bee5d2f9b67b0234e3bda20496b289694 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 585a8a7601..77e612796f 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -568,7 +568,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -606,7 +606,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 3bd55e76f6..966e5dce7a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -428,6 +428,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8a2c48ec14..8d9eecd6af 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index aaa42f083c..0695c0dcf4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,9 +681,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -694,9 +696,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333139.1595562 (Exim 4.92) (envelope-from ) id 1wWvT8-0005iT-7o; Tue, 09 Jun 2026 12:22:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333139.1595562; Tue, 09 Jun 2026 12:22:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvT8-0005iJ-58; Tue, 09 Jun 2026 12:22:10 +0000 Received: by outflank-mailman (input) for mailman id 1333139; Tue, 09 Jun 2026 12:22:09 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvT7-0005iD-Hu for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:09 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvT7-001fGS-2b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvT7-00CiGq-1c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:09 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NIY4Yy8Mw4xz+fA7N02VwimIP3zGOLyoR7g6H/sdqhA=; b=YECXMx3kGY4aveL0KBcdttVW5x 38i7/U6rJM0hFUy74ytEA/w0hzZrybbKk2lSN4R11oap3pvgQ6VEuXTlXAoNQxztWAPLhens4v7rA dwj6cTwJfVWbEzjeGKzjqjHf4qij/TT5DLOlYjB4lcWsIvF0YV8w82Jg+MGNUFjwx2P8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:22:09 +0000 commit 1a7b04ab0efff2c666561bbfa6a3c0b2d15210c5 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 77e612796f..c772f1f788 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,12 +226,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 966e5dce7a..38415ec243 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -367,6 +367,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -427,6 +455,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -786,31 +815,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8d9eecd6af..2a00a438c8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0695c0dcf4..5042f7e958 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,7 +683,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -692,14 +694,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:20 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:20 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333140.1595566 (Exim 4.92) (envelope-from ) id 1wWvTI-0005kj-8z; Tue, 09 Jun 2026 12:22:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333140.1595566; Tue, 09 Jun 2026 12:22:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTI-0005kb-6R; Tue, 09 Jun 2026 12:22:20 +0000 Received: by outflank-mailman (input) for mailman id 1333140; Tue, 09 Jun 2026 12:22:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTH-0005kU-Ke for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvTH-001fGo-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:19 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvTH-00CiOO-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:19 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IFiggksHlT26Eujky4D492JvFmGo9b37oo+z6Nu2Yjw=; b=A6nOMzOJ7fa/uDaG9uRSnFtWhF cnZihs7e0zMGe9jaMGp0SVuwjL+fq/2c1FXyZleM6CejBSJ6YoYjyc9xxtZdvNru/+XID6YhDwPc8 KUB4ILtpYuWBH5lrv048GQUrAEzf2oLxtRl2nwAdHobkSyHgWpGXLZzdZ6Z3No3Q0VXk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:22:19 +0000 commit d1ffc533650b6f61f5ccdbdf1591143e59feb651 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f) --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index c772f1f788..3b92690f23 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -265,10 +265,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 38415ec243..a0f816df55 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -455,8 +455,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -788,33 +821,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2a00a438c8..0b4e1ee9be 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,9 +169,11 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +563,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 5042f7e958..28c681eb34 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,9 +683,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -693,14 +695,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:30 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333142.1595569 (Exim 4.92) (envelope-from ) id 1wWvTS-0005nN-C0; Tue, 09 Jun 2026 12:22:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333142.1595569; Tue, 09 Jun 2026 12:22:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTS-0005nF-9M; Tue, 09 Jun 2026 12:22:30 +0000 Received: by outflank-mailman (input) for mailman id 1333142; Tue, 09 Jun 2026 12:22:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTR-0005n9-NZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvTR-001fGs-39 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvTR-00CiVX-2A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Pi3NYbayX0gFqGwkwzpP0Bj/jrkRXQA9x2ApmpvkCAI=; b=NV47TsKVTkF8cMOEvFVigp807p h/C/IIznh4ofLgex6G+1KgSZvI8+Hy0Z7sj8ErcavaSPgMqoLHsrcLArXBl9VybKohOC9RQx9twb4 Sy27H0/B5JHX98xfGT8i67Ny8HHPki3hsTFi2qg+lxwu+Szh7Zv7Nya+vgA+3pPAYOWY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:22:29 +0000 commit c51d9a3f89cb85bac46750916a2d48c6fe58af37 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a0f816df55..1bff00c50d 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -487,6 +487,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 1666ff615f..7aea0a78b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0b4e1ee9be..3f38138856 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -651,13 +651,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 41d3070570..ae3af5510d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -153,8 +153,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -633,12 +631,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 28c681eb34..8fb3a08682 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -696,7 +696,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -790,9 +789,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1359,11 +1357,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1951,8 +1944,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333143.1595573 (Exim 4.92) (envelope-from ) id 1wWvTc-0005r0-DR; Tue, 09 Jun 2026 12:22:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333143.1595573; Tue, 09 Jun 2026 12:22:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTc-0005qs-Ak; Tue, 09 Jun 2026 12:22:40 +0000 Received: by outflank-mailman (input) for mailman id 1333143; Tue, 09 Jun 2026 12:22:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTb-0005qk-QD for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvTc-001fGz-0D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:39 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvTb-00CifM-2R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cGV6AkVKYUe0gfmmxXazQ45BYrhNkRSupauw9n1CeIw=; b=Qc50fWwZhq0ugwBRABIJwa9hBX h43esLiktLjMDIWQWwXqwRcsi+0D14a8AisuSVgwAT4tubywi9YZZWZSZzXohwuP07WDcHRnuo4To CQOJh5Rx2aHDH2dtxU2ycNkYYYBGTs8bCOyI8W+AmrprchnEIyfIXZmdmXsdFeNw/DzE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:22:39 +0000 commit b8193cc781106a1fbc032c7cb9cce8a357ec44f8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index c77f4c1dac..76a2e3114f 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1bff00c50d..601626f061 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -517,9 +517,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3f38138856..fde5da4e41 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index ae3af5510d..cf70ad630d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -59,7 +59,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -248,9 +248,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8fb3a08682..9916520f03 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -665,10 +665,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -678,7 +677,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -852,7 +852,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:22:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:22:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333146.1595578 (Exim 4.92) (envelope-from ) id 1wWvTm-0005t9-Et; Tue, 09 Jun 2026 12:22:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333146.1595578; Tue, 09 Jun 2026 12:22:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTm-0005t2-CC; Tue, 09 Jun 2026 12:22:50 +0000 Received: by outflank-mailman (input) for mailman id 1333146; Tue, 09 Jun 2026 12:22:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTl-0005sv-TI for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvTm-001fH6-0V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvTl-00Cikk-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cpBtu+dsQmNbn4v69NFtJhGa1fuvy5W9t41W0uwg5gI=; b=SiBNeuSEfwfVsPUJbLBA2l2vX9 ieLPrpIim99BaiA+sJ9DN0Exd4ntDPIkhh6rKOu0xvQixYUWwVjp6fjzHQSV3plaTSqCgvF2Dn2sd A2Ves0dSkg3+zQoTh1Qvugcbr5TFI5agFykzijERAato88S7cEWilaxxQbJ1EGGlelE8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:22:49 +0000 commit 13865d78c32a36ed914ce71c1283988cd4fe5542 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index f6736c6e43..6cba57dba5 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2056,10 +2056,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index fde5da4e41..c18bfbd046 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cf70ad630d..93d924e13c 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -230,12 +229,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 9916520f03..383bf47c63 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -609,7 +609,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -694,7 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -742,6 +741,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1870,7 +1872,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:01 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:01 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333148.1595582 (Exim 4.92) (envelope-from ) id 1wWvTx-0005vK-GN; Tue, 09 Jun 2026 12:23:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333148.1595582; Tue, 09 Jun 2026 12:23:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTx-0005vC-Dm; Tue, 09 Jun 2026 12:23:01 +0000 Received: by outflank-mailman (input) for mailman id 1333148; Tue, 09 Jun 2026 12:23:00 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvTv-0005v5-W9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvTw-001fHL-0n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvTv-00Cir9-31 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:22:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3id/Fn34oVX2BhIDoeXD1HjTKb8g9iqaltixrceP5Kc=; b=w9v/tLB1/7tuQ13qoNGOxGrDof XK66BN03ACKK2mGOM/bGuin1Uj8hG2a7DdcAfvH9nQZn/SOdzyBYjnoqCK5oM8Q4IgDF4VSguyXr/ 8gqH3nANhhh8erkAmnvxQtGmU6ZBGOWqK2eDN5vtnccXZmt9sbKLLA6Vwc/9wzIs1gyI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:22:59 +0000 commit 5f17064d10ae1b8105449da73176a9e760c0e1a7 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 76a2e3114f..e29263752a 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c18bfbd046..2a5d14d6bf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -681,13 +681,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 93d924e13c..800bffc314 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -168,7 +168,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -656,12 +655,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 383bf47c63..e9cdc45456 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -696,10 +697,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -784,6 +781,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1594,7 +1596,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1979,7 +1981,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:11 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333152.1595586 (Exim 4.92) (envelope-from ) id 1wWvU7-0005zn-LR; Tue, 09 Jun 2026 12:23:11 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333152.1595586; Tue, 09 Jun 2026 12:23:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvU7-0005zf-Ic; Tue, 09 Jun 2026 12:23:11 +0000 Received: by outflank-mailman (input) for mailman id 1333152; Tue, 09 Jun 2026 12:23:10 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvU6-0005zZ-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:10 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvU6-001fHe-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:10 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvU6-00CixB-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:10 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9aBif9O0e1AYOsINMmzJWmpMDaVcRXSp4xxJsmeeqkQ=; b=i2gtVNhbh+Nv9eCJVEiiePhHdF +Qaq1XctfWKzcfhzpGZIJMkmZPCnX4brWvun5QNPvQbT5fUgUemWJeupSiKp5Hj3ANJJrUzC4MNX6 QFFh/IA+8vGxucIQb6Q1pUSvIX4cJ/5yi63yGIvrWioLKkyYnA9iu5MY2LNgkTVhncHo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:23:10 +0000 commit c720b158d90c77ca629d9a60ae1ad69f46c3eb63 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 601626f061..bc46dce585 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -504,6 +504,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -927,7 +931,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7410dfdfcb..f41ba30426 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1626,7 +1626,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1696,7 +1696,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2a5d14d6bf..1129b2ffc6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: @@ -400,7 +401,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index e9cdc45456..5561e0e8fd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: @@ -702,7 +703,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:21 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:21 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333153.1595589 (Exim 4.92) (envelope-from ) id 1wWvUH-00064g-Mb; Tue, 09 Jun 2026 12:23:21 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333153.1595589; Tue, 09 Jun 2026 12:23:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUH-00064Y-K2; Tue, 09 Jun 2026 12:23:21 +0000 Received: by outflank-mailman (input) for mailman id 1333153; Tue, 09 Jun 2026 12:23:20 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUG-000630-5o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:20 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvUG-001fI5-1O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:20 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvUG-00Cj2Z-0P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:20 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EcncEZEFvOIgkJiRHY9r0QVYnRX1p90NqmBJSKhZ5Hs=; b=Yi0ly0MzzHvOIhYXPdsbkQtQ8U USr8DHoy59OsTuYxYiOMSa0A5XvWlqsK9XOhkIveCTVbXaSM+fhgNb4NUc/aaj3RitMPhbm3Hwevj JFqNCeCq7Yp7xHvGLB3NerXBVf6NgR2aJCMJCrIRH/s/ndKPpZRq4V9qH+f3W27/VBjU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:23:20 +0000 commit 324d0ee554943e774f8cc021ed259354b33fac1e Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index bc46dce585..8dc4f48876 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -331,6 +331,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -338,6 +342,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index f41ba30426..494840681e 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1746,10 +1746,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1791,10 +1787,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index e2d392d1e5..ee8fc0b784 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -567,7 +567,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1129b2ffc6..485cb70ca7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -404,40 +404,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 800bffc314..c7b3f1f618 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -122,13 +122,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -513,35 +506,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 5561e0e8fd..49baa6dc0d 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -697,16 +708,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -786,6 +787,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1407,7 +1451,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1437,7 +1481,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1469,7 +1513,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1499,7 +1543,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1969,13 +2013,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:31 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:31 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333154.1595594 (Exim 4.92) (envelope-from ) id 1wWvUR-00066p-O7; Tue, 09 Jun 2026 12:23:31 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333154.1595594; Tue, 09 Jun 2026 12:23:31 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUR-00066h-LW; Tue, 09 Jun 2026 12:23:31 +0000 Received: by outflank-mailman (input) for mailman id 1333154; Tue, 09 Jun 2026 12:23:30 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUQ-00066X-96 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:30 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvUQ-001fID-1i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:30 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvUQ-00Cj8g-0j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:30 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FXhW/3BaBv7vvrmUX/22DSvvPh1CaSAvoFjFF9otJy8=; b=3l2EG7a5aeKqWgAH7pxeCk0hpX XVFotwPWWVg1+8V31THDCPEU6OCE60Os4iOUNbAG228Htf8opJKqEHyPy8Q7epupGMgm4FS1D3il2 JwThfAu4kNCzNq+vJWjbK90fronhlBDEI0KWDTmHTAoGt/I4F37QFe+nXPu/RRHfJHLU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:23:30 +0000 commit 4fab10041498a08e38d68d6ad8d043000accb80b Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8dc4f48876..a186d145e8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -853,36 +877,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 485cb70ca7..ec377ed9b2 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -169,6 +169,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 49baa6dc0d..2c3bab1d18 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -702,14 +702,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:41 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:41 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333155.1595598 (Exim 4.92) (envelope-from ) id 1wWvUb-0006BU-Pk; Tue, 09 Jun 2026 12:23:41 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333155.1595598; Tue, 09 Jun 2026 12:23:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUb-0006BM-Mx; Tue, 09 Jun 2026 12:23:41 +0000 Received: by outflank-mailman (input) for mailman id 1333155; Tue, 09 Jun 2026 12:23:40 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUa-0006BF-C6 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:40 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvUa-001fIK-20 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:40 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvUa-00CjII-11 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:40 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CGJRHe+VoaK7dK0E62dsHs2gtza7++QlPxhBBQ8sXQU=; b=6/8SPWaHVkZruwjmnIvKYjLt/a rDLE6PAjOD4VOPgx9+iYhWPP8z7AtPZ8CLc2rdUfBgJ/d4b1LqB2f8mRK7QKs0Hp9zpt3PISUCpfJ lRyUXeydP3fQboesw1lguvAQgwNgSOSE2veW6hoPg0eovaRU/SUYOzprTTTLEpNXopY8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:23:40 +0000 commit c411e33d8c232e21ebbd447a3d101e212829aa08 Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index 19c0ec63a5..feafc14ebf 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:23:51 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:23:51 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333156.1595602 (Exim 4.92) (envelope-from ) id 1wWvUl-0006HD-SX; Tue, 09 Jun 2026 12:23:51 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333156.1595602; Tue, 09 Jun 2026 12:23:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUl-0006H5-Q0; Tue, 09 Jun 2026 12:23:51 +0000 Received: by outflank-mailman (input) for mailman id 1333156; Tue, 09 Jun 2026 12:23:50 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUk-0006Gr-Ez for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:50 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvUk-001fIO-2J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:50 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvUk-00CjPD-1J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:23:50 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=juPQkXuHRXFE3uwt7jwdLz8caHpYVqIVq18okQ4D7U0=; b=oTaWYJft5q99weToY9jQH0TVKJ pM4vSq8QxzlH63nWH0LW4RlPHAoDakrk6qJ5p9pRMPY4hfLFWmHJodWepcL5VIjgMxxdKCqesw4ul 0xxWr3yh6CGf2+ggW5DvMVkIu2OdtU2OeacRiFCWFlnp/dhuUXYoukuxTGuiI5vAyay8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:23:50 +0000 commit c8fbbdc7ecb89b71c62d2b53ef290413285ee52c Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index ecf7f2e859..e344715082 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:01 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:01 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333157.1595605 (Exim 4.92) (envelope-from ) id 1wWvUv-0006Jg-U1; Tue, 09 Jun 2026 12:24:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333157.1595605; Tue, 09 Jun 2026 12:24:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUv-0006JY-RN; Tue, 09 Jun 2026 12:24:01 +0000 Received: by outflank-mailman (input) for mailman id 1333157; Tue, 09 Jun 2026 12:24:00 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvUu-0006JF-HZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:00 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvUu-001fIW-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:00 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvUu-00CjWI-1a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:00 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TB/nxLnoOFJVS79jntiyLfcC0cti9UcDn8FSPUkFTOM=; b=EGF/xiacvTcJ0kjKuyrp0Vfyi2 fqKzE+hc073CYx/iuqIMN4zH5gkx5Syan2fS8vIu5QM2iq63D1mWwptbL+hjyPOcfFQQvWXt1rIzX 88oBapLDCFT+pQWuywq23mt258dpl4qFh4l/DI3JNH9Tuqt+K4++cmhq81onhs+Pxw0Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:24:00 +0000 commit ff6ee97f42a6663388fe903d7613534a244a2ed0 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index e344715082..1f8b2184fa 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333158.1595611 (Exim 4.92) (envelope-from ) id 1wWvV6-0006NA-0E; Tue, 09 Jun 2026 12:24:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333158.1595611; Tue, 09 Jun 2026 12:24:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvV5-0006Mx-Sp; Tue, 09 Jun 2026 12:24:11 +0000 Received: by outflank-mailman (input) for mailman id 1333158; Tue, 09 Jun 2026 12:24:10 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvV4-0006Mm-K9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:10 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvV4-001fIm-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:10 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvV4-00Cjdp-1q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:10 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8kWr3J3wkmGTCwqnvpreEz0q7iyx82ztCWw/HMjc13M=; b=6pIq6eVueYOWrLs2cVCfmagklG 0/EFg7D8V1oaw5coxnJqRV3HCpJBt/4Ws/HCdrWXVVZ9Q8CJyaeq59hTPs10sxqrB62oEZlFw8BkY xYEyS+7TG73WPy7Cd2OZS6R6MBQkVvp7niiycpOH3SU0zAZYZCE8Zl5dZl/sgbf030YM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:24:10 +0000 commit d84ac74f8bc587b4aa04974a9f7f2a8fe837d838 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 1f8b2184fa..2405616534 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:22 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333159.1595614 (Exim 4.92) (envelope-from ) id 1wWvVG-0006Rf-0O; Tue, 09 Jun 2026 12:24:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333159.1595614; Tue, 09 Jun 2026 12:24:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVF-0006RX-UB; Tue, 09 Jun 2026 12:24:21 +0000 Received: by outflank-mailman (input) for mailman id 1333159; Tue, 09 Jun 2026 12:24:20 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVE-0006RI-Md for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:20 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvVE-001fJ6-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:20 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvVE-00Cjim-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:20 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fRhqPu0uUklvmz5qt0qqkYaxxbV2pSws1j7NdDppFdw=; b=UKw3UB8swM2T2k3gPem1L6c+Ue kzXGIP308dSs4gW5VPiRn6NNnEb8ue4t4ER51qO7ywLE6KBBUpRb4+Js76YycvbAEixBT7HO9BTci WY/yFMw+rrawAHOg1vcXp9tWiMlcn0zQQlxmnRWBoJBq1eQF5ioM70uvxpeZrzirAAQU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:24:20 +0000 commit 08ea7c4416ce45240871806cf41f070f9e890654 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index a26d3e1182..a89995545f 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -467,6 +467,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:32 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333160.1595618 (Exim 4.92) (envelope-from ) id 1wWvVQ-0006Uy-1v; Tue, 09 Jun 2026 12:24:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333160.1595618; Tue, 09 Jun 2026 12:24:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVP-0006Ur-VZ; Tue, 09 Jun 2026 12:24:31 +0000 Received: by outflank-mailman (input) for mailman id 1333160; Tue, 09 Jun 2026 12:24:30 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVO-0006Uj-Ps for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:30 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvVP-001fJC-0A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:30 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvVO-00Cjqg-2Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:30 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M7vqyggzrxjukkIfYFBuize+IZFyUB0x4YpK0jlPlXk=; b=4rySoHoUtzT3zD8183R70MsaXJ FYiOa2+8eVDUK2ZKLa/AZNKJOIyxC/Qxb55XVFZYUrc+uDkx5I+x6r2Y/PZvBKdd4uBc0L8sD5294 nXA5yyY4f9XmDIYbkDm3tKdiSmLUOiSoW/MMvAwNabVoXdkuC5XtOHIYQ+7UE9vPZWrk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:24:30 +0000 commit 2653b35edb56af4fe5b677d473a89d6233afeae2 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 65be0474a8..16f1fab5c5 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index b79d6badd7..f0370bc7bb 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index bb0ad58db4..75e291d93b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 98734f4d3f..4b52d68a6f 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -375,6 +375,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 3430b13dcd..23496407f2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -542,7 +542,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -550,7 +550,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 5bc59b48a5..7ce82f199b 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -836,8 +836,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -846,8 +845,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -858,8 +856,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -1000,8 +997,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 745c1dbb21..0f45ccafc2 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -449,6 +449,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -471,15 +473,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 8742e30561..fc0761150f 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -330,6 +330,7 @@ void asmlinkage start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 7e1fce291d..af7f96fb7d 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -47,7 +47,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -90,6 +89,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -97,8 +101,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -113,7 +115,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -141,7 +144,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -152,18 +155,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..356be1705a 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -42,7 +42,6 @@ static inline bool efi_enabled(unsigned int feature) void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:42 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:42 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333162.1595622 (Exim 4.92) (envelope-from ) id 1wWvVa-0006Xi-4h; Tue, 09 Jun 2026 12:24:42 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333162.1595622; Tue, 09 Jun 2026 12:24:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVa-0006XY-1x; Tue, 09 Jun 2026 12:24:42 +0000 Received: by outflank-mailman (input) for mailman id 1333162; Tue, 09 Jun 2026 12:24:40 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVY-0006XS-So for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:40 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvVZ-001fJG-0T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:40 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvVY-00CjyS-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:40 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0rjiaPNn40TKTQ9Q9+Ge4aWbeBF94ma7ujKzclPOm7k=; b=uW0PhqQO/KIOlaj9u98B1o2Gqv yHWL4VYoN19Mx0D42mnaGKi26MnkeIe1XB1bb1ORyjWcBPmaFFEwDj46xykVX0pnFX8+C8Y0E3yvm y231HkMyg1f0rwS3UCdqhhBkhYVERqqZBj7DhhDiO/1zv7qeTfvoL4UxuMPfh16ewcVk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 12:24:40 +0000 commit 0953c1890794c849771b4bd6e061a30a181d5c23 Author: Andrew Cooper AuthorDate: Tue Jun 9 13:08:15 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:08:15 2026 +0100 Revert local CI adjustments This reverts commit 24ccd8302e8670b4c824dcb845b01d88a7a14aff. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4f99f0d0c0..b3beb2ff9d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,9 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS + - local: 'automation/gitlab-ci/analyze.yaml' + rules: + - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:24:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:24:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333163.1595625 (Exim 4.92) (envelope-from ) id 1wWvVl-0006dG-5q; Tue, 09 Jun 2026 12:24:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333163.1595625; Tue, 09 Jun 2026 12:24:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVl-0006d9-3I; Tue, 09 Jun 2026 12:24:53 +0000 Received: by outflank-mailman (input) for mailman id 1333163; Tue, 09 Jun 2026 12:24:51 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVj-0006by-Ij for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:51 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvVj-001fJM-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:51 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvVj-00CkAz-1g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:24:51 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Y9z4J6bonEEzlBF4oYKoPYcTW6DNBXHsZvpe/ig02jU=; b=WZmlaYpasMvtuIMlYRuoFqmLrp v/3hu38SLM9gHVO2c3p4Nci0hjuGLtHHhVfHy/CaH5omEkkzpsn3XkKlpWEVMCr9wSg8gRgJsyorC RxiTOx7JC9PPYtOb1QDxGxsviZ1YLdNJRTo6CvNntoBWGYrGrppyRgp0XqXVojCmpyoU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 12:24:51 +0000 commit e1eae714bf3d130f810f715bec1e08d6faa6ea3d Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:41:00 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b2fcf6c28f..716c3c5cdb 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -15,6 +15,5 @@ stages: - test include: - - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333164.1595630 (Exim 4.92) (envelope-from ) id 1wWvVv-0006fT-81; Tue, 09 Jun 2026 12:25:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333164.1595630; Tue, 09 Jun 2026 12:25:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVv-0006fL-5A; Tue, 09 Jun 2026 12:25:03 +0000 Received: by outflank-mailman (input) for mailman id 1333164; Tue, 09 Jun 2026 12:25:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvVt-0006fD-Ld for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvVt-001fJT-2y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvVt-00CkFe-20 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qYsHQFSAwRhr/MRLRG1HjlI7qpXXPTUUXstSIvXEbrY=; b=DPlI/tpA6Ijp9+VJhdicV0r3Dw XgQ9dN5WlysI9OO4/HlSVhZdoFcGXx67WT37eGXkKOMpEQ8vEPz0o2wuyPCxkC7Cv6Wl2CqAyNb8j kKvWUMebN2ECItMexNncUaPed3ZZU+GW5oFrUd4isOgfXg7Vtflmx4x3nexMdBbVmd5s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:25:01 +0000 commit 792e70b85f23029f36e2457cd837db45aa7b64dd Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:26 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:41:00 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 8066f28e9d..35d7332d87 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -623,6 +623,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -644,11 +645,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -657,6 +661,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -664,6 +670,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 03e40ab9ff..4dde6a7b4a 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -159,7 +159,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 7c5a5314ba..232563a3f3 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -601,6 +601,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index de6ee6c4dd..47ce09331d 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -144,36 +144,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -190,6 +210,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -197,9 +219,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -216,6 +244,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index ddf9f8b831..32b50b4194 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333165.1595634 (Exim 4.92) (envelope-from ) id 1wWvW5-0006iX-9T; Tue, 09 Jun 2026 12:25:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333165.1595634; Tue, 09 Jun 2026 12:25:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvW5-0006iP-6f; Tue, 09 Jun 2026 12:25:13 +0000 Received: by outflank-mailman (input) for mailman id 1333165; Tue, 09 Jun 2026 12:25:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvW3-0006iH-Oa for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvW4-001fKS-02 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvW3-00CkLI-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5gg+e/bkvMWttSm9kbUaAsmJ+Jwrt4Y7QXhp0u5HBQ4=; b=4mu8Xdq6cUlnr7Jeb579q0QbXb rlfXAf8IKQK5cTIhkiPaodu5kxM886xr0V9ClikvzkYp7YmhsLlu2k58BPEo4StG0QO5HTKb06Btk oN3Wi481blCAPltW5WnypgB0JIhEWegaO2zZ3DDs4vkgJzFvXnA78kXbilnqazNZiOxE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 12:25:11 +0000 commit 0ac39241895cdee87953dc7f830884c2f5123196 Author: Juergen Gross AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:38 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ea16b75910..444e072fdc 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -539,7 +539,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) break; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index d02f44fe3a..c2d99ae12e 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7956f27a29..f8a3c4b81e 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333166.1595638 (Exim 4.92) (envelope-from ) id 1wWvWF-0006kr-B4; Tue, 09 Jun 2026 12:25:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333166.1595638; Tue, 09 Jun 2026 12:25:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWF-0006kk-85; Tue, 09 Jun 2026 12:25:23 +0000 Received: by outflank-mailman (input) for mailman id 1333166; Tue, 09 Jun 2026 12:25:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWD-0006kc-RR for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvWE-001fM4-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvWD-00Ckbw-2X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/hgixHXUI1FsDQ4qIADDFr/UK8+4UD9Z/S2fT8w0pK8=; b=OIiKDnsqVQ6hspJTphJfVCWT1G ZcExLqhTwSq58FXqsn8I875sGwBCwEETvR1wE8kz1u8tEJcghKHs2z6v6tHmc1IBwXlNyxB3hD6Tl 2wDZtFFjVpih1AAubOnw/NQz7H2h+ldvqk1b9qbGT/sOn5oRN+1hc8wymPjl4fvlaiEw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:25:21 +0000 commit 27e32cc10055a313b41c337d7562609109b42f2b Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c466711e9e..6477ec3455 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 2a83b9dacf..88dc27024b 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333167.1595641 (Exim 4.92) (envelope-from ) id 1wWvWP-0006nS-E3; Tue, 09 Jun 2026 12:25:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333167.1595641; Tue, 09 Jun 2026 12:25:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWP-0006nL-BY; Tue, 09 Jun 2026 12:25:33 +0000 Received: by outflank-mailman (input) for mailman id 1333167; Tue, 09 Jun 2026 12:25:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWN-0006nE-UD for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvWO-001fM8-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvWN-00Ckjh-2q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7qSqyzXAtNZt6mNSBOy/+tH2+S3R3uL4nc4pecfaMb0=; b=eDkXhYWKFffrrb1kZGcbvCSief SyEGxXMq7fwT0lb85l8IZaLiwNMpgvng5T/QiFBmraEpvapMERYr44vpjmCXfjI8Lrvxr6K3w5oym TortVQSwxVtdM+0IzO3/pxthguijiCqFDgY/Tje6v2smZoUE8tZPbT02sVVoVRqUoCo0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:25:31 +0000 commit 8f449eb5ac23152d770ba080174c9612854fb5ca Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 444e072fdc..69a44bd0a8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -322,6 +322,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -538,17 +558,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f8a3c4b81e..ad88d2fd91 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 415edee251..308ac354aa 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333168.1595646 (Exim 4.92) (envelope-from ) id 1wWvWZ-0006pS-Ff; Tue, 09 Jun 2026 12:25:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333168.1595646; Tue, 09 Jun 2026 12:25:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWZ-0006pK-Cx; Tue, 09 Jun 2026 12:25:43 +0000 Received: by outflank-mailman (input) for mailman id 1333168; Tue, 09 Jun 2026 12:25:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWY-0006pD-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvWY-001fMF-0v for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvWX-00CksJ-39 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aHl1MmLSby1ubmInKkgad9Pp5qdaP1OX8NoAsCqyCLk=; b=dQtaegY6STJ65ZvlEgMf+gaPRL RxOMEjiDGGlFgEO5wgdD6vb0LjDjdcT8GuDNNE1QJQXAYHLsQMYeFe2K3naBzOipqvG/9frued5M8 Vk4c3vJfT/yTieEcqzSPx6ilarvmi08+J8T0TefQoMgm8MDOaoUKFHIhYlHD/cKyiA1Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:25:41 +0000 commit f615fc1e9143d767bbb0e88760b7ae3c9a9041b2 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 00c59a9baa..52a2139495 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -636,6 +641,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 69a44bd0a8..94c9489307 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -695,6 +724,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -703,6 +734,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -727,19 +760,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -763,6 +792,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 88dc27024b..331306fcbd 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -527,6 +527,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:25:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:25:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333169.1595649 (Exim 4.92) (envelope-from ) id 1wWvWj-0006sa-Gv; Tue, 09 Jun 2026 12:25:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333169.1595649; Tue, 09 Jun 2026 12:25:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWj-0006sS-EN; Tue, 09 Jun 2026 12:25:53 +0000 Received: by outflank-mailman (input) for mailman id 1333169; Tue, 09 Jun 2026 12:25:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWi-0006sJ-3n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvWi-001fML-1B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvWi-00Ckyb-0D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:25:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cyimVpjS1DXcOZnI8d8GtWeKtGOieLIcVgSnNEuuqyY=; b=gheWOPFhti3lOqr/XGxn2UqUa1 Uh8c4MmqrgkPx2oWbBtDg0VXRoLUIZa4pB5gGGO4xarJoVNWotI7+p1j7Mdaf1/FDB68+WhujOSI6 wqBd4+o8ZI2w1pnV9OiN0Quhg+ZDNAPJzolJ2bNVwgpxaqJh+PsY5iSnBL8UGtgffoGA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:25:52 +0000 commit 3c45f671ee4472966c65b9b919aa720a3c0bda4b Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 35d7332d87..711068e472 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,6 +225,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -234,6 +236,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -608,16 +612,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -678,6 +679,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index a123f94e85..a5b0b9978d 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2173,9 +2173,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333170.1595654 (Exim 4.92) (envelope-from ) id 1wWvWt-0006uf-IU; Tue, 09 Jun 2026 12:26:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333170.1595654; Tue, 09 Jun 2026 12:26:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWt-0006uX-Fk; Tue, 09 Jun 2026 12:26:03 +0000 Received: by outflank-mailman (input) for mailman id 1333170; Tue, 09 Jun 2026 12:26:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvWs-0006uQ-6j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvWs-001fMc-1T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvWs-00Cl5t-0T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6V9atNpspPtwIQ+PKnPy9biavRU1qMVrTgZeffnP8jQ=; b=R2jzGs0xopfpUktC5oKDuYoDqV +m2EOTH9eI7YEMAvUhXAv8FU7t/kjf9mwW8bksF1OOVWPNgZQ7peZuiBNLsv+XmT0LT5aZpvtyOub 5IodZSYBhhU10XZtFmG77Oc3tw02LoJjRHsTBHKa5pydLu/KIAdEyclopdbENZg/xlg0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:26:02 +0000 commit 08afe7a8df7e2f688938fedf495a0bfcdf31b2a8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 7a502afa6b..dd8c610f3d 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 711068e472..f20d174f5b 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -539,20 +539,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -565,23 +572,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 94c9489307..7d0e78365a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -703,6 +703,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -710,6 +713,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333172.1595658 (Exim 4.92) (envelope-from ) id 1wWvX3-0006wk-K2; Tue, 09 Jun 2026 12:26:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333172.1595658; Tue, 09 Jun 2026 12:26:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvX3-0006wd-HH; Tue, 09 Jun 2026 12:26:13 +0000 Received: by outflank-mailman (input) for mailman id 1333172; Tue, 09 Jun 2026 12:26:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvX2-0006wW-9O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvX2-001fMg-1j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvX2-00ClBb-0l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GdIP+Fhzap7Df6Ddcu0VXvcndZbLH3SHkdCP88d2VZc=; b=HR658+6AnzGNNEtaeNq/5KeWEC BmhigB2I9WAEN/Lv/KON3+JqKtAfYIV/y1MNG7yUeq/tZZb5ggmeFeQ4iI7n4+DoodCLvU9CkNVgr ChRIOStJ642QC77GZOWFzEwygljRU7vw/6XH3b5FYgfeAaZ6dQkPWFN166R/oaU+Mnx0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 12:26:12 +0000 commit a5b7170c3bde92729a61970367270aeb7983f190 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index b002eb2072..1f0ab9d177 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ad88d2fd91..47d409cf08 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 5867ccceaf..fc30cf822f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -117,6 +117,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -504,6 +506,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 308ac354aa..6ca850d23e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1921,6 +1921,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:22 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333173.1595662 (Exim 4.92) (envelope-from ) id 1wWvXC-00070c-O3; Tue, 09 Jun 2026 12:26:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333173.1595662; Tue, 09 Jun 2026 12:26:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXC-00070V-L2; Tue, 09 Jun 2026 12:26:22 +0000 Received: by outflank-mailman (input) for mailman id 1333173; Tue, 09 Jun 2026 12:26:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXC-00070P-Bn for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvXC-001fN4-1z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvXC-00ClJE-11 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6VoVcZocLaOU/4ojz040EkblfQHPNLSS4FJtRudo940=; b=D9OKykfBjMduHJ+om+OgbuxVEL Wuu+u1edbl93XJBIg1e1Thfi2STlDbAmk6Rx+hMX9TdnN2ldb8ulhdeRgggGjvgSqZA6ddNljdHpn 08aMHiQNxCOmXY2Xbf6a2XhR1HpXAwh3ukRFl60fsM/1+Ytz3Uds+hBKPokYPBFiye14=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:26:22 +0000 commit c49dc949ad314a461e12ecc7c5a622c1d4961ef0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7d0e78365a..a878867f01 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -366,6 +366,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -744,64 +804,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 47d409cf08..e023e1bb17 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 6ca850d23e..d43762f38b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:32 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333174.1595665 (Exim 4.92) (envelope-from ) id 1wWvXM-00072b-PA; Tue, 09 Jun 2026 12:26:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333174.1595665; Tue, 09 Jun 2026 12:26:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXM-00072U-Mb; Tue, 09 Jun 2026 12:26:32 +0000 Received: by outflank-mailman (input) for mailman id 1333174; Tue, 09 Jun 2026 12:26:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXM-00072O-Eh for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvXM-001fN8-2H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvXM-00ClRm-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ijQ1RQj8EYcFIAm3auacEz8mn5m6ImH0781znavHg6o=; b=ARYAvRH/lbWj4q9qhFAwb1BWP/ QkgfFlQe51XMdnQ5MYWXVNf0wd5D402Y9J0lpHKBxRLJ7PtzUTC5J7QfygeVcesUw4JUmQ+fBoUzf lO6JtgcwK2DbfjQBXPN0UIe2gwR6wAp8fwqvKThE4nWF/1jQ1QoVgdf5exbmTSAt9KzY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:26:32 +0000 commit 2ba1d549351c5c5ecb65b24d00dfb7509eb9bbb2 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index f20d174f5b..128a75caac 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -622,12 +622,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a878867f01..2f1235989b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -426,6 +426,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index e023e1bb17..65d36b74fc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d43762f38b..52c15ca25c 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333175.1595670 (Exim 4.92) (envelope-from ) id 1wWvXX-00074b-R5; Tue, 09 Jun 2026 12:26:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333175.1595670; Tue, 09 Jun 2026 12:26:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXX-00074S-O7; Tue, 09 Jun 2026 12:26:43 +0000 Received: by outflank-mailman (input) for mailman id 1333175; Tue, 09 Jun 2026 12:26:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXW-00074M-Hb for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvXW-001fNE-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvXW-00ClWq-1Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nAXpZVBubrtUnHE8/zfuwNaIvVTqtgaIBQln2tkeHMw=; b=wa0fGsoUmctGsQjyr89cTVHNVO 4mP6IRX9rvas7L0j2lrcHcwJpF0qgWwvfLUMUBLcDTqyGfiWEHNX/Ew/NQGLBzyOWtSRthzadFpx/ Iz6NZ5WyHlreFdhBW5vS8POX2knO+YReVG/Rqo9fsAmgS0SrCSXkw35uumW6mj6/kgOc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:26:42 +0000 commit d5f0523f8571a9873d3b9733cef62bf4820815a0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index dd8c610f3d..78325848ab 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 128a75caac..48ae07c29a 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -534,7 +534,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -572,7 +572,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2f1235989b..447a66d8a6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -427,6 +427,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 65d36b74fc..eb88313a79 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 52c15ca25c..a87f8d87a0 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:26:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:26:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333176.1595674 (Exim 4.92) (envelope-from ) id 1wWvXh-00077g-SB; Tue, 09 Jun 2026 12:26:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333176.1595674; Tue, 09 Jun 2026 12:26:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXh-00077Y-PW; Tue, 09 Jun 2026 12:26:53 +0000 Received: by outflank-mailman (input) for mailman id 1333176; Tue, 09 Jun 2026 12:26:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXg-00077R-KJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvXg-001fNI-2p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvXg-00Clc1-1r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:26:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=92/bK+Iu+1mnHiYOTsCyWpseEty9Arw3HsVHuMAKSJ4=; b=R8AFSWTt7OJ9P1v68xs2LjEaIL XJspYVyAfZcijh62MEmcgGHup83ewDOK+6jAOFcb90VgRPDGg19eSSm6osHI5Jj/6BnSlGY4YxByR nup3ioFyaoegdPXGjRXY2hH/gL9rt5NXUJPyKdRDJFCZFZMmBcDG0VyAy7kUHOW/GgZg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:26:52 +0000 commit 3ca879ff749887429b5dc1be0a3a00bc2cc18938 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 48ae07c29a..0dc36be2ff 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,12 +225,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 447a66d8a6..6b0316aa5e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -366,6 +366,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -426,6 +454,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -785,31 +814,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index eb88313a79..6d2c9ddbb6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a87f8d87a0..c301750134 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333178.1595677 (Exim 4.92) (envelope-from ) id 1wWvXr-0007BM-Uq; Tue, 09 Jun 2026 12:27:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333178.1595677; Tue, 09 Jun 2026 12:27:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXr-0007BE-SH; Tue, 09 Jun 2026 12:27:03 +0000 Received: by outflank-mailman (input) for mailman id 1333178; Tue, 09 Jun 2026 12:27:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvXq-0007B7-NZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvXq-001fNX-38 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvXq-00CllP-27 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XMXwWwHLARGGMmLPIo2rDT+wYW4C/5HPN6wf93rwTJA=; b=DNYXOnNoaY57QErfpBamME0P9n wwCoh53exuUSFndO4zR19r9xNFM3TWN6yxVm5O0hgk0Nic4B5leFlntZhDZ6uzU/mXqjcjEyuwnV/ mr6HuF21YqCpSw3Dzpt72N16y134pk3SLfbalPa/sdVFYzmAcLpJ+B6viQKDUuFsub1Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:27:02 +0000 commit 2ff10f2acd12060b885153e50857e9e8847f4f8c Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 59 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 35 insertions(+), 29 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6b0316aa5e..944878cdcf 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -454,6 +454,38 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -787,33 +819,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6d2c9ddbb6..02829e806b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c301750134..270e682883 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333179.1595682 (Exim 4.92) (envelope-from ) id 1wWvY2-0007DO-0A; Tue, 09 Jun 2026 12:27:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333179.1595682; Tue, 09 Jun 2026 12:27:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvY1-0007DH-Tf; Tue, 09 Jun 2026 12:27:13 +0000 Received: by outflank-mailman (input) for mailman id 1333179; Tue, 09 Jun 2026 12:27:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvY0-0007DB-Q7 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvY1-001fNu-0B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvY0-00Cluw-2Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HBdvwHsVVsyvZ/mDyWxU2gTlYY7gbvzoN2qZoQLI/KE=; b=nQIKEc1hsAmf6Ygov2TB1vgUCN oy9FZaCZyZlVwjVCH/eawQF20uBgzi1HkHTDV53IHgPFieAWNXYGepZHmV9098pB4wvsev1yzoke6 aTPOtXnpC4B8uoN16u7ajlkZehNLIHaw2lJYAIEUs9XsFQKFFXZSJc/s2HooM8ay0uI4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:27:12 +0000 commit fc86e21be9af7f542e962e66785b9852c93d4fd3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 944878cdcf..f1f0d60615 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -486,6 +486,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 1666ff615f..7aea0a78b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 02829e806b..f20be2e899 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -650,13 +650,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fc30cf822f..f2bbe3ed8b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -154,8 +154,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -634,12 +632,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 270e682883..3fb4330f70 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1352,11 +1350,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1940,8 +1933,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333180.1595686 (Exim 4.92) (envelope-from ) id 1wWvYC-0007Fm-1d; Tue, 09 Jun 2026 12:27:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333180.1595686; Tue, 09 Jun 2026 12:27:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYB-0007Fe-VE; Tue, 09 Jun 2026 12:27:23 +0000 Received: by outflank-mailman (input) for mailman id 1333180; Tue, 09 Jun 2026 12:27:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYA-0007FX-Sh for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYB-001fNy-0R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYA-00Cm2X-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=q4X+Zc4ASGZuw6qpjRatEDbD8yfmy5iNY1ItjEk/qrk=; b=TiircwYU/WtvyBh9B3ocoFmUE9 g+bTCnw/888dgzSeyoCOLXA+Zs06DJUP/wn7dJ2aFeKNW/cgGfj1cvqi6vZQVtyGI5PNhF0vPCjQn jf87yTOS7nzNpMFsz8XBSXpELUsFjrTm0JpmSUTe+FS5Zd7qLvPH3w0+C8kSCO0/a8qk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:27:22 +0000 commit 5c86d123d7580aba4305519c39da873ada5dd124 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index dd47bde5ce..e213171ea9 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f1f0d60615..4981ae5925 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -515,9 +515,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f20be2e899..a941827105 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index f2bbe3ed8b..e91fa49d7d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -249,9 +249,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3fb4330f70..97526b4211 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -846,7 +846,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333183.1595690 (Exim 4.92) (envelope-from ) id 1wWvYM-0007Ik-2x; Tue, 09 Jun 2026 12:27:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333183.1595690; Tue, 09 Jun 2026 12:27:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYM-0007Ic-0O; Tue, 09 Jun 2026 12:27:34 +0000 Received: by outflank-mailman (input) for mailman id 1333183; Tue, 09 Jun 2026 12:27:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYK-0007IV-Vd for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYL-001fO5-0k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYK-00CmAZ-2z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cNlrHTOeJKFGr3XAfZ/1AY1bHVI58uR4QAFZ6vEqF4I=; b=HVx0xLA2zt1wV2J0OP+bsJ7Tvs dUwECgyHeULLT6GO2DvpEHT/H8lkAsAvfQMgD+HnQmyGmlxlpyXGNGFFePNAYN3YukxyJQu/oGdVL lu/Q8Ve5+vH9HLbIC/C4dzfHpHeME/DDCVBuDEc/hd62xJI50dYacqADEm/2K7g8Tl04=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:27:32 +0000 commit c581c4008884ee555f2894e3c7ccf08759001dcc Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 6477ec3455..08e3bf48fc 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2055,10 +2055,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index a941827105..8352d22d43 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index e91fa49d7d..d0e9c33927 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -231,12 +230,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 97526b4211..2b2bbb5627 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1859,7 +1861,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333184.1595693 (Exim 4.92) (envelope-from ) id 1wWvYW-0007PJ-5a; Tue, 09 Jun 2026 12:27:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333184.1595693; Tue, 09 Jun 2026 12:27:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYW-0007PB-2z; Tue, 09 Jun 2026 12:27:44 +0000 Received: by outflank-mailman (input) for mailman id 1333184; Tue, 09 Jun 2026 12:27:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYV-0007P4-1w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYV-001fO9-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYV-00CmKf-02 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tmdXCRBL9Up+YJ5/txYySHpKoYwsiX/3B+BUjSGjOnc=; b=mtZks2SpjjnLTwyW8ak5QYpMFr 3a/wyBQxG9hlQ3uFiadgcxf/3j26tCU4qBkx9W/dHJ3TLA8v9jljJuucqMKf0E4VIfhDoQXYvrYn0 aBIuLeb6Drh5smL+9E0puekvI4nOd9NWT7SM6e1Udiumh2KFG8EsGeQqROqoRUjMS/VU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:27:43 +0000 commit 7fcb12d5208e18124d14c81c55f193bd26cc6fc3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index e213171ea9..beb7b88e67 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8352d22d43..8b3b648532 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -680,13 +680,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d0e9c33927..d60917f93d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -169,7 +169,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -657,12 +656,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2b2bbb5627..96c13b71ef 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1587,7 +1589,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1968,7 +1970,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:27:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:27:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333185.1595698 (Exim 4.92) (envelope-from ) id 1wWvYg-0007S8-70; Tue, 09 Jun 2026 12:27:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333185.1595698; Tue, 09 Jun 2026 12:27:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYg-0007S0-4P; Tue, 09 Jun 2026 12:27:54 +0000 Received: by outflank-mailman (input) for mailman id 1333185; Tue, 09 Jun 2026 12:27:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYf-0007Ru-4j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYf-001fOF-1H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYf-00CmVk-0J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:27:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=n7f62wywWl6NWD6l/BR0UeO33OGCslUcmNoZRFXDXpU=; b=DSOVdoTTr6cLzGF33eHaBd2w5u B+FAf93Ayr53Qu3wM/5FBNTpNnQrnL2RVBlLUR59uU7ouJ8B9WXtpTkjuWtV1xUb6SPHXSpszHlS6 P0umsfIrkbhyCWMTAIa8qrCeq0KqswERB3uZYKh6MYF+VzzmV5BDoMCX4nDlw52ysMys=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:27:53 +0000 commit 4618e73b2565ba3c0d362c3055521dc6c0c8313f Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4981ae5925..ccf0550d41 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -503,6 +503,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -925,7 +929,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index bd144aa59c..5cdc49ebf0 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1640,7 +1640,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1710,7 +1710,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8b3b648532..d83a893219 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 96c13b71ef..32d156d441 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333186.1595702 (Exim 4.92) (envelope-from ) id 1wWvYq-0007Z2-8M; Tue, 09 Jun 2026 12:28:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333186.1595702; Tue, 09 Jun 2026 12:28:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYq-0007Yu-5k; Tue, 09 Jun 2026 12:28:04 +0000 Received: by outflank-mailman (input) for mailman id 1333186; Tue, 09 Jun 2026 12:28:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYp-0007Yn-7q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYp-001fOd-1a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYp-00Cmez-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aJXtF1uBGcbNwN31vR7tPzr0fDEQBdj2W6NyBkIkQCI=; b=J0mxfhTDnuY++eWxPaBF/d3gn+ Dz7UH/SBA+Yw24LhAxrG5yf37q3iva78OvG5KX/CP/zb3bs3M8RYgri9rwO8XfOjSbSZkgd1JPhpl pCe68TiZIxaUDGjH54cF7fkD3mFngNPEraqV/k2gKVOCAoek94KdF/kSnKKoPO1nvEJo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:28:03 +0000 commit 923d69856a10fff053f6450ae7ad91542db3064c Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ccf0550d41..760c4867bd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -330,6 +330,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -337,6 +341,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 5cdc49ebf0..691406483f 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1760,10 +1760,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1805,10 +1801,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 2a49fe46ce..6f01865609 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -549,7 +549,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d83a893219..0947b3c7b1 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d60917f93d..bf6d4e9772 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -123,13 +123,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -514,35 +507,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 32d156d441..4b609d9929 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1400,7 +1444,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1430,7 +1474,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1462,7 +1506,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1492,7 +1536,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1958,13 +2002,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333187.1595707 (Exim 4.92) (envelope-from ) id 1wWvZ0-0007d3-Bu; Tue, 09 Jun 2026 12:28:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333187.1595707; Tue, 09 Jun 2026 12:28:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZ0-0007cu-8S; Tue, 09 Jun 2026 12:28:14 +0000 Received: by outflank-mailman (input) for mailman id 1333187; Tue, 09 Jun 2026 12:28:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvYz-0007cm-Ah for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvYz-001fOx-1s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvYz-00Cmmt-0s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=os2elBznIWzBwcYVOI4ToxHwEdbJ9m2ig5ZfUJ35/Ns=; b=nSfQ8RDBHd+iDGY4/UUAn6F2Dz Yax/ISy8DOIygFqVE3ftMiqFeKq7RTNU+6mTe8+N9HCcbXQCOTofyiWhx4yVBz+g3PeBqEWlATKA7 4YcOh7q9lCR8GTFE8I1JfXjQrMUkUPL4ExsacFVtJO/7LTsWDR4PF7Fcxm6h5DcaLgc4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:28:13 +0000 commit 17bce447ad421a78bb7d9201f615dce6069be1b7 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 760c4867bd..9d5f55161b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -495,6 +495,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -851,36 +875,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0947b3c7b1..95c73f9894 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 4b609d9929..694c748694 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333189.1595710 (Exim 4.92) (envelope-from ) id 1wWvZA-0007fY-CU; Tue, 09 Jun 2026 12:28:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333189.1595710; Tue, 09 Jun 2026 12:28:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZA-0007fO-9p; Tue, 09 Jun 2026 12:28:24 +0000 Received: by outflank-mailman (input) for mailman id 1333189; Tue, 09 Jun 2026 12:28:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZ9-0007fI-DZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZ9-001fP3-29 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZ9-00Cmvp-19 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CvYvcE0pAhKtJPmsEgiOXQwK5XrAgKgM163AwR2Youw=; b=0wShj811UaUFODK6btxXsH36OL Cn7EV825vda9nGH2C4Pu1gnMtWEy0jo6Tpb3nRnQd1XLh25VLi0nWXTj8wDg8my5x/RRIxPDsv1Ds mNxY+zqdh1MSTyWR+J1X59OMSVf1D24Z/h6fPqgBKm2Z+LK0lCK9JuL5NvBS62kS/ewo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:28:23 +0000 commit 54bb4e99724bdf1f6a0a25dde1ab32a8ce9bc18f Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index a3b546465b..74848725e9 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333191.1595723 (Exim 4.92) (envelope-from ) id 1wWvZK-0007uS-KD; Tue, 09 Jun 2026 12:28:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333191.1595723; Tue, 09 Jun 2026 12:28:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZK-0007uJ-HL; Tue, 09 Jun 2026 12:28:34 +0000 Received: by outflank-mailman (input) for mailman id 1333191; Tue, 09 Jun 2026 12:28:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZJ-0007u7-Fm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZJ-001fP9-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZJ-00Cn0a-1Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jGfBRcDpEO4okOQprg7APBfDJlU1FmcjIu8ct8t31mI=; b=qWQSgqX9TTVKZdadPPyC6vjTL+ Pj03H8RwPMhF7sK6Ynsxgm30p7GHcqHlYqZxxUaUjAmdwlIjXkpsoIyCrZh6Hm71mNBCP2xmTxivE MFMXy0d6qWegBNmk8vcR/BE62RI81Fy7WQ5NKFakDEqNLt89ZRY1DZ+9Al8UB2bdvPn0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:28:33 +0000 commit 1ea95e237d2b50514e3370382c1253a8852235e7 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 2ca2662c02..5fda69344c 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333192.1595728 (Exim 4.92) (envelope-from ) id 1wWvZU-0007zK-MQ; Tue, 09 Jun 2026 12:28:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333192.1595728; Tue, 09 Jun 2026 12:28:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZU-0007zC-Iq; Tue, 09 Jun 2026 12:28:44 +0000 Received: by outflank-mailman (input) for mailman id 1333192; Tue, 09 Jun 2026 12:28:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZT-0007yl-IZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZT-001fPE-2f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZT-00Cn4h-1f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ck8Wpmjp+YDX3PIaASOsXN1tAvqJT4F4/ygetqGpZj8=; b=VNN/CFkxJXAhGkOQcZoymDX3dW CNbPM1OjWodbTlWuB2x5zWzhz/FeJJCwLXnsfJsxfxRyYFeAFOpG3Mr2Rww9xPZdgPDs0wQXunL9J 3kGxUIEOYEC/APZT/HDsOV7Gc3X3S/flOqi+EnjiOJtsZwqj6hpg5+jxdbGDBLuxIrQ0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:28:43 +0000 commit 618173c1319431959a7b3f0500435e4e04f05dff Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 5fda69344c..85a7469eba 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:28:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:28:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333195.1595731 (Exim 4.92) (envelope-from ) id 1wWvZe-00089Q-OD; Tue, 09 Jun 2026 12:28:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333195.1595731; Tue, 09 Jun 2026 12:28:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZe-00089H-Lc; Tue, 09 Jun 2026 12:28:54 +0000 Received: by outflank-mailman (input) for mailman id 1333195; Tue, 09 Jun 2026 12:28:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZd-00088N-LZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZd-001fPK-2y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZd-00CnBb-1x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:28:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XpjVmgGHP2f3EBbMSXvrXK/N8PcbqNrEAailMnA5LmA=; b=h3gugXFi3u7g1sW6M1is1isNkA cDKECzGOfu99pOh7AzcE1jwxHHIXX/51ccKpHbXJ2ZLfaE+XpZNqsqp2qNhY6Q6wkbSfIKTzHbHES U7S4iF4rqKM5IJ6ya4Tm8Gcv0DJZFGu5Ach/lopWYZtoJCG75b1OXLgvGwlPxFDw9JpA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:28:53 +0000 commit 52b28b0cf797079b29ad194407cd7c1b44fef576 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 85a7469eba..f89b061d44 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333197.1595734 (Exim 4.92) (envelope-from ) id 1wWvZo-0008GJ-PR; Tue, 09 Jun 2026 12:29:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333197.1595734; Tue, 09 Jun 2026 12:29:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZo-0008GB-Mt; Tue, 09 Jun 2026 12:29:04 +0000 Received: by outflank-mailman (input) for mailman id 1333197; Tue, 09 Jun 2026 12:29:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZn-0008G3-O7 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZo-001fPd-00 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZn-00CnK6-2E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9lDK+MOB+FUQvSnAo2zYKvGureyUTPhVEnlIe8pDtVs=; b=VyzqhyoJPzN0e4KDlmUq/lQonk 77m+XhYa0j3Vx3mErkd7FJmzcwY9jtIpAh3vgNoX7BNdxgV6jjoDk4U7J3ddU9MGUtGOcv7A7cTQD giUP6fmUFAsizp1mal/yfQfIvl7634YkulPPwh9UsTNJfxRjT1x7RmscRB5RtxgARQUQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:29:03 +0000 commit a9c8547cc8d8522a83adfaa87d35d97e2b15f237 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 21d03d9f44..12aa8580c8 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -436,6 +436,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 2b7101ea25..1fb0cf599f 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -535,6 +535,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333198.1595739 (Exim 4.92) (envelope-from ) id 1wWvZy-0008L2-R0; Tue, 09 Jun 2026 12:29:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333198.1595739; Tue, 09 Jun 2026 12:29:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZy-0008Ku-OF; Tue, 09 Jun 2026 12:29:14 +0000 Received: by outflank-mailman (input) for mailman id 1333198; Tue, 09 Jun 2026 12:29:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvZx-0008Jb-RJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvZy-001fQ1-0J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvZx-00CnSI-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3oAY8kY/cPBHnujzYv7d+GKvYZWlh9TV1BnZ0FXbdOk=; b=HTFlZqpv6lAwutsYGWHShIytXD 686+/gi88gzWaxnAk4hMikuGBpwa3bBrUu0JOudsiMJcOoU/WhQhSDM27jmsd2p5VBqXJ4xL9nanJ WXhqFGI45GOQdd+//rHlSfBDF5ruf0J3iRCNI9qVzo9BhP+tSIo/OVw1LmcirWCW6J+8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:29:13 +0000 commit 376de647729a611eba47086c7834655e8a64fcab Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 21e6ca90d5..893117dcc6 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index bb0ad58db4..75e291d93b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 26da7f8974..e47302c5af 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -379,6 +379,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 9861efbef9..ce62475f19 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -528,7 +528,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -536,7 +536,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 07e9594493..fe326a83ad 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -815,8 +815,7 @@ static int __init dom0_construct(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -825,8 +824,7 @@ static int __init dom0_construct(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -837,8 +835,7 @@ static int __init dom0_construct(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -979,8 +976,7 @@ static int __init dom0_construct(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 5302f7b366..6d037075d6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -456,6 +456,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -478,15 +480,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index df46150f2f..0b1e3841a5 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -327,6 +327,7 @@ void asmlinkage start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index d952c3ba78..1aa5ad4bf3 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..356be1705a 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -42,7 +42,6 @@ static inline bool efi_enabled(unsigned int feature) void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333199.1595742 (Exim 4.92) (envelope-from ) id 1wWva9-0008R6-Sy; Tue, 09 Jun 2026 12:29:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333199.1595742; Tue, 09 Jun 2026 12:29:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWva9-0008Qy-Pd; Tue, 09 Jun 2026 12:29:25 +0000 Received: by outflank-mailman (input) for mailman id 1333199; Tue, 09 Jun 2026 12:29:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWva7-0008Py-Tt for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWva8-001fQ7-0Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWva7-00CncU-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ShrOiNwNgzCzytX9R3SkT/L3vHBHoeVLLarAhMmbHYs=; b=aP+t/GblfImqd3GwDvzkNgP1S8 /X+TYiEOxZqvTse1wGoeD/6Z7zFMx/ZMBHwKPQzxzYwBpW1W97VarlF6sDVc9k7vzjbxDNSGv4KJA y1SDm96zIVzPkdwrVr58meniNpuvEKew0x1957ODP4EeOZ4PA8BuugZp4sRlhiwqo2ts=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 12:29:23 +0000 commit 96a8a2750afd6dab86b8ce1683ba7fea57b0823f Author: Andrew Cooper AuthorDate: Tue Jun 9 13:09:08 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:09:08 2026 +0100 Revert local CI adjustments This reverts commit e1eae714bf3d130f810f715bec1e08d6faa6ea3d. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 716c3c5cdb..b2fcf6c28f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -15,5 +15,6 @@ stages: - test include: + - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333200.1595747 (Exim 4.92) (envelope-from ) id 1wWvaJ-0008W0-W2; Tue, 09 Jun 2026 12:29:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333200.1595747; Tue, 09 Jun 2026 12:29:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvaJ-0008Vs-TJ; Tue, 09 Jun 2026 12:29:35 +0000 Received: by outflank-mailman (input) for mailman id 1333200; Tue, 09 Jun 2026 12:29:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvaI-0008Vh-Jy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvaI-001fQB-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvaI-00CnmE-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ectqSTaDJgEt7aOZNyvm4DDmNRsiPpoaVI3SVuxOwus=; b=3jtWGkm9/tQsIO2sNRVUbJVdXZ EOC+mGQ8u9wR2WUn7pZVD5gNrw9g8APfbgbnRj9rKaw/7Free40dNfdlCAs6fuX21P7z/xgTeXpmL dBO5Hf3x6wHDMElKGbT165GvYLUsjPdUXrfFDjPIYUC5Jl9B9jH5WB0OFR8c+iGRiuPc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 12:29:34 +0000 commit 3f4d62dce7f5fe168e849d7fa6082853d07ad3bc Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:42:21 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ef4484e09a..da236e3347 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,6 +10,5 @@ stages: - test include: - - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333201.1595752 (Exim 4.92) (envelope-from ) id 1wWvaU-0000Bh-1f; Tue, 09 Jun 2026 12:29:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333201.1595752; Tue, 09 Jun 2026 12:29:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvaT-0000BW-Ue; Tue, 09 Jun 2026 12:29:45 +0000 Received: by outflank-mailman (input) for mailman id 1333201; Tue, 09 Jun 2026 12:29:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvaS-0000BK-Mo for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvaS-001fQH-35 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvaS-00Cnsw-27 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tst83oudtN9njgvc8sJ/+xPOc6C1nYvxsjPhSJN3QkM=; b=yODocJ5R7ecPOYh3UzaYzjEtMj NjhkM0GTM6vAR6hsh5wm7HPq918587JL7lghgQB4ULCcwTsXMELOrauXtlgpz9FiTcf+JQEGD70zn NTnoZbwygijKDX4pBqMN5t7cGuBY/pC7x0V5xyLCAsoN+Hi4pGgxaWHAZjJor0ilBY78=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:29:44 +0000 commit 4ef23e64ebf9ef5d22bdb53b8ab418ee18a49037 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:38 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:42:21 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 9bb90a83cf..877a6767a0 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -619,6 +619,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -640,11 +641,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -653,6 +657,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -660,6 +666,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index aa77466a77..af443555cc 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -157,7 +157,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 3662e23cb6..f679fc0a44 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -596,6 +596,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index d75af83ad0..1d676833c7 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -145,36 +145,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -191,6 +211,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -198,9 +220,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -217,6 +245,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 3985994298..4e61b87df3 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:29:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:29:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333202.1595755 (Exim 4.92) (envelope-from ) id 1wWvae-0000E2-2s; Tue, 09 Jun 2026 12:29:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333202.1595755; Tue, 09 Jun 2026 12:29:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvad-0000Dn-W4; Tue, 09 Jun 2026 12:29:55 +0000 Received: by outflank-mailman (input) for mailman id 1333202; Tue, 09 Jun 2026 12:29:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvac-0000Df-PV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvad-001fQL-08 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvac-00Co0c-2N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:29:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=t02oeaoR08JxIBMzS4wxvHPXxgF4NFnlRVTYoDDKS9E=; b=bG0wQAT/KtlOmnehsfj6GFklRU gp1p9jb8jcWpHE0fWFIJlUY2kg40XUCbaCRn1m4dKL1zln4j2hlwh6VjNXoa9t8CawoS9wQ8WWZcA YVbgn8JB8oKXsJuM6Bx/eAkWMtgfeLsvur3Z14m92I1SXfyFG4cwH2DXsaJlVGyzQAog=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 12:29:54 +0000 commit b471a845b1f2c066cfc2a991d5eb3f89779cac41 Author: Juergen Gross AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:28:57 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6cf78d4975..4c2773ed1f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -535,7 +535,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) break; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 7cabfb0230..2d04a9e161 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3286befeca..4b5f07ad27 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333203.1595758 (Exim 4.92) (envelope-from ) id 1wWvao-000138-3w; Tue, 09 Jun 2026 12:30:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333203.1595758; Tue, 09 Jun 2026 12:30:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvao-000132-1C; Tue, 09 Jun 2026 12:30:06 +0000 Received: by outflank-mailman (input) for mailman id 1333203; Tue, 09 Jun 2026 12:30:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvam-0000q8-SS for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvan-001fQl-0Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvam-00Co69-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Mqbx+EmDqiUNPSz0OmXTnEok3z0EV3Q5NTHw2gKGIl4=; b=gQ+WjueviKYfzZaHl84+VsNe5P ++MnMqHQlohJM4tS1bVMPsYD7BMD/dK21Kwej8TInFSEzSISNfAYYlNA+blcoArpwdhXhhnbbQkB8 ZfTBRQbOTab/HwgI3yEJWgKZCXEVN3FPQD5yr5tZhl/EkXyPMAspVcXEoy4f4EYS69ic=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:30:04 +0000 commit 3786cf1cc1ca118393972c6a98b701222dfc23d9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index cbaa292bb2..3e6e35a1e6 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 3609ef88c4..e041ac9e08 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333204.1595763 (Exim 4.92) (envelope-from ) id 1wWvay-0001Gy-5k; Tue, 09 Jun 2026 12:30:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333204.1595763; Tue, 09 Jun 2026 12:30:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvay-0001Gq-2a; Tue, 09 Jun 2026 12:30:16 +0000 Received: by outflank-mailman (input) for mailman id 1333204; Tue, 09 Jun 2026 12:30:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvaw-0001Gh-VH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvax-001fT4-0i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvaw-00CoGD-2w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OvI3pw1u4mWh5CvLsH+YUlIrK5xCDlraeRTvrLjJIu8=; b=GBGjeKTttNCBlU8bJtta8OHWJ/ QsxWeaf2a0wxRrGXsP4ne2IoTrxjAPQkEtiadTLDNz2kvkME+SZAwuX4aN7BXjx5+f7q8XR5slo/V hc/mXOCTj71bspeAQIuXUbMgUn3tqVCMk6s12b2/rA9E2FNN7wSXj+TTShWKE7oyMWss=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:30:14 +0000 commit 64327f3e892380a97358943df2de5907fd83b0b1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4c2773ed1f..f1cdb4b61b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -534,17 +554,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4b5f07ad27..2ed193689f 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 35237a00c4..556bc60a6a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:27 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333205.1595766 (Exim 4.92) (envelope-from ) id 1wWvb9-0001Jz-8n; Tue, 09 Jun 2026 12:30:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333205.1595766; Tue, 09 Jun 2026 12:30:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvb9-0001Jr-6D; Tue, 09 Jun 2026 12:30:27 +0000 Received: by outflank-mailman (input) for mailman id 1333205; Tue, 09 Jun 2026 12:30:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvb7-0001Jf-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvb7-001fT8-0y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvb7-00CoSm-00 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Qif01sOBHPcqgRsv5kMc3yiNrGRyh1VKxp5loQxMRzI=; b=nh6yEnGZq/lJZsdbHhGuuiDrtt ACn7NjqSyxM5kS/pyA8haMUY1QFH41bPjvi1G/ZZBGXThJgnw6uaYcjwrXhTcS+lAquOnGXcbiUnF cVo7HY24BiKrJY+cMP9XypWqkA1TtUpJIESgCBPMMVTz9xORZqKNmmmBYcG/7pXr8U6k=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:30:25 +0000 commit f91eab583f97f413e525f71bae2de3b94f44b666 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 62832a5860..68a5112283 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -631,6 +636,7 @@ struct domain *domain_create(domid_t domid, spin_lock_init_prof(d, domain_lock); spin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f1cdb4b61b..7b7096f5ea 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -689,6 +718,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -697,6 +728,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -721,19 +754,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -757,6 +786,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index e041ac9e08..12127debb4 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -493,6 +493,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333206.1595770 (Exim 4.92) (envelope-from ) id 1wWvbI-0001M8-AD; Tue, 09 Jun 2026 12:30:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333206.1595770; Tue, 09 Jun 2026 12:30:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbI-0001M0-7Z; Tue, 09 Jun 2026 12:30:36 +0000 Received: by outflank-mailman (input) for mailman id 1333206; Tue, 09 Jun 2026 12:30:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbH-0001Lq-4j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvbH-001fTF-1H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvbH-00CoZu-0G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M2r7Da8REwb+r1+Uux4pznE0p+WGBLf5kD5a5BvnD/I=; b=Pak5GrLsIp0/Hzyb0inYvX5jly lZD2BoyLjm4BYbpmO7bnsaf4qvf0GgBc4xIwcwpGUR59bSzVsqkmfKqxnQSzIBte5pJQ5Di1yrO3T Pfhe0lpRVLzuaw7zf/rdUVRHHWzjYcl4OmTjfjbAtp0F+Pd0ASaYWmmKSBvnKXl4oAi4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:30:35 +0000 commit 12659bf43eb3d8b5840b4b9496da792b3f708759 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 877a6767a0..2c264722ad 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,6 +225,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -234,6 +236,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -604,16 +608,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -674,6 +675,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 8a79fc1d8c..999b7c6824 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2144,9 +2144,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333207.1595776 (Exim 4.92) (envelope-from ) id 1wWvbS-0001OQ-CC; Tue, 09 Jun 2026 12:30:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333207.1595776; Tue, 09 Jun 2026 12:30:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbS-0001OI-8v; Tue, 09 Jun 2026 12:30:46 +0000 Received: by outflank-mailman (input) for mailman id 1333207; Tue, 09 Jun 2026 12:30:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbR-0001OA-7i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvbR-001fTM-1Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvbR-00Cogy-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MqJ9qIegkdpR6t9r2O7a4JTHeFdYh4ewwQFeWtLxnvI=; b=Wo7JU1vchPpn+J5VzEZUX8mLIA 1HzeyYo9da/QNwsRiS4qYGCYcb/gPd9D60V4n6zdqbXMY+BJPJJvPWTZcZ8T62U68zYsVs2O4dQRn ovu/MM2RUh+o3iXuiX8zoWENHYsltQlGLWdzJW+mn4FVtktVUDw/Wib6YwHQGCksIDss=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:30:45 +0000 commit bc1a888dbea6bde481281e1204dd5bcd8115732d Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 8e9851e560..d9a1a93778 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -75,6 +75,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -106,21 +107,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -137,16 +143,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 2c264722ad..abc2b5ef47 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -535,20 +535,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -561,23 +568,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7b7096f5ea..2ae0c78f22 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -698,6 +698,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -705,6 +708,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:30:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:30:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333208.1595779 (Exim 4.92) (envelope-from ) id 1wWvbc-0001Qd-Cy; Tue, 09 Jun 2026 12:30:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333208.1595779; Tue, 09 Jun 2026 12:30:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbc-0001QV-AU; Tue, 09 Jun 2026 12:30:56 +0000 Received: by outflank-mailman (input) for mailman id 1333208; Tue, 09 Jun 2026 12:30:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbb-0001QG-A8 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvbb-001fTQ-1o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvbb-00Colt-0q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:30:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uC539egQkQcV/95RrxUi+m2ztiH4fiGy20u+FUpiSQo=; b=v5I0mf0sTuElCimZlNAERGZbK1 wreZMsq+NJ3Uqj7g1AuoSB8YxFFBkt68cKPIW3auM9wiIpXqPU+K7Aeu0vdUlzm8kG3LYMjchaeN1 sNVzdoHEzIKN1sg8GzsEMrHupd0uaEiBDypSsID6wcJkFRRAKewE8WmcosvdzaFXLk5A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 12:30:55 +0000 commit 2fc05f315a7e02fa6289aa0ce3154211afec5f24 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index 767c1ba718..6766a8208e 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -54,7 +54,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, s, e, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, s, e, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ed193689f..4160d85ec0 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 5867ccceaf..fc30cf822f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -117,6 +117,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -504,6 +506,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 556bc60a6a..640464f312 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1918,6 +1918,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333209.1595783 (Exim 4.92) (envelope-from ) id 1wWvbm-0001T0-EX; Tue, 09 Jun 2026 12:31:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333209.1595783; Tue, 09 Jun 2026 12:31:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbm-0001Ss-Br; Tue, 09 Jun 2026 12:31:06 +0000 Received: by outflank-mailman (input) for mailman id 1333209; Tue, 09 Jun 2026 12:31:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbl-0001Sl-D1 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvbl-001fTj-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvbl-00Covk-16 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=X+6yHXaY96+W9p6yzNmv5NUGaJitL1U7uUlViGByX5E=; b=3SPUEu8V+kFGPuvyPUtr69uyhh Y2YFjiNldMlGvSaaUMNgwCza70/kxYfdMwfrEC0pf88U5+K1Rl93jHBO5Rhzfr5pNjN3ZeCoZtSgD qWBWdp0sG/aOcd+GXi/Fw57Dv2AtLmDF35/+pgBlHNG5hFxWYn1IoE+m1ZCcAKd8XKQU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:31:05 +0000 commit 86dd2e3eb66d7d214747663aa0d1c35e8d6eca92 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2ae0c78f22..1e13a0b485 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -362,6 +362,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -738,64 +798,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4160d85ec0..c5f5a38f7d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 640464f312..201db0fa50 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:18 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:18 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333210.1595787 (Exim 4.92) (envelope-from ) id 1wWvbw-0001VX-HT; Tue, 09 Jun 2026 12:31:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333210.1595787; Tue, 09 Jun 2026 12:31:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbw-0001VO-EZ; Tue, 09 Jun 2026 12:31:16 +0000 Received: by outflank-mailman (input) for mailman id 1333210; Tue, 09 Jun 2026 12:31:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvbv-0001VG-Gu for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvbv-001fU6-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvbv-00Cp4q-1P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6VllzBMioX3ZpbZmHkVGV5JMgm26LCGElODknXlF5cg=; b=QCv+FUkSONbrMaSkTWLJeU06uY HhevHLDJbI4Ra7rlBWF93nZuhKn7d/3S7XrL3f3fG79E5I5vPW2ICUSOmdFs20V25HGRm5qX/5xJh HW5wUOl4TDp1Bd+8WaTrvEdKztcvNau9U/WAow/AZtYZUVEtpHxZgBykAtgGjRAKYT8I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:31:15 +0000 commit 53ff9705c103f7d79b7795f56d836a980a5240b6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index abc2b5ef47..8bb3e694f8 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -618,12 +618,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1e13a0b485..88b5aab418 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -422,6 +422,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c5f5a38f7d..42d5ebe013 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 201db0fa50..0c687aa9e7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333211.1595791 (Exim 4.92) (envelope-from ) id 1wWvc6-0001Xr-IQ; Tue, 09 Jun 2026 12:31:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333211.1595791; Tue, 09 Jun 2026 12:31:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvc6-0001Xj-Fv; Tue, 09 Jun 2026 12:31:26 +0000 Received: by outflank-mailman (input) for mailman id 1333211; Tue, 09 Jun 2026 12:31:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvc5-0001Xd-JT for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvc5-001fUE-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvc5-00CpHO-1k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pzOjP99YykhrJquhBniPuLmL3z/35ND8fIZ/UTbkymE=; b=giN9aySZR5MgPVEpGjP37YJgS4 w6k0+m+PwMElOw4Sutw0mx16FPoK8+rEPV/yv1jNLuK76piqedowG3Zh/QIlV6HNUaut3mE1bDXpQ FklW5+krUXAXjqlAF/06itEJLXYvsse/RD2JQnt8cVIEdbY5GCYkoHg3ZUN2fymXoQAQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:31:25 +0000 commit 1f1cafe4f4a87a10023b2393596661004bb7bb14 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index d9a1a93778..b596076c32 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -103,7 +103,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -139,7 +139,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 8bb3e694f8..91f407af98 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -530,7 +530,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -568,7 +568,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 88b5aab418..08a844fe25 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -423,6 +423,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 42d5ebe013..7fc106c536 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0c687aa9e7..87dee85ea6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333212.1595795 (Exim 4.92) (envelope-from ) id 1wWvcG-0001a0-K5; Tue, 09 Jun 2026 12:31:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333212.1595795; Tue, 09 Jun 2026 12:31:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcG-0001Zs-HN; Tue, 09 Jun 2026 12:31:36 +0000 Received: by outflank-mailman (input) for mailman id 1333212; Tue, 09 Jun 2026 12:31:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcF-0001Zf-Mf for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvcF-001fUI-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvcF-00CpRF-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ArgrHARi8jJGHGw0GiHDAJ7kEW9YkM4jVdrWIHlFE6I=; b=Grt1ML6aMlW8sfqrhXkFfXMobE AXmNMVn7mXUWl05OcNUqHcS1US4sgHczjVOG7cM6ZQedhh9sx/xcwQsXQq11uo3K8uwcDa1qWdvst iDLcddBLNj9dMtkoG82XutQemRaumqPf0wdKW7hEwEG75TKuBQE6ofxdagqN7FbIVhH0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:31:35 +0000 commit c76ed41837259c481945fcf153136f7f3128ff0b Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 91f407af98..cc956a354c 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,12 +225,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 08a844fe25..1072d78f35 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -362,6 +362,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -422,6 +450,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -779,31 +808,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7fc106c536..9a65f31c51 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 87dee85ea6..949a4a4878 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333214.1595799 (Exim 4.92) (envelope-from ) id 1wWvcQ-0001c9-LS; Tue, 09 Jun 2026 12:31:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333214.1595799; Tue, 09 Jun 2026 12:31:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcQ-0001c1-Io; Tue, 09 Jun 2026 12:31:46 +0000 Received: by outflank-mailman (input) for mailman id 1333214; Tue, 09 Jun 2026 12:31:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcP-0001bt-PN for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvcQ-001fUM-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvcP-00Cpat-2M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=A5rVjyqOSHl9XhKhSUmlEtqs5rWWJwJof8wGfylbIUk=; b=0h3HoHfftNSRF866mz6zlLxLFT 2w/QDW8+IdC5HcpJ4r+bT2JKBc3qFOVjieyORGIqjrr9V/pQlG80ZA15cPFR5mXDrlXPI1KXDfc32 5ADr5LFiMeAUGrmeDAJ5jy2h3KAScPavnlT1MJPoPpCShbocge2SgjqCfNQPm4VxZ1LE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:31:45 +0000 commit 45d368d2c4f808f393ae52582890c0eb05be04cc Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 55 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1072d78f35..5bcd4a32cd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -450,6 +450,36 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -783,31 +813,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 9a65f31c51..0af668910b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 949a4a4878..4aa91a3dd6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:31:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:31:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333215.1595803 (Exim 4.92) (envelope-from ) id 1wWvca-0001eO-Ml; Tue, 09 Jun 2026 12:31:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333215.1595803; Tue, 09 Jun 2026 12:31:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvca-0001eG-K7; Tue, 09 Jun 2026 12:31:56 +0000 Received: by outflank-mailman (input) for mailman id 1333215; Tue, 09 Jun 2026 12:31:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcZ-0001eA-TK for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvca-001fUQ-0W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvcZ-00Cpg7-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:31:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1Hv0bAc17ckY7bqXNUsOpi6f19bF5plTxEgG8tHyBGA=; b=l7YyTr6f0sDyJTKbLMKKWiN7ef 5KphEONOLwJuXtmxomkOWpb6Rg4PnzKQkpMIMP4Bj7C/P2WE8X9mfKt4mDLAQr2VcUCdep7m14O8L 6E7RlxU1rBq/DCugz04blTYQ7xjiV5bTRVEtew4OUjm4nmZ5idkCtsPQFXcJvUUeTNqk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:31:55 +0000 commit 9abd8482f15eb12bc3c1f7f57e26b625c93e0e05 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5bcd4a32cd..c68ffb7337 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -480,6 +480,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 71d2898174..8f4bfc0936 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0af668910b..981cd3bf18 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -650,13 +650,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fc30cf822f..f2bbe3ed8b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -154,8 +154,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -634,12 +632,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 4aa91a3dd6..7d9ebe3d6b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1349,11 +1347,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1937,8 +1930,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333216.1595806 (Exim 4.92) (envelope-from ) id 1wWvck-0001jO-PQ; Tue, 09 Jun 2026 12:32:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333216.1595806; Tue, 09 Jun 2026 12:32:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvck-0001jG-Mv; Tue, 09 Jun 2026 12:32:06 +0000 Received: by outflank-mailman (input) for mailman id 1333216; Tue, 09 Jun 2026 12:32:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvck-0001iz-0F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvck-001fUf-0n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvcj-00Cplz-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gqfY6XBltuzgGuTa3gw58K2PhMoBLXVGpiJNfrW48xI=; b=6yX45utF4WyI2n59tukqeQ1WNa lfplWy7lcLJ7poq/cLOI7v/UtvxBZNSHcZnNvgZo7fkb6iZOX+VloTVoaANuGh6ZAd4WrPyhahCJ+ GJJYbz+9MtoRVDJAp5bKcuDfw2aac8cWwz9o+rECdMgS+DFnZUQRyXEAx0AGk6YzSwzw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:32:05 +0000 commit 8fe1695361d4a839e9f9095f070c7d5019664251 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 3a309bc74b..d8d953cde8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c68ffb7337..e918602153 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -509,9 +509,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 981cd3bf18..7427da1b44 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index f2bbe3ed8b..e91fa49d7d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -249,9 +249,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 7d9ebe3d6b..360b28a2d9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -843,7 +843,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333217.1595812 (Exim 4.92) (envelope-from ) id 1wWvcu-0001mX-RV; Tue, 09 Jun 2026 12:32:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333217.1595812; Tue, 09 Jun 2026 12:32:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcu-0001mO-OJ; Tue, 09 Jun 2026 12:32:16 +0000 Received: by outflank-mailman (input) for mailman id 1333217; Tue, 09 Jun 2026 12:32:16 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvcu-0001mI-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvcu-001fUz-14 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvcu-00Cprw-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Re7/v9//T+RRLiTGNvQG2WcrfdWcadl3WbvGX6pHjno=; b=nM61QfB0SljFI8yRtpBOpfnVK/ n5c1dnFKD64YStgzjVy51bBxsg3+oH6Mc6RiJNFS8JoCQDvacOQiBtoy+nf/zPIuzMfg7KTuh9MlH uOs4sutvV/H1TYCjD6gNTI4R0gLIuxHoW8Z25oGksorwkRlcctauKI8WHUULEN6nnx7Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:32:16 +0000 commit c5501d5ae8e9494d11a3b5464efeb3f50ff84075 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 3e6e35a1e6..89de385a6f 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2058,10 +2058,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7427da1b44..dbd26489d8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index e91fa49d7d..d0e9c33927 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -231,12 +230,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 360b28a2d9..23c54bc69b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1856,7 +1858,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333218.1595815 (Exim 4.92) (envelope-from ) id 1wWvd4-0001qI-SO; Tue, 09 Jun 2026 12:32:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333218.1595815; Tue, 09 Jun 2026 12:32:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvd4-0001qA-Pe; Tue, 09 Jun 2026 12:32:26 +0000 Received: by outflank-mailman (input) for mailman id 1333218; Tue, 09 Jun 2026 12:32:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvd4-0001q3-5T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:26 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvd4-001fV3-1M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:26 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvd4-00Cpz4-0N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:26 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DOWkVbqWB1WSagUMXayMgeONXNaXqRbHC8Wa9iHjqRc=; b=W3NukxffBonEJw5yXgYDeaE3YD 4Hs5qDLjgEAGwIfiead2mWAut+z/A0AwRhb6/C+mCejoWEALvJaZOGMGaz6q810w5f5uoaG9p4Z41 AwsEbedsyk1MpcuosQvHSHLtJcdEZ9EmCdhXK2Su8J+HNRZOjhkaFIl4J92oi1fleD0s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:32:26 +0000 commit 35742996499584e400e896c2e1ee8f6ad45a8748 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index d8d953cde8..3209aa1b55 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dbd26489d8..847aeb0e1a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -680,13 +680,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d0e9c33927..d60917f93d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -169,7 +169,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -657,12 +656,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 23c54bc69b..cf800881f4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1584,7 +1586,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1965,7 +1967,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333220.1595818 (Exim 4.92) (envelope-from ) id 1wWvdE-0001uz-TW; Tue, 09 Jun 2026 12:32:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333220.1595818; Tue, 09 Jun 2026 12:32:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdE-0001uq-Qy; Tue, 09 Jun 2026 12:32:36 +0000 Received: by outflank-mailman (input) for mailman id 1333220; Tue, 09 Jun 2026 12:32:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdE-0001uh-8j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvdE-001fVA-1g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvdE-00Cq5W-0f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zVusFRND1klTU6mmhU6u9Rl0aIjrIw7S9tBrNCjfTWQ=; b=wsim7xeB0rKztSSM6Qlgl12jLf lS0chAlyUulaIUHLraEw0OFQpRoB95P4t/ngNd92Kj2ubADokxy/XuDPvveOxodOU5lLiePl/TIhV unFcMSpnnGmmoMBdC0pG6e76w4dmX4vg7eCnoQ/tUjGXPWN6VDKSV/QYoEyEjlKd1dXI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:32:36 +0000 commit 4594a6b216e43b7630b1002985d6ac997b1c0510 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e918602153..2aad346eca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -497,6 +497,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -919,7 +923,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 25ea1dc421..c199735b24 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1512,7 +1512,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1582,7 +1582,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 847aeb0e1a..7e8d3b2893 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index cf800881f4..fc80576b09 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:48 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:48 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333221.1595823 (Exim 4.92) (envelope-from ) id 1wWvdQ-00020L-0F; Tue, 09 Jun 2026 12:32:48 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333221.1595823; Tue, 09 Jun 2026 12:32:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdP-00020E-SP; Tue, 09 Jun 2026 12:32:47 +0000 Received: by outflank-mailman (input) for mailman id 1333221; Tue, 09 Jun 2026 12:32:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdO-000207-Bc for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvdO-001fVE-1y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvdO-00CqBx-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CHFbX/6pKzuGDR+AAjEUNFAl99N0OBLESJ+S2DbAA6A=; b=K1b58ItmKLKkJ+LY0bubScidxk lh/IMybTS1FC6NBknAOKyIrS18MFJAaSSR2MTq5uMeF3qcT6vO52vSs4I6R9obRg6X9OGLVJcAWxz TkG3WQO43yRwkEDm6AxzkUvaMzzzl2RwV9mI2ubtct0DVs89Finw1wHdkbYX1rxXB0ew=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:32:46 +0000 commit 2c48c89c9d6a078ed8ac2dcde447e2c7146926fb Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2aad346eca..f3db0a5c4e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -326,6 +326,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -333,6 +337,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; /* fall through */ case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index c199735b24..8d015214fa 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1632,10 +1632,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1677,10 +1673,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index a33f9ec32b..67b708d768 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -531,7 +531,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7e8d3b2893..21e06f368d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d60917f93d..bf6d4e9772 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -123,13 +123,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -514,35 +507,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index fc80576b09..f2248e32bf 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1397,7 +1441,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1427,7 +1471,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1459,7 +1503,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1489,7 +1533,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1955,13 +1999,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:32:58 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:32:58 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333222.1595827 (Exim 4.92) (envelope-from ) id 1wWvda-00025K-2A; Tue, 09 Jun 2026 12:32:58 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333222.1595827; Tue, 09 Jun 2026 12:32:58 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdZ-00025C-Vg; Tue, 09 Jun 2026 12:32:57 +0000 Received: by outflank-mailman (input) for mailman id 1333222; Tue, 09 Jun 2026 12:32:56 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdY-000254-E9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvdY-001fVK-2E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvdY-00CqJn-1F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:32:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lNSphBIyEdX/q1j6t0bLPVuO4/XN7pBb04SF6L8xMd0=; b=C2P0KgQP+ODb/B/6QowffUrHsV zXVx0j4M4Dw/uLYCYdciQ+F+z+hgg5qfJIpSomrYt6LO8YgCMp/Zfs+bnI1IYIBujxL9dECZSDpBq 2N+gEcnw3iRDjaPNwrbp6aye7HfsbzEpFsoQoFcupm+h9dummOPtccBDus6KjGh5alTc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:32:56 +0000 commit 28cef2926da281d369bfcecd9c54d7656b5b2e0c Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f3db0a5c4e..b0c1d905fe 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -489,6 +489,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -845,36 +869,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 21e06f368d..718d3c4a2a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f2248e32bf..d8e2b12b14 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333223.1595831 (Exim 4.92) (envelope-from ) id 1wWvdk-000299-3q; Tue, 09 Jun 2026 12:33:08 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333223.1595831; Tue, 09 Jun 2026 12:33:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdk-000292-0n; Tue, 09 Jun 2026 12:33:08 +0000 Received: by outflank-mailman (input) for mailman id 1333223; Tue, 09 Jun 2026 12:33:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdi-00028t-HJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvdi-001fVo-2W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:06 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvdi-00CqPx-1X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:06 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BaFJPeYKEDzEWYnFDstQeNzGc1HDQ+SaJP0E7VD5D08=; b=UNjgHyGIjLoBR/Dx1hgxmQtufs lJ8RZ0I5waRZY3690aAb81H2tsVSuQpuH4aKehefM8pU3OEmluqVFHy/PYT5LuvauZsa/R+3ac127 rkfkEjgtAhp8rdqGsRJJxYQFWHrz6+hkmpCARwUSO+HgFiysgr9HQ8BwzrTAZqOeEJqA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:33:06 +0000 commit 9fe35345a7e8efed0b6a1934d7db88ca26ad5668 Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index da6be276ac..d5c58b49a2 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x0000020000000000 - 0x0000027fffffffff (512GB, L0 slot [4]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:18 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:18 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333224.1595835 (Exim 4.92) (envelope-from ) id 1wWvdu-0002Cf-4v; Tue, 09 Jun 2026 12:33:18 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333224.1595835; Tue, 09 Jun 2026 12:33:18 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvdu-0002CX-2B; Tue, 09 Jun 2026 12:33:18 +0000 Received: by outflank-mailman (input) for mailman id 1333224; Tue, 09 Jun 2026 12:33:16 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvds-0002CO-K6 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvds-001fWD-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvds-00CqbN-1o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ja3UoV+2hhJ97t9uVh294jFhYmW5dawOsfAyy4L4mqw=; b=rIoHfCVxdJQ6hAciqdE3aQ5nhj IBM+mXRH5MnyDkceO6+/LS8Ao4Fssnd0jORw+KIezADK+QppEEkjeZD4q/JNtTlgXLDksEcz7S8YN DiEN6wsZ1q3YiCpQmcSi7Yi81jl0TK1ixwhytF6nI1cdfgx9LXjt66KkELNabcc9M45I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:33:16 +0000 commit 49659a2259a80a22f4c3ee04f814daeafe7c94ab Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 8e02410465..e1620d5798 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:28 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:28 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333225.1595838 (Exim 4.92) (envelope-from ) id 1wWve4-0002Hd-6N; Tue, 09 Jun 2026 12:33:28 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333225.1595838; Tue, 09 Jun 2026 12:33:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWve4-0002HX-3U; Tue, 09 Jun 2026 12:33:28 +0000 Received: by outflank-mailman (input) for mailman id 1333225; Tue, 09 Jun 2026 12:33:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWve2-0002HP-Md for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:26 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWve2-001fWL-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:26 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWve2-00CqkT-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:26 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=O90EH4IkquTOnNgOzFEV4WLIlgpnqYjmlL18bdfn+zM=; b=MOnsxKXgO9WfG+k1x4MbkZGH3E HebZJBo/hC8C1COUOj+8Aka84FHSmasASCVfj0zGzuYkOQ2meH0luuWL14RyAhO86y6Bmy1jnGhIz 40e4YTad67YgnucmEjn2FkCK4HNkYerOAW06ubEloPVI1urldEOYZiQ5XDp9fePE5184=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:33:26 +0000 commit 1c2e5eb9a1ee1b7af55bbb1bf7507e200c593134 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index e1620d5798..a2104c2caf 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:38 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:38 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333226.1595842 (Exim 4.92) (envelope-from ) id 1wWveE-0002Mb-8s; Tue, 09 Jun 2026 12:33:38 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333226.1595842; Tue, 09 Jun 2026 12:33:38 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveE-0002MT-6L; Tue, 09 Jun 2026 12:33:38 +0000 Received: by outflank-mailman (input) for mailman id 1333226; Tue, 09 Jun 2026 12:33:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveC-0002MN-PG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWveD-001fWQ-07 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWveC-00Cqvv-2L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=htm7xDtVwYceYdovVcuOr7KdgGBHa+2ZGmZ3BGLtlyw=; b=eybwyD8mbZOfDvWM9II4KHm9kJ bEz4D//moL3dzfx96Da27exxIiP7GAwSdCJ4dNi5JvH5v/foH0Z/AionEwjdEmzzRPBmSIIXVyzuX H8G3EY7Et+v+7F6e7JMRsRXVA+BwZx9xnQNCNQRD6V3DikGKIjCtKC55yYqQ7X47riVI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:33:36 +0000 commit 57b2611107edf07996235166b5214639c9f0253a Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index a2104c2caf..3f086beed1 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:48 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:48 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333227.1595846 (Exim 4.92) (envelope-from ) id 1wWveO-0002RD-AG; Tue, 09 Jun 2026 12:33:48 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333227.1595846; Tue, 09 Jun 2026 12:33:48 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveO-0002R5-7d; Tue, 09 Jun 2026 12:33:48 +0000 Received: by outflank-mailman (input) for mailman id 1333227; Tue, 09 Jun 2026 12:33:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveM-0002Qy-Rk for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWveN-001fWU-0M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWveM-00Cr5A-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uDUXok5GIrXNNuyw0uGYmoErme2fN2a/QBZNp/x/Xsc=; b=uWSR444rb8AkJEGeuNUYEsp03y KKYbBe1bLq+DdGls4SZXHi59A0zrwqBreV5g/xLb/XIW9W/kp0XQzdVAMTZKBj9QYA66mnAkyQDht kk/dCqP9XUT/sdpBOXLL3EDirv23Ypdob9Pdvt8Q3r5r3C4wQqW9FpWA/SIGOUbWZ7JM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:33:46 +0000 commit bb9856e5e4c75576876409cd567b9ab72dac1e23 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 2939db429b..3eddc9c1e6 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -383,6 +383,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 9137958fb6..99517b5298 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -536,6 +536,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:33:58 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:33:58 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333228.1595851 (Exim 4.92) (envelope-from ) id 1wWveY-0002UY-BU; Tue, 09 Jun 2026 12:33:58 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333228.1595851; Tue, 09 Jun 2026 12:33:58 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveY-0002UR-8y; Tue, 09 Jun 2026 12:33:58 +0000 Received: by outflank-mailman (input) for mailman id 1333228; Tue, 09 Jun 2026 12:33:57 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveW-0002UL-VD for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWveX-001fWY-0g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWveW-00CrEy-2w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:33:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=O0MrD3xdS8F4uiqSe2P+I/7keN1c646RhA9woD4LhIU=; b=BZlNxoV9SWblTRIcSlpTYS2xkN FrfmvdHC5F/iVTqRtgqmdLGLMlK0GBuM1L9TxvfUjl+/Hmwwv1a2+2D46mEudi5qL7xlseJlYjcge Ep2lZHf3vcq9NtryuaKmJA+Ua/8chvzK/LcHTPGhsLaNJQNFQ+6sKWEn4lGymKcIFviY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:33:56 +0000 commit 07f3beb32ff63a497a82f07b37c2c23587a46da9 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 0d2d2b6623..85fba8b3c5 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -76,7 +76,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *); int mapcache_vcpu_init(struct vcpu *); -void mapcache_override_current(struct vcpu *); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index a461ee36ff..821ffe3e8b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index c5e5c72341..c6e0c858bf 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -372,6 +372,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 3635f90684..484b989042 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -528,7 +528,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -536,7 +536,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 3b28ae45d1..0f9e614ce7 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -812,8 +812,7 @@ static int __init dom0_construct(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -822,8 +821,7 @@ static int __init dom0_construct(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -834,8 +832,7 @@ static int __init dom0_construct(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -976,8 +973,7 @@ static int __init dom0_construct(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 2a445bb17b..5cd467d7a6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -428,6 +428,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -450,15 +452,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index ec4956e104..a585d4df5c 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -324,6 +324,7 @@ void start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 5a91fe28cc..aaeb916c0f 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 5cb7504c96..db21b9a802 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 942d2e9491..383b382fb0 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -34,7 +34,6 @@ struct compat_pf_efi_runtime_call; bool efi_enabled(unsigned int feature); void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333229.1595854 (Exim 4.92) (envelope-from ) id 1wWvei-0002WY-DG; Tue, 09 Jun 2026 12:34:08 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333229.1595854; Tue, 09 Jun 2026 12:34:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvei-0002WQ-AS; Tue, 09 Jun 2026 12:34:08 +0000 Received: by outflank-mailman (input) for mailman id 1333229; Tue, 09 Jun 2026 12:34:07 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWveh-0002WK-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:07 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWveh-001fWs-0y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:07 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWveg-00CrVU-3B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:06 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=073CHLVqqL6alI9rL/Gacd/g9C9pJ8Cuvmbp1McEa70=; b=vyAcRRsx2qw42hJ7ti23TGlwhl JkdD8JoMuWuEG6Gv4dNPNix6drIJ5VsPV9P8MAhbH117NFy3lGd3j95Ohi1GL5x5ipUg99aspN7oo 0af1X+vFaiSVjYFENJnnw+rjVBGrYGcVXYNuPaDHcqfYupSJSpuKpLHlPxIDxbwTuGTE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 12:34:06 +0000 commit f8cc168c4cdfe73da4e7bcb4b575ffc376523bcc Author: Andrew Cooper AuthorDate: Tue Jun 9 13:09:55 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:09:55 2026 +0100 Revert local CI adjustments This reverts commit 3f4d62dce7f5fe168e849d7fa6082853d07ad3bc. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index da236e3347..ef4484e09a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,5 +10,6 @@ stages: - test include: + - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:19 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:19 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333230.1595859 (Exim 4.92) (envelope-from ) id 1wWvet-0002ZM-GK; Tue, 09 Jun 2026 12:34:19 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333230.1595859; Tue, 09 Jun 2026 12:34:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvet-0002ZE-DB; Tue, 09 Jun 2026 12:34:19 +0000 Received: by outflank-mailman (input) for mailman id 1333230; Tue, 09 Jun 2026 12:34:17 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWver-0002Ys-RC for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:17 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWves-001fXC-07 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:17 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWver-00CrkL-2I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:17 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LZJoW0KteyzdvJas2d7u5Q1n2x77dQTad+LsKYc0ZNQ=; b=LVEm0Pl4BPtUDU0dwCeOp05bJ0 1Z+e7/eSXLoIxZLNqJXTWZ6lj+TWjn50ZPKrYry0jjkp/u8h8eweB32Oza5CmEh6g+sFZ/YE5WeBO cK94incQZBSB7KmdyPTmfeijVwp4vmRORCnrHjPVNoevZdhvsuxwCIzsPWPVl+M6x9sg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:34:17 +0000 commit 4c11789f6ea307c2567251f63812a62be3438377 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:48 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:45:56 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 1ce12b79e6..c9e2dcab66 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -620,6 +620,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -641,11 +642,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -654,6 +658,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -661,6 +667,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 27928dc3f3..464c43d035 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -145,7 +145,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 4454b158b6..dd879c9070 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -588,6 +588,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 0309d05cfd..aeb1d5b94f 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -157,36 +157,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -203,6 +223,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -210,9 +232,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -229,6 +257,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 0b86329ea3..c45fa0ff2b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -136,6 +136,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 8adf4555c2..b4044d6a57 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -76,8 +76,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:29 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333231.1595863 (Exim 4.92) (envelope-from ) id 1wWvf3-0002bP-HG; Tue, 09 Jun 2026 12:34:29 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333231.1595863; Tue, 09 Jun 2026 12:34:29 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvf3-0002bH-EX; Tue, 09 Jun 2026 12:34:29 +0000 Received: by outflank-mailman (input) for mailman id 1333231; Tue, 09 Jun 2026 12:34:27 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvf1-0002bA-SF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:27 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvf2-001fXG-0P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:27 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvf1-00CrtD-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:27 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pc4mw9dOwX8AHV5dKqN7z9pOpQo6xZkLQRtFBwOkNCY=; b=lS42F7QDOqidqCqQtwJXXJmMaV 8p3kXnxaV4naRdusHAvQlZGkj/FSv5LiEST/6+UGXc5jk+/Bez0rYCbc+wfeSjl7t8489Em8AiXbX +B+3A3t3nkjERmd7TM4dK2RtymNXN1soTyxirWpzOFzeAAJZ2gy6KoOiZaOTGr1umBFA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 12:34:27 +0000 commit c5915a56fb49d635447586b121f5dcd44537935e Author: Juergen Gross AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:10 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 96ca55a421..5824398183 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -556,7 +556,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( d == NULL ) goto getdomaininfo_out; - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) goto getdomaininfo_out; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 0cbfe8bd44..4c7551c5d9 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3286befeca..4b5f07ad27 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:39 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:39 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333232.1595866 (Exim 4.92) (envelope-from ) id 1wWvfD-0002dO-IT; Tue, 09 Jun 2026 12:34:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333232.1595866; Tue, 09 Jun 2026 12:34:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfD-0002dG-Fu; Tue, 09 Jun 2026 12:34:39 +0000 Received: by outflank-mailman (input) for mailman id 1333232; Tue, 09 Jun 2026 12:34:38 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfB-0002dA-VI for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:37 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvfC-001fXK-0i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:37 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvfB-00Cs5E-2w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:37 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=u/MPpw2NLPYqf4GKYzoiJQKNjbTRfuI93xam6wZzKBo=; b=i/qjjzDZ4RE3qbl2jp9YkzCL5Q TyZRF7aJ3lVCuAOdEaN+Fz5CQOfCeFz9+ZXqY4dlbzZN3vFncssgaQve9sN2mFlmANND99VcplH6p fVQD3CrARGrEB3A7ydotoXmjS/BnY4vhkXxlZhq4pWrtxkx3b1i8h+wYidtIfu6EAXZE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:34:37 +0000 commit b08478bb00b43d1d91068afc75740ab03d1d77b1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 8c6c26b562..e277329c78 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 072e4846aa..100e95d21e 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -191,7 +192,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -202,6 +202,8 @@ struct vcpu XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t) compat; } runstate_guest; /* guest address */ #endif + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:49 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:49 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333233.1595871 (Exim 4.92) (envelope-from ) id 1wWvfN-0002fQ-KM; Tue, 09 Jun 2026 12:34:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333233.1595871; Tue, 09 Jun 2026 12:34:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfN-0002fI-HL; Tue, 09 Jun 2026 12:34:49 +0000 Received: by outflank-mailman (input) for mailman id 1333233; Tue, 09 Jun 2026 12:34:48 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfM-0002fB-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:48 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvfM-001fXS-0y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:48 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvfM-00CsDZ-00 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:48 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RGTFGmdPYchtOXTULMC02X/lrsr1J/FQw7ymKt89AV4=; b=1ToO0ExscvAdkgghv0/zX9hMz3 9E9p2/ivqxm0JVyoq2cFq7+o+3ECBDTEtUjKnOTtH82jFBpe8PnxYh6lIdGAwllTS55ghXnlubLjZ V18Gx75kAGxVwI+0jNv79947sMcLhpWGXGqa0B3gU1mvOkZuIeuj5pPlQ4JygnJwoRYs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:34:48 +0000 commit fc4b4423afc1001f9840f6dc7f77427ce9d23d7f Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 91 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 5 ++- xen/xsm/flask/hooks.c | 6 +++- 3 files changed, 59 insertions(+), 43 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5824398183..5f0ad71660 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,56 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + { + domid_t dom = DOMID_INVALID; + + if ( !d ) + { + ret = -EINVAL; + if ( op->domain >= DOMID_FIRST_RESERVED ) + goto domctl_out_unlock_domonly; + + rcu_read_lock(&domlist_read_lock); + + dom = op->domain; + for_each_domain ( d ) + if ( d->domain_id >= dom ) + break; + } + + ret = -ESRCH; + if ( !d ) + goto getdomaininfo_out; + + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + op->domain = op->u.getdomaininfo.domain; + copyback = true; + + getdomaininfo_out: + /* When d was non-NULL upon entry, no cleanup is needed. */ + if ( dom == DOMID_INVALID ) + goto domctl_out_unlock_domonly; + + rcu_read_unlock(&domlist_read_lock); + d = NULL; + } + + goto domctl_out_unlock_domonly; + } + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -534,47 +584,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - { - domid_t dom = DOMID_INVALID; - - if ( !d ) - { - ret = -EINVAL; - if ( op->domain >= DOMID_FIRST_RESERVED ) - break; - - rcu_read_lock(&domlist_read_lock); - - dom = op->domain; - for_each_domain ( d ) - if ( d->domain_id >= dom ) - break; - } - - ret = -ESRCH; - if ( d == NULL ) - goto getdomaininfo_out; - - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - goto getdomaininfo_out; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - - getdomaininfo_out: - /* When d was non-NULL upon entry, no cleanup is needed. */ - if ( dom == DOMID_INVALID ) - break; - - rcu_read_unlock(&domlist_read_lock); - d = NULL; - break; - } - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4b5f07ad27..2ed193689f 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 42857c2122..c4c0ed596f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:34:59 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:34:59 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333234.1595875 (Exim 4.92) (envelope-from ) id 1wWvfX-0002hx-NU; Tue, 09 Jun 2026 12:34:59 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333234.1595875; Tue, 09 Jun 2026 12:34:59 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfX-0002hp-KY; Tue, 09 Jun 2026 12:34:59 +0000 Received: by outflank-mailman (input) for mailman id 1333234; Tue, 09 Jun 2026 12:34:58 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfW-0002hj-4a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:58 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvfW-001fXW-1G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:58 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvfW-00CsT8-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:34:58 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BZExN5zSYAgvaC2z+I8sX9orvLQVApJo5HCg6qz+VXs=; b=cSTDl++iZ0/EUe7cPzvbHzQpX1 VZOIfjlxIrSbB6FYAksySxgI0Wa+AlODHNkzcFX4HoBU4nOkGBUehBihiP/ivr9tQXJiMpUiTFr+F 6UKjgyN3VUs+9qmimqv6GTj8MVK0JOWNTLXDeR6yXid4XrJ1EbFrG9JPaixFoAfZZZ+I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:34:58 +0000 commit 037e662ba5653fd6c096a2b2556d9ce1e1b03f28 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 13a1674ce4..a6dc665fa6 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -602,6 +607,7 @@ struct domain *domain_create(domid_t domid, spin_lock_init_prof(d, domain_lock); spin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5f0ad71660..96a6e4f9d8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -719,6 +748,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -727,6 +758,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -751,19 +784,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -787,6 +816,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 100e95d21e..c5aa5d9611 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -492,6 +492,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333235.1595878 (Exim 4.92) (envelope-from ) id 1wWvfh-0002jw-OW; Tue, 09 Jun 2026 12:35:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333235.1595878; Tue, 09 Jun 2026 12:35:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfh-0002jp-Ly; Tue, 09 Jun 2026 12:35:09 +0000 Received: by outflank-mailman (input) for mailman id 1333235; Tue, 09 Jun 2026 12:35:08 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfg-0002ji-7e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:08 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvfg-001fXl-1Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:08 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvfg-00Cse9-0Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:08 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WRP0CMSZitsshd+v+/Jvw4cXIdsK+bTZuxrSfuHlTas=; b=ylvxdIqHQzVcJE0TvryWjZQfIz dAJztkLS3eKrRr3IS477Q1181FpawJe7elNWgkS/mI/ywgha4kr89dFabIwdq38Uly1ob2Y1bwlbt lOXYOVdomZr/O5pPKGMGLTDVCAwSBkTv5RYwkJL9LsoD9OshaVFLW/1L9g/dbyNrJEio=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:35:08 +0000 commit eb8153a3cc1cf1f0ea1bd87b84356bc6bd4aae6f Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 4 ++++ 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index c9e2dcab66..35c44391aa 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,6 +226,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -235,6 +237,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -605,16 +609,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -675,6 +676,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2d2eb791e4..c42e053df4 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2103,9 +2103,13 @@ void __hwdom_init setup_io_bitmap(struct domain *d) if ( is_hvm_domain(d) ) { bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); rc = rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d); BUG_ON(rc); + read_unlock(&d->caps_lock); + /* * NB: we need to trap accesses to 0xcf8 in order to intercept * 4 byte accesses, that need to be handled by Xen in order to -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:19 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:19 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333236.1595883 (Exim 4.92) (envelope-from ) id 1wWvfr-0002mC-QF; Tue, 09 Jun 2026 12:35:19 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333236.1595883; Tue, 09 Jun 2026 12:35:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfr-0002m4-NX; Tue, 09 Jun 2026 12:35:19 +0000 Received: by outflank-mailman (input) for mailman id 1333236; Tue, 09 Jun 2026 12:35:18 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvfq-0002ly-AP for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:18 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvfq-001fa7-1q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:18 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvfq-00CsmO-0s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:18 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=r4eQ0K2lLgxIyOkhkVoZygJsQiQ4N4H15c4CHs7Yl7A=; b=whihDQQVoWEHirn0OCenaAzCOK HpnbSmrfkWEmWeXwcUx0dFbqAN7HKW6dKv6p4DYuIMkym9mzNTAtyNOELQxlYpHD/IaKk6GgctEyG SNhyUI+uUV8VeLqDHfco2lppjfbjZpEg5FbyGK+3iFhVGTVYZJSiWITNFGnITQMW5FEY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:35:18 +0000 commit 0a5149863d711e1af964f858f2f089bd25a5f541 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 1baf25c3d9..5508661fcf 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -74,6 +74,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -105,21 +106,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -136,16 +142,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 35c44391aa..cb568bb1fe 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -536,20 +536,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -562,23 +569,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 96a6e4f9d8..e1237f03bb 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -728,6 +728,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -735,6 +738,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:29 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333237.1595887 (Exim 4.92) (envelope-from ) id 1wWvg1-0002oD-Rg; Tue, 09 Jun 2026 12:35:29 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333237.1595887; Tue, 09 Jun 2026 12:35:29 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvg1-0002o5-Os; Tue, 09 Jun 2026 12:35:29 +0000 Received: by outflank-mailman (input) for mailman id 1333237; Tue, 09 Jun 2026 12:35:28 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvg0-0002nx-DB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:28 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvg0-001faD-27 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:28 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvg0-00Csw0-19 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:28 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Z8V+crSyDCQvUSEDSJ5WhmqTg6LBZoBHF7fGbInFouo=; b=Sq4DklDi/dDd/FLOZcBvCfpqHN yNx9fcSConQ/GMgTqgCE54t3rWJmBRfNqAO4h7kymFY1tFdgw9GcXSqxGYaJA23mWOy7xf+HndjSZ Vrj/6Q6jPSlyxAJiU5TGbUhX/L5T3u+1rBm4JA8Rs7ITecwVO96vhZZzSRQIQMoLuNgY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:35:28 +0000 commit 95bfcd4084442791e8e8fbe4c7153bcf0d6b711a Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e1237f03bb..d2545569b7 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -392,6 +392,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -768,64 +828,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ed193689f..7c45a330ae 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c4c0ed596f..a9d8140f10 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:39 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:39 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333238.1595891 (Exim 4.92) (envelope-from ) id 1wWvgB-0002qf-UG; Tue, 09 Jun 2026 12:35:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333238.1595891; Tue, 09 Jun 2026 12:35:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgB-0002qX-RW; Tue, 09 Jun 2026 12:35:39 +0000 Received: by outflank-mailman (input) for mailman id 1333238; Tue, 09 Jun 2026 12:35:38 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgA-0002qR-G8 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:38 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgA-001faK-2Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:38 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvgA-00Ct4F-1Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:38 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lP8lm7U7nmMhfvmzTmCuNJ7g4QAwW0aTCcIbuK8vg48=; b=5c4BfVegod7djl2OLh1sxKNgI7 gTXB22XfUsXOe0CPzZ2yEmgv/pRxsoHvPRi0etYXLhr2Ad/8ZtiWYMAGnlFVyVdBgET8Ja6CfekHA 7qL8Ic+clJDH+O7lu2vg8x67UEIaH1kfF+4LusY/t9TPl9pDsXTrxWA8fFerfJDluyQE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:35:38 +0000 commit e4a65bd4230abaae48d4f4b72f0c3028541c9c57 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index cb568bb1fe..12d8768da3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -619,12 +619,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d2545569b7..0f3bb6087a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -452,6 +452,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7c45a330ae..60dc474b2b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -764,7 +764,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a9d8140f10..bfdc5da2cd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333239.1595895 (Exim 4.92) (envelope-from ) id 1wWvgL-0002sg-Vd; Tue, 09 Jun 2026 12:35:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333239.1595895; Tue, 09 Jun 2026 12:35:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgL-0002sY-Sy; Tue, 09 Jun 2026 12:35:49 +0000 Received: by outflank-mailman (input) for mailman id 1333239; Tue, 09 Jun 2026 12:35:48 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgK-0002sR-J3 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:48 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgK-001faO-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:48 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvgK-00Ct9v-1j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:48 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kk5RZz0TQGpHVYZUfKWIM8F38jue/6xY+5ebGgC/CL4=; b=hmSxVuGRwfheXT87jPN4tk+Hol Ge8KJdKY9iG8AUYpM9Hh7S9QcvuYUQTD/3LMCXzYVXymsHIk0UBSCK/uJ3G2Fw1TPeUYWFiXdU6+E 6MUyN9VIWRxbvYQWj7NkVy57HFpy0slJwcjE2w8Xv+tuEdP+YN1z34i1bu2vAlt0iYXc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:35:48 +0000 commit 43013fe6b62db276fdce162a221c06d3f29bc223 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 5508661fcf..cd93636ac1 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -102,7 +102,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -138,7 +138,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 12d8768da3..12f1e85c30 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -531,7 +531,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -569,7 +569,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0f3bb6087a..f9d9ab5e38 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -453,6 +453,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 60dc474b2b..6cdba38c83 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index bfdc5da2cd..19e3bfd9c7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:35:59 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:35:59 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333240.1595899 (Exim 4.92) (envelope-from ) id 1wWvgV-0002uk-0v; Tue, 09 Jun 2026 12:35:59 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333240.1595899; Tue, 09 Jun 2026 12:35:58 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgU-0002ua-UK; Tue, 09 Jun 2026 12:35:58 +0000 Received: by outflank-mailman (input) for mailman id 1333240; Tue, 09 Jun 2026 12:35:58 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgU-0002uU-Lf for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:58 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgU-001faX-2x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:58 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvgU-00CtJr-1z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:35:58 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=49DOIuKpPs59H+V7mmjf5vRn9eEN2MwSBjD2bspfjwU=; b=0WLi/QUNQ3iOTinyJk79yIYKdh BMSLtKCJupGWcP6kKS22HExuzHvVi00KIu/oNhAkVMEMOmRbllyVbtYWhrXy4B+TMbTEzOkFsBxIx R/5krSw2Q0XMtEYMOy7o7ft8LiIHhdxjjTw1Ko0x8M1kYRUhgYHSkMreffWJM+4Hhf/0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:35:58 +0000 commit d6d9f96182b468fe47ab247ec5b5f3ee4f221960 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 12f1e85c30..b3fcc06fd6 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,12 +226,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f9d9ab5e38..ccb8c5b438 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -392,6 +392,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -452,6 +480,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -809,31 +838,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6cdba38c83..f49ee244cf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -755,7 +757,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 19e3bfd9c7..3a8f5ac6e2 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:36:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:36:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333241.1595903 (Exim 4.92) (envelope-from ) id 1wWvgf-0002wk-22; Tue, 09 Jun 2026 12:36:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333241.1595903; Tue, 09 Jun 2026 12:36:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvge-0002wb-Vh; Tue, 09 Jun 2026 12:36:08 +0000 Received: by outflank-mailman (input) for mailman id 1333241; Tue, 09 Jun 2026 12:36:08 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvge-0002wV-Of for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:08 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgf-001fam-03 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:08 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvge-00CtT5-2H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:08 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=P9mP+stlCpWoCorydx2ZqNeZF3bdf7JI5fVYi0gzT+8=; b=jLtMgZSMRu8xZKbB5+v/Ra7Upy 6p/P7ef/aFHHt5f2gq6ruJgS1vl/1pHxRlmuNlzYGXZ2rAQQ1AABNLQ4O3/TexfZh0QA0OkaXQ0qB Y8FuyKzZ6ezUhDjnePY01zM61v/sKkcciBsABNK9zyCyr2kUoq7la6G3u9Eh5LxBoN1E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:36:08 +0000 commit 6789ab98fc908ffcd83c7417f22a973f39b5fcf9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 55 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ccb8c5b438..ebc97aa843 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -480,6 +480,36 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -813,31 +843,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f49ee244cf..9e45b0e535 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3a8f5ac6e2..b0308369c9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:36:22 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:36:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333242.1595906 (Exim 4.92) (envelope-from ) id 1wWvgq-0002yx-3U; Tue, 09 Jun 2026 12:36:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333242.1595906; Tue, 09 Jun 2026 12:36:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgq-0002yp-0p; Tue, 09 Jun 2026 12:36:20 +0000 Received: by outflank-mailman (input) for mailman id 1333242; Tue, 09 Jun 2026 12:36:18 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgo-0002yi-Sb for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:18 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgp-001fbA-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:18 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvgo-00Ctb2-2Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:18 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=txqsHFlxobUTOzH0W8NwBvXkcNxWfehGPoADPZRa60c=; b=rfp+n2uqaA//lqSjhlCMb09YXy 3NJgBOXPXNJgpO3YdPm3zZvWj1n8f6vQBuKjtKAvS0fB6M0ogoDEf7dA4mO7SciWttsJ3uQj2xlZ6 burh55FtDJPMzJrZiZwLyKyOVvNuhKsdZHnmmPdrxaeK9SFEx4z0TXrT5872pTQHM74U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:36:18 +0000 commit a0119e1fd676b350491a0e6441eae63fa144d2f9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 18 insertions(+), 36 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ebc97aa843..03851eb221 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -510,6 +510,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index ecf49c38a9..6af5f13f45 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -600,10 +600,6 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) return 0; } - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; - if ( unlikely(d == current->domain) ) /* no domain_pause() */ { gdprintk(XENLOG_INFO, "Tried to do a memory event op on itself.\n"); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 9e45b0e535..0613345669 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -643,13 +643,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 627c0d2731..2a3b94afd5 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -152,8 +152,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -626,12 +624,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..fba0672fdd 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -109,8 +109,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b0308369c9..8ebbf08a42 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1346,11 +1344,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1929,8 +1922,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:36:30 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:36:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333243.1595911 (Exim 4.92) (envelope-from ) id 1wWvh0-00031Q-6j; Tue, 09 Jun 2026 12:36:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333243.1595911; Tue, 09 Jun 2026 12:36:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvh0-00031I-3k; Tue, 09 Jun 2026 12:36:30 +0000 Received: by outflank-mailman (input) for mailman id 1333243; Tue, 09 Jun 2026 12:36:28 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvgy-00031C-U7 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:28 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvgz-001fbE-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:28 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvgy-00Ctno-2q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:28 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wXfMSaQZpY2+fG/O9r/5EeyDV5it79lQaCofi+HLxgw=; b=LArPByli+OoKm225Da5D2eGRGR JRpg3IPJvsCTO0roMrk1bjxnyE4orYfr6fgQZ6BBqhvg1fT4vNhuCIQII6uqWFUcyP60hr7Vzd9tX 9xhTWLwWCCjniJM9IjWOFR2ch2EVn3+3e+1a0b3kqV/LadYMq9zDcH3u2vDgRROG8vr8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:36:28 +0000 commit 53cd1f0cf5529791cb4c175f84e61616603d6dfe Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index d7785420bb..8414b631ef 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -779,7 +779,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 03851eb221..c4dd88c353 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -539,9 +539,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0613345669..4d92bce52b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 2a3b94afd5..4e1860c328 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -247,9 +247,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8ebbf08a42..7a13cecbdd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -840,7 +840,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:36:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:36:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333244.1595915 (Exim 4.92) (envelope-from ) id 1wWvhA-00033N-7t; Tue, 09 Jun 2026 12:36:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333244.1595915; Tue, 09 Jun 2026 12:36:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhA-00033F-57; Tue, 09 Jun 2026 12:36:40 +0000 Received: by outflank-mailman (input) for mailman id 1333244; Tue, 09 Jun 2026 12:36:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvh9-000339-0i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvh9-001fbI-0s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:38 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvh8-00Ctyl-37 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:38 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MfgiemNzEiwacLfp9Oq8cBOEYh3Co0Upn7G9PfNMX3s=; b=M5ZNAE9skqHl/r3vF6de/70HiD Fvaioe3OAK3H3LQl+AbSdNdMKPXaSOeJVc/o/gHi1D3tldYoyIEic++J4AGPKLrnfBU5v8+alwxA4 C7fFFrOINJLUXzJO7xt46zVzEDvbvydXeE0yHnBv4kqyCuQy3fbz8y0rKE7ulUfsZvMk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:36:38 +0000 commit ffc0d278e73e145fc147237ac0aa42e8a7e68c7b Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index e277329c78..87484361e8 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2058,10 +2058,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4d92bce52b..ded7d2b698 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4e1860c328..ed5b9e1308 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -229,12 +228,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index fba0672fdd..57ec4b26b3 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 7a13cecbdd..d04bb34f2e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1849,7 +1851,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:36:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:36:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333245.1595919 (Exim 4.92) (envelope-from ) id 1wWvhK-00035N-9M; Tue, 09 Jun 2026 12:36:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333245.1595919; Tue, 09 Jun 2026 12:36:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhK-00035F-6a; Tue, 09 Jun 2026 12:36:50 +0000 Received: by outflank-mailman (input) for mailman id 1333245; Tue, 09 Jun 2026 12:36:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhJ-000358-3d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvhJ-001fbM-1A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvhJ-00Cu72-0B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=a3ZI6m3twJy9wSbX8t4DpmOVByp6N10NTt4fYBadn5U=; b=nt5jbzBbw6Wj23d2A2TbBdlOx9 oLCQ1grXY3mt8DkySwhTgxSREx+YjQLxgWgMuv59gN5nWvSIYj1e5+hO2jF9aFoehcBYfE4ybP4Mh aSeA4jZRy27bmN/I767sVbbQhrhF9PUhaQOaeM3CgAhEzN9DtGB09N6bv5dcr/+hi9+Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:36:49 +0000 commit 4aa3ccc4f9ee7bd16ef7a3502c46369d03c188d5 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 8414b631ef..b8ef65cfb8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -721,10 +721,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ded7d2b698..f532e01c48 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -673,13 +673,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index ed5b9e1308..be968a3b5f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -167,7 +167,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -649,12 +648,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 57ec4b26b3..d7c30d030c 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -123,7 +123,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d04bb34f2e..742a439bd6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1577,7 +1579,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1957,7 +1959,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:00 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333246.1595922 (Exim 4.92) (envelope-from ) id 1wWvhU-00037N-AS; Tue, 09 Jun 2026 12:37:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333246.1595922; Tue, 09 Jun 2026 12:37:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhU-00037F-7y; Tue, 09 Jun 2026 12:37:00 +0000 Received: by outflank-mailman (input) for mailman id 1333246; Tue, 09 Jun 2026 12:36:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhT-000379-6M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvhT-001fbQ-1R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvhT-00CuFR-0S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:36:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zCODusX9YAaHUmIq3ZulAcvF769NdLZFrm7FMkT5qzA=; b=kS5csG9OsKmlJZB0b9pVJj+0Q4 JH4GJuh/5Vfn/aLdGTYvUbgtPMFjlsl7/R9ETnINqILCSlpZo3YZ3Uooo/5lQoy3HVvh5cXEiBezF UlNDcZJRoB65Svf8JeDPvXeC2LP8HFxb/sHDq3O//VdF1TqHmCLQvSzziCUhgCMoDrI8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:36:59 +0000 commit 9609fecb5b97c3063873f892e2b6bbe868ce8bb6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c4dd88c353..f0dd5b595e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -527,6 +527,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -949,7 +953,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index cfe2934a6e..1131950078 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1513,7 +1513,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1583,7 +1583,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f532e01c48..3fb36887d6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 742a439bd6..33d6df7ff9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333247.1595927 (Exim 4.92) (envelope-from ) id 1wWvhe-00039S-Cj; Tue, 09 Jun 2026 12:37:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333247.1595927; Tue, 09 Jun 2026 12:37:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhe-00039L-9N; Tue, 09 Jun 2026 12:37:10 +0000 Received: by outflank-mailman (input) for mailman id 1333247; Tue, 09 Jun 2026 12:37:09 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhd-00039F-9j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:09 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvhd-001fbf-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvhd-00CuOD-0l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:09 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=03jNUSRi2ueModmFlESnr79G1AmHDfuWsSyMgq08CwA=; b=ulk/crHzy1DXuNiQFdy7CBf0+O sXS0H/t3LpsdUfM5+9kKs+HNW5YCq/sJ9FyvvOxpDHMI5FccOqpeUl/orITsW6JEwzIZPcz5pdaEi 0SjmIzJ1+EBHC25yuVDkvnUBhL+8+U8l6kC9dpf/TW4sfkL4vCa2mTQSXYN8hiRTTGmk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:37:09 +0000 commit 0818baa5e949450486d76891ba74f7b07d537e61 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f0dd5b595e..de327f6fd3 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -326,6 +326,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -333,6 +337,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; /* fall through */ case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 1c32d7b50c..acfda2c8c6 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -213,15 +213,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -262,15 +262,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) return -EINVAL; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 1131950078..3e3ee2df08 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1633,10 +1633,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1678,10 +1674,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 7ba3a56520..1af7b3d41a 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -531,7 +531,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3fb36887d6..d97e6bcf5b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index be968a3b5f..102880da9e 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -121,13 +121,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -506,35 +499,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index d7c30d030c..49598bf08a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -76,13 +76,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 33d6df7ff9..3ecf9b3538 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1394,7 +1438,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1424,7 +1468,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1456,7 +1500,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1486,7 +1530,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1947,13 +1991,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:20 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:20 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333248.1595931 (Exim 4.92) (envelope-from ) id 1wWvho-0003C8-Fb; Tue, 09 Jun 2026 12:37:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333248.1595931; Tue, 09 Jun 2026 12:37:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvho-0003By-Cp; Tue, 09 Jun 2026 12:37:20 +0000 Received: by outflank-mailman (input) for mailman id 1333248; Tue, 09 Jun 2026 12:37:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhn-0003Bq-CH for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvhn-001fc2-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:19 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvhn-00CuX5-13 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:19 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rZuyIGGK7DYH/E/bmcRvk50jhqwFRiN816yhafZ8u9I=; b=O3BuIYXXRrAzUfG9F+Gs28w/MA BWA0115IGKnIoYon1kFQDNlnfwxcdwkL9Jo/KJvjEAI42C8VDtaiYoNHs67S/9l+tvvo0Ni+BbEdP aHaixmTquYnV/G9FJLN0WKD3IknO/OvS7EG+cH/0lGvUhpOmZ4VpLx2EBkQuYILyKbJI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:37:19 +0000 commit 272126388a1491353a2433af2aadebdca1ac6b4c Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index de327f6fd3..ce8f6aae61 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -519,6 +519,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -875,36 +899,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d97e6bcf5b..8ed7c3dacf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3ecf9b3538..2df93b01b4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:30 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333249.1595935 (Exim 4.92) (envelope-from ) id 1wWvhy-0003Ff-H9; Tue, 09 Jun 2026 12:37:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333249.1595935; Tue, 09 Jun 2026 12:37:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhy-0003FX-EF; Tue, 09 Jun 2026 12:37:30 +0000 Received: by outflank-mailman (input) for mailman id 1333249; Tue, 09 Jun 2026 12:37:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvhx-0003E6-Eo for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvhx-001fc6-2H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvhx-00Cufb-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OWTZHfwkgiI2mItlqGi69UFSxZX7jDHGw7wt7+saWu8=; b=Y+ssFu1EwLVAwhX44Wzn8cK8Ht azP1lA3okfz3F0l28Q3HwwpC5cTmBD7AiKQmAFSBBIszTotjsL3b0I40bUjdi07aog/kzsSPKjXti 0fZFsmyaW6naDgxcrPb4J4a/KD3VfWGbQvGbmVgpUBSTMzaObKtiFB5V20c84gqJnikU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm64: flushtlb: Reduce scope of barrier for local TLB flush Message-Id: Date: Tue, 09 Jun 2026 12:37:29 +0000 commit 4ba0e07469f516e9e24dd50f2cb6d3ba0245d166 Author: Julien Grall AuthorDate: Tue Jan 24 19:25:19 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Reduce scope of barrier for local TLB flush Per D5-4929 in ARM DDI 0487H.a: "A DSB NSH is sufficient to ensure completion of TLB maintenance instructions that apply to a single PE. A DSB ISH is sufficient to ensure completion of TLB maintenance instructions that apply to PEs in the same Inner Shareable domain. " This means barrier after local TLB flushes could be reduced to non-shareable. Note that the scope of the barrier in the workaround has not been changed because Linux v6.1-rc8 is also using 'ish' and I couldn't find anything in the Neoverse N1 suggesting that a 'nsh' would be sufficient. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit 7c438851475482bf73fcf451551d1cb718d4904c) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm64/flushtlb.h | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 7c54315187..fcc0788c30 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,8 +12,9 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB operation for all the TLB flush operations. - * While this is stricly not necessary, we don't want to take any risk. + * The workaround repeats TLBI+DSB ISH operation for all the TLB flush + * operations. While this is strictly not necessary, we don't want to + * take any risk. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -21,12 +22,17 @@ * For the Stage-2 page-tables the ISB ensures the completion of the DSB * (and therefore the TLB invalidation) before continuing. So we know * the TLBs cannot contain an entry for a mapping we may have removed. + * + * Note that for local TLB flush, using non-shareable (nsh) is sufficient + * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in + * for the workaround is left as inner-shareable to match with Linux + * v6.1-rc8. */ -#define TLB_HELPER(name, tlbop) \ +#define TLB_HELPER(name, tlbop, sh) \ static inline void name(void) \ { \ asm volatile( \ - "dsb ishst;" \ + "dsb " # sh "st;" \ "tlbi " # tlbop ";" \ ALTERNATIVE( \ "nop; nop;", \ @@ -34,25 +40,25 @@ static inline void name(void) \ "tlbi " # tlbop ";", \ ARM64_WORKAROUND_REPEAT_TLBI, \ CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb ish;" \ + "dsb " # sh ";" \ "isb;" \ : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1); +TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is); +TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1); +TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is); +TLB_HELPER(flush_all_guests_tlb, alle1is, ish) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2); +TLB_HELPER(flush_xen_tlb_local, alle2, nsh) /* Flush TLB of local processor for address va. */ static inline void __flush_xen_tlb_one_local(vaddr_t va) @@ -66,6 +72,8 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile("tlbi vae2is, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); } +#undef TLB_HELPER + #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* * Local variables: -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333250.1595939 (Exim 4.92) (envelope-from ) id 1wWvi8-0003JL-IH; Tue, 09 Jun 2026 12:37:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333250.1595939; Tue, 09 Jun 2026 12:37:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvi8-0003JD-Fc; Tue, 09 Jun 2026 12:37:40 +0000 Received: by outflank-mailman (input) for mailman id 1333250; Tue, 09 Jun 2026 12:37:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvi7-0003J7-HM for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvi7-001fcD-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:39 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvi7-00CulY-1Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M5NXhuIwGA7m0GEQmanEqJ0UEa3+ZwW19E8SnMNgbk0=; b=CIBGzp+B7mnH9P9RFDLGGVaRBP 3q8GSuit1mhJl+QYZlKND3h5iuX/B5cbOGkbh1FlmfiuTP+ABA2BX6tI62WLVKhhJssWM768QUa0t hb+tYlEtuXxKWUhUXuZJldHgUZd1VEj646qvKHAeiloZLRVhPA08oXfEWRmS801NPGwY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm64: flushtlb: Implement the TLBI repeat workaround for TLB flush by VA Message-Id: Date: Tue, 09 Jun 2026 12:37:39 +0000 commit 95b9e5a188f6132711f47a24d05dc1816e189daf Author: Julien Grall AuthorDate: Tue Jan 24 19:25:50 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Implement the TLBI repeat workaround for TLB flush by VA Looking at the Neoverse N1 errata document, it is not clear to me why the TLBI repeat workaround is not applied for TLB flush by VA. The TLB flush by VA helpers are used in flush_xen_tlb_range_va_local() and flush_xen_tlb_range_va(). So if the range size is a fixed size smaller than a PAGE_SIZE, it would be possible that the compiler remove the loop and therefore replicate the sequence described in the erratum 1286807. So the TLBI repeat workaround should also be applied for the TLB flush by VA helpers. Fixes: 22e323d115d8 ("xen/arm: Add workaround for Cortex-A76/Neoverse-N1 erratum #1286807") Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit cbfaf6ccd2cb5d1b2bc6efe5c6f4ba5cccce5689) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm64/flushtlb.h | 32 +++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index fcc0788c30..56c6fc763b 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -45,6 +45,27 @@ static inline void name(void) \ : : : "memory"); \ } +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + * + * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. + */ +#define TLB_HELPER_VA(name, tlbop) \ +static inline void name(vaddr_t va) \ +{ \ + asm volatile( \ + "tlbi " # tlbop ", %0;" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi " # tlbop ", %0;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + : : "r" (va >> PAGE_SHIFT) : "memory"); \ +} + /* Flush local TLBs, current VMID only. */ TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) @@ -61,18 +82,13 @@ TLB_HELPER(flush_all_guests_tlb, alle1is, ish) TLB_HELPER(flush_xen_tlb_local, alle2, nsh) /* Flush TLB of local processor for address va. */ -static inline void __flush_xen_tlb_one_local(vaddr_t va) -{ - asm volatile("tlbi vae2, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); -} +TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) /* Flush TLB of all processors in the inner-shareable domain for address va. */ -static inline void __flush_xen_tlb_one(vaddr_t va) -{ - asm volatile("tlbi vae2is, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); -} +TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) #undef TLB_HELPER +#undef TLB_HELPER_VA #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:37:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:37:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333251.1595943 (Exim 4.92) (envelope-from ) id 1wWviI-0003LJ-Jr; Tue, 09 Jun 2026 12:37:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333251.1595943; Tue, 09 Jun 2026 12:37:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviI-0003LB-H5; Tue, 09 Jun 2026 12:37:50 +0000 Received: by outflank-mailman (input) for mailman id 1333251; Tue, 09 Jun 2026 12:37:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviH-0003L5-K1 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWviH-001fcJ-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWviH-00CutY-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mqs9PvzBqQyXDgRgRONUn1lKvQLcnaQi0B8auPRUHdU=; b=K6FgkVSrVfHXpTljTY7GZNuDzx xjg+d3ZHgqgDC0cVnJiR1VLyLbIUSm9Qzpiv4LO3sOL2btqSbZIRAR5YKT4vEwmoUem+Uzl+17BVu dA18b04CVI2tAVrSG78k5apvcGkJPvZ3SiO/ZUbI/s+54Are5u9vTYUrCRTUIrX3RGVM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm32: flushtlb: Reduce scope of barrier for local TLB flush Message-Id: Date: Tue, 09 Jun 2026 12:37:49 +0000 commit 08157db12beb4a9698f4a13cba0884c4fe86f832 Author: Julien Grall AuthorDate: Tue Jan 24 19:26:09 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm32: flushtlb: Reduce scope of barrier for local TLB flush Per G5-9224 in ARM DDI 0487I.a: "A DSB NSH is sufficient to ensure completion of TLB maintenance instructions that apply to a single PE. A DSB ISH is sufficient to ensure completion of TLB maintenance instructions that apply to PEs in the same Inner Shareable domain. " This is quoting the Armv8 specification because I couldn't find an explicit statement in the Armv7 specification. Instead, I could find bits in various places that confirm the same implementation. Furthermore, Linux has been using 'nsh' since 2013 (62cbbc42e001 "ARM: tlb: reduce scope of barrier domains for TLB invalidation"). This means barrier after local TLB flushes could be reduced to non-shareable. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit d56c70b6e1fe2b4ee836ca4449a3277cbbeb0ddc) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 9085e65011..22ee3b317b 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -15,30 +15,35 @@ * For the Stage-2 page-tables the ISB ensures the completion of the DSB * (and therefore the TLB invalidation) before continuing. So we know * the TLBs cannot contain an entry for a mapping we may have removed. + * + * Note that for local TLB flush, using non-shareable (nsh) is sufficient + * (see G5-9224 in ARM DDI 0487I.a). */ -#define TLB_HELPER(name, tlbop) \ -static inline void name(void) \ -{ \ - dsb(ishst); \ - WRITE_CP32(0, tlbop); \ - dsb(ish); \ - isb(); \ +#define TLB_HELPER(name, tlbop, sh) \ +static inline void name(void) \ +{ \ + dsb(sh ## st); \ + WRITE_CP32(0, tlbop); \ + dsb(sh); \ + isb(); \ } /* Flush local TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb_local, TLBIALL); +TLB_HELPER(flush_guest_tlb_local, TLBIALL, nsh) /* Flush inner shareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, TLBIALLIS); +TLB_HELPER(flush_guest_tlb, TLBIALLIS, ish) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, TLBIALLNSNH); +TLB_HELPER(flush_all_guests_tlb_local, TLBIALLNSNH, nsh) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, TLBIALLNSNHIS); +TLB_HELPER(flush_all_guests_tlb, TLBIALLNSNHIS, ish) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, TLBIALLH); +TLB_HELPER(flush_xen_tlb_local, TLBIALLH, nsh) + +#undef TLB_HELPER /* Flush TLB of local processor for address va. */ static inline void __flush_xen_tlb_one_local(vaddr_t va) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:00 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333252.1595947 (Exim 4.92) (envelope-from ) id 1wWviS-0003NO-Lp; Tue, 09 Jun 2026 12:38:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333252.1595947; Tue, 09 Jun 2026 12:38:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviS-0003NA-Ie; Tue, 09 Jun 2026 12:38:00 +0000 Received: by outflank-mailman (input) for mailman id 1333252; Tue, 09 Jun 2026 12:37:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviR-0003N4-Mq for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWviR-001fcY-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWviR-00Cv1U-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:37:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=B2M1pk1C0b+5Hv2qelpuy7xwaYRBQNcw6uIrlWoTC/M=; b=AT8Hpp7WMwUgo24XxpzQ1Dcln/ vyhVEvndd9Pzjfuqstc1kxoj/j7X7iTcFDKFQpKZBS3GLECiNJoZMnLPjJGny9E+CTR7mGb9o1QkW Usg0dSNKwlS2DUZqqxwGPME0FPjuDvql35nbY1k/E7jOJvmIGL8up70G7ouickc48ywg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: flushtlb: Reduce scope of barrier for the TLB range flush Message-Id: Date: Tue, 09 Jun 2026 12:37:59 +0000 commit 333c263bbad55928dcb3cc49e5ab1e30c6fc7be8 Author: Julien Grall AuthorDate: Tue Jan 24 19:26:29 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: flushtlb: Reduce scope of barrier for the TLB range flush At the moment, flush_xen_tlb_range_va{,_local}() are using system wide memory barrier. This is quite expensive and unnecessary. For the local version, a non-shareable barrier is sufficient. For the SMP version, an inner-shareable barrier is sufficient. Furthermore, the initial barrier only needs to a store barrier. For the full explanation of the sequence see asm/arm{32,64}/flushtlb.h. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Reviewed-by: Henry Wang (cherry picked from commit 5e5d1a43e18468399448ff8dec687342d48f56da) --- xen/arch/arm/include/asm/flushtlb.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index 125a141975..e45fb6d97b 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -37,13 +37,14 @@ static inline void flush_xen_tlb_range_va_local(vaddr_t va, { vaddr_t end = va + size; - dsb(sy); /* Ensure preceding are visible */ + /* See asm/arm{32,64}/flushtlb.h for the explanation of the sequence. */ + dsb(nshst); /* Ensure prior page-tables updates have completed */ while ( va < end ) { __flush_xen_tlb_one_local(va); va += PAGE_SIZE; } - dsb(sy); /* Ensure completion of the TLB flush */ + dsb(nsh); /* Ensure the TLB invalidation has completed */ isb(); } @@ -56,13 +57,14 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, { vaddr_t end = va + size; - dsb(sy); /* Ensure preceding are visible */ + /* See asm/arm{32,64}/flushtlb.h for the explanation of the sequence. */ + dsb(ishst); /* Ensure prior page-tables updates have completed */ while ( va < end ) { __flush_xen_tlb_one(va); va += PAGE_SIZE; } - dsb(sy); /* Ensure completion of the TLB flush */ + dsb(ish); /* Ensure the TLB invalidation has completed */ isb(); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333253.1595951 (Exim 4.92) (envelope-from ) id 1wWvic-0003Po-Oe; Tue, 09 Jun 2026 12:38:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333253.1595951; Tue, 09 Jun 2026 12:38:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvic-0003Pg-Ld; Tue, 09 Jun 2026 12:38:10 +0000 Received: by outflank-mailman (input) for mailman id 1333253; Tue, 09 Jun 2026 12:38:09 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvib-0003PY-PW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:09 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvic-001fcn-08 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvib-00Cv9A-2M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:09 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xGclAB07RgRDd9TS0tjKmW4qDjkbT5+LX5s+kbsyDAw=; b=oY+2nUnnNGdGJrVaml6z7XK2JU ipjRhWB8CtFk1BybGGjKbCG6kQhCRhrLJdVZv0edaTP5EbPmsXAf8/GlN1vIZka8oSfS1WxzAe46E CCfoirZfVxK8n2l22tvDnrwi/rIvzDoUuH914kyz1CA3QjYChwqL2r/4bnCP49BZRViU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:38:09 +0000 commit 16f1d36545f8271be13b4714df1cc53f6a8c0b0d Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + 3 files changed, 71 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 22ee3b317b..749a9b07da 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 56c6fc763b..7ef6d3f331 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:20 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:20 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333254.1595955 (Exim 4.92) (envelope-from ) id 1wWvim-0003S9-Pc; Tue, 09 Jun 2026 12:38:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333254.1595955; Tue, 09 Jun 2026 12:38:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvim-0003S1-N6; Tue, 09 Jun 2026 12:38:20 +0000 Received: by outflank-mailman (input) for mailman id 1333254; Tue, 09 Jun 2026 12:38:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvil-0003Ru-S0 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvim-001fd9-0O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:19 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvil-00CvHB-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:19 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=311Qg/M/KCUNTwh2teF4eCV+RLwrAmjnV7ZWpgvHGXU=; b=fngaw+xRE7U4x7ioQDXGd3RWG/ LCKMN5912eMqhclfM0HL4ujEUx5YHd8W24VCeuofRSECyDGCN+XLlonu1vPCG/+9VjUknNXQitGKu TdhaQDnr/PE5P/lxy9LgB5Rw7RlTwirdynivn+q7gQzvSe4nsYDiMzt7ifGztnuKVK9M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:38:19 +0000 commit 33937ea4816af9cd14ea4c736dabb25e36920a27 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 1dd81d7d52..af086ebe98 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:30 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333255.1595958 (Exim 4.92) (envelope-from ) id 1wWviw-0003U8-R5; Tue, 09 Jun 2026 12:38:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333255.1595958; Tue, 09 Jun 2026 12:38:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviw-0003U0-OT; Tue, 09 Jun 2026 12:38:30 +0000 Received: by outflank-mailman (input) for mailman id 1333255; Tue, 09 Jun 2026 12:38:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWviv-0003Tt-Ud for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWviw-001fdF-0d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWviv-00CvSG-2t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ifFlOu3N19DZv+a6BmoSremz3ROe9rE7vWEJviZ3kDc=; b=0zlBteVpvIH0iRR2U45QwX5Er8 PrFk2+7qtXoK1o5da6Z6DykGXiPwuJV/fryjbrsa8i/5JTG5D0EUNaHnmQlNZLiAF9aB+Zx88DtOM hKEGxbmh0d9/dv4rdpypN1ltMOFrklwrdXtjakOzH1ZpeTVUShnmERyjLzHlCEVKiIf0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:38:29 +0000 commit c76e89264fc04b0b826793ce41381e1022f3a4b0 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index af086ebe98..935dd61762 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:40 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333256.1595963 (Exim 4.92) (envelope-from ) id 1wWvj6-0003Yq-SQ; Tue, 09 Jun 2026 12:38:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333256.1595963; Tue, 09 Jun 2026 12:38:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvj6-0003Yi-Pm; Tue, 09 Jun 2026 12:38:40 +0000 Received: by outflank-mailman (input) for mailman id 1333256; Tue, 09 Jun 2026 12:38:40 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvj6-0003Yc-17 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:40 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvj6-001fdK-0u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:40 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvj5-00CvZS-39 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TrJv4HTH28ZcaSo7Z6wUEBANvl9d+EIhKlaPU6rob2E=; b=we9VYNVZaV5N1Xvxi9mvxapgfi GaDPt9OVFmCTphrZzX52tmXCWeoqO482m/XRZBgYQhH/47ZAwBzdOnP1OXHqIrN0Ev48keBVfqGJ5 zc6uOrdZmOTTYYaVfJWRFHVEnhDl9iUPZW7U67J+a3zjWrK2B895k/teNCPmarOHdJ4I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:38:39 +0000 commit a0371b3dedeb7035a508b5ec6d7bb6e73985c938 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 935dd61762..ea4cdfb3e7 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:38:50 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:38:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333257.1595967 (Exim 4.92) (envelope-from ) id 1wWvjG-0003gR-UK; Tue, 09 Jun 2026 12:38:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333257.1595967; Tue, 09 Jun 2026 12:38:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvjG-0003gJ-R6; Tue, 09 Jun 2026 12:38:50 +0000 Received: by outflank-mailman (input) for mailman id 1333257; Tue, 09 Jun 2026 12:38:50 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvjG-0003g9-3q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:50 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvjG-001fdO-1B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:50 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvjG-00CviC-0C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:38:50 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xaqOpC8lOWy9Nutdx7no5ft80ijraJWCE71P15cXYNI=; b=EWPi814Uo14g3ETeOwAKTvURuH rawt7hf0HRowcVRbPOHt6lIPWokonhI9GITjLqAjK1n+49yGj7l/3IMr27Yv3u4Z2TJhlgVE3K8Ll alfTWnS3VUA/sJ2SRlxAAfgOWQEy3OKeqX1G6318fDTJNiJ5biMRCweZPsorMIiprB0E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:38:50 +0000 commit 9e60576dbeaa01985319876e8f8c54f2a165dcac Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 87d541c411..29076297ad 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -339,6 +339,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index ea680fac2e..33736342fb 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:39:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:39:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333258.1595971 (Exim 4.92) (envelope-from ) id 1wWvjS-0003n4-0q; Tue, 09 Jun 2026 12:39:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333258.1595971; Tue, 09 Jun 2026 12:39:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvjR-0003mw-Tu; Tue, 09 Jun 2026 12:39:01 +0000 Received: by outflank-mailman (input) for mailman id 1333258; Tue, 09 Jun 2026 12:39:00 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvjQ-0003mo-7Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:39:00 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvjQ-001fdV-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:39:00 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvjQ-00Cvr3-0W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:39:00 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=L1IDE8HxSq+d58fqUP3drL/xllr/IrJbz40Rccw7F4s=; b=gPE/+zD3QQOozHqMN/7AsWdHpd T4ay0XJb93hyF7LSEq9byCMLE2Tq1jWnEHZqxXsLL47tLdpzMz+H9nSjWvfz6Y8VEyuLgXLsDS2J4 Xexr2thALLJQH+Gs5TvwGuxw33FnICyMNsFI4+fF8+aHBw2or+X+LKF4JvusHVb5cEsY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:39:00 +0000 commit 5dfbc0b77f9669bcf9180c227b86a9429efe12c7 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index f90a268b01..588b56b3fd 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -76,7 +76,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *); int mapcache_vcpu_init(struct vcpu *); -void mapcache_override_current(struct vcpu *); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index a461ee36ff..821ffe3e8b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 07328d44bf..4309441944 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -465,6 +465,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index d31b8d56ff..4dbe86017c 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -546,7 +546,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -554,7 +554,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 3e74cf4ea2..25267f4edc 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -811,8 +811,7 @@ int __init dom0_construct_pv(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -821,8 +820,7 @@ int __init dom0_construct_pv(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -833,8 +831,7 @@ int __init dom0_construct_pv(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -975,8 +972,7 @@ int __init dom0_construct_pv(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 2a445bb17b..5cd467d7a6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -428,6 +428,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -450,15 +452,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 7aa899dac3..a8a4739f5d 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -335,6 +335,7 @@ void start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 5a91fe28cc..aaeb916c0f 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 13b0975866..a83dfaf3bf 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 94a7e547f9..fe2f3b3941 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -34,7 +34,6 @@ struct compat_pf_efi_runtime_call; bool efi_enabled(unsigned int feature); void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:44:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333261.1595975 (Exim 4.92) (envelope-from ) id 1wWvoK-0005Qa-Br; Tue, 09 Jun 2026 12:44:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333261.1595975; Tue, 09 Jun 2026 12:44:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoK-0005QS-9G; Tue, 09 Jun 2026 12:44:04 +0000 Received: by outflank-mailman (input) for mailman id 1333261; Tue, 09 Jun 2026 12:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoI-0005QM-Ll for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvoI-001fiw-2j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvoI-00D2Hi-1e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9whzMOY53Rpcw5XF+v6nXaT+BcNx554w1r+Cx8pWkPk=; b=1jFY6OndE8K85E/eDeSHjRSwjr CENyV6tnQnVMQIqd7eRTyYXHktLqW/m/HuJJJ5lR/5K+y0ZC37Z2srlQ8ldvYFkYapCBzty6nWJUB hwZclxS2sUsIxSPvW3GFeU6hXOq2D96EB5KbO778Q+x+ZhJ5h7GzyNsDgKc5W8tOzGK8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/hvm: Partially revert ("xen/mem_access: wrap memory access when VM_EVENT=n") Message-Id: Date: Tue, 09 Jun 2026 12:44:02 +0000 commit d2ddd2beff0feda877cc6d8a0e9ca97e848bcb78 Author: Andrew Cooper AuthorDate: Fri Jun 5 20:28:35 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 10:07:05 2026 +0100 x86/hvm: Partially revert ("xen/mem_access: wrap memory access when VM_EVENT=n") It is erroneous to check current like this; most commonly, introspection is dom0 issuing hypercalls against domU. The use of vm_event_is_enabled() is only for the IS_ENABLED(CONFIG_VM_EVENT) short circut, so just use that directly. Reported-by: Hady Azzam Fixes: b18e38e42da6 ("xen/mem_access: wrap memory access when VM_EVENT=n") Signed-off-by: Andrew Cooper Reviewed-by: Jason Andryuk Tested-by: Hady Azzam Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/hvm/hvm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index f759a397c5..cbcef18449 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -4789,7 +4789,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_set_mem_access: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; @@ -4804,7 +4804,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_set_mem_access_multi: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; @@ -4841,7 +4841,7 @@ static int do_altp2m_op( break; case HVMOP_altp2m_get_mem_access: - if ( !vm_event_is_enabled(current) ) + if ( !IS_ENABLED(CONFIG_VM_EVENT) ) { rc = -EOPNOTSUPP; break; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:44:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333262.1595979 (Exim 4.92) (envelope-from ) id 1wWvoU-0005SZ-Dq; Tue, 09 Jun 2026 12:44:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333262.1595979; Tue, 09 Jun 2026 12:44:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoU-0005SR-Al; Tue, 09 Jun 2026 12:44:14 +0000 Received: by outflank-mailman (input) for mailman id 1333262; Tue, 09 Jun 2026 12:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoS-0005SI-Mb for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvoS-001fj1-33 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvoS-00D2Xa-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=f309yGCv4E/3jzmPz3Ac7G8oEe+6/T2hXSwfFZZkzfU=; b=EIECOxCIPRXMJBWxNJ4wos2eSY Kywo/2MTkNp2XAV4Uq1OEUsa4nZJ14Z4k4CyaldAnOt/P3nTr25PlvwgLhfavcF9xGAJGqHqvK+F6 PpArkPkpWMpy9Wd8p0XLy0ez31QKuEEp3ieNEr/8vGKf1mktScmt3/KiOr/P6QtruqoI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/configure: Detect the presence of liblz4 Message-Id: Date: Tue, 09 Jun 2026 12:44:12 +0000 commit 924c0ff17fca4f4527e8076f8d6b88dd39176dc8 Author: Andrew Cooper AuthorDate: Tue May 5 12:42:00 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 tools/configure: Detect the presence of liblz4 As with other compression libraries, group liblz4 into ZLIB_{CFLAGS,LIBS}. Add the packages to the Debian Trixie build containers for coverage. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- automation/build/debian/13-arm64v8.dockerfile | 1 + automation/build/debian/13-x86_64.dockerfile | 1 + tools/configure | 79 +++++++++++++++++++++++++++ tools/configure.ac | 4 ++ 4 files changed, 85 insertions(+) diff --git a/automation/build/debian/13-arm64v8.dockerfile b/automation/build/debian/13-arm64v8.dockerfile index b9062ee8b4..ee9bb841eb 100644 --- a/automation/build/debian/13-arm64v8.dockerfile +++ b/automation/build/debian/13-arm64v8.dockerfile @@ -28,6 +28,7 @@ RUN <&6; } ZLIB_LIBS="$ZLIB_LIBS $libzstd_LIBS" fi +pkg_failed=no +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for liblz4" >&5 +printf %s "checking for liblz4... " >&6; } + +if test -n "$liblz4_CFLAGS"; then + pkg_cv_liblz4_CFLAGS="$liblz4_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "liblz4") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_liblz4_CFLAGS=`$PKG_CONFIG --cflags "liblz4" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$liblz4_LIBS"; then + pkg_cv_liblz4_LIBS="$liblz4_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "liblz4") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_liblz4_LIBS=`$PKG_CONFIG --libs "liblz4" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + liblz4_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "liblz4" 2>&1` + else + liblz4_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "liblz4" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$liblz4_PKG_ERRORS" >&5 + + true +elif test $pkg_failed = untried; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + true +else + liblz4_CFLAGS=$pkg_cv_liblz4_CFLAGS + liblz4_LIBS=$pkg_cv_liblz4_LIBS + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_LZ4 $liblz4_CFLAGS" + ZLIB_LIBS="$ZLIB_LIBS $liblz4_LIBS" +fi + ac_fn_c_check_header_compile "$LINENO" "ext2fs/ext2fs.h" "ac_cv_header_ext2fs_ext2fs_h" "$ac_includes_default" diff --git a/tools/configure.ac b/tools/configure.ac index ecd45e782e..74b9f56025 100644 --- a/tools/configure.ac +++ b/tools/configure.ac @@ -403,6 +403,10 @@ PKG_CHECK_MODULES([libzstd], [libzstd], [ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_ZSTD $libzstd_CFLAGS" ZLIB_LIBS="$ZLIB_LIBS $libzstd_LIBS"], [true]) +PKG_CHECK_MODULES([liblz4], [liblz4], + [ZLIB_CFLAGS="$ZLIB_CFLAGS -DHAVE_LZ4 $liblz4_CFLAGS" + ZLIB_LIBS="$ZLIB_LIBS $liblz4_LIBS"], + [true]) AC_SUBST([ZLIB_CFLAGS]) AC_SUBST([ZLIB_LIBS]) AX_CHECK_EXTFS -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:44:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333263.1595982 (Exim 4.92) (envelope-from ) id 1wWvoe-0005Uq-FE; Tue, 09 Jun 2026 12:44:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333263.1595982; Tue, 09 Jun 2026 12:44:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoe-0005Ui-CB; Tue, 09 Jun 2026 12:44:24 +0000 Received: by outflank-mailman (input) for mailman id 1333263; Tue, 09 Jun 2026 12:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoc-0005Ub-PV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvod-001fjL-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvoc-00D2hv-2K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=naGEDwR1h+L3vsE74411eJ6g0t+mirucgAWvj4XNJuY=; b=Mc+3iqP6xahPBz7nc99UqeCogh +9715LnFRDmEz0vydqTnBrRHBkEXacmoIZ+xPHX6p5HH8x0PeEKgkDaH2eCS8Nt52RVvm3CFZ5tzA AcjNLQMBFXtt7ZeqV5OgOdh8KzzvctPwi7E9qairIH0K7EeLMtGt2n/XuV5rQefo6Qq0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/libs/guest: Use the system liblz4 in the bzimage loader Message-Id: Date: Tue, 09 Jun 2026 12:44:22 +0000 commit 38492dc098a19e851a916a9e441008083538bc69 Author: Andrew Cooper AuthorDate: Tue May 5 12:52:03 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 tools/libs/guest: Use the system liblz4 in the bzimage loader Right now lz4, unlike every other compression scheme, unconditionally uses Xen's unsafe decompressor. Make it consistent with all other compression schemes by using liblz4. The unsafe decompression is still required for the MiniOS build, so rename xg_dom_decompress_lz4.c to xg_dom_decompress_unsafe_lz4.c and drop the non-MiniOS content. Signed-off-by: Andrew Cooper Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- CHANGELOG.md | 1 + tools/libs/guest/Makefile.common | 2 +- tools/libs/guest/xg_dom_bzimageloader.c | 128 ++++++++++++++++++++- tools/libs/guest/xg_dom_decompress.h | 6 - tools/libs/guest/xg_dom_decompress_lz4.c | 143 ------------------------ tools/libs/guest/xg_dom_decompress_unsafe.h | 2 + tools/libs/guest/xg_dom_decompress_unsafe_lz4.c | 39 +++++++ 7 files changed, 170 insertions(+), 151 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1db3efc486..5cf19372a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) represent a wildcard input. - On x86: - Enable pf-fixup option by default for PVH dom0. + - The libxenguest bzImage loader now uses the system liblz4 library. ### Added - Support for per-domain Xenstore quota in C xenstored (includes diff --git a/tools/libs/guest/Makefile.common b/tools/libs/guest/Makefile.common index b928a4a246..86b1f160e5 100644 --- a/tools/libs/guest/Makefile.common +++ b/tools/libs/guest/Makefile.common @@ -46,7 +46,6 @@ OBJS-y += xg_dom_core.o OBJS-y += xg_dom_boot.o OBJS-y += xg_dom_elfloader.o OBJS-$(CONFIG_X86) += xg_dom_bzimageloader.o -OBJS-$(CONFIG_X86) += xg_dom_decompress_lz4.o OBJS-$(CONFIG_X86) += xg_dom_hvmloader.o OBJS-$(CONFIG_ARM) += xg_dom_armzimageloader.o OBJS-y += xg_dom_binloader.o @@ -59,6 +58,7 @@ OBJS-$(CONFIG_ARM) += xg_dom_arm.o ifeq ($(CONFIG_LIBXC_MINIOS),y) OBJS-y += xg_dom_decompress_unsafe.o OBJS-y += xg_dom_decompress_unsafe_bzip2.o +OBJS-y += xg_dom_decompress_unsafe_lz4.o OBJS-y += xg_dom_decompress_unsafe_lzma.o OBJS-y += xg_dom_decompress_unsafe_lzo1x.o OBJS-y += xg_dom_decompress_unsafe_xz.o diff --git a/tools/libs/guest/xg_dom_bzimageloader.c b/tools/libs/guest/xg_dom_bzimageloader.c index 1fb4e5a1f7..32b3c682a4 100644 --- a/tools/libs/guest/xg_dom_bzimageloader.c +++ b/tools/libs/guest/xg_dom_bzimageloader.c @@ -32,7 +32,6 @@ #include #include "xg_private.h" -#include "xg_dom_decompress.h" #include @@ -623,6 +622,133 @@ static int xc_try_zstd_decode( #endif +#if defined(HAVE_LZ4) + +#include + +#define ARCHIVE_MAGICNUMBER 0x184C2102 + +static int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) +{ + size_t outsize, insize; + unsigned char *outbuf = NULL, *inp = *blob, *outp; + uint32_t chunksize; + + /* Magic, descriptor byte, and trailing size field. */ + if ( *size <= 8 ) + { + DOMPRINTF("LZ4: insufficient input data"); + goto err; + } + + insize = *size - 4; + outsize = get_unaligned_le32(*blob + insize); + + if ( xc_dom_kernel_check_size(dom, outsize) ) + { + DOMPRINTF("LZ4: output too large"); + goto err; + } + + outbuf = malloc(outsize); + if ( !outbuf ) + { + DOMPRINTF("LZ4: failed to alloc memory"); + goto err; + } + outp = outbuf; + + chunksize = get_unaligned_le32(inp); + if ( chunksize == ARCHIVE_MAGICNUMBER ) + { + inp += 4; + insize -= 4; + } + else + { + DOMPRINTF("LZ4: invalid header"); + goto err; + } + + for ( ;; ) + { + int dst_len, len; + + if ( insize < 4 ) + { + DOMPRINTF("LZ4: missing data"); + goto err; + } + + chunksize = get_unaligned_le32(inp); + inp += 4; + insize -= 4; + + if ( chunksize == ARCHIVE_MAGICNUMBER ) + continue; + + if ( chunksize > insize ) + { + DOMPRINTF("LZ4: insufficient input data"); + goto err; + } + + dst_len = outsize - (outp - outbuf); + len = LZ4_decompress_safe((const void *)inp, + (void *)outp, chunksize, dst_len); + + if ( len < 0 ) + { + DOMPRINTF("LZ4: decoding failed"); + goto err; + } + + outp += len; + inp += chunksize; + insize -= chunksize; + + if ( insize == 0 ) + break; + } + + if ( (outp - outbuf) != outsize ) + { + DOMPRINTF("LZ4: got 0x%zx bytes instead of 0x%zx", + outp - outbuf, outsize); + goto err; + } + + if ( xc_dom_register_external(dom, outbuf, outsize) ) + { + DOMPRINTF("LZ4: error registering stream output"); + goto err; + } + + DOMPRINTF("%s: LZ4 decompress OK, 0x%zx -> 0x%zx", + __FUNCTION__, insize, outsize); + + *blob = outbuf; + *size = outsize; + + return 0; + + err: + free(outbuf); + return -1; +} + +#else /* !defined(HAVE_LZ4) */ + +static int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) +{ + xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, + "%s: LZ4 decompress support unavailable\n", + __FUNCTION__); + return -1; +} + +#endif + #endif /* !__MINIOS__ */ struct setup_header { diff --git a/tools/libs/guest/xg_dom_decompress.h b/tools/libs/guest/xg_dom_decompress.h deleted file mode 100644 index d7a45f730d..0000000000 --- a/tools/libs/guest/xg_dom_decompress.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifdef __MINIOS__ -# include "xg_dom_decompress_unsafe.h" -#endif - -int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size); - diff --git a/tools/libs/guest/xg_dom_decompress_lz4.c b/tools/libs/guest/xg_dom_decompress_lz4.c deleted file mode 100644 index 53ef0bf328..0000000000 --- a/tools/libs/guest/xg_dom_decompress_lz4.c +++ /dev/null @@ -1,143 +0,0 @@ -#include -#include -#include -#include - -#include INCLUDE_ENDIAN_H - -#define XG_NEED_UNALIGNED -#include "xg_private.h" -#include "xg_dom_decompress.h" - -#define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; - -#define likely(a) a -#define unlikely(a) a - -static inline uint16_t le16_to_cpu(uint16_t v) -{ -#if BYTE_ORDER == BIG_ENDIAN - return __builtin_bswap16(v); -#else - return v; -#endif -} - -#include "../../xen/include/xen/lz4.h" -#include "../../xen/common/decompress.h" - -#ifndef __MINIOS__ - -#include "../../xen/common/lz4/decompress.c" - -#define ARCHIVE_MAGICNUMBER 0x184C2102 - -int xc_try_lz4_decode( - struct xc_dom_image *dom, void **blob, size_t *psize) -{ - int ret = -1; - unsigned char *inp = *blob, *output, *outp; - ssize_t size = *psize - 4; - size_t out_len, dest_len, chunksize; - const char *msg; - - if (size < 4) { - msg = "input too small"; - goto exit_0; - } - - out_len = get_unaligned_le32(inp + size); - if (xc_dom_kernel_check_size(dom, out_len)) { - msg = "Decompressed image too large"; - goto exit_0; - } - - output = malloc(out_len); - if (!output) { - msg = "Could not allocate output buffer"; - goto exit_0; - } - outp = output; - - chunksize = get_unaligned_le32(inp); - if (chunksize == ARCHIVE_MAGICNUMBER) { - inp += 4; - size -= 4; - } else { - msg = "invalid header"; - goto exit_2; - } - - for (;;) { - if (size < 4) { - msg = "missing data"; - goto exit_2; - } - chunksize = get_unaligned_le32(inp); - if (chunksize == ARCHIVE_MAGICNUMBER) { - inp += 4; - size -= 4; - continue; - } - inp += 4; - size -= 4; - if (chunksize > size) { - msg = "insufficient input data"; - goto exit_2; - } - - dest_len = out_len - (outp - output); - ret = lz4_decompress_unknownoutputsize(inp, chunksize, outp, - &dest_len); - if (ret < 0) { - msg = "decoding failed"; - goto exit_2; - } - - ret = -1; - outp += dest_len; - size -= chunksize; - - if (size == 0) - { - if ( xc_dom_register_external(dom, output, out_len) ) - { - msg = "Error registering stream output"; - goto exit_2; - } - *blob = output; - *psize = out_len; - return 0; - } - - if (size < 0) { - msg = "data corrupted"; - goto exit_2; - } - - inp += chunksize; - } - -exit_2: - free(output); -exit_0: - DOMPRINTF("LZ4 decompression error: %s\n", msg); - return ret; -} - -#else /* __MINIOS__ */ - -#include "../../xen/common/unlz4.c" - -int xc_try_lz4_decode( - struct xc_dom_image *dom, void **blob, size_t *size) -{ - return xc_dom_decompress_unsafe(unlz4, dom, blob, size); -} - -#endif diff --git a/tools/libs/guest/xg_dom_decompress_unsafe.h b/tools/libs/guest/xg_dom_decompress_unsafe.h index ac6b94288d..5bc2222076 100644 --- a/tools/libs/guest/xg_dom_decompress_unsafe.h +++ b/tools/libs/guest/xg_dom_decompress_unsafe.h @@ -16,6 +16,8 @@ int xc_dom_decompress_unsafe( int xc_try_bzip2_decode(struct xc_dom_image *dom, void **blob, size_t *size) __attribute__((visibility("internal"))); +int xc_try_lz4_decode(struct xc_dom_image *dom, void **blob, size_t *size) + __attribute__((visibility("internal"))); int xc_try_lzma_decode(struct xc_dom_image *dom, void **blob, size_t *size) __attribute__((visibility("internal"))); int xc_try_lzo1x_decode(struct xc_dom_image *dom, void **blob, size_t *size) diff --git a/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c b/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c new file mode 100644 index 0000000000..405143aa61 --- /dev/null +++ b/tools/libs/guest/xg_dom_decompress_unsafe_lz4.c @@ -0,0 +1,39 @@ +#include +#include +#include +#include + +#include INCLUDE_ENDIAN_H + +#define XG_NEED_UNALIGNED +#include "xg_private.h" +#include "xg_dom_decompress.h" + +#define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; +typedef uint64_t u64; + +#define likely(a) a +#define unlikely(a) a + +static inline uint16_t le16_to_cpu(uint16_t v) +{ +#if BYTE_ORDER == BIG_ENDIAN + return __builtin_bswap16(v); +#else + return v; +#endif +} + +#include "../../xen/include/xen/lz4.h" +#include "../../xen/common/decompress.h" +#include "../../xen/common/unlz4.c" + +int xc_try_lz4_decode( + struct xc_dom_image *dom, void **blob, size_t *size) +{ + return xc_dom_decompress_unsafe(unlz4, dom, blob, size); +} -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:44:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333264.1595987 (Exim 4.92) (envelope-from ) id 1wWvoo-0005XJ-I6; Tue, 09 Jun 2026 12:44:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333264.1595987; Tue, 09 Jun 2026 12:44:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoo-0005XB-FU; Tue, 09 Jun 2026 12:44:34 +0000 Received: by outflank-mailman (input) for mailman id 1333264; Tue, 09 Jun 2026 12:44:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvom-0005X4-SP for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvon-001fjR-0O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvom-00D30j-2c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VrJjvbN9wZTr6KcuSGZOu7PFnFejAeBnE8XpAjVkipg=; b=2GOm+SWrNJUviddOeVRuX3OyI/ HTJJ8TsnIRtaPXTZtXzCUkpdHJFd/GWcGRQu+ZCovN99440pA13BvGjmnrlVgY2sTdlY+ROoqbtUE oDnoF0xjd2BecCvN8dhBaAce47oxfzu7IOQjsJA37+5dJgO2b35OZck+4vsU5KwiSLbw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: remove non-breaking space from xen-command-line Message-Id: Date: Tue, 09 Jun 2026 12:44:32 +0000 commit f12caafc04328f979a805378a703fc718ede59a4 Author: Roger Pau Monne AuthorDate: Mon Jun 8 10:24:40 2026 +0200 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 docs: remove non-breaking space from xen-command-line Fixes rendering of the generated html. Fixes: 31d9c88a3857 ("pdx: introduce command line compression toggle") Signed-of-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- docs/misc/xen-command-line.pandoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 93c2a73f4a..1c711fa980 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2082,7 +2082,7 @@ for all of them (`true`), only for those subject to XPTI (`xpti`) or for those not subject to XPTI (`no-xpti`). The feature is used only in case INVPCID is supported and not disabled via `invpcid=false`. -### pdx-compress +### pdx-compress > `= ` > Default: `true` if CONFIG_PDX_NONE is unset -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:44:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333265.1595991 (Exim 4.92) (envelope-from ) id 1wWvoy-0005ZG-JY; Tue, 09 Jun 2026 12:44:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333265.1595991; Tue, 09 Jun 2026 12:44:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvoy-0005Z6-Gp; Tue, 09 Jun 2026 12:44:44 +0000 Received: by outflank-mailman (input) for mailman id 1333265; Tue, 09 Jun 2026 12:44:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvow-0005Yz-VB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvox-001fjV-0h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvow-00D3FR-2u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BVWuWoRpKf/CFLq+W1+wPIxUKqoB2HOGKzbRBDBrut4=; b=2P0CjhoWCEUz0eJgBBviyLLIh2 t6HfJSgFkjly9TSGAQuKiVJ5KJGsSKI1JXhsXf2wCtCbQZhe+4eFdToAXJPTYKE1dTXhddeMMjYJb fSTiXhvoqHFvwlD0kLdpfBG3WQeCR30hSlzsIspQfA5MdQJQI7tQchJ3Yy+BPzq5yp0I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Drop test-artifacts/Makefile Message-Id: Date: Tue, 09 Jun 2026 12:44:42 +0000 commit e58d8aa17197800d6bf1206cbb5053fba7526ad7 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:38:40 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Drop test-artifacts/Makefile This is unused since commit 3c0c177ff904 ("CI: Switch qemu-arm* jobs to using the distro provided QEMU"), and wants never to return. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/tests-artifacts/Makefile | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/automation/tests-artifacts/Makefile b/automation/tests-artifacts/Makefile deleted file mode 100644 index 80a60a94f3..0000000000 --- a/automation/tests-artifacts/Makefile +++ /dev/null @@ -1,19 +0,0 @@ - -# the base of where these containers will appear -REGISTRY := registry.gitlab.com/xen-project/xen/tests-artifacts -CONTAINERS = $(subst .dockerfile,,$(wildcard */*.dockerfile)) - -help: - @echo "Containers to build and export tests artifacts." - @echo "To build one run 'make ARTIFACT/VERSION'. Available containers:" - @$(foreach file,$(sort $(CONTAINERS)),echo ${file};) - @echo "To push container builds, set the env var PUSH" - -%: %.dockerfile ## Builds containers - $(DOCKER_CMD) build --pull -t $(REGISTRY)/$(@D):$(@F) -f $< $( Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:44:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333266.1595996 (Exim 4.92) (envelope-from ) id 1wWvp8-0005bG-L4; Tue, 09 Jun 2026 12:44:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333266.1595996; Tue, 09 Jun 2026 12:44:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvp8-0005b8-I7; Tue, 09 Jun 2026 12:44:54 +0000 Received: by outflank-mailman (input) for mailman id 1333266; Tue, 09 Jun 2026 12:44:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvp7-0005az-26 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvp7-001fjb-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvp6-00D3ZR-3C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:44:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8avOhWsIZph7VLyIUrVdgvgc1JNh5O0Mv62zoUGkLAw=; b=zY7Al9m20YCHncQ6kGuweW0Wi5 4rrL3s6qCNh/OL8/FjreBLqxm7KOfW1ddbKkOj12Q88X2kcO2jQHdYOgkbDj7c/1s3A59xa3/rrK5 1NQfivhlN5PiIkShNpRdDdYj0UpVvoNirmzODnqYaclOK//G+OgsJksrrqSd5hSgTQx8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Swap ocaml-nox for ocaml in newer Debian/Ubuntu Message-Id: Date: Tue, 09 Jun 2026 12:44:52 +0000 commit fdcc559661cf41390fe2b15b4ad09bd6518fa5f3 Author: Andrew Cooper AuthorDate: Fri Jun 5 14:19:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Swap ocaml-nox for ocaml in newer Debian/Ubuntu Ocaml 4.08 and earlier had the compiler package depend on graphics, and therefore on X. Ocaml 4.09 and later dropped this dependency. Debian and Ubuntu versions with Ocaml 4.08 and earlier (which are Debian Bullseye/11, and Ubuntu Focal/20.04 and earlier) had ocaml-nox packages with this dependency stripped, which we use to keep the size of the containers down. In newer versions of Debian and Ubuntu, ocaml-nox is just a transitional package referring back to ocaml. Ubuntu Resolute/26.04 has finally removed this transitional package. For all versions where ocaml-nox is just a transitional package, swap to the ocaml package. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/debian/12-arm64v8.dockerfile | 2 +- automation/build/debian/12-x86_32.dockerfile | 2 +- automation/build/debian/12-x86_64.dockerfile | 2 +- automation/build/debian/13-arm64v8.dockerfile | 2 +- automation/build/debian/13-x86_32.dockerfile | 2 +- automation/build/debian/13-x86_64.dockerfile | 2 +- automation/build/ubuntu/22.04-x86_64.dockerfile | 2 +- automation/build/ubuntu/24.04-x86_64.dockerfile | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/automation/build/debian/12-arm64v8.dockerfile b/automation/build/debian/12-arm64v8.dockerfile index c0e08a010f..5cc4de822c 100644 --- a/automation/build/debian/12-arm64v8.dockerfile +++ b/automation/build/debian/12-arm64v8.dockerfile @@ -46,7 +46,7 @@ RUN < Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333267.1596000 (Exim 4.92) (envelope-from ) id 1wWvpJ-0005dJ-MN; Tue, 09 Jun 2026 12:45:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333267.1596000; Tue, 09 Jun 2026 12:45:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpJ-0005dB-JU; Tue, 09 Jun 2026 12:45:05 +0000 Received: by outflank-mailman (input) for mailman id 1333267; Tue, 09 Jun 2026 12:45:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpI-0005d3-2L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvpI-001fk3-13 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvpH-00D3v3-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CplUmdRC5cBQlxkfyeXIvDP98okEO5bk+5a26AeVCUw=; b=GixfqeYDGwukAdTSaTp7VP+DR/ VQcrsQNpuZAnsVqOGO2fL0AwcIjvYSdjPaJ//IEfeEO/5cPJ44F2Xc+RqDgb25ptYk2zNOFj1NeBJ d9dy4XzkOsl6sSl4YB45CA/NMYKjw3DS0UOnIfAoaCMFVKIUvMB0LQvn5U4cSlRHCM/c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Drop Ubuntu 16.04 Message-Id: Date: Tue, 09 Jun 2026 12:45:03 +0000 commit def7f9ef58c17f93fc3608e3feb6fec70c80d037 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:27:40 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Drop Ubuntu 16.04 Ubuntu 16.04 is now fully out of support. Introduce an 18.04 GCC Debug job in lieu of losing the 16.04 job. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/16.04-x86_64.dockerfile | 65 ------------------------- automation/gitlab-ci/build.yaml | 11 ++--- 2 files changed, 3 insertions(+), 73 deletions(-) diff --git a/automation/build/ubuntu/16.04-x86_64.dockerfile b/automation/build/ubuntu/16.04-x86_64.dockerfile deleted file mode 100644 index 72a46389fa..0000000000 --- a/automation/build/ubuntu/16.04-x86_64.dockerfile +++ /dev/null @@ -1,65 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 ubuntu:16.04 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -ENV DEBIAN_FRONTEND=noninteractive - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333268.1596002 (Exim 4.92) (envelope-from ) id 1wWvpT-0005fD-NQ; Tue, 09 Jun 2026 12:45:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333268.1596002; Tue, 09 Jun 2026 12:45:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpT-0005f6-Kr; Tue, 09 Jun 2026 12:45:15 +0000 Received: by outflank-mailman (input) for mailman id 1333268; Tue, 09 Jun 2026 12:45:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpS-0005ez-5C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvpS-001fmS-1K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvpS-00D45B-0L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jhNDm//YEq1wQsM/DBLJqo8EKFnWnFuhA4f8bPZXqyE=; b=lLkNsn/jkouiXb9CADYf4o4gYb MRHPYbaSQbAr36BOSH6iPkq62fc6nufjzyPF54czykkT4n6V8Keo2WgE9ysrAxoiExDRBqJJFotLp 1TAu7Tx9dEAN1/kBGMmR8KorYBGlFif4l7JL5BT/uOOGWRUs9oSG9eMYqrM06sp0PTr4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Add Ubuntu 26.04 Message-Id: Date: Tue, 09 Jun 2026 12:45:14 +0000 commit 58d797e1ac4ae2e5abdd3030fa02d771b087f022 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:37:30 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Add Ubuntu 26.04 Swap yajl for json-c, given the deprecation of the former. Add lz4. Add 26.04 GCC/Clang debug/non-debug jobs. Drop the 24.04 debug jobs to keep the overall job count down. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/26.04-x86_64.dockerfile | 75 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 22 ++++++-- 2 files changed, 91 insertions(+), 6 deletions(-) diff --git a/automation/build/ubuntu/26.04-x86_64.dockerfile b/automation/build/ubuntu/26.04-x86_64.dockerfile new file mode 100644 index 0000000000..be7298e5e8 --- /dev/null +++ b/automation/build/ubuntu/26.04-x86_64.dockerfile @@ -0,0 +1,75 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 ubuntu:26.04 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +ENV DEBIAN_FRONTEND=noninteractive + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333269.1596008 (Exim 4.92) (envelope-from ) id 1wWvpd-0005ib-PP; Tue, 09 Jun 2026 12:45:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333269.1596008; Tue, 09 Jun 2026 12:45:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpd-0005iS-MM; Tue, 09 Jun 2026 12:45:25 +0000 Received: by outflank-mailman (input) for mailman id 1333269; Tue, 09 Jun 2026 12:45:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpc-0005iM-9p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvpc-001fmW-1n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvpc-00D4PI-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WhvyvzqK4/ucpufUeG2bSiOy+xpq5BfcPOhpngtS92M=; b=DxxXpLceZvSlFkQxX8o3hfmrG3 txo/jOS+gmb/onM/In9FpHbPAWbVj4R16ipo1ZNLQ/fybBjWKbWHN9jPBhWWDPWojP2qEk2eG6eUP h9kTiMR2QvETqIcf7IN/qsRfv6fVZ6js4XMkSG7idN2BTjHHXHi7H4d+GBx/NwGY0n5E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Update Fedora to 43 Message-Id: Date: Tue, 09 Jun 2026 12:45:24 +0000 commit 58eaf63b82bc9665df0b976293b8f4c032c564d5 Author: Andrew Cooper AuthorDate: Fri Jun 5 13:41:31 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Update Fedora to 43 Swap yajl for json-c, given the deprecation of the former. Add lz4. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/fedora/41-x86_64.dockerfile | 78 --------------------------- automation/build/fedora/43-x86_64.dockerfile | 79 ++++++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 8 +-- 3 files changed, 83 insertions(+), 82 deletions(-) diff --git a/automation/build/fedora/41-x86_64.dockerfile b/automation/build/fedora/41-x86_64.dockerfile deleted file mode 100644 index e33329aedc..0000000000 --- a/automation/build/fedora/41-x86_64.dockerfile +++ /dev/null @@ -1,78 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 fedora:41 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333270.1596012 (Exim 4.92) (envelope-from ) id 1wWvpn-0005l6-SM; Tue, 09 Jun 2026 12:45:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333270.1596012; Tue, 09 Jun 2026 12:45:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpn-0005kw-P2; Tue, 09 Jun 2026 12:45:35 +0000 Received: by outflank-mailman (input) for mailman id 1333270; Tue, 09 Jun 2026 12:45:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpm-0005kp-CV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvpm-001fmc-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvpm-00D4cO-14 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V+4lQ4wtl7/TNDyma8M6Gi4lOF0h5wvKjCXXO6Aflro=; b=RsYqpd73fB66Ww5YkqErxbt8oU WHUy1kYN4Ha8TOkVlWdHTKlOU9IYesr7LjxsLGHkFuy0Aj9JbuAGKvoi+9HX0Yuz+QlcV99LyOaE6 m6BpSbnSh4O4ec0gr0QZ8lU3vba4s/DKUpS8+dBOMT1yAu+VS2ZptwrAdwZ0S7gSJB7g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Update Opensuse 15.6 to 16.0 Message-Id: Date: Tue, 09 Jun 2026 12:45:34 +0000 commit 37df17d2f903503c619713eb01e488f2cb1a257f Author: Andrew Cooper AuthorDate: Fri Jun 5 13:47:24 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 14:06:40 2026 +0100 CI: Update Opensuse 15.6 to 16.0 The default version of python is 3.13, so drop the 3.11 overrides. Swap yajl for json-c, given the deprecation of the former. Add lz4. bin86/dev86 are no longer available. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- .../build/opensuse/leap-15.6-x86_64.dockerfile | 81 ---------------------- .../build/opensuse/leap-16.0-x86_64.dockerfile | 78 +++++++++++++++++++++ automation/gitlab-ci/build.yaml | 16 ++--- 3 files changed, 86 insertions(+), 89 deletions(-) diff --git a/automation/build/opensuse/leap-15.6-x86_64.dockerfile b/automation/build/opensuse/leap-15.6-x86_64.dockerfile deleted file mode 100644 index 33db3ecd63..0000000000 --- a/automation/build/opensuse/leap-15.6-x86_64.dockerfile +++ /dev/null @@ -1,81 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 opensuse/leap:15.6 -LABEL maintainer.name="The Xen Project" -LABEL maintainer.email="xen-devel@lists.xenproject.org" - -ENV PYTHON=python3.11 -ENV XEN_TARGET_ARCH=x86_64 - -RUN < Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333271.1596014 (Exim 4.92) (envelope-from ) id 1wWvpx-0005n5-T6; Tue, 09 Jun 2026 12:45:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333271.1596014; Tue, 09 Jun 2026 12:45:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpx-0005mx-QQ; Tue, 09 Jun 2026 12:45:45 +0000 Received: by outflank-mailman (input) for mailman id 1333271; Tue, 09 Jun 2026 12:45:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvpw-0005mq-F4 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvpw-001fmj-2J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvpw-00D4sv-1K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3H0B1cR2eNHgrkiUgFEvzcG+3OzSKv9vWQ3F4wlteY8=; b=uZ6ZfTiBpcIIkhKtiOsri5u3zF F7wNmR/ZXFWrBtyngcSEtYLMTpfNvrqekgiBBInnWcvFjAPNh9AufkVpZznSrptKQi3CETAvKYJhy DnCq4by5aVJ7ZUwgZp0Zvwv08ZSM36NIB+sMTJu7N/9TMGb+s1gQlsWYkDN16tJszDXk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Revert recent ARGO changes Message-Id: Date: Tue, 09 Jun 2026 12:45:44 +0000 commit ccd8c65794144b522efcccc165f829d766dc8efa Author: Andrew Cooper AuthorDate: Mon Jun 8 23:02:08 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 8 23:03:22 2026 +0100 Revert recent ARGO changes This reverts commit 3c4e804607a5a1254b168d88572cb9ec311543a9. This reverts commit 957f0f0b739142513f517979f4301b8d0dd1e855. This reverts commit 2bc9bc1978ad02e03d16026ad2d2e9641ddc29fb. This reverts commit 03ebee6ed8105ff6ad12d6df428dfd4cab647691. This reverts commit a9720605b6a556e76be7b4d5a59559942cb1852e. These were committed without a maintainer ack, and therefore in contravention of policy. Signed-off-by: Andrew Cooper --- xen/common/Kconfig | 6 ------ xen/common/argo.c | 22 ++++++++++++---------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 79b7fa62e7..5ff71480ee 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -491,12 +491,6 @@ config ARGO If unsure, say N. -config ARGO_DEBUG - bool "Argo: enable debug traces (UNSUPPORTED)" - depends on ARGO - help - Enables extra debug traces for Argo debugging. - source "common/sched/Kconfig" config CRYPTO diff --git a/xen/common/argo.c b/xen/common/argo.c index b9b362064e..28626e00a8 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -318,10 +318,11 @@ static DEFINE_RWLOCK(L1_global_argo_rwlock); /* L1 */ ((LOCKING_Read_L1 && spin_is_locked(&(d)->argo->send_L2_lock)) || \ LOCKING_Write_L1) +#define ARGO_DEBUG 0 #define argo_dprintk(fmt, args...) \ do { \ - if ( IS_ENABLED(CONFIG_ARGO_DEBUG) ) \ - gprintk(XENLOG_DEBUG, "argo: " fmt, ##args);\ + if ( ARGO_DEBUG ) \ + printk(XENLOG_DEBUG "argo: " fmt, ##args); \ } while ( 0 ) /* @@ -473,7 +474,7 @@ ring_unmap(const struct domain *d, struct argo_ring_info *ring_info) continue; ASSERT(!mfn_eq(ring_info->mfns[i], INVALID_MFN)); - argo_dprintk("unmapping page %"PRI_mfn" from %p\n", + argo_dprintk(XENLOG_ERR "argo: unmapping page %"PRI_mfn" from %p\n", mfn_x(ring_info->mfns[i]), ring_info->mfn_mapping[i]); unmap_domain_page_global(ring_info->mfn_mapping[i]); @@ -1466,7 +1467,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, if ( ring_info->mfns ) { /* Ring already existed: drop the previous mapping. */ - argo_dprintk("vm%u re-register existing ring " + argo_dprintk("argo: vm%u re-register existing ring " "(vm%u:%x vm%u) clears mapping\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id); @@ -1526,7 +1527,7 @@ find_ring_mfns(struct domain *d, struct argo_ring_info *ring_info, { ASSERT(ring_info->nmfns == NPAGES_RING(len)); - argo_dprintk("vm%u ring (vm%u:%x vm%u) %p " + argo_dprintk("argo: vm%u ring (vm%u:%x vm%u) %p " "mfn_mapping %p len %u nmfns %u\n", d->domain_id, ring_info->id.domain_id, ring_info->id.aport, ring_info->id.partner_id, ring_info, @@ -1740,7 +1741,7 @@ register_ring(struct domain *currd, list_add(&ring_info->node, &currd->argo->ring_hash[hash_index(&ring_info->id)]); - argo_dprintk("vm%u registering ring (vm%u:%x vm%u)\n", + argo_dprintk("argo: vm%u registering ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -1780,7 +1781,7 @@ register_ring(struct domain *currd, goto out_unlock2; } - argo_dprintk("vm%u re-registering existing ring (vm%u:%x vm%u)\n", + argo_dprintk("argo: vm%u re-registering existing ring (vm%u:%x vm%u)\n", currd->domain_id, ring_id.domain_id, ring_id.aport, ring_id.partner_id); } @@ -2033,9 +2034,10 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr, src_id.domain_id); if ( !ring_info ) { - argo_dprintk("vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", - current->domain->domain_id, src_id.domain_id, src_id.aport, - dst_addr->domain_id, dst_addr->aport); + gprintk(XENLOG_ERR, + "argo: vm%u connection refused, src (vm%u:%x) dst (vm%u:%x)\n", + current->domain->domain_id, src_id.domain_id, src_id.aport, + dst_addr->domain_id, dst_addr->aport); ret = -ECONNREFUSED; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:45:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:45:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333272.1596020 (Exim 4.92) (envelope-from ) id 1wWvq7-0005p8-Uv; Tue, 09 Jun 2026 12:45:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333272.1596020; Tue, 09 Jun 2026 12:45:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvq7-0005oz-Rj; Tue, 09 Jun 2026 12:45:55 +0000 Received: by outflank-mailman (input) for mailman id 1333272; Tue, 09 Jun 2026 12:45:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvq6-0005oo-K6 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvq6-001fmn-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvq6-00D58i-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:45:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=av/bs77Bn4nSe1giM72GKfG1LWc1E6XieOHoRaA7Olw=; b=1f+7SLsqJciYc/qvDV1gRWMxrG sz77zc34JwPwMPJXCT26E7/aqteRvEuRzaQU7YmeMQm53wWrm8pPpd/9aO8QpcgbnaIqETHBoP3I/ AZRmDP0dR4lF4iM1DYVBsf2lZUgN/hpiT7XKIFD5A74RJ6048GKFRnT6Rrjh0IlNZ5Hc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/pdx: fix off-by-one index in offset mask calculation Message-Id: Date: Tue, 09 Jun 2026 12:45:54 +0000 commit edf942201dd112dee6b040f7eb0bf2b8a7608047 Author: Roger Pau Monne AuthorDate: Tue Jun 9 10:19:51 2026 +0200 Commit: Roger Pau Monne CommitDate: Tue Jun 9 11:43:24 2026 +0200 xen/pdx: fix off-by-one index in offset mask calculation Adjust the mask calculation in case the last range is merged with the previous one, as then the mask must be calculated from the previous range, which the current one has been merged into. Instead of fixing the off-by-one in place, move the calculation of the bit change mask to the next loop, after the ranges have been merged. This simplifies the logic by consolidating mask calculation in a single place, possibly making it less error prone in the future. Also add a test case that triggers the bug being fixed by this commit. Fixes: c5c45bcbd6a1 ("pdx: introduce a new compression algorithm based on region offsets") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/tests/pdx/test-pdx.c | 14 ++++++++++++++ xen/common/pdx.c | 13 ++++++------- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/tools/tests/pdx/test-pdx.c b/tools/tests/pdx/test-pdx.c index d783186577..4de8d43d86 100644 --- a/tools/tests/pdx/test-pdx.c +++ b/tools/tests/pdx/test-pdx.c @@ -191,6 +191,20 @@ int main(int argc, char **argv) }, .compress = false, }, + /* + * Dell R740, dual socket. Merging of ranges causes mask differences + * in PDX offset mode. Useful for checking mask calculations. + */ + { + .ranges = { + { .start = 0x0000000UL, .end = 0x0080000UL }, + { .start = 0x0100000UL, .end = 0x3070000UL }, + { .start = 0x3070000UL, .end = 0x3870000UL }, + { .start = 0x3870000UL, .end = 0x6870000UL }, + { .start = 0x6870000UL, .end = 0x7070000UL }, + }, + .compress = false, + }, }; int ret_code = EXIT_SUCCESS; diff --git a/xen/common/pdx.c b/xen/common/pdx.c index 7e070ff962..e7e16e193e 100644 --- a/xen/common/pdx.c +++ b/xen/common/pdx.c @@ -391,10 +391,7 @@ bool __init pfn_pdx_compression_setup(paddr_t base) if ( !i || ranges[i].base_pfn >= (ranges[i - 1].base_pfn + ranges[i - 1].pages) ) - { - mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); continue; - } ranges[i - 1].pages = ranges[i].base_pfn + ranges[i].pages - ranges[i - 1].base_pfn; @@ -402,19 +399,21 @@ bool __init pfn_pdx_compression_setup(paddr_t base) if ( i + 1 < nr_ranges ) memmove(&ranges[i], &ranges[i + 1], (nr_ranges - (i + 1)) * sizeof(ranges[0])); - else /* last range */ - mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); nr_ranges--; i--; } /* - * Populate a mask with the non-equal bits of the different ranges, do this - * to calculate the maximum PFN shift to use as the lookup table index. + * Populate two masks: one with the non-equal bits of the different ranges, + * another with the bits that change inside ranges. Do this to calculate + * the maximum PFN shift to use as the lookup table index. */ for ( i = 0; i < nr_ranges; i++ ) + { + mask |= pdx_region_mask(ranges[i].base_pfn, ranges[i].pages); for ( unsigned int j = i + 1; j < nr_ranges; j++ ) idx_mask |= ranges[i].base_pfn ^ ranges[j].base_pfn; + } /* Mask out the bits that change inside of ranges. */ idx_mask &= ~mask; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:46:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:46:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333273.1596023 (Exim 4.92) (envelope-from ) id 1wWvqH-0005sC-Vl; Tue, 09 Jun 2026 12:46:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333273.1596023; Tue, 09 Jun 2026 12:46:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvqH-0005s4-T1; Tue, 09 Jun 2026 12:46:05 +0000 Received: by outflank-mailman (input) for mailman id 1333273; Tue, 09 Jun 2026 12:46:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvqG-0005rx-Mn for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvqG-001fn5-34 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvqG-00D5LL-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8P5UOuulF73ATbZkEXm4dgBZC7iqtPRTFJVqKK5gNwA=; b=KNGh1XNPfqGOjBffGs+3R+AUMl zUUC4x+SKQRhVnyDX8j43IHpyNe+O38qHvEa7UqC8UjECAzMvF4jfYqma8aT2PzX8YiQmdYMKJUdS cAsMatOcdIVHLjjeP2lWO/2xwUlKr0BYDcu836LfcWCqN2j3gp5tjyZ+4mjRcJ1BuemI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/sched: remove duplicate trace.h include Message-Id: Date: Tue, 09 Jun 2026 12:46:04 +0000 commit 53859e27ff1a931df9fb28c2223447e2764bd7d3 Author: Furkan Caliskan AuthorDate: Sun May 31 17:08:19 2026 +0300 Commit: Roger Pau Monne CommitDate: Tue Jun 9 12:07:46 2026 +0200 xen/sched: remove duplicate trace.h include Fixes: 8726c0557752 ("xen: add real time scheduler rtds") Signed-off-by: Furkan Caliskan Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/sched/rt.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c index 4b637aa9db..b9a3e7720e 100644 --- a/xen/common/sched/rt.c +++ b/xen/common/sched/rt.c @@ -26,7 +26,6 @@ #include #include #include -#include #include #include -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:46:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:46:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333274.1596027 (Exim 4.92) (envelope-from ) id 1wWvqS-0005vD-10; Tue, 09 Jun 2026 12:46:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333274.1596027; Tue, 09 Jun 2026 12:46:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvqR-0005v6-UO; Tue, 09 Jun 2026 12:46:15 +0000 Received: by outflank-mailman (input) for mailman id 1333274; Tue, 09 Jun 2026 12:46:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvqQ-0005tv-PI for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvqR-001fnP-07 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvqQ-00D5XN-2M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:46:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ccKkX1ZRg+AJT1AZf044aMEXGV5iAmTMYCVUK1ntp2w=; b=cg9blWsIBlJsXfcMrY6HY8K8kh ukDJ3Ak/B+8Gn1cXALQC6xl8PK4ha2P/9eFR4hQOw+m4bfiqPq4+h84yp+VcYGloNtHtcy3P5rf6U xRT1bbqVP2jPLuLWE4XKn8qj+6NFf6Hpt8Pp9AFToBFyaNhBtArmQcjJ3QIBtWX7Edfs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 09 Jun 2026 12:46:14 +0000 commit c3cf7c41214ac180902ca7dc826047774d3c5fb1 Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Roger Pau Monne CommitDate: Tue Jun 9 12:14:43 2026 +0200 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333275.1596031 (Exim 4.92) (envelope-from ) id 1wWvyx-0008Ex-LE; Tue, 09 Jun 2026 12:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333275.1596031; Tue, 09 Jun 2026 12:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvyx-0008Ep-Ib; Tue, 09 Jun 2026 12:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1333275; Tue, 09 Jun 2026 12:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvyw-0008Ej-S7 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvyx-001fuo-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvyw-00DIGo-2J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7HB36z0asNoctseLPTZsZpVmcjRkh8Y7QQYTf/m+JcI=; b=wySzrMfbizc7m0l8jgF9PV6fJh 6aFzTfNtv41/7GQAjp1gMCaBtqe4JIc/FJTo5FJJxCwwO8jNzBty29kHSr9p9vWjAYxN04sxMs/9o 1ZA2e/rPtYgYVHtJINQS+QXZK0bMTwwtM5IrP5em4WWksfRQNGAZ9bSE476loEaufI1A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 12:55:02 +0000 commit 4c11789f6ea307c2567251f63812a62be3438377 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:48 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:45:56 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 1ce12b79e6..c9e2dcab66 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -620,6 +620,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -641,11 +642,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -654,6 +658,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -661,6 +667,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 27928dc3f3..464c43d035 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -145,7 +145,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 4454b158b6..dd879c9070 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -588,6 +588,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 0309d05cfd..aeb1d5b94f 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -157,36 +157,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -203,6 +223,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -210,9 +232,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -229,6 +257,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 0b86329ea3..c45fa0ff2b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -136,6 +136,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 8adf4555c2..b4044d6a57 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -76,8 +76,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333276.1596035 (Exim 4.92) (envelope-from ) id 1wWvz7-0008IE-O1; Tue, 09 Jun 2026 12:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333276.1596035; Tue, 09 Jun 2026 12:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvz7-0008I6-LM; Tue, 09 Jun 2026 12:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1333276; Tue, 09 Jun 2026 12:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvz6-0008I0-UK for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvz7-001fxA-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvz6-00DIWu-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RGkGl/Nepgi3nCUFBZatVRAdn+lXQ8pRodI1X+tGrOQ=; b=JsLxXiipTNQrv0zVM+olpcp7gq j+/Vxj8FJgFO2CpA1LrrRbN87jxcPlAhxjIeN9o6/uski13ogVQHv2C9ktS1eeBL+wi8qcLWzTvq7 erYIuHHKI0lrUndB0nGeKiq3sgGofcqok6KhTr4+whSLTg/IDvzhoc5G85RbIHDIHDLU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 12:55:12 +0000 commit c5915a56fb49d635447586b121f5dcd44537935e Author: Juergen Gross AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:10 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 96ca55a421..5824398183 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -556,7 +556,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( d == NULL ) goto getdomaininfo_out; - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) goto getdomaininfo_out; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 0cbfe8bd44..4c7551c5d9 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3286befeca..4b5f07ad27 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333277.1596038 (Exim 4.92) (envelope-from ) id 1wWvzH-0008Ln-PN; Tue, 09 Jun 2026 12:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333277.1596038; Tue, 09 Jun 2026 12:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzH-0008Lg-Mh; Tue, 09 Jun 2026 12:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1333277; Tue, 09 Jun 2026 12:55:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzH-0008LZ-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvzH-001fxG-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvzG-00DIi2-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rFzwuJcZ4U4HOFhFQSCzcGvP3V5Ep/6LN8zIVHm/Ywo=; b=COcaUxMjhNLJ6hMWlFaQUvs7bs fTqX5Dmc3wfWAtFuRtmZDDHwt2fM4gscVhFjrk26KGOgVYqmjk+Xc2Wk8dPhRBBrkyR0oxa2HabP3 v4CkKDoEzXb5BaUZ7q4IudZoiyovlosQxG8DbqZKhoLUDwGbMcmoTzIQvZkIDPdCdxvg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 12:55:22 +0000 commit b08478bb00b43d1d91068afc75740ab03d1d77b1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 8c6c26b562..e277329c78 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 072e4846aa..100e95d21e 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -191,7 +192,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -202,6 +202,8 @@ struct vcpu XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t) compat; } runstate_guest; /* guest address */ #endif + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333278.1596043 (Exim 4.92) (envelope-from ) id 1wWvzR-0008Os-R3; Tue, 09 Jun 2026 12:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333278.1596043; Tue, 09 Jun 2026 12:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzR-0008Ok-OG; Tue, 09 Jun 2026 12:55:33 +0000 Received: by outflank-mailman (input) for mailman id 1333278; Tue, 09 Jun 2026 12:55:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzR-0008NZ-4s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvzR-001fxM-1H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvzR-00DIwb-0I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kltAjEGLl6/CeiCSq9cUGkYSIPsrSuDRje7ijXMdcms=; b=Sj8qCfiDlz/vpCUHf/MP84twc6 ENSvJIwCgTFJ5mDzgQcVRlEpIAucPSLXwKTDYNiML+Ylem75rNjCfS6kBBttBeLd2EmWnPCi31ufR fem12+QyyB3WA2XopTj9ZOEITgRYx/wHqvzhaxqQAhkSUG4fOMDmaLJJ52HeAjAgs3v8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:55:33 +0000 commit fc4b4423afc1001f9840f6dc7f77427ce9d23d7f Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 91 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 5 ++- xen/xsm/flask/hooks.c | 6 +++- 3 files changed, 59 insertions(+), 43 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5824398183..5f0ad71660 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,56 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + { + domid_t dom = DOMID_INVALID; + + if ( !d ) + { + ret = -EINVAL; + if ( op->domain >= DOMID_FIRST_RESERVED ) + goto domctl_out_unlock_domonly; + + rcu_read_lock(&domlist_read_lock); + + dom = op->domain; + for_each_domain ( d ) + if ( d->domain_id >= dom ) + break; + } + + ret = -ESRCH; + if ( !d ) + goto getdomaininfo_out; + + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + op->domain = op->u.getdomaininfo.domain; + copyback = true; + + getdomaininfo_out: + /* When d was non-NULL upon entry, no cleanup is needed. */ + if ( dom == DOMID_INVALID ) + goto domctl_out_unlock_domonly; + + rcu_read_unlock(&domlist_read_lock); + d = NULL; + } + + goto domctl_out_unlock_domonly; + } + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -534,47 +584,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - { - domid_t dom = DOMID_INVALID; - - if ( !d ) - { - ret = -EINVAL; - if ( op->domain >= DOMID_FIRST_RESERVED ) - break; - - rcu_read_lock(&domlist_read_lock); - - dom = op->domain; - for_each_domain ( d ) - if ( d->domain_id >= dom ) - break; - } - - ret = -ESRCH; - if ( d == NULL ) - goto getdomaininfo_out; - - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - goto getdomaininfo_out; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - - getdomaininfo_out: - /* When d was non-NULL upon entry, no cleanup is needed. */ - if ( dom == DOMID_INVALID ) - break; - - rcu_read_unlock(&domlist_read_lock); - d = NULL; - break; - } - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4b5f07ad27..2ed193689f 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 42857c2122..c4c0ed596f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333279.1596047 (Exim 4.92) (envelope-from ) id 1wWvzb-0008Rt-SB; Tue, 09 Jun 2026 12:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333279.1596047; Tue, 09 Jun 2026 12:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzb-0008Rl-Pb; Tue, 09 Jun 2026 12:55:43 +0000 Received: by outflank-mailman (input) for mailman id 1333279; Tue, 09 Jun 2026 12:55:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzb-0008Rf-8A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvzb-001fxY-1a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvzb-00DJ8J-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=N1q2C2c5l7mZAgu3szm3zsRGmuXIFFQK60aGg8lLzUQ=; b=aWSRj62uBPOdk63Vo7ssbF91ou o1XklzRMSWIfeizfISh23zhMwViFJUzZRuOvXNsbi0NMz4RSH+Bp9njdBWFNaDY0YoVcb/d25oJSp CbaQB3XuQw90/n5p8MFbli28NGVvWZHQras1rZJkZYQJSbamJ/g8PNwSxnvgjJuUGuoE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:55:43 +0000 commit 037e662ba5653fd6c096a2b2556d9ce1e1b03f28 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 13a1674ce4..a6dc665fa6 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -602,6 +607,7 @@ struct domain *domain_create(domid_t domid, spin_lock_init_prof(d, domain_lock); spin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5f0ad71660..96a6e4f9d8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -719,6 +748,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -727,6 +758,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -751,19 +784,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -787,6 +816,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 100e95d21e..c5aa5d9611 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -492,6 +492,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:55:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:55:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333280.1596051 (Exim 4.92) (envelope-from ) id 1wWvzl-0008VV-Uy; Tue, 09 Jun 2026 12:55:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333280.1596051; Tue, 09 Jun 2026 12:55:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzl-0008VN-SI; Tue, 09 Jun 2026 12:55:53 +0000 Received: by outflank-mailman (input) for mailman id 1333280; Tue, 09 Jun 2026 12:55:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzl-0008VH-B2 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvzl-001fxc-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvzl-00DJNZ-0s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:55:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZDn/RL1S8EPxm+V7g+MPs3pezuBcDsO35E95/57PjNQ=; b=Z/eBp+nfHNX3QYqPvwG1UuaBxJ 0ntbdD+lj6bB4/pHrLsKp5XVwVzdxcW2/rNklBzpAYGzVc1OBN5ff6jcY9WeSqyZE+oJY1y3acbFc lPrpo/iuVvcGnlkgzJodr2ykLWj3fq7b67YkzalpQLeAQC6cGaIK0uBR+tdZITJkRHnQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:55:53 +0000 commit eb8153a3cc1cf1f0ea1bd87b84356bc6bd4aae6f Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 4 ++++ 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index c9e2dcab66..35c44391aa 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,6 +226,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -235,6 +237,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -605,16 +609,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -675,6 +676,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2d2eb791e4..c42e053df4 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2103,9 +2103,13 @@ void __hwdom_init setup_io_bitmap(struct domain *d) if ( is_hvm_domain(d) ) { bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); rc = rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d); BUG_ON(rc); + read_unlock(&d->caps_lock); + /* * NB: we need to trap accesses to 0xcf8 in order to intercept * 4 byte accesses, that need to be handled by Xen in order to -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333281.1596055 (Exim 4.92) (envelope-from ) id 1wWvzw-000078-08; Tue, 09 Jun 2026 12:56:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333281.1596055; Tue, 09 Jun 2026 12:56:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzv-000071-Te; Tue, 09 Jun 2026 12:56:03 +0000 Received: by outflank-mailman (input) for mailman id 1333281; Tue, 09 Jun 2026 12:56:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWvzv-00006v-Dx for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWvzv-001fxr-2C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWvzv-00DJWs-1B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WOXxBzfNoIzLfN6GFY4dRC8dytvkbo3bMhrxcyg8F0E=; b=HgzhOCGoVHyab/+q2/qbo5SUTO tTGWt8DKQVvC0UmPPEizjVUpHB8xqvZrgOGMqpPkZ0n3mXjvNiTBPZ3isd5jYaz9Vugs7iUnvlHal d8d0J0dU9/kCK2Ktd40qr8tVaanh/+lucDZAny6WFGQcOXXjVAQyh3tE4W6YGR7OvHiE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 12:56:03 +0000 commit 0a5149863d711e1af964f858f2f089bd25a5f541 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 1baf25c3d9..5508661fcf 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -74,6 +74,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -105,21 +106,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -136,16 +142,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 35c44391aa..cb568bb1fe 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -536,20 +536,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -562,23 +569,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 96a6e4f9d8..e1237f03bb 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -728,6 +728,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -735,6 +738,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333282.1596059 (Exim 4.92) (envelope-from ) id 1wWw07-00009I-1W; Tue, 09 Jun 2026 12:56:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333282.1596059; Tue, 09 Jun 2026 12:56:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw06-00009A-VD; Tue, 09 Jun 2026 12:56:14 +0000 Received: by outflank-mailman (input) for mailman id 1333282; Tue, 09 Jun 2026 12:56:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw05-000094-HD for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw05-001fyB-2W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw05-00DJjL-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1koKw/aPNa8he0DejmP3PA4H11H5HYBego/VFHfQiwg=; b=hRWc4uheQ+khrEdkXddm1XvWdo R1xeEUO486q7rKYsymZwKJq/i3/tbb40LL1wpVMrpituRzB9Py/2fWWXNs6j6uF6CSW9dUouSsyKx z8yhCA3RrxeErlhlSc9/5D+78pPIevnL/Eg5qyqUc+gl8/ywVSnt89dDscfp2NjP4Rek=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:56:13 +0000 commit 95bfcd4084442791e8e8fbe4c7153bcf0d6b711a Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e1237f03bb..d2545569b7 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -392,6 +392,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -768,64 +828,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ed193689f..7c45a330ae 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c4c0ed596f..a9d8140f10 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333283.1596063 (Exim 4.92) (envelope-from ) id 1wWw0H-0000Cp-2y; Tue, 09 Jun 2026 12:56:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333283.1596063; Tue, 09 Jun 2026 12:56:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0H-0000Ch-0L; Tue, 09 Jun 2026 12:56:25 +0000 Received: by outflank-mailman (input) for mailman id 1333283; Tue, 09 Jun 2026 12:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0F-0000Ca-Jq for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw0F-001fyJ-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw0F-00DK0n-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=W6X/XMoS02ZLeDBkZ7K7XPojOkggXlZPwT+tWDFBB2M=; b=bAel0HGx/hVRq8n6T/aoaDVvzR m1bFAeLzpuvEp4YsKwOwtV9atF0WwQHnHbJ1QajarhG1q3fRkeYWauPg1oNZG+uloC8Lf1LnWzM6N dUG7d51MDRlNb5kBx7W7UR50JTqCjv2/wLNtBpv8QKv5SAf7lluFR3ULKfwEpvObiIbY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:56:23 +0000 commit e4a65bd4230abaae48d4f4b72f0c3028541c9c57 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index cb568bb1fe..12d8768da3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -619,12 +619,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d2545569b7..0f3bb6087a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -452,6 +452,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7c45a330ae..60dc474b2b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -764,7 +764,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a9d8140f10..bfdc5da2cd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333284.1596066 (Exim 4.92) (envelope-from ) id 1wWw0R-0000Gg-5V; Tue, 09 Jun 2026 12:56:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333284.1596066; Tue, 09 Jun 2026 12:56:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0R-0000GY-2x; Tue, 09 Jun 2026 12:56:35 +0000 Received: by outflank-mailman (input) for mailman id 1333284; Tue, 09 Jun 2026 12:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0P-0000FG-Mp for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw0P-001fyN-35 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw0P-00DKDu-26 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RB15KLeHIfjSM8NeO7pyP1T5/5HEA8Q69yXKp9InoSo=; b=taqKwmSTCAybNh+4Kgkqw1OsAP 0FoCeqOdqzwNsvTEzYkTePFaT56f+6NkD8N9dgCNUwPxCw/Fj2IR1t/g0TSy7789n+lZy1NDyVAfk NnSVj6ZYbuLQ/jqnzU6tAFHvghWPK5hgRkcXlr8+Vo/Ef8u28V8ncXzRbHXSxKzEC8yo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:56:33 +0000 commit 43013fe6b62db276fdce162a221c06d3f29bc223 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 5508661fcf..cd93636ac1 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -102,7 +102,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -138,7 +138,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 12d8768da3..12f1e85c30 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -531,7 +531,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -569,7 +569,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0f3bb6087a..f9d9ab5e38 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -453,6 +453,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 60dc474b2b..6cdba38c83 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index bfdc5da2cd..19e3bfd9c7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333285.1596071 (Exim 4.92) (envelope-from ) id 1wWw0b-0000Ic-6x; Tue, 09 Jun 2026 12:56:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333285.1596071; Tue, 09 Jun 2026 12:56:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0b-0000IU-4L; Tue, 09 Jun 2026 12:56:45 +0000 Received: by outflank-mailman (input) for mailman id 1333285; Tue, 09 Jun 2026 12:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0Z-0000IO-Ps for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw0a-001fyS-0A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw0Z-00DKTi-2P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LA3lXZoORPlLu+vFr9+CfeCjeUbDQ8JwWd9MiOJyH9s=; b=sp4BRk99A7ahCsJH52BBJzciz7 7xje30i1Zg4N1EJKxWTQCEARWlVw/a4OhpQTzr7hyNlJwqUY1P0e4ge2iNQqgmV+ilPbWWT1bT9mb yJfOjC4qGCI9mgzlaCAFPe49c3+IxHbhttxgUHX4BYpsAvaFksw2MUd1o9AjSgYDembQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:56:43 +0000 commit d6d9f96182b468fe47ab247ec5b5f3ee4f221960 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 12f1e85c30..b3fcc06fd6 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,12 +226,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f9d9ab5e38..ccb8c5b438 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -392,6 +392,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -452,6 +480,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -809,31 +838,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6cdba38c83..f49ee244cf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -755,7 +757,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 19e3bfd9c7..3a8f5ac6e2 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:56:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:56:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333286.1596075 (Exim 4.92) (envelope-from ) id 1wWw0l-0000Lh-8e; Tue, 09 Jun 2026 12:56:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333286.1596075; Tue, 09 Jun 2026 12:56:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0l-0000LY-5n; Tue, 09 Jun 2026 12:56:55 +0000 Received: by outflank-mailman (input) for mailman id 1333286; Tue, 09 Jun 2026 12:56:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0j-0000KM-Su for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw0k-001fyb-0T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw0j-00DKdc-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:56:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0ltKZqn+0AwTgBgy1mSpUa9vbh21Pc9GHXekE9XRXsE=; b=fTLu/uvd0eugkr/wt8ZJpcIaol uX2ZKJZaYPEIZhe7fRzgHKyM2OZl3prCA5lQ4zxZ4MYMEO9BZZ+zpOGFsDANh5rgzj2cjOrisQAIw JbeQoBV/ddi02jagoCAFgmKLR+sPeAufroIUX9PG3qycNiFMQk82LVxqSgkLILL6WNbU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:56:53 +0000 commit 6789ab98fc908ffcd83c7417f22a973f39b5fcf9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 55 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ccb8c5b438..ebc97aa843 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -480,6 +480,36 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -813,31 +843,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f49ee244cf..9e45b0e535 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3a8f5ac6e2..b0308369c9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333287.1596079 (Exim 4.92) (envelope-from ) id 1wWw0v-0000Nv-9f; Tue, 09 Jun 2026 12:57:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333287.1596079; Tue, 09 Jun 2026 12:57:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0v-0000Nn-78; Tue, 09 Jun 2026 12:57:05 +0000 Received: by outflank-mailman (input) for mailman id 1333287; Tue, 09 Jun 2026 12:57:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw0t-0000Nh-W2 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw0u-001fyq-0m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw0t-00DKqW-2z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2f/amrYkcoIFwU16w+gQu6PjCdjLzM1eh52nA1E2NyM=; b=JTZeSxGiUoqHnN8CCDHzeS2IRj /EV7b3XzeySagAeHFzT7Vr/06r5mKbFZpbwGPUnk1CsCXrXWUq39Q1lLPBDwuIwAllmMZxnJt/5i/ k5415NvP7sGVJcyC7ok+Ob3P2MXu3p0QSnh2UPlJKzVtqCK2q57zep4zbpVA+T3HZIiM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 12:57:03 +0000 commit a0119e1fd676b350491a0e6441eae63fa144d2f9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 18 insertions(+), 36 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ebc97aa843..03851eb221 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -510,6 +510,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index ecf49c38a9..6af5f13f45 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -600,10 +600,6 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) return 0; } - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; - if ( unlikely(d == current->domain) ) /* no domain_pause() */ { gdprintk(XENLOG_INFO, "Tried to do a memory event op on itself.\n"); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 9e45b0e535..0613345669 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -643,13 +643,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 627c0d2731..2a3b94afd5 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -152,8 +152,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -626,12 +624,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..fba0672fdd 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -109,8 +109,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b0308369c9..8ebbf08a42 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1346,11 +1344,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1929,8 +1922,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333288.1596082 (Exim 4.92) (envelope-from ) id 1wWw15-0000QX-CI; Tue, 09 Jun 2026 12:57:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333288.1596082; Tue, 09 Jun 2026 12:57:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw15-0000QP-9h; Tue, 09 Jun 2026 12:57:15 +0000 Received: by outflank-mailman (input) for mailman id 1333288; Tue, 09 Jun 2026 12:57:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw14-0000QI-2T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw14-001fzD-13 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw14-00DL20-05 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mYVUk+nU4vY4Bk8g8K+mbP5WfN2tK7P5QOtUpt8jes0=; b=RVkPqnJ7EtAvCEpjEoWoZsfMTS XCUY1uX6DkIb83zfRtnMD1x30MUIIJBgEROrUbRVSvgYB4+036nmbMo7JQqNSmvVNTZyszHEZqhHe Qg36tSw0Shd17AQaB8pnE+ya8nOVyRe1cyGiWLBMDsGi5mt9hbEuIvAPJMVS02cfZ9BU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 12:57:14 +0000 commit 53cd1f0cf5529791cb4c175f84e61616603d6dfe Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:12 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index d7785420bb..8414b631ef 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -779,7 +779,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 03851eb221..c4dd88c353 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -539,9 +539,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0613345669..4d92bce52b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 2a3b94afd5..4e1860c328 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -247,9 +247,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8ebbf08a42..7a13cecbdd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -840,7 +840,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333289.1596087 (Exim 4.92) (envelope-from ) id 1wWw1F-0000Ts-Dd; Tue, 09 Jun 2026 12:57:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333289.1596087; Tue, 09 Jun 2026 12:57:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1F-0000Tl-B2; Tue, 09 Jun 2026 12:57:25 +0000 Received: by outflank-mailman (input) for mailman id 1333289; Tue, 09 Jun 2026 12:57:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1E-0000Tf-5N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw1E-001fzH-1L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw1E-00DL8y-0N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xgP+wNzf/CxagG3IirIfU8ybUukM6/M7jzY3iz1j/zQ=; b=t17NKKwHxJCel6jnjSmfp1zQWv 5GmGgb8JnR/OLJd42DNZltVTeuQw3hDWzuA3q5q8slZEoVkT3CtUGK8iUGJ8J6x4SJ+hhSZ8L4BJK X9uvNACy3td+8jxRvKC8OIa619W83njtXPS685Smj8RXqhOz6IiIohp5i/WAi1l7QL7w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 12:57:24 +0000 commit ffc0d278e73e145fc147237ac0aa42e8a7e68c7b Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index e277329c78..87484361e8 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2058,10 +2058,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4d92bce52b..ded7d2b698 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4e1860c328..ed5b9e1308 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -229,12 +228,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index fba0672fdd..57ec4b26b3 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 7a13cecbdd..d04bb34f2e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1849,7 +1851,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333290.1596090 (Exim 4.92) (envelope-from ) id 1wWw1P-0000XM-FX; Tue, 09 Jun 2026 12:57:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333290.1596090; Tue, 09 Jun 2026 12:57:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1P-0000XC-CP; Tue, 09 Jun 2026 12:57:35 +0000 Received: by outflank-mailman (input) for mailman id 1333290; Tue, 09 Jun 2026 12:57:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1O-0000X4-8f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw1O-001fzO-1f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw1O-00DLMa-0g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=L2e2Io+v5jqRKHM+mhhr12/wow97HO7XL41pzNUCCEk=; b=njN3JHEXkh8bGeHf+ZM0R4JT3O 9qJoJuIuJZFVxYwVGaMAX+AhfpBigu6/+mYCdyk01L3TH71QvxRvg9EBR3/98i7lIR096mrWWFcJW 1uTGH311Yo0eWOR8j2CfbsF0rn88KigyQSM657tcTSVixVIKH64nTJcyQmeKvmUeFM0Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 12:57:34 +0000 commit 4aa3ccc4f9ee7bd16ef7a3502c46369d03c188d5 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 8414b631ef..b8ef65cfb8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -721,10 +721,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ded7d2b698..f532e01c48 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -673,13 +673,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index ed5b9e1308..be968a3b5f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -167,7 +167,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -649,12 +648,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 57ec4b26b3..d7c30d030c 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -123,7 +123,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d04bb34f2e..742a439bd6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1577,7 +1579,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1957,7 +1959,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333291.1596094 (Exim 4.92) (envelope-from ) id 1wWw1Z-0000ar-GQ; Tue, 09 Jun 2026 12:57:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333291.1596094; Tue, 09 Jun 2026 12:57:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1Z-0000aj-Dj; Tue, 09 Jun 2026 12:57:45 +0000 Received: by outflank-mailman (input) for mailman id 1333291; Tue, 09 Jun 2026 12:57:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1Y-0000ad-BJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw1Y-001fzU-1w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw1Y-00DLXV-0y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5GzVP5fyQLxuTHBudpaIY4HGIEooeC9JzSOTYA2oMD8=; b=NzqAuT6CwaTxWQCmOxcKAdE6p1 YBnDXcEmYJCD5P0GDQuO0t7Ga6RF+BMvYt+np/6z9kbdccoJOdQaetEPNihpLVSvcX5ayx20Lv5+W lNI4BHCGKqymGT0ohppO/b/CvrW+adQmoCZmipMT48Qj5NjCFnLscbi/sLR07M++wjMQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:57:44 +0000 commit 9609fecb5b97c3063873f892e2b6bbe868ce8bb6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c4dd88c353..f0dd5b595e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -527,6 +527,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -949,7 +953,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index cfe2934a6e..1131950078 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1513,7 +1513,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1583,7 +1583,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f532e01c48..3fb36887d6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 742a439bd6..33d6df7ff9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:57:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:57:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333292.1596099 (Exim 4.92) (envelope-from ) id 1wWw1j-0000cq-Hl; Tue, 09 Jun 2026 12:57:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333292.1596099; Tue, 09 Jun 2026 12:57:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1j-0000ci-FB; Tue, 09 Jun 2026 12:57:55 +0000 Received: by outflank-mailman (input) for mailman id 1333292; Tue, 09 Jun 2026 12:57:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1i-0000cb-EG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw1i-001fzf-2E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw1i-00DLrh-1F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:57:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QTa5itQQL8esZ2otzYUN7X1Y6VXNcLdFNJwGxTnXa+M=; b=g1X2sLwUx/b9eaaPO1iEouDOwA gh51XFsxR8u3ZIwHi95YKyfVRNkbH6G9M4YNiCYGDoNjuMgpNeTL8I0CjEs6jkXYKpynSg3AadOp2 Dx1De8Mtc3K7CGG9WqaGlYgUdHsqWXeLdKUPYSNJvKCgX/jHfOweouBYlyGO+QUNc9NY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 12:57:54 +0000 commit 0818baa5e949450486d76891ba74f7b07d537e61 Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f0dd5b595e..de327f6fd3 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -326,6 +326,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -333,6 +337,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; /* fall through */ case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 1c32d7b50c..acfda2c8c6 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -213,15 +213,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -262,15 +262,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) return -EINVAL; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 1131950078..3e3ee2df08 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1633,10 +1633,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1678,10 +1674,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 7ba3a56520..1af7b3d41a 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -531,7 +531,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3fb36887d6..d97e6bcf5b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index be968a3b5f..102880da9e 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -121,13 +121,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -506,35 +499,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index d7c30d030c..49598bf08a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -76,13 +76,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 33d6df7ff9..3ecf9b3538 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1394,7 +1438,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1424,7 +1468,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1456,7 +1500,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1486,7 +1530,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1947,13 +1991,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333293.1596103 (Exim 4.92) (envelope-from ) id 1wWw1t-0000fP-Kb; Tue, 09 Jun 2026 12:58:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333293.1596103; Tue, 09 Jun 2026 12:58:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1t-0000fI-Hz; Tue, 09 Jun 2026 12:58:05 +0000 Received: by outflank-mailman (input) for mailman id 1333293; Tue, 09 Jun 2026 12:58:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw1s-0000fA-Gt for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw1s-001g03-2V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw1s-00DM8E-1W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0N+tF+vhz+BbgxR76sXWKPL5YBwd3W0E+axTnLOaT0c=; b=hZWdpyZEN8wcRjorHTC+KDR0SA IN0qggnYelkdH/b4jRd0D9z1E9if0FyA6D3pRcjVlyZQ0GHTiKuDZVr+ORzO1ZvwZevxqcqKSQl03 Df85CmkuS9cwyJgCw9X8W5LSp/BMythdxViQqDpd7QWzjcWD7FjGnVnJs55jGSfxL914=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 12:58:04 +0000 commit 272126388a1491353a2433af2aadebdca1ac6b4c Author: Jan Beulich AuthorDate: Thu Jun 4 21:42:55 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index de327f6fd3..ce8f6aae61 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -519,6 +519,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -875,36 +899,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d97e6bcf5b..8ed7c3dacf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3ecf9b3538..2df93b01b4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333294.1596107 (Exim 4.92) (envelope-from ) id 1wWw23-0000kC-M0; Tue, 09 Jun 2026 12:58:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333294.1596107; Tue, 09 Jun 2026 12:58:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw23-0000k4-JQ; Tue, 09 Jun 2026 12:58:15 +0000 Received: by outflank-mailman (input) for mailman id 1333294; Tue, 09 Jun 2026 12:58:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw22-0000jy-Jp for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw22-001g0N-2m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw22-00DMOX-1o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AT3kwpKJB2Bd61KlA7rPvcc4+vQTolOhv7RouEijugc=; b=tN+RKg0RFwzjMMCaO3o78sxJqf El3ccLzPvaGjW3+e2RL8Dc5+M3x7paNwjw+3lmsek9mUAO6QgWqvxGnP28oOTepaEWWe1HJK0Kv5l 6N0dNe7RiU2G9R7Oo6SuuPYuQRzzxUYZfw/g8ozeBoZ4JUkxP6flDyB8ehCD+WRBSxK4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm64: flushtlb: Reduce scope of barrier for local TLB flush Message-Id: Date: Tue, 09 Jun 2026 12:58:14 +0000 commit 4ba0e07469f516e9e24dd50f2cb6d3ba0245d166 Author: Julien Grall AuthorDate: Tue Jan 24 19:25:19 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Reduce scope of barrier for local TLB flush Per D5-4929 in ARM DDI 0487H.a: "A DSB NSH is sufficient to ensure completion of TLB maintenance instructions that apply to a single PE. A DSB ISH is sufficient to ensure completion of TLB maintenance instructions that apply to PEs in the same Inner Shareable domain. " This means barrier after local TLB flushes could be reduced to non-shareable. Note that the scope of the barrier in the workaround has not been changed because Linux v6.1-rc8 is also using 'ish' and I couldn't find anything in the Neoverse N1 suggesting that a 'nsh' would be sufficient. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit 7c438851475482bf73fcf451551d1cb718d4904c) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm64/flushtlb.h | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 7c54315187..fcc0788c30 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,8 +12,9 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB operation for all the TLB flush operations. - * While this is stricly not necessary, we don't want to take any risk. + * The workaround repeats TLBI+DSB ISH operation for all the TLB flush + * operations. While this is strictly not necessary, we don't want to + * take any risk. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -21,12 +22,17 @@ * For the Stage-2 page-tables the ISB ensures the completion of the DSB * (and therefore the TLB invalidation) before continuing. So we know * the TLBs cannot contain an entry for a mapping we may have removed. + * + * Note that for local TLB flush, using non-shareable (nsh) is sufficient + * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in + * for the workaround is left as inner-shareable to match with Linux + * v6.1-rc8. */ -#define TLB_HELPER(name, tlbop) \ +#define TLB_HELPER(name, tlbop, sh) \ static inline void name(void) \ { \ asm volatile( \ - "dsb ishst;" \ + "dsb " # sh "st;" \ "tlbi " # tlbop ";" \ ALTERNATIVE( \ "nop; nop;", \ @@ -34,25 +40,25 @@ static inline void name(void) \ "tlbi " # tlbop ";", \ ARM64_WORKAROUND_REPEAT_TLBI, \ CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb ish;" \ + "dsb " # sh ";" \ "isb;" \ : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1); +TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is); +TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1); +TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is); +TLB_HELPER(flush_all_guests_tlb, alle1is, ish) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2); +TLB_HELPER(flush_xen_tlb_local, alle2, nsh) /* Flush TLB of local processor for address va. */ static inline void __flush_xen_tlb_one_local(vaddr_t va) @@ -66,6 +72,8 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile("tlbi vae2is, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); } +#undef TLB_HELPER + #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* * Local variables: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333295.1596110 (Exim 4.92) (envelope-from ) id 1wWw2D-0000oE-NT; Tue, 09 Jun 2026 12:58:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333295.1596110; Tue, 09 Jun 2026 12:58:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2D-0000o6-Ko; Tue, 09 Jun 2026 12:58:25 +0000 Received: by outflank-mailman (input) for mailman id 1333295; Tue, 09 Jun 2026 12:58:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2C-0000o0-MF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw2C-001g0T-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw2C-00DMdg-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XpB+fXLj5ChGCI66N+b2BI1Ovy1MVMasbfe7XX78gTw=; b=DGqwRPo5bd14sEmTNwNkAcwCkp 35/G0+oy6I1112ehJMuM82YvYLnukAlnYlLPE6RBw/gmPa6PWfbzBskV9k6lG3s/dMz8wAeSlf4e8 ayfkRG9QSwRi8/pPHYsYqMU3R5xwALVZ0439e3v8aXc/HWjp/RndnO1bhW0vffFJIf6Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm64: flushtlb: Implement the TLBI repeat workaround for TLB flush by VA Message-Id: Date: Tue, 09 Jun 2026 12:58:24 +0000 commit 95b9e5a188f6132711f47a24d05dc1816e189daf Author: Julien Grall AuthorDate: Tue Jan 24 19:25:50 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Implement the TLBI repeat workaround for TLB flush by VA Looking at the Neoverse N1 errata document, it is not clear to me why the TLBI repeat workaround is not applied for TLB flush by VA. The TLB flush by VA helpers are used in flush_xen_tlb_range_va_local() and flush_xen_tlb_range_va(). So if the range size is a fixed size smaller than a PAGE_SIZE, it would be possible that the compiler remove the loop and therefore replicate the sequence described in the erratum 1286807. So the TLBI repeat workaround should also be applied for the TLB flush by VA helpers. Fixes: 22e323d115d8 ("xen/arm: Add workaround for Cortex-A76/Neoverse-N1 erratum #1286807") Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit cbfaf6ccd2cb5d1b2bc6efe5c6f4ba5cccce5689) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm64/flushtlb.h | 32 +++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index fcc0788c30..56c6fc763b 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -45,6 +45,27 @@ static inline void name(void) \ : : : "memory"); \ } +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + * + * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. + */ +#define TLB_HELPER_VA(name, tlbop) \ +static inline void name(vaddr_t va) \ +{ \ + asm volatile( \ + "tlbi " # tlbop ", %0;" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi " # tlbop ", %0;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + : : "r" (va >> PAGE_SHIFT) : "memory"); \ +} + /* Flush local TLBs, current VMID only. */ TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) @@ -61,18 +82,13 @@ TLB_HELPER(flush_all_guests_tlb, alle1is, ish) TLB_HELPER(flush_xen_tlb_local, alle2, nsh) /* Flush TLB of local processor for address va. */ -static inline void __flush_xen_tlb_one_local(vaddr_t va) -{ - asm volatile("tlbi vae2, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); -} +TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) /* Flush TLB of all processors in the inner-shareable domain for address va. */ -static inline void __flush_xen_tlb_one(vaddr_t va) -{ - asm volatile("tlbi vae2is, %0;" : : "r" (va>>PAGE_SHIFT) : "memory"); -} +TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) #undef TLB_HELPER +#undef TLB_HELPER_VA #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333296.1596115 (Exim 4.92) (envelope-from ) id 1wWw2N-0000s3-Oz; Tue, 09 Jun 2026 12:58:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333296.1596115; Tue, 09 Jun 2026 12:58:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2N-0000rv-MG; Tue, 09 Jun 2026 12:58:35 +0000 Received: by outflank-mailman (input) for mailman id 1333296; Tue, 09 Jun 2026 12:58:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2M-0000rp-P6 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw2N-001g0X-05 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw2M-00DMws-2J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=h0wm2DSvDdOi+tI9nhjat80MewOutpKVb/p3Okpl/uI=; b=66f7jestX9eJ4O+hdMHzjYBzuo /tUePvAo9faYVs3ll00FLm9P/6uziyAieia6qrHyAfWV12x8RQbff+vWwN9g9LGFmc+n57yYDvRdz YYXVzWAzQYGrBS/Dk3d4C1vkp05aD5djKsOdQVk0KnMidmynAjXQTgYA+5Gc9h0K+a44=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm32: flushtlb: Reduce scope of barrier for local TLB flush Message-Id: Date: Tue, 09 Jun 2026 12:58:34 +0000 commit 08157db12beb4a9698f4a13cba0884c4fe86f832 Author: Julien Grall AuthorDate: Tue Jan 24 19:26:09 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm32: flushtlb: Reduce scope of barrier for local TLB flush Per G5-9224 in ARM DDI 0487I.a: "A DSB NSH is sufficient to ensure completion of TLB maintenance instructions that apply to a single PE. A DSB ISH is sufficient to ensure completion of TLB maintenance instructions that apply to PEs in the same Inner Shareable domain. " This is quoting the Armv8 specification because I couldn't find an explicit statement in the Armv7 specification. Instead, I could find bits in various places that confirm the same implementation. Furthermore, Linux has been using 'nsh' since 2013 (62cbbc42e001 "ARM: tlb: reduce scope of barrier domains for TLB invalidation"). This means barrier after local TLB flushes could be reduced to non-shareable. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Tested-by: Henry Wang (cherry picked from commit d56c70b6e1fe2b4ee836ca4449a3277cbbeb0ddc) xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers This is inconsistent with the rest of the code where macros are used to define functions, as it results in an empty declaration (i.e. semicolon with nothing before it) after function definition. This is also not allowed by C99. Take the opportunity to undefine TLB_HELPER* macros after last use. Signed-off-by: Michal Orzel Reviewed-by: Stefano Stabellini (cherry picked from commit 6044b485ba5b0e4073a773402cedc2f2fae540ad) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 9085e65011..22ee3b317b 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -15,30 +15,35 @@ * For the Stage-2 page-tables the ISB ensures the completion of the DSB * (and therefore the TLB invalidation) before continuing. So we know * the TLBs cannot contain an entry for a mapping we may have removed. + * + * Note that for local TLB flush, using non-shareable (nsh) is sufficient + * (see G5-9224 in ARM DDI 0487I.a). */ -#define TLB_HELPER(name, tlbop) \ -static inline void name(void) \ -{ \ - dsb(ishst); \ - WRITE_CP32(0, tlbop); \ - dsb(ish); \ - isb(); \ +#define TLB_HELPER(name, tlbop, sh) \ +static inline void name(void) \ +{ \ + dsb(sh ## st); \ + WRITE_CP32(0, tlbop); \ + dsb(sh); \ + isb(); \ } /* Flush local TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb_local, TLBIALL); +TLB_HELPER(flush_guest_tlb_local, TLBIALL, nsh) /* Flush inner shareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, TLBIALLIS); +TLB_HELPER(flush_guest_tlb, TLBIALLIS, ish) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, TLBIALLNSNH); +TLB_HELPER(flush_all_guests_tlb_local, TLBIALLNSNH, nsh) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, TLBIALLNSNHIS); +TLB_HELPER(flush_all_guests_tlb, TLBIALLNSNHIS, ish) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, TLBIALLH); +TLB_HELPER(flush_xen_tlb_local, TLBIALLH, nsh) + +#undef TLB_HELPER /* Flush TLB of local processor for address va. */ static inline void __flush_xen_tlb_one_local(vaddr_t va) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333297.1596119 (Exim 4.92) (envelope-from ) id 1wWw2Y-0000uA-QH; Tue, 09 Jun 2026 12:58:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333297.1596119; Tue, 09 Jun 2026 12:58:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2Y-0000u2-Nd; Tue, 09 Jun 2026 12:58:46 +0000 Received: by outflank-mailman (input) for mailman id 1333297; Tue, 09 Jun 2026 12:58:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2W-0000tu-S0 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw2X-001g0c-0M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw2W-00DN4g-2a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MXoWbSxE1FqfYrNa1MS9t+jfdwWFPHwM0N8J7TC8s08=; b=hBKkk7gNDAT0YXE74q+jHJienD QaKv8KwOtSpLpZB2zilr6z/cXdB6nFFOeGOEOYD30vdUOKKJzeKGdLaI7Ls0nbDqcFUKfiB4DbstP 9enC5zkqJ4MWRIdU+jL48N4eJTI3fL6/hOFfaVhK+qwalUIhZbr2z5WzIJhSoXjvC27w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: flushtlb: Reduce scope of barrier for the TLB range flush Message-Id: Date: Tue, 09 Jun 2026 12:58:44 +0000 commit 333c263bbad55928dcb3cc49e5ab1e30c6fc7be8 Author: Julien Grall AuthorDate: Tue Jan 24 19:26:29 2023 +0000 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: flushtlb: Reduce scope of barrier for the TLB range flush At the moment, flush_xen_tlb_range_va{,_local}() are using system wide memory barrier. This is quite expensive and unnecessary. For the local version, a non-shareable barrier is sufficient. For the SMP version, an inner-shareable barrier is sufficient. Furthermore, the initial barrier only needs to a store barrier. For the full explanation of the sequence see asm/arm{32,64}/flushtlb.h. Signed-off-by: Julien Grall Reviewed-by: Michal Orzel Reviewed-by: Henry Wang (cherry picked from commit 5e5d1a43e18468399448ff8dec687342d48f56da) --- xen/arch/arm/include/asm/flushtlb.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index 125a141975..e45fb6d97b 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -37,13 +37,14 @@ static inline void flush_xen_tlb_range_va_local(vaddr_t va, { vaddr_t end = va + size; - dsb(sy); /* Ensure preceding are visible */ + /* See asm/arm{32,64}/flushtlb.h for the explanation of the sequence. */ + dsb(nshst); /* Ensure prior page-tables updates have completed */ while ( va < end ) { __flush_xen_tlb_one_local(va); va += PAGE_SIZE; } - dsb(sy); /* Ensure completion of the TLB flush */ + dsb(nsh); /* Ensure the TLB invalidation has completed */ isb(); } @@ -56,13 +57,14 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, { vaddr_t end = va + size; - dsb(sy); /* Ensure preceding are visible */ + /* See asm/arm{32,64}/flushtlb.h for the explanation of the sequence. */ + dsb(ishst); /* Ensure prior page-tables updates have completed */ while ( va < end ) { __flush_xen_tlb_one(va); va += PAGE_SIZE; } - dsb(sy); /* Ensure completion of the TLB flush */ + dsb(ish); /* Ensure the TLB invalidation has completed */ isb(); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:58:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:58:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333298.1596123 (Exim 4.92) (envelope-from ) id 1wWw2i-0000xi-St; Tue, 09 Jun 2026 12:58:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333298.1596123; Tue, 09 Jun 2026 12:58:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2i-0000xa-QB; Tue, 09 Jun 2026 12:58:56 +0000 Received: by outflank-mailman (input) for mailman id 1333298; Tue, 09 Jun 2026 12:58:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2g-0000xT-US for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw2h-001g0g-0c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw2g-00DNHt-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:58:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6/6T4dSlFO2K5rFmnGmjrTwGPWNDP6MHpznu/r56r0c=; b=UUuxRmxWVNnrgzt+nnmF6jhgo6 ktVsEozQQGxefJ+2FVp96S9yWfwgvTPNwhvGitpWWc1UVgl/UxVnUo8eLhqXpMT5leI+d1lsZK+qV xibu0bJNvzgj3xqODGzeP/0oZwpm8S5o6zz6dkmnrQBAZXlyTGvC4DeoDo+cLmhA5xyo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 12:58:54 +0000 commit 16f1d36545f8271be13b4714df1cc53f6a8c0b0d Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + 3 files changed, 71 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 22ee3b317b..749a9b07da 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 56c6fc763b..7ef6d3f331 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:59:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:59:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333299.1596126 (Exim 4.92) (envelope-from ) id 1wWw2s-00010q-UK; Tue, 09 Jun 2026 12:59:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333299.1596126; Tue, 09 Jun 2026 12:59:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2s-00010h-RY; Tue, 09 Jun 2026 12:59:06 +0000 Received: by outflank-mailman (input) for mailman id 1333299; Tue, 09 Jun 2026 12:59:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw2r-00010Z-12 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw2r-001g11-0u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw2q-00DNUy-38 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=axE6CecDbq+pnVNnk1dwqZ6n1C+gK+3t07254eBPLUI=; b=WjIs0WpO4ciS/xCHkhzTgtJqZU f69rzFDjx6yzJJ4uz7wF6M8IXaq1wpKKekd2/pkaOGmCN+BhdiRWRHO0bVKklvj85x4AZFiC96wwp THpwDh38R7UL6ujNyeHvAuYFR0ftAAbCNinsyIFyK+jV6N2ObQMcAcLlTgqbUE4kuqao=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 12:59:04 +0000 commit 33937ea4816af9cd14ea4c736dabb25e36920a27 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 1dd81d7d52..af086ebe98 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:59:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:59:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333300.1596131 (Exim 4.92) (envelope-from ) id 1wWw32-000151-Vb; Tue, 09 Jun 2026 12:59:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333300.1596131; Tue, 09 Jun 2026 12:59:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw32-00014s-Ss; Tue, 09 Jun 2026 12:59:16 +0000 Received: by outflank-mailman (input) for mailman id 1333300; Tue, 09 Jun 2026 12:59:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw31-00014l-49 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw31-001g1P-1B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw31-00DNm0-0B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ssg1oiYVICpxbaV5DqvJNL180xHTip7gLfzEl5nKioE=; b=5VMysR0d1RUrl1Xc/hCiLCghpg O/DTWGtdxAI1TUW9GqAx3Dj/OfvcD2RxWAOOeJ50pjKY4tiysuN7Z4eqkycCdYAbV00JRsAHWKywG eTwvnLB3GOolwchopcMBQ84EJEMPc+yW6cIhMDV0tZvzBJ0K4HvoWNLJ2H7MX/qRWgO8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 12:59:15 +0000 commit c76e89264fc04b0b826793ce41381e1022f3a4b0 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index af086ebe98..935dd61762 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:59:27 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:59:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333301.1596135 (Exim 4.92) (envelope-from ) id 1wWw3D-00017L-0g; Tue, 09 Jun 2026 12:59:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333301.1596135; Tue, 09 Jun 2026 12:59:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3C-00017D-UC; Tue, 09 Jun 2026 12:59:26 +0000 Received: by outflank-mailman (input) for mailman id 1333301; Tue, 09 Jun 2026 12:59:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3B-000176-6H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw3B-001g1T-1R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw3B-00DNyc-0S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wUEGSJD62ZKRyypMS19tOXKESye6bel/q+vUmvyY9Kg=; b=JGyBWPRmCHIUYZhdJGnkoJARMK u9DupvAVHgdVd81rNWgnHcMm25fd1q5G8NoZaEC23SIfajQsOVukuXSRd4CgtyCRym2zcoeRlvD9g 0tubLCE2SZzwOEuQ1ipGqT5Yxm20+YiCGs+rkNeZYDiaona4tjynnnF4cZRZTrbRAnBE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 12:59:25 +0000 commit a0371b3dedeb7035a508b5ec6d7bb6e73985c938 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 935dd61762..ea4cdfb3e7 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:59:37 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:59:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333302.1596139 (Exim 4.92) (envelope-from ) id 1wWw3N-00019J-2G; Tue, 09 Jun 2026 12:59:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333302.1596139; Tue, 09 Jun 2026 12:59:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3M-00019B-VZ; Tue, 09 Jun 2026 12:59:36 +0000 Received: by outflank-mailman (input) for mailman id 1333302; Tue, 09 Jun 2026 12:59:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3L-000193-8r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw3L-001g1X-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw3L-00DOHW-0j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SLekvaXk2QYw1RN51SnvYGVBwFqj5FSK5UQbZ0M3j1E=; b=kDgugyCYMuM4xzcdlM1dajHy/R Pj7nvdZ26i2Bar1RPExMqvDE7y3Auo4jwzW9XO4687nZoDDkqRKuVFdIEOULL4CTbfhmiQPe6C+bC KkykAs7o/uOQWulJ7OTNewlI6xdVXA6IYNcg70qhJLwqGfqWoXUwOnvakYwTgAzHhDH4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 12:59:35 +0000 commit 9e60576dbeaa01985319876e8f8c54f2a165dcac Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 87d541c411..29076297ad 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -339,6 +339,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index ea680fac2e..33736342fb 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 12:59:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 12:59:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333303.1596143 (Exim 4.92) (envelope-from ) id 1wWw3X-0001Cr-4k; Tue, 09 Jun 2026 12:59:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333303.1596143; Tue, 09 Jun 2026 12:59:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3X-0001Cj-29; Tue, 09 Jun 2026 12:59:47 +0000 Received: by outflank-mailman (input) for mailman id 1333303; Tue, 09 Jun 2026 12:59:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWw3V-0001BT-Cb for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWw3V-001g1d-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWw3V-00DOSA-14 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 12:59:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AfxVajl1NmXZhw930m9CZsVtIdFfr+UZDejtEOZN6Jc=; b=bpkF7MhblbDkdT5XjGFH500wKN w/14mQi9sNCypWFcMmNLe9POdmXBae2sVAzknpDBRcwqWXtoiyNmV5nsbLJxeEVsCfL7rIgIK7hdH 4gz6BD8bePTvEyvDMl275oyFcTvS8QQZslMKxSx3TPkFTJURsDu3MXdbpjMiQAU4SjIY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 12:59:45 +0000 commit 5dfbc0b77f9669bcf9180c227b86a9429efe12c7 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:13 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index f90a268b01..588b56b3fd 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -76,7 +76,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *); int mapcache_vcpu_init(struct vcpu *); -void mapcache_override_current(struct vcpu *); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index a461ee36ff..821ffe3e8b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 07328d44bf..4309441944 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -465,6 +465,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index d31b8d56ff..4dbe86017c 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -546,7 +546,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -554,7 +554,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 3e74cf4ea2..25267f4edc 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -811,8 +811,7 @@ int __init dom0_construct_pv(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -821,8 +820,7 @@ int __init dom0_construct_pv(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -833,8 +831,7 @@ int __init dom0_construct_pv(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -975,8 +972,7 @@ int __init dom0_construct_pv(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 2a445bb17b..5cd467d7a6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -428,6 +428,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -450,15 +452,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 7aa899dac3..a8a4739f5d 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -335,6 +335,7 @@ void start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 5a91fe28cc..aaeb916c0f 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 13b0975866..a83dfaf3bf 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 94a7e547f9..fe2f3b3941 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -34,7 +34,6 @@ struct compat_pf_efi_runtime_call; bool efi_enabled(unsigned int feature); void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333320.1596157 (Exim 4.92) (envelope-from ) id 1wWwZj-0000uI-NX; Tue, 09 Jun 2026 13:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333320.1596157; Tue, 09 Jun 2026 13:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwZj-0000uA-KM; Tue, 09 Jun 2026 13:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1333320; Tue, 09 Jun 2026 13:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwZi-0000u3-Ou for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwZi-001geJ-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwZi-00E4oa-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Jg+zrsT5qlpJFr6X7eyUUViur/5EpMKiEdJqA4l3/zk=; b=IYbGWabkhQQvjdkHZB27F2n0vI RlSUd2RGzDpNi0OYo0CV59w509sY/vUfgDj19Qegi3oYiQ1bLTa4ybF3dzpuOHXG4ZgB75ZjTyJKe MdxRdsC4KnGQlYrJyGJphGDt28PwVrcuRSoJjxFrwleLvLau1qiFEi31AKf+/ZbGMwL4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 13:33:02 +0000 commit 7787f8e9396d06026f72d3db13e836f365e085f8 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:21 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index bfbc35c08b..b967a56e52 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -667,6 +667,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -688,11 +689,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -701,6 +705,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -708,6 +714,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index bb1bb03ac4..2efb1d4f08 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -160,7 +160,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index cbcef18449..a75ccb57bf 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -613,6 +613,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 23a5ea0e61..912e55d416 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -143,36 +143,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -189,6 +209,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -196,9 +218,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -215,6 +243,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index abf9bc448d..dd7fa96aad 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -124,6 +124,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 836138a4a6..2a14fa0a63 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -53,8 +53,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333321.1596159 (Exim 4.92) (envelope-from ) id 1wWwZt-0000zz-OO; Tue, 09 Jun 2026 13:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333321.1596159; Tue, 09 Jun 2026 13:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwZt-0000zr-Lq; Tue, 09 Jun 2026 13:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1333321; Tue, 09 Jun 2026 13:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwZs-0000zl-R4 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwZt-001geN-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwZs-00E50u-2T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=T/5uFo5e1DQ+DeQ1DcKaJndRPgzsHyBopw/GlNZ8yM0=; b=jcV54h363ybqZK+Bvr1DsBjvCL CwFc1ptw3FqNLbYWR3/5IQW/drT5Fm+JxfSvIBC2cDYAbif+XgQmfn+Qhvlz91ru2+5yyxSrYBf4I JwPssZLYKAqNPNtV7ZTFG8dYVZqyqzoVWitGaWA+pLX9+c3Iwg59IOBUL0o42FEeC9bo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 13:33:12 +0000 commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 8e2b75bc35..a65d49a442 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 00db1da12f..898256d320 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -198,7 +199,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -210,6 +210,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Initialization completed for this VCPU? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333322.1596163 (Exim 4.92) (envelope-from ) id 1wWwa3-00017N-RH; Tue, 09 Jun 2026 13:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333322.1596163; Tue, 09 Jun 2026 13:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwa3-00017G-Ol; Tue, 09 Jun 2026 13:33:23 +0000 Received: by outflank-mailman (input) for mailman id 1333322; Tue, 09 Jun 2026 13:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwa2-00017A-U9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwa3-001gem-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwa2-00E5Ak-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=K9UtRfPmIjEzVlUD3b5wL691yFqcly31mhRJ3NW5Nng=; b=NJyIjjL7zGsvKtOheLXh86qhHD 9pYOnCeFftAv15bMX6tv5pTtZ64e7rvi32Qy7M1InTQvMHoF5eHD42z22AVVKVDAtj0sBpQoKdV/n LHnsaSv0OHr/uWdzDNVXE5r+HOF1W9zyB4tE8b9fKyXqxN4uwToVEiSiNQdDK3DZlYN4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:33:22 +0000 commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 6 +++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index b969f5ada6..c205ba802d 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -521,17 +541,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index b8fd7aeedd..6ca4209108 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,9 +172,13 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: return xsm_default_action(XSM_XS_PRIV, current->domain, d); + + case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 28522dcbd2..03413eac51 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -649,8 +649,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333323.1596167 (Exim 4.92) (envelope-from ) id 1wWwaD-0001AH-Sy; Tue, 09 Jun 2026 13:33:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333323.1596167; Tue, 09 Jun 2026 13:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaD-0001AA-QG; Tue, 09 Jun 2026 13:33:33 +0000 Received: by outflank-mailman (input) for mailman id 1333323; Tue, 09 Jun 2026 13:33:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaD-0001A3-16 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwaD-001gey-0u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwaC-00E5KP-36 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0hVhL8CggpyTGOr8aDAoWbuWGrEv7smEAhQTM9RZY70=; b=oXdElMjkhsVMiFfRMS6kWteSXr JbEuNKrAsqZgzgCW7BABGCLhfkFICZbf9NQiyJZ8OZN8QJUj9R40lQpMgEj7lEWc84hNrm8AALdVX gAgxrpCH3XmWRjKvrz16Bd7XxGSnFPQ6I5yIzACPylSJoAehtwg6mweMqDQBwR2QBrro=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: protect locking for get_domain_state Message-Id: Date: Tue, 09 Jun 2026 13:33:32 +0000 commit 5154fdda1124ae76e6a5efc124227790d81046ab Author: Daniel P. Smith AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: protect locking for get_domain_state When DOMID_INVALID is passed, the dom exec handler lock is being taken without any check that the domain is even allowed to take the lock. This allows for an unauthorized domain to DoS the get_domain_state domctl op. Move to consider the op effectively being called against the hypervisor. Thus it is the target of the call being invoked to identify the last domain with a state change. The subsequent check of whether the source domain is allowed the state of the last domain to change state is still relevant. This is part of XSA-492. Signed-off-by: Daniel P. Smith Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- tools/flask/policy/modules/xenstore.te | 1 + xen/common/domain.c | 6 +----- xen/common/domctl.c | 14 +++++++++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/modules/xenstore.te index 776c274869..12549f5482 100644 --- a/tools/flask/policy/modules/xenstore.te +++ b/tools/flask/policy/modules/xenstore.te @@ -14,6 +14,7 @@ allow xenstore_t xen_t:xen writeconsole; # Xenstore queries domaininfo on all domains allow xenstore_t domain_type:domain getdomaininfo; allow xenstore_t domain_type:domain2 get_domain_state; +allow xenstore_t domxen_t:domain2 get_domain_state; # As a shortcut, the following 3 rules are used instead of adding a domain_comms # rule between xenstore_t and every domain type that talks to xenstore diff --git a/xen/common/domain.c b/xen/common/domain.c index bb9e210c28..021e6d8432 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -218,12 +218,8 @@ int get_domain_state(struct xen_domctl_get_domain_state *info, struct domain *d, if ( info->pad0 ) return -EINVAL; - if ( d ) + if ( d != dom_xen ) { - rc = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( rc ) - return rc; - set_domain_state_info(info, d); return 0; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c205ba802d..eee30e8534 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -304,13 +304,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) fallthrough; case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: if ( op->domain == DOMID_INVALID ) { d = NULL; break; } fallthrough; + case XEN_DOMCTL_get_domain_state: + if ( op->domain == DOMID_INVALID ) + { + d = dom_xen; + break; + } + fallthrough; default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) @@ -868,7 +874,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_get_domain_state: - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; break; @@ -881,7 +889,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); domctl_out_unlock_domonly: - if ( d && d != dom_io ) + if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); if ( copyback && __copy_to_guest(u_domctl, op, 1) ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333324.1596172 (Exim 4.92) (envelope-from ) id 1wWwaN-0001DO-Ub; Tue, 09 Jun 2026 13:33:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333324.1596172; Tue, 09 Jun 2026 13:33:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaN-0001DH-Rp; Tue, 09 Jun 2026 13:33:43 +0000 Received: by outflank-mailman (input) for mailman id 1333324; Tue, 09 Jun 2026 13:33:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaN-0001DB-4r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwaN-001gf5-1H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwaN-00E5XH-0D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kNEvryUclLdIgSwCtKHSABLVOfWaMvTa2abXsY04BOo=; b=1ZPbFyT1eBAKYYseAautgK434a HMWuefWJxjlU9SuCY6UVawPUnE46KOA0D5yrXUoAh1d2EfyKXggV/A455Jbe6evp3n4kAJ3B0PgEy 9mnww9yHilbleLl3bFOf79MtqPwesY/CfXZX86aLk6oWdRFctb2mzp7872iAfqa8Jz/A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:33:43 +0000 commit eedff4bcd3d1314f098c2a151d4bb8a90c0f1820 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock get_domain_state() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 3ad3df1bd0aa ("xen: add new domctl get_domain_state") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 16 ++++++++-------- xen/include/xsm/dummy.h | 3 +-- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index eee30e8534..8745bc3d30 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -339,6 +339,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_get_domain_state: + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; @@ -873,14 +881,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EOPNOTSUPP; break; - case XEN_DOMCTL_get_domain_state: - ret = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( !ret ) - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); - if ( !ret ) - copyback = true; - break; - default: ret = arch_do_domctl(op, d, u_domctl); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6ca4209108..ffc6bcbde7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,10 +172,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_get_domain_state: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 03413eac51..bdfaa936be 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -651,6 +651,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -661,7 +662,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: /* These have individual XSM hooks (arch/../domctl.c) */ case XEN_DOMCTL_bind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:33:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:33:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333325.1596176 (Exim 4.92) (envelope-from ) id 1wWwaX-0001FM-Vt; Tue, 09 Jun 2026 13:33:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333325.1596176; Tue, 09 Jun 2026 13:33:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaX-0001FE-TO; Tue, 09 Jun 2026 13:33:53 +0000 Received: by outflank-mailman (input) for mailman id 1333325; Tue, 09 Jun 2026 13:33:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwaX-0001F8-7V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwaX-001gfR-1Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwaX-00E5go-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:33:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gDU/Es0zjLd2Aiw8cisfwQpuN0sqmFrzPO3tK+1QFBE=; b=6tH4Ccz85YL97GDhc6WJHtfvnQ HJ0rVkYgJXcnyVVYxiqv92gVP/peTgkTZiCmQYuih//6Z4GgSC7WJBAOHyl2xPp/pfo6DilPbKlH5 nC7GtWUgTVdYGA+E5r6VnRLJmvmmltW6TJ9AhAux2pwTzb3/nq9tmPcaLhSC3vjLox7Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 13:33:53 +0000 commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 021e6d8432..8f2bfcae28 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -568,10 +568,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -937,6 +942,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8745bc3d30..8c59d0da9f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -267,6 +267,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + static bool is_stable_domctl(uint32_t cmd) { return cmd == XEN_DOMCTL_get_domain_state; @@ -692,6 +721,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -700,6 +731,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -724,19 +757,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -760,6 +789,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 898256d320..11ffebbea4 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -551,6 +551,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333326.1596179 (Exim 4.92) (envelope-from ) id 1wWwai-0001HN-0y; Tue, 09 Jun 2026 13:34:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333326.1596179; Tue, 09 Jun 2026 13:34:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwah-0001HF-Uj; Tue, 09 Jun 2026 13:34:03 +0000 Received: by outflank-mailman (input) for mailman id 1333326; Tue, 09 Jun 2026 13:34:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwah-0001H8-BB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwah-001gfr-1v for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwah-00E5ui-0q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ofm0MsGYJvE2hyV9kFkucwk0OC1O+8EU6gVlrTo7OWk=; b=vSX/F5itxq5oGN85dwx8TKO7bM 7Ktjoqx96BKPI+49h3BCfRQilO4eLJe307z2nwoPo/j9T7mxJp8CDvA4BfVWR8beTdXG8LeqCcgmE +3Z7cwZn8dNpibn53oOGBQrlIfD6Cc2OBjO/KFZG/Dw335ObyWQYqzbC/mv2pR5uahN4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 13:34:03 +0000 commit c9f4586766c4ceeaf013fbc02ad79359c62102c3 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index b967a56e52..1368223bdf 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -237,6 +237,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -246,6 +248,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -652,16 +656,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -722,6 +723,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 19ee857abf..4192edf635 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2339,9 +2339,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333327.1596183 (Exim 4.92) (envelope-from ) id 1wWwat-0001Jv-3e; Tue, 09 Jun 2026 13:34:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333327.1596183; Tue, 09 Jun 2026 13:34:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwat-0001Jn-18; Tue, 09 Jun 2026 13:34:15 +0000 Received: by outflank-mailman (input) for mailman id 1333327; Tue, 09 Jun 2026 13:34:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwar-0001Jg-Dy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwar-001gfw-2C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwar-00E65T-1D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Lkty6Jkef2ty2rWZPOeqjSahIbX9BHqJtdKkAon6Dvg=; b=XdHpGLilflcZgy/3JPuT+vjgON J52+g8h9qmlTwmLIj9PKNr35cgzQp+BAV3nnrHx3hZYw3QkTVxP3rOgtmHgv6cT7yGKZCEBSeF/UR cmM6zEwL1eExh+2M4ZAD6f2KnuxgGbjNY5DxnYbvHX0X2RmnW9WYdsFl7ewdMdT6WZT0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 13:34:13 +0000 commit 329edc090dd5c833213bad3f13f1cbc252bc15a2 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 1368223bdf..649b22a4c4 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -271,16 +271,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -583,20 +584,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -609,23 +617,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8c59d0da9f..704142ed76 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -700,6 +700,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -707,6 +710,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333328.1596189 (Exim 4.92) (envelope-from ) id 1wWwb3-0001NN-5D; Tue, 09 Jun 2026 13:34:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333328.1596189; Tue, 09 Jun 2026 13:34:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwb3-0001ND-2P; Tue, 09 Jun 2026 13:34:25 +0000 Received: by outflank-mailman (input) for mailman id 1333328; Tue, 09 Jun 2026 13:34:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwb1-0001N4-Gr for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwb1-001ggV-2U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwb1-00E6E0-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GFR9/y5QICmOd4elhZuxkA+Xqf5qSJUTN41Cq+bDWkc=; b=oYdaE7t1w61QEYDYKlZ/n+Y//T vmhNWU73ts07yhyXvhjzoaosCqxOgjQmFpY41mzqOK5/3oz2ZHWUMVdTyAR3IcI+mWhf2deozjJK3 myu+WlLHbDJpXFvian1x1dYdAIfgDIer6idBGVAzCSD7OECO86aLlfoMzhxzexDCjzpY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 13:34:23 +0000 commit 6bb83b1aa01bb3baabc150a881849977c82146a4 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index a760d8c32f..d1c92cf77f 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -68,7 +68,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ffc6bcbde7..a6216239cc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -573,6 +573,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cc32a6c091..2708d5ecba 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -116,6 +116,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -516,6 +518,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 244ef55752..9b0eab4bfc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -74,6 +74,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index bdfaa936be..aee8b9fe91 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1911,6 +1911,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333329.1596192 (Exim 4.92) (envelope-from ) id 1wWwbD-0001PJ-6O; Tue, 09 Jun 2026 13:34:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333329.1596192; Tue, 09 Jun 2026 13:34:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbD-0001PB-3g; Tue, 09 Jun 2026 13:34:35 +0000 Received: by outflank-mailman (input) for mailman id 1333329; Tue, 09 Jun 2026 13:34:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbB-0001P5-Ja for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwbB-001gh2-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwbB-00E6Qd-1m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wrjtLBZ3bjS4IKztCOCMSyDfv6b54G0UC5hwSsbIADY=; b=3Ki0Q+70APrbE0nBZZv8LdsEKw Kf13/PCd3qfpAKqVxy4Xxf2UWoD5jJeeFhYVlzIrxNbulBk2iUoNZzzEXsPiqb9/Ph+W35n/BRvFh E1X6or/MvqzIJm0ZFFIxbKnSXIIC1SjORHuVmMO0fHORd/XEKgQI07zr/mXn8D2QLWfY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:34:33 +0000 commit 5a81fb873cb0c7913995372d22660d6a2db0ec48 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 704142ed76..c5daaf51f0 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -741,64 +801,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index a6216239cc..7733e3385a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,13 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -569,7 +569,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index aee8b9fe91..2e29ad0719 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -652,6 +652,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -659,7 +660,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333330.1596196 (Exim 4.92) (envelope-from ) id 1wWwbN-0001RG-7i; Tue, 09 Jun 2026 13:34:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333330.1596196; Tue, 09 Jun 2026 13:34:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbN-0001R7-4y; Tue, 09 Jun 2026 13:34:45 +0000 Received: by outflank-mailman (input) for mailman id 1333330; Tue, 09 Jun 2026 13:34:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbL-0001R0-MJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwbL-001ghT-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwbL-00E6e7-23 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EWkUXa3zcdd7TqBKQURazIB41FrI67YPqMnxkrUafPk=; b=aD6zZIkcGd4YPcckJo1Rjjm+/x vpY/8nhA/0lByoYkPRtbtLGqv2hsGXEPQd0nwXsRP7o+NxQh9WKrh34mqDVfDWvXbjpUWKGtzf/jS pcJN7mZ1VYhRydgFiJvf+r6QLdCYce7fFmAPC8uNS2aEp93GNDVhK5QyOwHHwGZforTI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:34:43 +0000 commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 649b22a4c4..7e7c61bdfc 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -667,12 +667,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c5daaf51f0..82bbfa32d6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,6 +436,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7733e3385a..11fbb7ac68 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,13 +167,13 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -765,7 +765,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2e29ad0719..13d32feb96 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -652,6 +652,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -670,7 +671,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:34:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:34:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333331.1596200 (Exim 4.92) (envelope-from ) id 1wWwbX-0001Up-AE; Tue, 09 Jun 2026 13:34:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333331.1596200; Tue, 09 Jun 2026 13:34:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbX-0001Uh-7h; Tue, 09 Jun 2026 13:34:55 +0000 Received: by outflank-mailman (input) for mailman id 1333331; Tue, 09 Jun 2026 13:34:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbV-0001UZ-Ph for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwbW-001ghX-09 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwbV-00E6rq-2M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:34:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VauOFf67UHJ1RmWoGZGxcDpzSAjoV+L8sq9JTsUjxh0=; b=Oj5OJx2OuvzpPJgk4JSEfTH30+ 0YAcAhEUJVApHImMeZrdWYa/qrjyfwOMEz6cT8kw1qzsdrW4kwF0v5lcmI5ogVwPFtZkehFDXik1m VjeJUerxA9BGA5NVBYFemsVwbuG9asKVb5YebYxrPBPhcvRthYaUvrDBb+hoN2mYllSM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:34:53 +0000 commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 7e7c61bdfc..66c6bdf0a3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -579,7 +579,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -617,7 +617,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 82bbfa32d6..10460c1c57 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -437,6 +437,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 11fbb7ac68..2ab2f5fc52 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,11 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -534,14 +532,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 13d32feb96..435cb8d661 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -650,10 +650,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -664,9 +666,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333332.1596204 (Exim 4.92) (envelope-from ) id 1wWwbh-0001Xu-Bm; Tue, 09 Jun 2026 13:35:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333332.1596204; Tue, 09 Jun 2026 13:35:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbh-0001Xl-94; Tue, 09 Jun 2026 13:35:05 +0000 Received: by outflank-mailman (input) for mailman id 1333332; Tue, 09 Jun 2026 13:35:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbf-0001Xe-T1 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwbg-001ghp-0T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwbf-00E71E-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GjBww1CUuhpajw6JOaYHRE9UM5bdXRl1IZqDv0+hOds=; b=XWijQw8wi9vbFCgJG+lB9f6X4H 5mwFWYVFvmiq1rFbLR6IwBrDBdLG7g0ur1U3l7WGeQYW4klPKOfLu8R+49gnG/4JM1eykmUagsV2f aXl5xGm+b/8yCr5m0jW2Z6OY3zMwhDBNAkxx8mxs4Gbj3sr2J7KV1D2YfDUd4RrJAuws=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:35:03 +0000 commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 66c6bdf0a3..18c19c4b63 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -237,12 +237,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 10460c1c57..c6c8e0440b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -436,6 +464,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -782,31 +811,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ab2f5fc52..d3d2a29ae4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,7 +170,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -560,7 +562,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -756,7 +758,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 435cb8d661..3338a35c1e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,7 +653,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -662,14 +664,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333333.1596208 (Exim 4.92) (envelope-from ) id 1wWwbr-0001Zw-D4; Tue, 09 Jun 2026 13:35:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333333.1596208; Tue, 09 Jun 2026 13:35:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbr-0001Zm-AP; Tue, 09 Jun 2026 13:35:15 +0000 Received: by outflank-mailman (input) for mailman id 1333333; Tue, 09 Jun 2026 13:35:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwbp-0001Zb-Vm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwbq-001gkD-0l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwbp-00E7BA-30 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5q6mWg9K1tmsuvlPtDaiRdKCdyuKrOvRsd7gk4uoFkQ=; b=O+mD3IxYSW72zT6sgcklL6P0lo 7jsLCBNBPDuDWbZOHdt5JeR0ATTEdxsYjdABBur/BqzCOVaVxpVnWYsVe7NS1OqYjXR0d47s3NnMK QRJ0RqArsSG+I/YDOq2yil/9blE52/fI8ca4bc2tGhkSIFg2ETM38sqUeLSfH+v3l+1Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:35:13 +0000 commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 18c19c4b63..83bf51e498 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -276,10 +276,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c6c8e0440b..4bb4be009b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -464,8 +464,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -784,33 +817,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d3d2a29ae4..d4e3e27ab4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,9 +170,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -555,7 +557,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3338a35c1e..14df9b78d4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,9 +653,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -663,14 +665,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333334.1596214 (Exim 4.92) (envelope-from ) id 1wWwc1-0001cD-Fo; Tue, 09 Jun 2026 13:35:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333334.1596214; Tue, 09 Jun 2026 13:35:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwc1-0001c4-Bl; Tue, 09 Jun 2026 13:35:25 +0000 Received: by outflank-mailman (input) for mailman id 1333334; Tue, 09 Jun 2026 13:35:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwc0-0001bx-2P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwc0-001gkH-12 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwc0-00E7Q4-03 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F6kCjrvYeRpmtP/S9Dk0nQbwGOblavPw+izxl5Y2Bbs=; b=eFBZotCZE54dp+4T2DOauXbTk6 On5uQJQmWCznANAW1EXMgabnkpAMfVpCP8Q7wua8x5dffSJkhNhvL7EIViCJtD1dskIhNXrj65h1v 1gK8+CmWhhZ/XyuqZ5nEXDpuDPPuiH7T9GqJpmQ40g5n2KN2WdYg7VpimVv95wOU0RK4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 13:35:24 +0000 commit b4a7c17146f4363750d26cb2dcee08b480625a3d Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4bb4be009b..d22fa089e1 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index cf0258223f..6f62755af8 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -604,11 +604,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d4e3e27ab4..ed2bcc6521 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -646,13 +646,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } #ifdef CONFIG_VM_EVENT -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { XSM_ASSERT_ACTION(XSM_DM_PRIV); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 2708d5ecba..cce0972f53 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -156,8 +156,6 @@ struct xsm_ops { int (*get_vnumainfo)(struct domain *d); #ifdef CONFIG_VM_EVENT - int (*vm_event_control)(struct domain *d, int mode, int op); - int (*mem_access)(struct domain *d); #endif @@ -651,12 +649,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) } #ifdef CONFIG_VM_EVENT -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { return alternative_call(xsm_ops.mem_access, d); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 9b0eab4bfc..31ee287d68 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -115,8 +115,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .map_gmfn_foreign = xsm_map_gmfn_foreign, #ifdef CONFIG_VM_EVENT - .vm_event_control = xsm_vm_event_control, - .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14df9b78d4..51188f33f3 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -666,7 +666,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -760,9 +759,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1332,11 +1330,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint } #ifdef CONFIG_VM_EVENT -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - static int cf_check flask_mem_access(struct domain *d) { return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__MEM_ACCESS); @@ -1933,8 +1926,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .get_vnumainfo = flask_get_vnumainfo, #ifdef CONFIG_VM_EVENT - .vm_event_control = flask_vm_event_control, - .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333335.1596216 (Exim 4.92) (envelope-from ) id 1wWwcB-0001ef-HA; Tue, 09 Jun 2026 13:35:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333335.1596216; Tue, 09 Jun 2026 13:35:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcB-0001eX-Ee; Tue, 09 Jun 2026 13:35:35 +0000 Received: by outflank-mailman (input) for mailman id 1333335; Tue, 09 Jun 2026 13:35:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcA-0001eR-51 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwcA-001gkL-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwcA-00E7fI-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vrKvhs7Pk6a9LueKreSmTNWdX5pubLbSwyxxW6rY66g=; b=3ew8bEkIxwbbC8SelxnvhWgKx6 wkIRvvsccp5KfcTJ8KinFAw6xREVqT6nFZ6PEB+IJ9T+Xn8oE/oreRNM4x1H610JXpCLNq1d1YQ4A x6AqTjf1t/JYSiUpl/5rF4MR4rVdUYw2/beK1b3KL746lPpxxaOLTH8qsytSmmdTWwf4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 13:35:34 +0000 commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 2396f81ad5..92bd7d7f26 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -747,7 +747,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d22fa089e1..d28626b4ca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -526,9 +526,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ed2bcc6521..19e39d9c7d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cce0972f53..31bbbc1597 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,7 +61,7 @@ struct xsm_ops { int (*sysctl_scheduler_op)(int op); #endif int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -258,9 +258,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 51188f33f3..086d4c81db 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -634,10 +634,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -647,7 +646,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -822,7 +822,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333336.1596220 (Exim 4.92) (envelope-from ) id 1wWwcL-0001gl-Io; Tue, 09 Jun 2026 13:35:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333336.1596220; Tue, 09 Jun 2026 13:35:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcL-0001gc-Fx; Tue, 09 Jun 2026 13:35:45 +0000 Received: by outflank-mailman (input) for mailman id 1333336; Tue, 09 Jun 2026 13:35:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcK-0001gV-83 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwcK-001gkS-1b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwcK-00E7vW-0d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1AJV/qWUAekeMWMpU57fs81pqSuQYbcAN83f54e3atA=; b=iv3EOkzgZPMNKhvcq2Z5UlbG17 mBp8b0BXKrxPY0Qz6bRwZ6RLXW6WSLBDQnsqlaJfM4FMma1hxSiMqN5GaaZBalJ2oPYKxLWZT7PSP sR5Mtw1oh/3p+ZrvS7B6jSj0mAzPIhW7w5CmIvwCWjGncMSvdw0bKCR7yTrNAIP+95E0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 13:35:44 +0000 commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index a65d49a442..cf7c4e7a8a 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2072,10 +2072,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 19e39d9c7d..19e1283d55 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 31bbbc1597..266af2c7ba 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); #ifdef CONFIG_SYSCTL int (*sysctl_scheduler_op)(int op); #endif @@ -238,12 +237,6 @@ static inline int xsm_get_domain_state(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_domain_state, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - #ifdef CONFIG_SYSCTL static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 31ee287d68..b49bd96ef1 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = xsm_sysctl_scheduler_op, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 086d4c81db..d344338fc6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -576,7 +576,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -664,7 +664,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -712,6 +711,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1847,7 +1849,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = flask_sysctl_scheduler_op, #endif -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:35:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:35:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333337.1596224 (Exim 4.92) (envelope-from ) id 1wWwcV-0001kJ-Jy; Tue, 09 Jun 2026 13:35:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333337.1596224; Tue, 09 Jun 2026 13:35:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcV-0001kA-HL; Tue, 09 Jun 2026 13:35:55 +0000 Received: by outflank-mailman (input) for mailman id 1333337; Tue, 09 Jun 2026 13:35:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcU-0001jl-Aq for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwcU-001gkW-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwcU-00E8Dx-0u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:35:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M4sGzgplyush3/6zVtoE6ruX3nTumIviyOPonlBEWP0=; b=vVPCQNyJEAXdF1+HeB0ybI8nDa Ryv6JJEQj8koOUOrQUPDBhVVDUp4IYvrcOqlu0IuUThJyUmbGsonvWH2or0jPXCtgYbH2PF3kLKOB 0aC6njMqi7V11L+MraCMEZx8l75DvId34iVOfGMg/j81NUDNC6J8n3Uoc2EGZcx8I1Zk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 13:35:54 +0000 commit d9d2758622422a4db0498a74c3dfd1c8168a8154 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 92bd7d7f26..1a58228086 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -689,10 +689,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 19e1283d55..1dde2cd5c6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -675,13 +675,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 266af2c7ba..dfff432ff1 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -170,7 +170,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -673,12 +672,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index b49bd96ef1..cfa83380e6 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -128,7 +128,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d344338fc6..a7075f742b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -39,6 +39,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -666,10 +667,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -754,6 +751,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1566,7 +1568,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1960,7 +1962,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333338.1596228 (Exim 4.92) (envelope-from ) id 1wWwcf-0001mU-LE; Tue, 09 Jun 2026 13:36:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333338.1596228; Tue, 09 Jun 2026 13:36:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcf-0001mN-If; Tue, 09 Jun 2026 13:36:05 +0000 Received: by outflank-mailman (input) for mailman id 1333338; Tue, 09 Jun 2026 13:36:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwce-0001mG-Dg for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwce-001gkt-2B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwce-00E8Ps-1C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NUngkScNobhk+LsPGvMKkBUC8d224nrBQbOGJ1j1s6o=; b=vTNIzqZVyOm1EtD8R7kurzXN3g 2mdvPS7aNLAONuk4Jgt2gKZdJrIOZIu3dTdMpDufWeYzlaORk/w+FDrC+dgmMUiKgIexSEjqY11EC EeR+ByL1154Uf5UgYlUtnZ97sdKeGPiCg4GwPreg/dYj1IvIBUa3mCX+0p/ROevQ/wsw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:36:04 +0000 commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d28626b4ca..a9816b2e58 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -513,6 +513,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -923,7 +927,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 464bb0fee4..7991a0f91b 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1703,7 +1703,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1773,7 +1773,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1dde2cd5c6..ca010387b1 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -394,7 +395,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a7075f742b..14347ae2fd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -653,6 +653,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -672,7 +673,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333339.1596231 (Exim 4.92) (envelope-from ) id 1wWwcp-0001pe-Mv; Tue, 09 Jun 2026 13:36:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333339.1596231; Tue, 09 Jun 2026 13:36:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcp-0001pW-K8; Tue, 09 Jun 2026 13:36:15 +0000 Received: by outflank-mailman (input) for mailman id 1333339; Tue, 09 Jun 2026 13:36:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwco-0001pQ-Gx for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwco-001glG-2U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwco-00E8Zt-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tpxAAiww40sa6JFZcNPbGccvW6oqkeJMACa//vQ0nGg=; b=FBBemYtXIH0Lhr82MOanuAQBtS xOcLM8AQIXrmosiNa2NgVd/jqNxNCIWxaBVkiciDvGDHLXD4VcC83348UP7jEegyyNjYW6soedUry IvKGvHJFb73tNPoetkLJJTVOQYyLPT8qO+ktnZouhhrteyS4uwTNvzipCYPPXoeeoFVc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 13:36:14 +0000 commit eab54f074f17c134fa6fa780f672393066e7b631 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a9816b2e58..200b5b3669 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -325,6 +325,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -332,6 +336,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index f5850a2607..ab1e07ac99 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -340,15 +340,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -396,15 +396,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7991a0f91b..d37ceb7b6c 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1823,10 +1823,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1868,10 +1864,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 23124547f3..cdf350a290 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -575,7 +575,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ca010387b1..81d9a7ba3b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -398,40 +398,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index dfff432ff1..fb622c62ce 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -122,13 +122,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -526,35 +519,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cfa83380e6..6c17bbff3a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -79,13 +79,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14347ae2fd..fe75412f5e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -44,6 +44,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -667,16 +678,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -756,6 +757,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1379,7 +1423,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1409,7 +1453,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1441,7 +1485,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1471,7 +1515,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1950,13 +1994,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333340.1596236 (Exim 4.92) (envelope-from ) id 1wWwcz-0001sP-PP; Tue, 09 Jun 2026 13:36:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333340.1596236; Tue, 09 Jun 2026 13:36:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcz-0001sH-Mu; Tue, 09 Jun 2026 13:36:25 +0000 Received: by outflank-mailman (input) for mailman id 1333340; Tue, 09 Jun 2026 13:36:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwcy-0001s9-JO for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwcy-001glO-2k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwcy-00E8tt-1m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=H1n0EOnIizJdeoyzLDBcdhGSs7oC3JJ65mpQXv8cna8=; b=yMIRtVL5xzicF/FCn2mo4ZfMvB 9g5I6EoKvEREB7RLKiTAHGRS6HZL6WVzTigr2aD3/Zn5OmOj6XvY9H0gDzOi+pHmVrRJFfutRiDY2 FYX/4mc21i/TiChvHDiOIzFMGJOmqauNzGOLFCzj97o8ZBxquMWJTpCa6RTcD3sNOo+Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 13:36:24 +0000 commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6 Author: Jan Beulich AuthorDate: Thu Jun 4 20:20:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 200b5b3669..3efa5b9d55 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -505,6 +505,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -849,36 +873,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 81d9a7ba3b..36369da963 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -170,6 +170,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index fe75412f5e..cc799273f5 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -672,14 +672,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333341.1596240 (Exim 4.92) (envelope-from ) id 1wWwd9-0001uN-R9; Tue, 09 Jun 2026 13:36:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333341.1596240; Tue, 09 Jun 2026 13:36:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwd9-0001uF-OF; Tue, 09 Jun 2026 13:36:35 +0000 Received: by outflank-mailman (input) for mailman id 1333341; Tue, 09 Jun 2026 13:36:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwd8-0001u9-Lm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwd8-001glS-2z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwd8-00E95Q-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yJuba1a7LHjr1e0yJFVDH/yolZfXErOERCZmQRlQI/Y=; b=fe7siqm74FGON94zyJed7hVZhh wFUGJDnD77rAca2hvseqtFtDdjTEGAf9bH6GgtV7Scp0b41eATl0kqdO9uyCz9xzYrNUVfiDIV/F5 79PtvHp6REa58sxZGqTJ/H3zmlh6mngeQ3s6XyfpzSjrK12ph/H9BjFFDDgGjM/W2aG4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 13:36:34 +0000 commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 895d7cd502..9e2b6bd597 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333342.1596244 (Exim 4.92) (envelope-from ) id 1wWwdK-0001xV-SH; Tue, 09 Jun 2026 13:36:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333342.1596244; Tue, 09 Jun 2026 13:36:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdK-0001xL-Pa; Tue, 09 Jun 2026 13:36:46 +0000 Received: by outflank-mailman (input) for mailman id 1333342; Tue, 09 Jun 2026 13:36:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdI-0001w8-Ob for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwdJ-001glW-02 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwdI-00E9DD-2H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uXZlI96ayqMmaqEgV2xgJT2VWj3bUIHIV2O6Z9tAciE=; b=ovasBNuZbdD/J04eayDVuKt2MI UGQZMh1ayhQqB4cwoCONRQcmN0EZ/NeG9W1fvuD/Dazd7D1rL+jOzCENScMg5Qz3fveL7rgKdaJkp I0ZQfAiOHDKyIEOzQ7YkdP8fUUIOvM96By6rp0h8xF5P+nOhK7jiC6DdWmyPhBEGc3Dg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 13:36:44 +0000 commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 9e2b6bd597..955cb1a8a7 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:36:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:36:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333343.1596247 (Exim 4.92) (envelope-from ) id 1wWwdU-0001zP-TS; Tue, 09 Jun 2026 13:36:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333343.1596247; Tue, 09 Jun 2026 13:36:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdU-0001zH-Qs; Tue, 09 Jun 2026 13:36:56 +0000 Received: by outflank-mailman (input) for mailman id 1333343; Tue, 09 Jun 2026 13:36:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdS-0001z9-RG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwdT-001gli-0I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwdS-00E9RF-2X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:36:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Hh/mR+AzEiV/hr62G9z3fFSroam+XitDVjJWkkgYXBY=; b=0GL40MUNPGFbJHhrM80zRfShgm tvZF0KNGYOc3gmTvVlPsXe/UlmC2u930kRHFG7PYfvsXRgWBicWfcQtszbbVzvidApfuVLpUiKavd pNWk5+ndpUUDvl+uQJzSMclsKYwIJJ6GaXtd6xJL1L/XjE3N1/Lmiu8ONeRPnvu988a8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 13:36:54 +0000 commit 0315d10321518beb24c41bb595e9197cadec0693 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 955cb1a8a7..a3753c317f 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:37:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:37:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333344.1596252 (Exim 4.92) (envelope-from ) id 1wWwde-00022Z-Up; Tue, 09 Jun 2026 13:37:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333344.1596252; Tue, 09 Jun 2026 13:37:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwde-00022R-S9; Tue, 09 Jun 2026 13:37:06 +0000 Received: by outflank-mailman (input) for mailman id 1333344; Tue, 09 Jun 2026 13:37:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdc-00022E-Tu for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwdd-001glx-0Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwdc-00E9bj-2o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hWLW7r9iDQoeRv+HPK2vks0jCEJ7oFO5XHOq4m/28lI=; b=UAq27HqzAdG0Kx570kpn1j8b23 skssi0pKt8Qqm3jMRhXcvrX0fjmPwn+bcN0keE9wwHN1ieLk3LnNH/h2UJyWXtOrJWYZvJsLJGr6x oBJ8ugBZ7b2/zgZuITMyB8x/AOu8dW27dJcFj9aefKA9/ugwdyAUB1WI7GOTnSgMNwfY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 13:37:04 +0000 commit 161e8f61b5b0f2c205072c7bc699bfc37653999f Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 79622b46a1..5fa89fcb24 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -468,6 +468,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 13:37:17 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 13:37:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333345.1596255 (Exim 4.92) (envelope-from ) id 1wWwdo-00024Y-W8; Tue, 09 Jun 2026 13:37:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333345.1596255; Tue, 09 Jun 2026 13:37:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdo-00024Q-TW; Tue, 09 Jun 2026 13:37:16 +0000 Received: by outflank-mailman (input) for mailman id 1333345; Tue, 09 Jun 2026 13:37:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwdn-00024I-1N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwdn-001gmN-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwdm-00E9ia-3C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 13:37:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JtdBYjLcNNnQSkb1X1spZhz/yzOKolsvmP1N7BTdfqg=; b=4nR5kphg8x5ZWN8k3SJ27I8nz4 Z6iIoFUCvxVaFSs7cc7LXp2eeNYE7mX7fQnLcp17vaU4SDNGJ/ZOdV1jc3myxdWwt8xcMTVk+eicC v3iv19pS0XIGCqJ4nNl4Lv8TVxtdIwmDUgVlbeFSpJ7ul/b2LpwM8vTrHa1UfWAf4VB0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 13:37:14 +0000 commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 12:45:56 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 23721bb52c..5e2ed50ec9 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -104,7 +104,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -148,6 +150,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 385a6666da..e0ce8b4c39 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -90,7 +90,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index 7bcbca2b7f..345677eb72 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -104,7 +104,7 @@ static inline void invlpg(const void *p) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index c37bd7a176..8ca6799a81 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -329,6 +329,9 @@ DECLARE_PER_CPU(struct tss_page, tss_page); DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* PAUSE (encoding: REP NOP) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index a158379e77..bb4ba0afe2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -535,7 +535,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -543,7 +543,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 12d8ba744a..ddeb144b06 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -831,8 +831,7 @@ static int __init dom0_construct(const struct boot_domain *bd) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -841,8 +840,7 @@ static int __init dom0_construct(const struct boot_domain *bd) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -853,8 +851,7 @@ static int __init dom0_construct(const struct boot_domain *bd) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -995,8 +992,7 @@ static int __init dom0_construct(const struct boot_domain *bd) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 5027c32e1a..0c42ae58aa 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -457,6 +457,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -479,15 +481,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index ff05955bae..d8fd71ffab 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -1063,6 +1063,7 @@ static int cpu_smpboot_alloc(unsigned int cpu) info->current_vcpu = idle_vcpu[cpu]; /* set_current() */ per_cpu(curr_vcpu, cpu) = idle_vcpu[cpu]; + per_cpu(pgtable_vcpu, cpu) = idle_vcpu[cpu]; gdt = per_cpu(gdt, cpu) ?: alloc_xenheap_pages(0, memflags); if ( gdt == NULL ) diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 9dc8aa538c..f91ba6f740 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 0f1cc765ec..a23fa75e37 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -50,7 +50,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -93,6 +92,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); vcpu_save_fpu(current); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -100,8 +104,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -116,7 +118,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -144,7 +147,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -155,18 +158,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu(curr); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 2e36b01e20..87146172ad 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -40,7 +40,6 @@ extern bool efi_secure_boot; void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_reset_system(bool warm); #ifndef COMPAT -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:11 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333350.1596259 (Exim 4.92) (envelope-from ) id 1wWwzr-0006xw-KD; Tue, 09 Jun 2026 14:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333350.1596259; Tue, 09 Jun 2026 14:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwzr-0006xd-Hh; Tue, 09 Jun 2026 14:00:03 +0000 Received: by outflank-mailman (input) for mailman id 1333350; Tue, 09 Jun 2026 14:00:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWwzq-0006kE-JF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWwzq-001hEE-2Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWwzq-00Eecm-1X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=enftOqn3njgvTUkA++ULRDMwYaNKVjKt/bYGRakB/Kw=; b=nTKJSCafdh95moeoWjxWXlLUTe pbC/9zMdMByTWS2slri9aujxqlIY96Nhmp8aKOlRCYt5ZA7ihekGfqilFI+OkMYKG/FPMLVeuL9oM uXooH9Uoxf1prGDXVxhLqbTLDGLMxEh/MMUWW4MFZ3ENvhZNSh8aRpK5v/irznR/QAB0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 14:00:02 +0000 commit 1b251cc02a24ed6e5ffdd71bc3f142f9a53551c3 Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7974ac4e82..e85d1fea7a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,9 +20,6 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS - - local: 'automation/gitlab-ci/analyze.yaml' - rules: - - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333351.1596263 (Exim 4.92) (envelope-from ) id 1wWx01-0007c8-LU; Tue, 09 Jun 2026 14:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333351.1596263; Tue, 09 Jun 2026 14:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx01-0007c1-J0; Tue, 09 Jun 2026 14:00:13 +0000 Received: by outflank-mailman (input) for mailman id 1333351; Tue, 09 Jun 2026 14:00:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx00-0007bq-LP for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx00-001hGB-2u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx00-00EerL-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EVCtP4BRqpV9aZfkbwPIVBE3C7uan+Hjkn0d0ck8/CI=; b=TgHcLVV/fxoNOpOYfKLx0bhkYa H01KaG1M13mSyqX0rpxIrkrPseCBI9rrhimYfbbhAZ5SpjNod0caprHt1x+PCD/n1xgjBRhpKr/rt z1Si1PGQq4ANrkqrlhtlB1BiBYE8aPSHtKcsgUpQQQ4sMPONLtNq9rBgz1AoUU7QPkYA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 14:00:12 +0000 commit 4ac1fc0c45b52ebbe9ad7ca1e39f949a431b43f6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:21 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 6153e3c07e..276049b044 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -663,6 +663,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -684,11 +685,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -697,6 +701,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -704,6 +710,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 2af4f30359..3a7976729b 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -160,7 +160,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 0c60faa39d..4fe1c5fa16 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -610,6 +610,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index 23a5ea0e61..912e55d416 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -143,36 +143,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -189,6 +209,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -196,9 +218,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -215,6 +243,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 924af890c5..87586b05c6 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333352.1596268 (Exim 4.92) (envelope-from ) id 1wWx0B-0007ek-NC; Tue, 09 Jun 2026 14:00:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333352.1596268; Tue, 09 Jun 2026 14:00:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0B-0007ec-KQ; Tue, 09 Jun 2026 14:00:23 +0000 Received: by outflank-mailman (input) for mailman id 1333352; Tue, 09 Jun 2026 14:00:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0A-0007eU-OD for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0A-001hGc-3D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0A-00Ef5v-2C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lz3qtiyCWrxnzDoTDT72BS3bolMzAi/vCbGLTdagxcs=; b=1DDOJka0MpxAR6IWs1FBaB6EH5 4+qrtTH75vBpGKD4wS0/N/WUOWfoQUSTXPv5oR4wXW83FAaZDBL4VZmu3GKbcCnTlIzqYzJFeSv9I U9zDl8Eqw9MppFN5+x+Lqb3tmJtDU+xuS96sIENQ2xZ0QCmmVbGwe3UhbVQTZ98KHCiI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 14:00:22 +0000 commit 8d2ffa5ba842a9a667157cacc7fe1d5aad3fe53e Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 2ab4313517..adfdddde15 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -281,13 +281,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -307,30 +312,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 610f3d4c0d..d867fa5745 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -198,7 +199,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -210,6 +210,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333353.1596271 (Exim 4.92) (envelope-from ) id 1wWx0L-0007ho-OY; Tue, 09 Jun 2026 14:00:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333353.1596271; Tue, 09 Jun 2026 14:00:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0L-0007hh-M5; Tue, 09 Jun 2026 14:00:33 +0000 Received: by outflank-mailman (input) for mailman id 1333353; Tue, 09 Jun 2026 14:00:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0K-0007hb-R2 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0L-001hGg-0H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0K-00EfHI-2V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YuZ8NJ9H4ahACmuRX3AfQJT2FjJt0R4HKDLLu5ES5To=; b=HFsaEzEp6MWxSBycZ3YzuD1vx/ pn3GQzYBzddlEwbbgnZorSd33k5baBWWN+Z10rpIRpp0tb5sKLScmIQ9rmnl/jG2R4n2K4Dm/mH8e 4jTH5i4KI0lm5k/uV9AqYQ3bE1KIcdl9o8/QdeiHy6r3GgohMvluJGBaqmYyG1uPJnoI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:00:32 +0000 commit 1874bf7927674575d87eb13b5fd3476b02d4238d Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 6 +++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 21bbffdc40..48be3ec58a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -516,17 +536,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 12792c3a43..dcdfa79137 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,9 +172,13 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: return xsm_default_action(XSM_XS_PRIV, current->domain, d); + + case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b0308e1b26..529de9d7f5 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,8 +682,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333354.1596276 (Exim 4.92) (envelope-from ) id 1wWx0V-0007kK-Rr; Tue, 09 Jun 2026 14:00:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333354.1596276; Tue, 09 Jun 2026 14:00:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0V-0007kC-P5; Tue, 09 Jun 2026 14:00:43 +0000 Received: by outflank-mailman (input) for mailman id 1333354; Tue, 09 Jun 2026 14:00:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0U-0007k5-VX for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0V-001hGn-0g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0U-00EfUs-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XECuyEVs3AIYSUORobOzMoPB/30UxfI6V1Ii1uw0t+0=; b=2AijCrjtAa5Kb0ewWQAKDP6lwh 5WwxqQlCVxvS+FxH76DN8DRLJhs/cQwaO5qcEJc8s4qt5t3A3AZVbswicOeH1Ht/TR5Hypa52mmGX XG63470KmQMNyDhwXGVB+Hv08cRgwqsE0k5kOpw30uWwyQDsU0ExRhpKwS2bvwag7p7I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: protect locking for get_domain_state Message-Id: Date: Tue, 09 Jun 2026 14:00:42 +0000 commit e772f8d428bd7f2c094df6704ec392f949f55e10 Author: Daniel P. Smith AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: protect locking for get_domain_state When DOMID_INVALID is passed, the dom exec handler lock is being taken without any check that the domain is even allowed to take the lock. This allows for an unauthorized domain to DoS the get_domain_state domctl op. Move to consider the op effectively being called against the hypervisor. Thus it is the target of the call being invoked to identify the last domain with a state change. The subsequent check of whether the source domain is allowed the state of the last domain to change state is still relevant. This is part of XSA-492. Signed-off-by: Daniel P. Smith Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 5154fdda1124ae76e6a5efc124227790d81046ab) --- tools/flask/policy/modules/xenstore.te | 1 + xen/common/domain.c | 6 +----- xen/common/domctl.c | 14 +++++++++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/modules/xenstore.te index 776c274869..12549f5482 100644 --- a/tools/flask/policy/modules/xenstore.te +++ b/tools/flask/policy/modules/xenstore.te @@ -14,6 +14,7 @@ allow xenstore_t xen_t:xen writeconsole; # Xenstore queries domaininfo on all domains allow xenstore_t domain_type:domain getdomaininfo; allow xenstore_t domain_type:domain2 get_domain_state; +allow xenstore_t domxen_t:domain2 get_domain_state; # As a shortcut, the following 3 rules are used instead of adding a domain_comms # rule between xenstore_t and every domain type that talks to xenstore diff --git a/xen/common/domain.c b/xen/common/domain.c index 88db82d187..dfeb6c7558 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -216,12 +216,8 @@ int get_domain_state(struct xen_domctl_get_domain_state *info, struct domain *d, if ( info->pad0 ) return -EINVAL; - if ( d ) + if ( d != dom_xen ) { - rc = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( rc ) - return rc; - set_domain_state_info(info, d); return 0; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 48be3ec58a..9fe097cc71 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -304,13 +304,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) fallthrough; case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: if ( op->domain == DOMID_INVALID ) { d = NULL; break; } fallthrough; + case XEN_DOMCTL_get_domain_state: + if ( op->domain == DOMID_INVALID ) + { + d = dom_xen; + break; + } + fallthrough; default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) @@ -863,7 +869,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_get_domain_state: - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; break; @@ -876,7 +884,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); domctl_out_unlock_domonly: - if ( d && d != dom_io ) + if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); if ( copyback && __copy_to_guest(u_domctl, op, 1) ) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:00:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:00:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333355.1596280 (Exim 4.92) (envelope-from ) id 1wWx0f-0007mH-T4; Tue, 09 Jun 2026 14:00:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333355.1596280; Tue, 09 Jun 2026 14:00:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0f-0007m9-QV; Tue, 09 Jun 2026 14:00:53 +0000 Received: by outflank-mailman (input) for mailman id 1333355; Tue, 09 Jun 2026 14:00:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0f-0007ly-1r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0f-001hGr-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0e-00Efen-3C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:00:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=i7O5toxxVqn9of75tgAlYExJm0c4nzCcCsF/hOzNr0w=; b=MIygerleKcrXOFdMoSDDZZcScj TxjsW6dgLhnUKVhYx2Ju/qnHUTaHKp3rEbuLpwoVJbwV7532ec4bhu9/95pWNkHxksYbLgZnWreWW 7Rmryxr+j7GPfrs0mHGIhbDWvUIKxT6Pg6kRwLkeII/5HOkHrj33t12O5lPz6p8pk778=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:00:52 +0000 commit 7dff06d83cef9dba3780771eaac720c3c34f1877 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_get_domain_state without acquiring domctl lock get_domain_state() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Fixes: 3ad3df1bd0aa ("xen: add new domctl get_domain_state") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eedff4bcd3d1314f098c2a151d4bb8a90c0f1820) --- xen/common/domctl.c | 16 ++++++++-------- xen/include/xsm/dummy.h | 3 +-- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 9fe097cc71..509347822c 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -339,6 +339,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_get_domain_state: + ret = xsm_get_domain_state(XSM_XS_PRIV, d); + if ( !ret ) + ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; @@ -868,14 +876,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EOPNOTSUPP; break; - case XEN_DOMCTL_get_domain_state: - ret = xsm_get_domain_state(XSM_XS_PRIV, d); - if ( !ret ) - ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); - if ( !ret ) - copyback = true; - break; - default: ret = arch_do_domctl(op, d, u_domctl); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dcdfa79137..561b078419 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,10 +172,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_get_domain_state: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 529de9d7f5..094cb7691f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_domain_state: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -694,7 +695,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - case XEN_DOMCTL_get_domain_state: /* These have individual XSM hooks (arch/../domctl.c) */ case XEN_DOMCTL_bind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333356.1596284 (Exim 4.92) (envelope-from ) id 1wWx0p-0007pN-Ue; Tue, 09 Jun 2026 14:01:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333356.1596284; Tue, 09 Jun 2026 14:01:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0p-0007pD-S0; Tue, 09 Jun 2026 14:01:03 +0000 Received: by outflank-mailman (input) for mailman id 1333356; Tue, 09 Jun 2026 14:01:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0p-0007o1-6z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0p-001hH6-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0p-00Efv1-0I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6xsTasBSuEyctM2z59LkVJbvRnamD4UuAG9xk9BIaFo=; b=1x+PWz73X0zkYX1p/Rp+BhTKgJ 8fOm5p7M6MctiaSKrAUyDb9fpxfo/Eywznq6bVVYDftwIw/+j7VOi12Qf3MeyDkuuadp09xNxNuEI Wo+BH66LA5ykBHQretB0boT+1YRSQwsPtgZBrBcBIzSyXKd5nVhV/C7roqO7Lv0sPak4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:01:03 +0000 commit 06ca3bef324ad44daa5691ab1d98f874325aed22 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index dfeb6c7558..69fe1debcc 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -518,10 +518,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -873,6 +878,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 509347822c..ba3667c4ca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -267,6 +267,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + static bool is_stable_domctl(uint32_t cmd) { return cmd == XEN_DOMCTL_get_domain_state; @@ -687,6 +716,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -695,6 +726,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -719,19 +752,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -755,6 +784,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index d867fa5745..f42fcaf20e 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -536,6 +536,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333357.1596288 (Exim 4.92) (envelope-from ) id 1wWx0z-0007rM-Vy; Tue, 09 Jun 2026 14:01:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333357.1596288; Tue, 09 Jun 2026 14:01:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0z-0007rE-TO; Tue, 09 Jun 2026 14:01:13 +0000 Received: by outflank-mailman (input) for mailman id 1333357; Tue, 09 Jun 2026 14:01:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx0z-0007r6-A1 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx0z-001hHA-1n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx0z-00EgAn-0c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tCGBL33f1cptjiPNctHexbHVKwAKTvVUe1wwblyruOA=; b=WCSkWiy8KVJGMB7CtHTQIhdC8x rcJwtTVE+kCC12IEym/t85DinNU1JWq7IWjEyyxV6JLCDwmi5ns0aJiiZ/cVAwtj3rT2QszlZt/4f 9kOdgPHxvPpyTZKKoyhlNxMMU7v/tMIzHNFOJZgsAK5iFd0Dh1h684kovXiQBoIQlg6c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:01:13 +0000 commit ab63ab56c7e1703dd5d0e796e464a587787239b8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 276049b044..ee46ed5546 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -233,6 +233,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -242,6 +244,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -648,16 +652,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -718,6 +719,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 7f264debc9..f4e06b2ad8 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2339,9 +2339,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333358.1596292 (Exim 4.92) (envelope-from ) id 1wWx1A-0007tj-12; Tue, 09 Jun 2026 14:01:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333358.1596292; Tue, 09 Jun 2026 14:01:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx19-0007tb-Ul; Tue, 09 Jun 2026 14:01:23 +0000 Received: by outflank-mailman (input) for mailman id 1333358; Tue, 09 Jun 2026 14:01:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx19-0007tU-Cr for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx19-001hHb-25 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx19-00EgLl-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iCNxz17agp5ge3sa2uho1MNE06C/9VA2bIe9wP/47t4=; b=ieldB4gXwZR1kj8dw1n82UdD4x pLXslMhoqX7qNipis3ezy7K5eCUQrZfQmVdkkCBnwmTHVLetakGk9k76M/e9/s95vIBgM/zvTSEcj NCD36XTWJd2ESpSXb4Js+ggYmtpAOoRI96mXfgya3ZnXLAWHY7/raJIIsIP8qMONB0do=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:01:23 +0000 commit b9aebf736d53df5d7190b88e813c70b454ca7640 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index ee46ed5546..bf8740c2d3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -267,16 +267,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -579,20 +580,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -605,23 +613,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ba3667c4ca..74934245a0 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -695,6 +695,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -702,6 +705,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333359.1596296 (Exim 4.92) (envelope-from ) id 1wWx1K-0007wA-3h; Tue, 09 Jun 2026 14:01:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333359.1596296; Tue, 09 Jun 2026 14:01:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1K-0007w2-17; Tue, 09 Jun 2026 14:01:34 +0000 Received: by outflank-mailman (input) for mailman id 1333359; Tue, 09 Jun 2026 14:01:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1J-0007vw-Fy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx1J-001hHf-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx1J-00EgYj-1O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ASVFvHN8ZWSirllC/ykp4f/Xnz21Lb+EZB2SOHSb0g0=; b=QEe56Pxvnt3f1RM1rNfU2kOMos 40HMCJGXlzeUtgj78cfmuiJ2ieTlG5dMgvuqY21T3mNjw/w0skhGBdM8VZC7SqAEzK0TgPc9ynK3G EgaJhnQw7+bE79+K/b3Jd1G50ysEnVJJ8JoghwyERHlhSQSoq2MK0l44VNA75z3JODiM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 14:01:33 +0000 commit a0e384c64d1149a3048e3ab5031f3057e589358b Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index a3e8d0ec82..9fdd8c4874 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 561b078419..3a83392d15 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -580,6 +580,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 9a23d2827c..73b58f9ee3 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -118,6 +118,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -523,6 +525,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 8b7e01b506..c7d030768a 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -76,6 +76,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 094cb7691f..19f1451d0a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1950,6 +1950,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333360.1596300 (Exim 4.92) (envelope-from ) id 1wWx1V-0007yE-50; Tue, 09 Jun 2026 14:01:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333360.1596300; Tue, 09 Jun 2026 14:01:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1V-0007y6-2T; Tue, 09 Jun 2026 14:01:45 +0000 Received: by outflank-mailman (input) for mailman id 1333360; Tue, 09 Jun 2026 14:01:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1T-0007xy-It for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx1T-001hHj-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx1T-00Egof-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yUOkHih1jihCfR4957z1rhu78P4K5THnRjvrwWIMv3o=; b=w72bjWLhxlqVAyBPOZn74yDJvI VRzB2lOIjQaCR4GKOvae95gxR0ysWbdcu/zYSfiiyCOBC4DheSCErDQsdUlpPfO0XSmxYs+WmAA8H uKZQqRn+cquFq9VEzNQlDyCZpy2VqcQGGB3SyxqfA2BcmQ9LOO5/ZhaAORHgxny5e4GA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:01:43 +0000 commit d08d614d9c65bf65255d8be09139933d104945d6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 74934245a0..301b9bc970 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -736,64 +796,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3a83392d15..c2475aa128 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,13 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -576,7 +576,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 19f1451d0a..c7d3f28492 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -685,6 +685,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:01:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:01:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333361.1596304 (Exim 4.92) (envelope-from ) id 1wWx1f-00080D-6R; Tue, 09 Jun 2026 14:01:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333361.1596304; Tue, 09 Jun 2026 14:01:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1f-000805-3o; Tue, 09 Jun 2026 14:01:55 +0000 Received: by outflank-mailman (input) for mailman id 1333361; Tue, 09 Jun 2026 14:01:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1d-0007zw-LQ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx1d-001hHo-2x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx1d-00Eh6a-1y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:01:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QwGTYwAwqNOFka8S34WWs8I5yYB5OKjo45DkwwaJ6EU=; b=th/ORY+4MTowWYCrZiZQRcq7FX VCuKD2fTSKW+jn/gLA2SorzqJKdcbWIrlDyu3USkMV//l6XMivPY+rdfxZLrCn3WJkx1IaIUptvok jeLNSx3TQyEWHR8MEzRwnbBPHtpfjgUPU9U8hBKoIOYjqPSRPRtQTgm6AY1y+o17U8RI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:01:53 +0000 commit 15f385cd5bf94d8b28113553d45c031dde5e39af Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index bf8740c2d3..3fb2989126 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -663,12 +663,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 301b9bc970..858e72a05a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,6 +436,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c2475aa128..e4ae29e88d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,13 +167,13 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -772,7 +772,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c7d3f28492..f094e05640 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -685,6 +685,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -703,7 +704,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333362.1596308 (Exim 4.92) (envelope-from ) id 1wWx1p-00082D-8L; Tue, 09 Jun 2026 14:02:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333362.1596308; Tue, 09 Jun 2026 14:02:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1p-000826-5M; Tue, 09 Jun 2026 14:02:05 +0000 Received: by outflank-mailman (input) for mailman id 1333362; Tue, 09 Jun 2026 14:02:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1n-00081w-OR for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx1o-001hI7-01 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx1n-00EhJ4-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=i8ZsKbjPUUmXfHjB6T7HFfjpnt/QqdVN3SALdhu9ha4=; b=wD7xT0wS8YdqnG1QJvaAJntnMy mXPofq5HSJyQFz96aG0cfQzLjfrtIQODoqlu4DNB7WKlINXRBm5LWlRriQ7hWQwQLIO3Fz/JNLqp0 6pWO28QeE/3MdH7O0UR/sGTYO1WZV1MVhjdiB/8OmcZHlyr5ALWhdLJXUFPbNdnn0Wek=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:02:03 +0000 commit 7073cc4de69235623e596e79deb80705e08e4329 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 3fb2989126..9f8e8de5b5 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -575,7 +575,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -613,7 +613,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 858e72a05a..a5359f3814 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -437,6 +437,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index e4ae29e88d..dfff3b52b3 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,13 +168,11 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -541,14 +539,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f094e05640..a5280e3334 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,10 +683,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -697,9 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333363.1596311 (Exim 4.92) (envelope-from ) id 1wWx1z-00084m-B4; Tue, 09 Jun 2026 14:02:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333363.1596311; Tue, 09 Jun 2026 14:02:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1z-00084e-8R; Tue, 09 Jun 2026 14:02:15 +0000 Received: by outflank-mailman (input) for mailman id 1333363; Tue, 09 Jun 2026 14:02:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx1x-00084T-RY for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx1y-001hIB-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx1x-00EhVF-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4j2CGzq4VWB2IUz3idqq8VIEN9J7lJHay9eYYRSCOCI=; b=4GQtVq21RO/+9tLl7sCbx8EgTM Pgnyzti4ogY5FLDYJP9tkAOx3DydLeUTMSB9bftoVbfxcNJDOXKTQHRJAmnSxQBd2q2IQ7s6CHcXH wULSOUKPIxXxg5XZNpw81hvAihJKk/k1eWyK+whID27eck8ik9VkThD6nBghpXVzpK9Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:02:13 +0000 commit 3941b2ceb0131a0dc99a9779ff438d309445ca3a Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 9f8e8de5b5..f030bc91c0 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -233,12 +233,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a5359f3814..9ebf28fda6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -376,6 +376,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -436,6 +464,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -777,31 +806,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dfff3b52b3..8499167a36 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,7 +170,9 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -567,7 +569,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -763,7 +765,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a5280e3334..294d966f87 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,7 +686,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -695,14 +697,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333364.1596317 (Exim 4.92) (envelope-from ) id 1wWx29-00088B-DT; Tue, 09 Jun 2026 14:02:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333364.1596317; Tue, 09 Jun 2026 14:02:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx29-000883-9t; Tue, 09 Jun 2026 14:02:25 +0000 Received: by outflank-mailman (input) for mailman id 1333364; Tue, 09 Jun 2026 14:02:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx27-00086q-W9 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx28-001hIV-0c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx27-00EhhB-2q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=r0KFSKvILoXYkFPLUDObyIv9IBFMs2h05nJrex7I8j4=; b=e4Ln5n4VTtT87DyjcFe6qAl0H+ 90E76Y81qSGQmFJzY7tGOzZfAJBGDIJ+HiNGHGWijneqIxUTgcINNx6r5dejRV+nFrhyUWEy4xrSX yRHDGvGK1L3aJ1C4vC0w+nFj7QQzoIJ1UNpHdPmUkNeO6ltJZp5eUaS/vLwE5Hf0BGi4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:02:23 +0000 commit f1bbc0077e103f87549c830ec1dba8d2eac92be3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f) --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index f030bc91c0..b8bc0caaf2 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -272,10 +272,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 9ebf28fda6..d8e22210c4 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -464,8 +464,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -779,33 +812,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8499167a36..1289777ffd 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -170,9 +170,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -562,7 +564,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 294d966f87..b6ff190dc6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,9 +686,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_get_domain_state: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -696,14 +698,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333365.1596320 (Exim 4.92) (envelope-from ) id 1wWx2J-0008A8-Dm; Tue, 09 Jun 2026 14:02:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333365.1596320; Tue, 09 Jun 2026 14:02:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2J-0008A0-BC; Tue, 09 Jun 2026 14:02:35 +0000 Received: by outflank-mailman (input) for mailman id 1333365; Tue, 09 Jun 2026 14:02:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2I-00089t-18 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx2I-001hIc-0v for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx2H-00EhuC-39 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9WSgpXco+sYZgy6Ohmtj8NVjTJq9jcND8srLHsMsk9w=; b=yqd/4i75BXz3XxY+51q6cpVRo3 hZGQIG4LG2pZRI/sujeRB2Ds2i1z3RkOoyiZujJwukATFGK2MwC/t3DrSELMQDhTrjP9/MU1JJ2Ct wG2a4qNFkjsr8pS8uHkWOVapHXVm0gZO9g2Ul8hEI6GU6YaEW67/z8F3+manW0p7HKlw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 14:02:33 +0000 commit 619b70fccb0c64c6468e16a3f701fe228a534920 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index d8e22210c4..396874acf2 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index b2787c0108..15eb8bf9b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -603,11 +603,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1289777ffd..f0cba259d7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -652,13 +652,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_VM_EVENT static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 73b58f9ee3..c8b07329ae 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -157,8 +157,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_VM_EVENT int (*mem_access)(struct domain *d); #endif @@ -657,12 +655,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_VM_EVENT static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index c7d030768a..ccdaa924d7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -116,8 +116,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_VM_EVENT .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index b6ff190dc6..1fa0b1a6c7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -793,9 +792,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1368,11 +1366,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_VM_EVENT static int cf_check flask_mem_access(struct domain *d) { @@ -1971,8 +1964,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_VM_EVENT .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333366.1596325 (Exim 4.92) (envelope-from ) id 1wWx2T-0008Dl-GC; Tue, 09 Jun 2026 14:02:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333366.1596325; Tue, 09 Jun 2026 14:02:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2T-0008Db-Ca; Tue, 09 Jun 2026 14:02:45 +0000 Received: by outflank-mailman (input) for mailman id 1333366; Tue, 09 Jun 2026 14:02:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2S-0008DL-41 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx2S-001hIi-1C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx2S-00Ei7S-0D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GasGYu55VEoCVuITwZAiAoyZcIEif7x2rWjJX/VUzzE=; b=pJEXvwrvZLTvMWdW2ae2DvhuK4 EEgSx6RWPc+SqZ4C7oL4An5jUQqxVThYr7IGzprHX6EHBuKPRYCILJTRpQ8rCqVSKnspNyNANbpIM +js/BSE6ssTaDybGcKw5cfARois1XMrVOn+8Zy+c6ScT4yzx9rJyYHOmI8tdDKsZBLKY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 14:02:44 +0000 commit 83f644192726c4ee87977d9135840b67f04d56cd Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 65455a6867..3545ddd1d0 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -735,7 +735,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 396874acf2..7a450c87ff 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -526,9 +526,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f0cba259d7..c469331ea8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index c8b07329ae..4379a6e96b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,7 +61,7 @@ struct xsm_ops { int (*sysctl_scheduler_op)(int op); #endif int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -260,9 +260,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 1fa0b1a6c7..ca4aa9d367 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -667,10 +667,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -680,7 +679,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -855,7 +855,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:02:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:02:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333367.1596327 (Exim 4.92) (envelope-from ) id 1wWx2d-0008GE-IL; Tue, 09 Jun 2026 14:02:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333367.1596327; Tue, 09 Jun 2026 14:02:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2d-0008G6-Fn; Tue, 09 Jun 2026 14:02:55 +0000 Received: by outflank-mailman (input) for mailman id 1333367; Tue, 09 Jun 2026 14:02:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2c-0008Fy-6s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx2c-001hIo-1U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx2c-00EiFM-0V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:02:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TAd6wNg76/TStMuD0Q+GI/hNiVXvItheiSFA7r8JwJE=; b=N2dQBu56hIN5lXHxCSnyvuIxIo ofbBEATFd3tfTgKzL0DKvJ+GC2YnUccTLiWHs+mIOx0g6XdcS75iUaWyf92lbKkVcPfeNxC/L2Bro zct/A5mO8iB8HyooH+ZueFIiTJm/jtkzitC1HlllpvkvkXMZnAIvM6uo5QwXc845P6tI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 14:02:54 +0000 commit b48039e907a65ce0b85dfc32ceed0d0bad639319 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index adfdddde15..08175215a0 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2074,10 +2074,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c469331ea8..f4444b0488 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4379a6e96b..941e768dd6 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); #ifdef CONFIG_SYSCTL int (*sysctl_scheduler_op)(int op); #endif @@ -240,12 +239,6 @@ static inline int xsm_get_domain_state(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_domain_state, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - #ifdef CONFIG_SYSCTL static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ccdaa924d7..5e58ccd260 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = xsm_sysctl_scheduler_op, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ca4aa9d367..f318f37fd9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -609,7 +609,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -697,7 +697,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -745,6 +744,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1884,7 +1886,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, #ifdef CONFIG_SYSCTL .sysctl_scheduler_op = flask_sysctl_scheduler_op, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333368.1596332 (Exim 4.92) (envelope-from ) id 1wWx2n-0008JI-Jn; Tue, 09 Jun 2026 14:03:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333368.1596332; Tue, 09 Jun 2026 14:03:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2n-0008JA-HD; Tue, 09 Jun 2026 14:03:05 +0000 Received: by outflank-mailman (input) for mailman id 1333368; Tue, 09 Jun 2026 14:03:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2m-0008J3-9h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx2m-001hJC-1l for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx2m-00EiRq-0m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MoGkqS9IYZutuwV7Zk/7oK0OXd3v4Ugz5gSNhN6Au8w=; b=nKqmonCJ8Yf6yZAlsthsz0yuBH Rvu2w5EbOQcHzvh3MGlCnfiDT35sswFTEuqAu2UxI8n+Lws+Nm4ZbnygFiMc6XOaBMWfwBLOKSFXZ gSFT1LhnSd1EgNnP81NZCuqrDmaxvWYh/GZs2Vq+LUnJ5gV+kRa/YWIH2VeJFwqTtPYY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 14:03:04 +0000 commit 82887f1d254b077d765bb008015ddcd5298ca660 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 3545ddd1d0..6d4b4c802b 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -677,10 +677,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f4444b0488..63a390bac4 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -682,13 +682,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 941e768dd6..1bd195f6c8 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -172,7 +172,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -680,12 +679,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 5e58ccd260..ae3318e596 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -130,7 +130,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f318f37fd9..ac49a62719 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -699,10 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -787,6 +784,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1603,7 +1605,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1999,7 +2001,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333369.1596336 (Exim 4.92) (envelope-from ) id 1wWx2x-0008MK-L8; Tue, 09 Jun 2026 14:03:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333369.1596336; Tue, 09 Jun 2026 14:03:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2x-0008MC-IX; Tue, 09 Jun 2026 14:03:15 +0000 Received: by outflank-mailman (input) for mailman id 1333369; Tue, 09 Jun 2026 14:03:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx2w-0008M5-CW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx2w-001hJZ-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx2w-00EifD-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gcoUPI5e4Yp3l7xb0aYtE0EzAzAeOP7OHUPumbeZ4YI=; b=0jO1vPdkfLQYajlClezHxTKEkO qgXZBTDEB9wve19Ctyz4BFRSfZTTQVuJO0Q25kZF5T7TFuS5etGIsjKn/01/Typ4GQoHoFgqbbQ6T QU7dqFcPFzlhQd7ZxQhiiEWQiTWXczBFDIurHqt9L6bTX9awFhWMDcBayTrG6IJ3o7uk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:03:14 +0000 commit e3b16b87a2df9419d0a6826cc80e78d26dacf0b0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7a450c87ff..8d002ac914 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -513,6 +513,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -918,7 +922,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7858c9418c..a7f7b2d20b 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1620,7 +1620,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1690,7 +1690,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 63a390bac4..cc28fa24bb 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -401,7 +402,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ac49a62719..064cdec14f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -686,6 +686,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_get_domain_state: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: @@ -705,7 +706,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333370.1596340 (Exim 4.92) (envelope-from ) id 1wWx37-0008Pl-My; Tue, 09 Jun 2026 14:03:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333370.1596340; Tue, 09 Jun 2026 14:03:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx37-0008Pd-Jw; Tue, 09 Jun 2026 14:03:25 +0000 Received: by outflank-mailman (input) for mailman id 1333370; Tue, 09 Jun 2026 14:03:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx36-0008PV-FW for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx36-001hJf-2M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx36-00EiyL-1N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Td8HCIHdfjBQv6oyfQrt4QtsieXXxe6wsVQHOCExHbM=; b=cSuiPlEtWMzJjeJInwO2IoAY50 KH4dsQECeUAdmx27eN2z6O2dUiNGPrHo/902dWr+bPHAiW6ejXDbgLwMGXA9poN4fZJ7arJlfIaLg myNlJ09iY6PhBPsHD6ckudPJSjv/V8LriOI8xv40ApICpH3aWkJX3opey4JfFomcgIVk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 14:03:24 +0000 commit 1ea57a5866b0c1bb430159b914a46dcf0c06efe1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8d002ac914..6abe5858fd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -325,6 +325,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -332,6 +336,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index f5850a2607..ab1e07ac99 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -340,15 +340,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -396,15 +396,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index a7f7b2d20b..8b0ee98abc 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1740,10 +1740,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1785,10 +1781,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 8f6708c0a7..7b1252556a 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -575,7 +575,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index cc28fa24bb..d06006cb94 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -405,40 +405,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 1bd195f6c8..4443763295 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -124,13 +124,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -533,35 +526,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE_DISCOVERY */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ae3318e596..860233e4be 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -81,13 +81,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 064cdec14f..9ab185ff41 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -700,16 +711,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -789,6 +790,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE_DISCOVERY + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1416,7 +1460,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1446,7 +1490,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1478,7 +1522,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1508,7 +1552,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1989,13 +2033,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE_DISCOVERY) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333371.1596344 (Exim 4.92) (envelope-from ) id 1wWx3H-0008SE-Po; Tue, 09 Jun 2026 14:03:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333371.1596344; Tue, 09 Jun 2026 14:03:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3H-0008S6-NE; Tue, 09 Jun 2026 14:03:35 +0000 Received: by outflank-mailman (input) for mailman id 1333371; Tue, 09 Jun 2026 14:03:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3G-0008Ry-I7 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx3G-001hJm-2c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx3G-00EjHQ-1e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sES8LBf+/A13yXvHDF8ofWUeAxfegZKp1O8uNvJoQT8=; b=V3+AA8VorBj/T4nFyhQ9+Xeo0T D72BWrEzK1XPCYsFjKnnkRINLis5yrZoygk1lCS4kvKcQjQR91TLuvwxyxfgAovM8TFokxBPQ8uqw Bt0A0GkcmwbUL3RT7khAORV08TV/IcjgYm6IrM6FsmjZhRsjASfQIm6tqb0BmN1XA+bo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:03:34 +0000 commit fcccf99e5e359017ff461588cbe573fbfc6e34ae Author: Jan Beulich AuthorDate: Thu Jun 4 21:37:32 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6abe5858fd..36ef760c2c 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -505,6 +505,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -844,36 +868,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d06006cb94..d45d8b64fc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -170,6 +170,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 9ab185ff41..ae33e324bd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -705,14 +705,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333372.1596348 (Exim 4.92) (envelope-from ) id 1wWx3R-0008UJ-R7; Tue, 09 Jun 2026 14:03:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333372.1596348; Tue, 09 Jun 2026 14:03:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3R-0008UB-OY; Tue, 09 Jun 2026 14:03:45 +0000 Received: by outflank-mailman (input) for mailman id 1333372; Tue, 09 Jun 2026 14:03:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3Q-0008U3-Kr for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx3Q-001hJr-2t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx3Q-00EjTP-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=a0682vMQu6D9INvriLRfL05wW3Hgz/PXMpaN2f1Om2Y=; b=szDyz0VQKpehyUna0OWxfg+N0e JTwjuponbsUXkFurGuBPbd0Mx4b4ybKxB87eFiQf1vOau21wG5wjnNjC+IjiNwrrHrXgbGOgaRH/1 XU/oAnNENikLbl3fQC6nzJ3seZJ3IvOwvnnM0s1bts4jeoP9TgA7IJLyPcvhhOyGdVZo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 14:03:44 +0000 commit bec5efc03ade5cb10a00f8122f0befe25fe6232e Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 3b99c11b50..1606b26bf2 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm_inline volatile ( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm_inline volatile ( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm_inline volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm_inline volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm_inline volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm_inline volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index 19c0ec63a5..feafc14ebf 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:03:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:03:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333373.1596352 (Exim 4.92) (envelope-from ) id 1wWx3b-0008WG-SX; Tue, 09 Jun 2026 14:03:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333373.1596352; Tue, 09 Jun 2026 14:03:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3b-0008W8-Pz; Tue, 09 Jun 2026 14:03:55 +0000 Received: by outflank-mailman (input) for mailman id 1333373; Tue, 09 Jun 2026 14:03:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3a-0008W2-NX for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx3a-001hJv-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx3a-00Ejea-2C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:03:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=advrK+zZns8ZduzD4dvkI4OSeNbZ9TQwx4yYZCY6LoE=; b=EgsU0Iek8y4odrvZqmYSRi4Q6R FaQOUwGS0nXQ8OPStqq7ygz3WPqYXMZ5cU9I9nq1l9tg/erZk0ZWxGLmx8lV/o6FO/+m6giGbZ6TB BBpGMsT2qXE3enTKgAc2g5EEiYzdNqCVgipbWkCD7xRcsC/SQQCVv6rEfJG4Wvzh6su0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 14:03:54 +0000 commit 8851d2e1089e0df6ee289cc1b18ef5e25739bbcb Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index ec23fd098b..907778683b 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:04:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:04:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333374.1596356 (Exim 4.92) (envelope-from ) id 1wWx3l-00006j-UB; Tue, 09 Jun 2026 14:04:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333374.1596356; Tue, 09 Jun 2026 14:04:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3l-00006b-RO; Tue, 09 Jun 2026 14:04:05 +0000 Received: by outflank-mailman (input) for mailman id 1333374; Tue, 09 Jun 2026 14:04:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3k-00006T-QF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx3l-001hKE-0D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx3k-00EjtH-2R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=eHQkFozsELY057TdLF1HvOLJzZuy785YiZfJM8Fojhc=; b=fqa7KJqPmeYGAHK3Iwa/0iGTcI d8oQ/w17oXgetpqFC1I4cFLSSIYmJWwK0+j6eRYdFp+ZxcHGEi5qOw2E13KUr2D9nfF9uq2i1eyfe GlZ602OcfVwi3oi/JTQ5AR6W41XKVlgoNdVOTLvstVlcmpldbmuWBC99prC3ALnYG4+g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 14:04:04 +0000 commit 984c082ea93b955349163e0a0a8588139a42185a Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 907778683b..72745cca62 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:04:17 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:04:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333375.1596359 (Exim 4.92) (envelope-from ) id 1wWx3x-0000Ap-0c; Tue, 09 Jun 2026 14:04:17 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333375.1596359; Tue, 09 Jun 2026 14:04:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3w-0000Ag-UI; Tue, 09 Jun 2026 14:04:16 +0000 Received: by outflank-mailman (input) for mailman id 1333375; Tue, 09 Jun 2026 14:04:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx3u-0000AQ-Sv for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx3v-001hKZ-0T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx3u-00Ek4k-2j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mzqYgA6Wl2jB66RlsM9LeNlpSzQEsZiOFehY8zLHgDE=; b=aE1o8AAEmj21yr/wErcakv2Bis 0kLaHmXhtWxzpC3aiWaHukmHgZxBy9iZkDVjSkOMxEC3BgHiRN0FT6Oh+qlkctGgzpyprkiQdcMv6 GpJ7LZKsGv8fffdogRAZ6x9+Y84mOcil4QZrUYSAN5GUscvAUNh/8oq12+4Is+vUYgoU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 14:04:14 +0000 commit 781ee5198e57df57a6a6c884ade2573d7f363d02 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 72745cca62..25c5762c67 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:04:27 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:04:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333376.1596364 (Exim 4.92) (envelope-from ) id 1wWx47-0000D3-2L; Tue, 09 Jun 2026 14:04:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333376.1596364; Tue, 09 Jun 2026 14:04:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx46-0000Cw-Vb; Tue, 09 Jun 2026 14:04:26 +0000 Received: by outflank-mailman (input) for mailman id 1333376; Tue, 09 Jun 2026 14:04:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx44-0000Cp-Vn for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx45-001hKg-0j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx44-00EkKz-2y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Gpnf7sGNJNTJa4SVtkEJB/r1bfV8Xvrf42hPqSPF4r4=; b=JVD3WP1BIJ3ZaqTypkvSjWjB3z kJHUYB++uq8WXm/mAUlAttMZFEc/8/3nNT1OdwEC+wPB8vCSv/PArA0wBzGcioVU+INwgzPI8jbba 0sMM0pqImNBmaA1wTZqev2al6TemAgZ5OQGV93OIZmr08fHGCvIzPaTRQfzL1RU5loRg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 14:04:24 +0000 commit 929883468108e1e1fc7aff4b59b95303e2d8a3b7 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index cf6af68299..dad922c51b 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -467,6 +467,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:04:37 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:04:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333377.1596368 (Exim 4.92) (envelope-from ) id 1wWx4H-0000FH-3l; Tue, 09 Jun 2026 14:04:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333377.1596368; Tue, 09 Jun 2026 14:04:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx4H-0000F9-0y; Tue, 09 Jun 2026 14:04:37 +0000 Received: by outflank-mailman (input) for mailman id 1333377; Tue, 09 Jun 2026 14:04:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx4F-0000F0-2R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx4F-001hKl-13 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx4F-00Ekde-04 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KIjN+rgH0d8GKBg63zsTnRq4D+nrI89LD9VqJR/GzsM=; b=o+NqGG9gF/M4Hn/cBfL05K2Ksm q27Lw8PE2LpVeQWE5f+95hMUfzE6BdBfMljUaGrROL/OWVlMvb0Xhi5SgQ8eUSi+YeS0Us8IZYcHm 4zUQxgIbY++5GZpGFNo6slZVq47ohK8BD9yWVkznzoAAYQtS/ClgXJBJ+Il6KO1KShY8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 14:04:35 +0000 commit 3bdb2a4fb88620e00160000591694a4da6a940f8 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:38:04 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 09e676c151..928bca66b4 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 828f42c3e4..10d2b9fe25 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index 7bcbca2b7f..345677eb72 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -104,7 +104,7 @@ static inline void invlpg(const void *p) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 2e087c6257..d2cacdfedb 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -328,6 +328,9 @@ DECLARE_PER_CPU(struct tss_page, tss_page); DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* PAUSE (encoding: REP NOP) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2b23bf2e7a..d02c9862d3 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -535,7 +535,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -543,7 +543,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 37729091df..42bc530c0f 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -828,8 +828,7 @@ static int __init dom0_construct(const struct boot_domain *bd) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -838,8 +837,7 @@ static int __init dom0_construct(const struct boot_domain *bd) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -850,8 +848,7 @@ static int __init dom0_construct(const struct boot_domain *bd) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -992,8 +989,7 @@ static int __init dom0_construct(const struct boot_domain *bd) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index ef4f442e73..d9e52f5f88 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -451,6 +451,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -473,15 +475,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 27628800a8..b37feab3be 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -1063,6 +1063,7 @@ static int cpu_smpboot_alloc(unsigned int cpu) info->current_vcpu = idle_vcpu[cpu]; /* set_current() */ per_cpu(curr_vcpu, cpu) = idle_vcpu[cpu]; + per_cpu(pgtable_vcpu, cpu) = idle_vcpu[cpu]; gdt = per_cpu(gdt, cpu) ?: alloc_xenheap_pages(0, memflags); if ( gdt == NULL ) diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 30d649ca5c..feb09acf75 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -49,7 +49,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -92,6 +91,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -99,8 +103,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -115,7 +117,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -143,7 +146,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -154,18 +157,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 723cb80852..9953197ee5 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -40,7 +40,6 @@ extern bool efi_secure_boot; void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:04:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:04:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333378.1596371 (Exim 4.92) (envelope-from ) id 1wWx4R-0000HL-51; Tue, 09 Jun 2026 14:04:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333378.1596371; Tue, 09 Jun 2026 14:04:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx4R-0000HD-2M; Tue, 09 Jun 2026 14:04:47 +0000 Received: by outflank-mailman (input) for mailman id 1333378; Tue, 09 Jun 2026 14:04:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWx4P-0000H5-4q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWx4P-001hKr-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWx4P-00EkuE-0J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:04:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RnsrSlrjLmm5jcOz5HwOTEV06vd+zND3bgc3T6dSsDc=; b=ECnrpAXtYuhoQex3yuW8UDwpJt wzSROpy4As5dsF8elyDfcGDO3VaxMQnnjATRtY6mx7bcwuGGl0IFJQ081iQDY4IWQF4UMFd0WSh7m 4IIBRcvTywA4rH572Nn66IbxtPpJiDs0gjoCWrjCKi5r8C2OYXKybXS/3YM3ZLERkzWs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] Revert local CI adjustements Message-Id: Date: Tue, 09 Jun 2026 14:04:45 +0000 commit 29f3147966c5e17e686291d664d1b0c0ccdae849 Author: Andrew Cooper AuthorDate: Tue Jun 9 13:06:08 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:06:08 2026 +0100 Revert local CI adjustements This reverts commit 1b251cc02a24ed6e5ffdd71bc3f142f9a53551c3. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e85d1fea7a..7974ac4e82 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,6 +20,9 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS + - local: 'automation/gitlab-ci/analyze.yaml' + rules: + - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333435.1596391 (Exim 4.92) (envelope-from ) id 1wWxgS-00009t-0l; Tue, 09 Jun 2026 14:44:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333435.1596391; Tue, 09 Jun 2026 14:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgR-00009m-UK; Tue, 09 Jun 2026 14:44:03 +0000 Received: by outflank-mailman (input) for mailman id 1333435; Tue, 09 Jun 2026 14:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgQ-00009g-7w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxgQ-001hyt-1E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxgQ-00FWLF-00 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ivZ8araE+RNN+oWb2O0tG9lJhk6gw28AKAyeFFiDhP0=; b=dxGdy6L4xRfZ/YOsY68Vc2+Ff+ 4ccLHrpTyERd8oqpY+fYBJmeItEB/RfAQT066dDSvuYpAjqh/usvHsYjGSATL57JQaeU+7QD6eUUB Cr6tqRH2VvBKj8B8+Cwxy7e3O/4KVMShpt9i4D+wfjte9hzGNZ9Nfn0ONoFiRmOZ1h6o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 14:44:02 +0000 commit 24ccd8302e8670b4c824dcb845b01d88a7a14aff Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b3beb2ff9d..4f99f0d0c0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,9 +19,6 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS - - local: 'automation/gitlab-ci/analyze.yaml' - rules: - - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333436.1596396 (Exim 4.92) (envelope-from ) id 1wWxgb-0000C4-25; Tue, 09 Jun 2026 14:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333436.1596396; Tue, 09 Jun 2026 14:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxga-0000Bw-Vn; Tue, 09 Jun 2026 14:44:12 +0000 Received: by outflank-mailman (input) for mailman id 1333436; Tue, 09 Jun 2026 14:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxga-0000Bm-97 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxga-001hyy-1i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxga-00FWVt-0Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mgw2DzTrnAxldeSJ9gk9yqZ8/LdxYsa/Fu4/k96THBw=; b=EIPHD0u2Gg2vpnoFEIrDNTbEkN VPo9jCGXELlLLi6AYU/V+Ftov+G6VoddhNh4MqMd1NTGhvDTMFTR+XszWfcEJblDrHlJfEA5NVT37 b/BsM+NQT1XQvl2AJtj+6AWWoG50XRfn0PPjvIxVSIbmUxf84xd6dvhCBmyer7eXWgIM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 14:44:12 +0000 commit 493a937a9b3d2e74bb1dbbb1b6e0085a2a8e2ae6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:21 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 5f01111619..a8bd91c1f3 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -656,6 +656,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -677,11 +678,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -690,6 +694,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -697,6 +703,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 495c8fe3b3..660aff134f 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -159,7 +159,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index ba9a08bf54..ef1bbbf758 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -601,6 +601,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index de6ee6c4dd..47ce09331d 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -144,36 +144,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -190,6 +210,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -197,9 +219,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -216,6 +244,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 196fed6d5d..b5a711e067 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333437.1596400 (Exim 4.92) (envelope-from ) id 1wWxgl-0000Ed-43; Tue, 09 Jun 2026 14:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333437.1596400; Tue, 09 Jun 2026 14:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgl-0000EV-0r; Tue, 09 Jun 2026 14:44:23 +0000 Received: by outflank-mailman (input) for mailman id 1333437; Tue, 09 Jun 2026 14:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgk-0000EO-CR for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxgk-001hzI-22 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxgk-00FWgM-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=74ruadGq/ACIvWOJqMWDi2zLCSgPAhQtS5OcV+VPlBA=; b=3OburdNrRmoiVwLFX2SIyRlrD8 aRQy7Zr9mQUl+2IFeboKKnMyHyVNckycsuj8pU6+DxR2/xxTxbspbSJlyqjG7xj4u6gmBSqliYGmk IstYe6EcowpWp0hSM5q9xv8d6aI4/zR3qazgjZ1GSBYMwBurfLLxa4LUodhAzfnQ5jG4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 14:44:22 +0000 commit 1927a7e49311cf36d2030b8087dc52b3d7ab6c8e Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index d6296d99fd..f6736c6e43 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -281,13 +281,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -307,30 +312,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index de621eb123..c49bd51a9a 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333438.1596404 (Exim 4.92) (envelope-from ) id 1wWxgv-0000Hm-54; Tue, 09 Jun 2026 14:44:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333438.1596404; Tue, 09 Jun 2026 14:44:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgv-0000He-2F; Tue, 09 Jun 2026 14:44:33 +0000 Received: by outflank-mailman (input) for mailman id 1333438; Tue, 09 Jun 2026 14:44:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxgu-0000HY-FT for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxgu-001hzM-2K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxgu-00FWvm-1K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cEid6rMdaMiQG7YGu4e6QLLq0VX3yVk4MztK0yCldFo=; b=LP7WwS71r5UdgQrMGWVMnaCs10 ttXrRT9wAsKu2wd2c8zcejw+hOaXjmCt+o8ozGhie/1NL/vdcvvOEbEtPcNNjDsT32AzFWSnjuVLR 0Ujqu3xRpfKWA4160ENv47SXFzRn3C3Aey6XnQxDA2bEvaxPcmNu/SZZVZM2zMy1yZxc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:44:32 +0000 commit 634145d777ab416b6db01e28b8d16e42568d1cfa Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 05abb581a0..f9fbc4a8f8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -323,6 +323,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -539,17 +559,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6a2fc33c3b..66d98ff14c 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 14d84df9ca..c6faebefcf 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,8 +680,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333439.1596409 (Exim 4.92) (envelope-from ) id 1wWxh5-0000KH-89; Tue, 09 Jun 2026 14:44:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333439.1596409; Tue, 09 Jun 2026 14:44:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxh5-0000K5-5A; Tue, 09 Jun 2026 14:44:43 +0000 Received: by outflank-mailman (input) for mailman id 1333439; Tue, 09 Jun 2026 14:44:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxh4-0000Jz-IJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxh4-001hzQ-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxh4-00FX9B-1d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VBpCz/mRr1czAeIwYauXfQCzEOGGFhlYc0GAb0fLVzc=; b=CpGoXUnE+9DIPW9NTNiLc3LTQ2 2XrSFUvwGdBuLWsYsfLbc8mk0JcisYM7Y18oXKd2Pl2KagPdVzlsFtgMM0zLsFKwxCxm3NQtZUxtA uGvcfA+gRQKT3Ueey1Akh+lLq/yIfCA7OWsAcObTbkSdPxteK7vp+Ng/e0TAPJ4ZKem0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:44:42 +0000 commit c1c16ad1a5553139c263392a28a96977942b9bff Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index d03f3e046f..96833c1715 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -386,10 +386,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -717,6 +722,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f9fbc4a8f8..0badf74793 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -279,6 +279,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -696,6 +725,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -704,6 +735,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -728,19 +761,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -764,6 +793,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index c49bd51a9a..df8828706d 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -530,6 +530,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:44:53 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:44:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333440.1596412 (Exim 4.92) (envelope-from ) id 1wWxhF-0000M7-9F; Tue, 09 Jun 2026 14:44:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333440.1596412; Tue, 09 Jun 2026 14:44:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhF-0000Lz-6a; Tue, 09 Jun 2026 14:44:53 +0000 Received: by outflank-mailman (input) for mailman id 1333440; Tue, 09 Jun 2026 14:44:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhE-0000Lt-Ld for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxhE-001hzW-2x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxhE-00FXMt-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:44:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2p4UcHtOAxdBzX/AwF9kubRQoV+mF2kLL4IcinvPNoQ=; b=qAUQpmOpF6hZxeLB+CJDKdfZhA 8wY7qPuESb958ibsr9UcgtFkwoHBf8tyaVctLnaSUXzAbI5SQ1C9RURGMOdqKUeDugtVRLRusZSl4 eVmNPiarJTCgkZogjdTQWbVyBKGqSOJrR5n1DYHnU5POWnWxjKPQO6I6X2LS5i0hn8As=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:44:52 +0000 commit aa133b1b9d25204e5b0a5fba45098f4d38f8ba37 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index a8bd91c1f3..d470bbd0d2 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,6 +226,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -235,6 +237,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -641,16 +645,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -711,6 +712,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index e0c320e165..769b2a64b6 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2273,9 +2273,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:03 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333441.1596417 (Exim 4.92) (envelope-from ) id 1wWxhP-0000PT-BA; Tue, 09 Jun 2026 14:45:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333441.1596417; Tue, 09 Jun 2026 14:45:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhP-0000PL-7y; Tue, 09 Jun 2026 14:45:03 +0000 Received: by outflank-mailman (input) for mailman id 1333441; Tue, 09 Jun 2026 14:45:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhO-0000PF-OV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxhP-001hzy-01 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxhO-00FXZ6-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7ta/wkqHH7Yb0IngQtM0J6nEwrulfOYHMXulJdKjGFc=; b=DAtxWSaKZr8UOjKXUvfPAkgEQH XNRipYipKKpJ3njjk0DpyDrA4Lo4IV25owpnHVfucofftmVBXrOvZrAjgxwFm3FlLIeDEMAkbrzfM Q+dXM8YJyLVNK1vMvHV5IfsLdVXbO/s1SRsPks6BpVconfjO5b0NteKQhwbdYjRnlFBg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 14:45:02 +0000 commit 2a50079f71d32451671703e9b70aa04c9a3e5304 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_{irq,gsi}_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 51 +++++++++++++++++++++++++++++++-------------------- xen/common/domctl.c | 5 +++++ 3 files changed, 57 insertions(+), 36 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index ad914c915f..75c3df602a 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index d470bbd0d2..4d680a9fa5 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -260,16 +260,17 @@ long arch_do_domctl( break; } - ret = -EPERM; + iocaps_double_lock(d, true); + if ( !irq_access_permitted(currd, irq) || xsm_irq_permission(XSM_HOOK, d, irq, flags) ) - break; - - if ( flags ) + ret = -EPERM; + else if ( flags ) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + iocaps_double_unlock(d, true); break; } @@ -572,20 +573,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -598,23 +606,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0badf74793..a31a026ecd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -704,6 +704,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -711,6 +714,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333442.1596421 (Exim 4.92) (envelope-from ) id 1wWxhZ-0000RR-CI; Tue, 09 Jun 2026 14:45:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333442.1596421; Tue, 09 Jun 2026 14:45:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhZ-0000RJ-9Q; Tue, 09 Jun 2026 14:45:13 +0000 Received: by outflank-mailman (input) for mailman id 1333442; Tue, 09 Jun 2026 14:45:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhY-0000RD-Rm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxhZ-001i25-0M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxhY-00FXkJ-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PJtixyUZDVwxPey5lCZR+ugQH5VG8B6fpM4NBCTJ7Cs=; b=dtMsU29Tg5uF5tqT+NCgago1yq D+8XFdbfPo1VpdMRjY/vsI3FkE8qFYtt8cZ/Os3v03vMPorkHnP79m03R9dB0JPx3IlJFIKtTAdpD ncdkF2p8oxYrpvVPBMvYAtqchGDQVn/FEq/Ox895LosV9S5RDQwCcukP9r6RX2A0ebDY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 14:45:12 +0000 commit 724f4f49d68aeb1d2b9e153b887121aedc59e90f Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index b002eb2072..1f0ab9d177 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 66d98ff14c..04062a5f01 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4dbff9d866..41d3070570 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -116,6 +116,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -503,6 +505,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c6faebefcf..0c54407f75 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1932,6 +1932,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333443.1596424 (Exim 4.92) (envelope-from ) id 1wWxhk-0000Uo-E3; Tue, 09 Jun 2026 14:45:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333443.1596424; Tue, 09 Jun 2026 14:45:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhk-0000Ug-Au; Tue, 09 Jun 2026 14:45:24 +0000 Received: by outflank-mailman (input) for mailman id 1333443; Tue, 09 Jun 2026 14:45:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhi-0000TU-Ud for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxhj-001i2S-0d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxhi-00FXyz-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=q8hFvNPi1Ogxz6d+CqAMRwugoHlcCDE1U2njAjKnHIs=; b=G8Gdc4safaIQlXPVysE5wt/AcK 26fQdzCWxvlZvYfZUQ0e22s6uYbL6M2u4zvkN0X7aWv09VB7WXNtkqzbx2wSZedFUYUPhfncJ7qiv JQr5/j5pG+lV8lbTZXE0DU7uAR30bLVDMI65hafcfqbZkAe3wFAzGy5zGurOyV5UyfHc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:45:22 +0000 commit e701842f7dbfa404dfc22732c69604d08161e19b Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a31a026ecd..af54577bb8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -367,6 +367,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -745,64 +805,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 04062a5f01..1a8d692245 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0c54407f75..ae0e5c06a1 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -689,7 +690,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333444.1596428 (Exim 4.92) (envelope-from ) id 1wWxhu-0000XG-Gz; Tue, 09 Jun 2026 14:45:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333444.1596428; Tue, 09 Jun 2026 14:45:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxhu-0000X7-EE; Tue, 09 Jun 2026 14:45:34 +0000 Received: by outflank-mailman (input) for mailman id 1333444; Tue, 09 Jun 2026 14:45:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxht-0000X0-1W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxht-001i2W-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxhs-00FYBb-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F9siGq4n7ZykWE30pmt+TYe9aB3F9prUiHVgc9+/VaQ=; b=AiPVzDJSLPIbpfMYFGHEwXUq3I 6FZ2ZeEs012Z5U2XMCFog1auQO9DEys9f4dhvTWMkXoIn8ozRDfn+uuoxRu7nY5BUkbR7unK66+zC HsWGWYOEBPJ0DmkiNPJjFCIweaM/Bc9ItBZX8SRwtgubK4Stvp2HqxLhB9KDapSSy0Cs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:45:32 +0000 commit f7ec26e3b703c509012a8937a32bc9be10223323 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 4d680a9fa5..585a8a7601 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -656,12 +656,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index af54577bb8..3bd55e76f6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -427,6 +427,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1a8d692245..8a2c48ec14 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ae0e5c06a1..aaa42f083c 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -700,7 +701,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333445.1596432 (Exim 4.92) (envelope-from ) id 1wWxi4-0000ZF-IH; Tue, 09 Jun 2026 14:45:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333445.1596432; Tue, 09 Jun 2026 14:45:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxi4-0000Z8-Fb; Tue, 09 Jun 2026 14:45:44 +0000 Received: by outflank-mailman (input) for mailman id 1333445; Tue, 09 Jun 2026 14:45:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxi3-0000Z0-4F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxi3-001i2d-1E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxi3-00FYKR-0F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=W3qFdAtBXWNkqfinRlyTUfD6T6Hd4R5rl2VMa/dek90=; b=ZPvKD2HaArl9+afcUPRTHcgvYk 5NpETbnOvQLfSqFTceOi749KNQ0/an4G0YGThGNAzz1vtWqJ8UTC436aO7FUDBxMRkjqHU9AXYe4v Bx1beIetGjrLdq7kE2WZSEyDrXJzVwNT+Ereqr7DNfcssAsviba8kfGwSFzi1F+swbeQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:45:43 +0000 commit 4e53d41bee5d2f9b67b0234e3bda20496b289694 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 75c3df602a..6c9a3f9920 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 585a8a7601..77e612796f 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -568,7 +568,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -606,7 +606,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 3bd55e76f6..966e5dce7a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -428,6 +428,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8a2c48ec14..8d9eecd6af 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index aaa42f083c..0695c0dcf4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,9 +681,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -694,9 +696,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:45:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:45:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333446.1596436 (Exim 4.92) (envelope-from ) id 1wWxiE-0000bK-Jr; Tue, 09 Jun 2026 14:45:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333446.1596436; Tue, 09 Jun 2026 14:45:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiE-0000bC-HA; Tue, 09 Jun 2026 14:45:54 +0000 Received: by outflank-mailman (input) for mailman id 1333446; Tue, 09 Jun 2026 14:45:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiD-0000b5-7E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxiD-001i2h-1X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxiD-00FYYY-0X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:45:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pL/hkU1NbRX1pt0RcMwiEjUgIya9WSfFex9Wh+rEKJs=; b=2kDgn4U0XiF5HDnG8bcBu5jV8B 8Zjnym0a0ag5pQGhQbhV7PvzlUm3Z2JqVG72nVgG1Vss6Pw5GOydfMW4HFkvrWqCOHXK4PaEsT92e J0K8UHMCtFViatkvIf8Y0RG0WK+8sVBJluQLS3KO5fV84ZsFjlP45gfYKkhoQM6Wq+zg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:45:53 +0000 commit 1a7b04ab0efff2c666561bbfa6a3c0b2d15210c5 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 77e612796f..c772f1f788 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -226,12 +226,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 966e5dce7a..38415ec243 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -367,6 +367,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -427,6 +455,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -786,31 +815,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8d9eecd6af..2a00a438c8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0695c0dcf4..5042f7e958 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,7 +683,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -692,14 +694,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333447.1596439 (Exim 4.92) (envelope-from ) id 1wWxiO-0000dM-LU; Tue, 09 Jun 2026 14:46:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333447.1596439; Tue, 09 Jun 2026 14:46:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiO-0000dE-Id; Tue, 09 Jun 2026 14:46:04 +0000 Received: by outflank-mailman (input) for mailman id 1333447; Tue, 09 Jun 2026 14:46:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiN-0000d7-AY for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxiN-001i2w-1q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxiN-00FYm4-0r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=J9kVXCbaHqqNTmWVknX26986mFRFfxCX5FL3BtZ4q8E=; b=j6j98W2S5q1Ul1ZQ63ilRD3mK+ JJBkjnX+so8Egg8o4i7opyQoMyt3lp/4S3Zs7KLGwLgFwAHDMRVfK+KY7f7un0LpcGvqqk4ZmsEXx +Hrt+YLLootS+yqcCm7UfuumaTnDywXNf5e3K/yiY3pNkT6ClQB8QVezmCZ09ejdsp4Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:46:03 +0000 commit d1ffc533650b6f61f5ccdbdf1591143e59feb651 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_{irq,gsi}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the GSI handling is in arch-specific code (x86 only), no code is being moved there; the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 6b71151cd84cafff1ea9e67a8022e7a3e41d811f) --- xen/arch/x86/domctl.c | 7 ++++-- xen/common/domctl.c | 60 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 4 +++- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 43 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index c772f1f788..3b92690f23 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -265,10 +265,13 @@ long arch_do_domctl( break; } + ret = xsm_irq_permission(XSM_PRIV, d, irq, flags); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( !irq_access_permitted(currd, irq) || - xsm_irq_permission(XSM_HOOK, d, irq, flags) ) + if ( !irq_access_permitted(currd, irq) ) ret = -EPERM; else if ( flags ) ret = irq_permit_access(d, irq); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 38415ec243..a0f816df55 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -455,8 +455,41 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); @@ -788,33 +821,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2a00a438c8..0b4e1ee9be 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,9 +169,11 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +563,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 5042f7e958..28c681eb34 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -683,9 +683,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -693,14 +695,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_gsi_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333448.1596444 (Exim 4.92) (envelope-from ) id 1wWxiY-0000fn-OU; Tue, 09 Jun 2026 14:46:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333448.1596444; Tue, 09 Jun 2026 14:46:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiY-0000fg-Lv; Tue, 09 Jun 2026 14:46:14 +0000 Received: by outflank-mailman (input) for mailman id 1333448; Tue, 09 Jun 2026 14:46:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxiX-0000fZ-DT for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxiX-001i30-29 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxiX-00FYyJ-19 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=u8vuEJSMMKNPECFbnm4zkO8/6fe1sfiD3lbm5vksBjo=; b=AZm5/Tm43jA8VmhSAaKQQdpyIH GcYSzQvuu7b7PuA7ZRkSqf7U8UFaRXpUU4zYdAvFTt4XNxwaEvI5J/sTspVVF/ImrxWxwZRvtOSBI EHoSegVsp7jET1sVg6lZt8nsyyY4e4LuunL6wzftN+u+LpZFEuIwtEHMy4LvFLxlgPZg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 14:46:13 +0000 commit c51d9a3f89cb85bac46750916a2d48c6fe58af37 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a0f816df55..1bff00c50d 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -487,6 +487,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 1666ff615f..7aea0a78b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0b4e1ee9be..3f38138856 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -651,13 +651,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 41d3070570..ae3af5510d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -153,8 +153,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -633,12 +631,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 28c681eb34..8fb3a08682 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -696,7 +696,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -790,9 +789,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1359,11 +1357,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1951,8 +1944,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333449.1596448 (Exim 4.92) (envelope-from ) id 1wWxii-0000j5-QJ; Tue, 09 Jun 2026 14:46:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333449.1596448; Tue, 09 Jun 2026 14:46:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxii-0000ix-NZ; Tue, 09 Jun 2026 14:46:24 +0000 Received: by outflank-mailman (input) for mailman id 1333449; Tue, 09 Jun 2026 14:46:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxih-0000ir-H3 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxih-001i3O-2W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxih-00FZ79-1R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4B8SZAisZCJPcRKCCgG9mVH5LOi7QOzcbbWgkLhF8n4=; b=eEIXBJtYTBt+W+LauNPGXGQu0D GfvQy5TceGoaq2GEaKznYZQFn+hIsTa/B2JTEalYgdBw8lj3XYdeROEQbpP6tmPA93hROkw6grctq m+sLy+Sc+MGMZdVV4mYtNsjPevrxbQE3r9OqBqBixgVkVcdRXyCYYR+UItJGSGbtM7Iw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 14:46:23 +0000 commit b8193cc781106a1fbc032c7cb9cce8a357ec44f8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index c77f4c1dac..76a2e3114f 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1bff00c50d..601626f061 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -517,9 +517,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3f38138856..fde5da4e41 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index ae3af5510d..cf70ad630d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -59,7 +59,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -248,9 +248,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8fb3a08682..9916520f03 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -665,10 +665,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -678,7 +677,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -852,7 +852,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333450.1596451 (Exim 4.92) (envelope-from ) id 1wWxis-0000mB-RR; Tue, 09 Jun 2026 14:46:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333450.1596451; Tue, 09 Jun 2026 14:46:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxis-0000m3-Ot; Tue, 09 Jun 2026 14:46:34 +0000 Received: by outflank-mailman (input) for mailman id 1333450; Tue, 09 Jun 2026 14:46:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxir-0000lx-K6 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxir-001i3S-2p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxir-00FZRI-1p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=p+z8OLPUlMeo936CsxE+GwW32aFeg0ooTwyre6Q49w8=; b=DODoVMoQLCgoKlLd+P8C6o4V2n +zX8Ct5t87XVL7S7ieGmHXfdNAF5luyEaoo+wt3rQspS11kUhTmNkQRbKRW8vIG4veikU1zgAvsfB Mm/997aO9W5IMmbt9MvXUGNY76kGo6fsqJ93Ulb4NX4xjlWhcqa7WmpG1z2UuD0bpz7Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 14:46:33 +0000 commit 13865d78c32a36ed914ce71c1283988cd4fe5542 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index f6736c6e43..6cba57dba5 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2056,10 +2056,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index fde5da4e41..c18bfbd046 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index cf70ad630d..93d924e13c 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -56,7 +56,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -230,12 +229,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 9916520f03..383bf47c63 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -609,7 +609,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -694,7 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -742,6 +741,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1870,7 +1872,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333452.1596456 (Exim 4.92) (envelope-from ) id 1wWxj2-0000oJ-T1; Tue, 09 Jun 2026 14:46:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333452.1596456; Tue, 09 Jun 2026 14:46:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxj2-0000oA-QL; Tue, 09 Jun 2026 14:46:44 +0000 Received: by outflank-mailman (input) for mailman id 1333452; Tue, 09 Jun 2026 14:46:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxj1-0000o3-Mv for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxj1-001i3W-36 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxj1-00FZeJ-28 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XRJhuOkn2Jd+RgpuWOry7Dt+KILJcT/CMtyVYVsMzn4=; b=v/z7o7GvG2U+LUzcJxsb9a3QuV NBTprD32pCi07LY3lWxnL8yVkU7GEohEI4y+RkAhcvsGaLhig8kdAOY7FkCdd8kvXJWPtp5T7js6F 1pUcJJeJLyq+yjFZKCiEJj7L8gFRbR5GNIxkBhCVzLUnINXsfsTiCMHpmWXQG7FKQVq8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 14:46:43 +0000 commit 5f17064d10ae1b8105449da73176a9e760c0e1a7 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 76a2e3114f..e29263752a 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c18bfbd046..2a5d14d6bf 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -681,13 +681,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 93d924e13c..800bffc314 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -168,7 +168,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -656,12 +655,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 383bf47c63..e9cdc45456 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -696,10 +697,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -784,6 +781,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1594,7 +1596,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1979,7 +1981,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:46:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:46:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333453.1596460 (Exim 4.92) (envelope-from ) id 1wWxjC-0000qo-Va; Tue, 09 Jun 2026 14:46:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333453.1596460; Tue, 09 Jun 2026 14:46:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjC-0000qg-T1; Tue, 09 Jun 2026 14:46:54 +0000 Received: by outflank-mailman (input) for mailman id 1333453; Tue, 09 Jun 2026 14:46:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjB-0000qZ-Ph for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxjC-001i3b-09 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxjB-00FZnq-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:46:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UKc4sjJvAze6h1p9zualP/0dDA7oniyPxwL20t3bT9E=; b=HZ5RCHaI3I7mm0dmxqU+l1a9/r xI7VCq/uDHtupp2aLlaVAstbgA7vLge2lbeqoSTzwZd4EtTSzUit9bv1g2qbONjpJ8vbOeAAYA3+r AYYHCLEZPBzPBSbHOfdPwFzUaCuql4V1DJ92XIGaQ//kXGRwJ8Edkm6BRTrLrOMzafQ8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:46:53 +0000 commit c720b158d90c77ca629d9a60ae1ad69f46c3eb63 Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 601626f061..bc46dce585 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -504,6 +504,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_gsi_permission: @@ -927,7 +931,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 7410dfdfcb..f41ba30426 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1626,7 +1626,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1696,7 +1696,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2a5d14d6bf..1129b2ffc6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: @@ -400,7 +401,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index e9cdc45456..5561e0e8fd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: @@ -702,7 +703,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333454.1596464 (Exim 4.92) (envelope-from ) id 1wWxjN-0000sk-0v; Tue, 09 Jun 2026 14:47:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333454.1596464; Tue, 09 Jun 2026 14:47:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjM-0000sc-UT; Tue, 09 Jun 2026 14:47:04 +0000 Received: by outflank-mailman (input) for mailman id 1333454; Tue, 09 Jun 2026 14:47:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjL-0000sR-Sg for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxjM-001i3s-0R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxjL-00FZyR-2h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=paZOp+cld6KnTro33vh/fDnmIwiLSWEHtgL77h+MB3I=; b=5zzgLzeOeB85F9yenJUrNV/BPr NPyb97Yd9BtlaPp2J7rsTxF+LpeFsYrvxD+ED6GIENOmVE/50vi4ZslaO/Hsg+Y+5xy2DXAWDKGyy RWMA2aeXcpXMZFJzJBafKLMYwB9KyLCgWqAXZelbXZgq+my3ReeBXnRwodKduzAaE9us=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 14:47:03 +0000 commit 324d0ee554943e774f8cc021ed259354b33fac1e Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index bc46dce585..8dc4f48876 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -331,6 +331,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -338,6 +342,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index f41ba30426..494840681e 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1746,10 +1746,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1791,10 +1787,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index e2d392d1e5..ee8fc0b784 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -567,7 +567,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1129b2ffc6..485cb70ca7 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -404,40 +404,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 800bffc314..c7b3f1f618 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -122,13 +122,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -513,35 +506,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 5561e0e8fd..49baa6dc0d 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -697,16 +708,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -786,6 +787,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1407,7 +1451,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1437,7 +1481,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1469,7 +1513,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1499,7 +1543,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1969,13 +2013,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333455.1596469 (Exim 4.92) (envelope-from ) id 1wWxjX-0000uq-2h; Tue, 09 Jun 2026 14:47:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333455.1596469; Tue, 09 Jun 2026 14:47:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjW-0000ui-Vs; Tue, 09 Jun 2026 14:47:14 +0000 Received: by outflank-mailman (input) for mailman id 1333455; Tue, 09 Jun 2026 14:47:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjV-0000uZ-VF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxjW-001i3w-0i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxjV-00Fa79-2x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zqSVBlTCSD3DKT1wasUrCmNSuM4PgAaKBAI/sl/ifH4=; b=q9I63kSRkyHM5RLeeO3SnQLczA MOOweqltRnUZmExg5gg1QzS2dQYlgItZye7KtqDMZjkxf4mti/7DCtboJbnOYSX9ahjSgE8MIvyG5 pCXFlO2V26i8K9lPhHR+P8QJFdQMnRQtmdk9FcdTVcEBcode1/hj84OCgh8jvKNqCBD4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 14:47:13 +0000 commit 4fab10041498a08e38d68d6ad8d043000accb80b Author: Jan Beulich AuthorDate: Thu Jun 4 21:39:31 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 8dc4f48876..a186d145e8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -496,6 +496,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -853,36 +877,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 485cb70ca7..ec377ed9b2 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -169,6 +169,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 49baa6dc0d..2c3bab1d18 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -702,14 +702,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333456.1596472 (Exim 4.92) (envelope-from ) id 1wWxjh-0000xB-3i; Tue, 09 Jun 2026 14:47:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333456.1596472; Tue, 09 Jun 2026 14:47:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjh-0000x3-18; Tue, 09 Jun 2026 14:47:25 +0000 Received: by outflank-mailman (input) for mailman id 1333456; Tue, 09 Jun 2026 14:47:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjg-0000wx-1t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxjg-001i4M-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxjg-00FaJR-01 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KnBezJC08PWPHuWHqCIjMe2rKko2UOrFGMu4ltAl0Dw=; b=ikKTFgYTgyGCf9cMnikXal8vDr /l5oFGJten3jqeog/9KcId/z/v2mMBhHgZXV6s99qvIeBI+YbjQ2LUZLEi/nEQbEJBKm7wjCZhobB es1V5giEKCw4BhJCALHwU32+577nghbld3ttlPahvzq3cINXYrlt4T433k2c8+k8Ghtg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 14:47:24 +0000 commit c411e33d8c232e21ebbd447a3d101e212829aa08 Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index 19c0ec63a5..feafc14ebf 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333458.1596476 (Exim 4.92) (envelope-from ) id 1wWxjr-00017n-6d; Tue, 09 Jun 2026 14:47:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333458.1596476; Tue, 09 Jun 2026 14:47:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjr-00017f-42; Tue, 09 Jun 2026 14:47:35 +0000 Received: by outflank-mailman (input) for mailman id 1333458; Tue, 09 Jun 2026 14:47:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxjq-00017Y-4w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxjq-001i4T-1J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxjq-00FaYo-0I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oQu8w6ZjOkSvUmg7KdNjyvwQgK3BZhV3iSv76T1LNPQ=; b=x6qwcrN8/jpKdRAUQWvgciOzkA MJv3rWAcbUNAwJOwqejBr/uNzam33l2ZTysCMuM+AZxm78Tp4Tl4A7BwWqah2GB2MKHqUw3PctPWU Up/dG0N9qADNRMHRgn6hxiBHHPcQoSJL7vOp4mGPn/r/vztlh6kEeVbM6wCeIFKBeVo0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 14:47:34 +0000 commit c8fbbdc7ecb89b71c62d2b53ef290413285ee52c Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index ecf7f2e859..e344715082 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -89,13 +89,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -110,13 +119,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333463.1596480 (Exim 4.92) (envelope-from ) id 1wWxk1-0001OW-8I; Tue, 09 Jun 2026 14:47:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333463.1596480; Tue, 09 Jun 2026 14:47:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxk1-0001O9-5O; Tue, 09 Jun 2026 14:47:45 +0000 Received: by outflank-mailman (input) for mailman id 1333463; Tue, 09 Jun 2026 14:47:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxk0-0001N3-7S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxk0-001i4X-1Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxk0-00Famk-0a for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pZFEXOE/JQL+vw+wghALV0U+K1IW05/ZDf1JcvTlZU8=; b=SQnRZg7RNbKEyyPPfZMfsHSIRe uW2W7q3+yjdvNLkptylxKmTDDR56YAq8CXBV47iDUO4PNEZaUfpH0Rdx7RpgeFO9NjBHx2nJgTG9/ iB2opnEv6XFaua0qRFvzWJHponVjIgOSBUqHuCsEjUbXLRnt6zGiVXv1R8kvBGSMbKro=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 14:47:44 +0000 commit ff6ee97f42a6663388fe903d7613534a244a2ed0 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index e344715082..1f8b2184fa 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -105,6 +105,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -135,6 +136,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:47:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:47:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333467.1596485 (Exim 4.92) (envelope-from ) id 1wWxkC-0001Xr-A8; Tue, 09 Jun 2026 14:47:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333467.1596485; Tue, 09 Jun 2026 14:47:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkC-0001Xj-6r; Tue, 09 Jun 2026 14:47:56 +0000 Received: by outflank-mailman (input) for mailman id 1333467; Tue, 09 Jun 2026 14:47:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkA-0001Xd-9w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxkA-001i4d-1o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxkA-00FayH-0p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:47:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FtkgSd2aBoGjrqPLaMNIcodQPd4ODDv6GQWzcdYnlXU=; b=hyuFhwhpgf0nElPpenIrd68vJM ORAMktwZiply+ns12jHD7MT+L/ZTBRM13AuIOrBjCHAzmCS9ScGWLU637TbtfyCIWnLYeUfA5ZJlP LNwUXsTAwtxAKmjRmyq5yhM3DOolmdRtaun9QH9h0vq7AtFKMh1NHt2kkebzDytTHK9s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 14:47:54 +0000 commit d84ac74f8bc587b4aa04974a9f7f2a8fe837d838 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 1f8b2184fa..2405616534 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -106,6 +106,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -137,6 +138,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:48:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:48:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333468.1596488 (Exim 4.92) (envelope-from ) id 1wWxkM-0001Zr-Am; Tue, 09 Jun 2026 14:48:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333468.1596488; Tue, 09 Jun 2026 14:48:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkM-0001Zj-89; Tue, 09 Jun 2026 14:48:06 +0000 Received: by outflank-mailman (input) for mailman id 1333468; Tue, 09 Jun 2026 14:48:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkK-0001Zb-Cc for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxkK-001i51-24 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxkK-00FbEA-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3gWK6t1UyBpsXjsUukqVyD79/RM6Xc1GOPYOLa1wJjQ=; b=FjV4qXZhBHwAuSvlH/2j29Cc0J wntygInrrF8UxTNlJWDp/v5Bj401ceJGl3aaeWPIqiGt9nh7ELmycD9hZ+xbhIwWSiWgiY4oxdFX4 zXEZKq0g5IciycFMHegHy+tgxl8oLm3Qd2wxB6Ey329K7mESYZKcXMKBa34/LdwFVOaI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 14:48:04 +0000 commit 08ea7c4416ce45240871806cf41f070f9e890654 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index a26d3e1182..a89995545f 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -467,6 +467,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 17cf134f1b..3a32183618 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -534,6 +534,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:48:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:48:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333469.1596494 (Exim 4.92) (envelope-from ) id 1wWxkW-0001bw-Da; Tue, 09 Jun 2026 14:48:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333469.1596494; Tue, 09 Jun 2026 14:48:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkW-0001bo-9m; Tue, 09 Jun 2026 14:48:16 +0000 Received: by outflank-mailman (input) for mailman id 1333469; Tue, 09 Jun 2026 14:48:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkU-0001bg-Fv for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxkU-001i55-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxkU-00FbQq-1P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Y5l0nrzFmLhd6fU+LxNQAaLT3BiCRQIZTCoCKL9xKH8=; b=g8ZmCXgkw6YgAeMqpGzphE31Jd 9MByktzOZk6Ab4RU+nrWd9JKBoRPJ7LAfG1DWHk12945iasGChx5dWAYGJFKlVc4zH4i5S6oWTh// 3oubZS+IS3dBWid+74Y8fwBKZjJN2SapzvPCyppl8i/hTwH010RI2DvOlfFfwhQSGOX4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 14:48:14 +0000 commit 2653b35edb56af4fe5b677d473a89d6233afeae2 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:39:53 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 65be0474a8..16f1fab5c5 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index b79d6badd7..f0370bc7bb 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index bb0ad58db4..75e291d93b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 98734f4d3f..4b52d68a6f 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -375,6 +375,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 3430b13dcd..23496407f2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -542,7 +542,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -550,7 +550,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 5bc59b48a5..7ce82f199b 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -836,8 +836,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -846,8 +845,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -858,8 +856,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -1000,8 +997,7 @@ static int __init dom0_construct(struct boot_info *bi, struct domain *d) #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 745c1dbb21..0f45ccafc2 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -449,6 +449,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -471,15 +473,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 8742e30561..fc0761150f 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -330,6 +330,7 @@ void asmlinkage start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 7e1fce291d..af7f96fb7d 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -47,7 +47,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -90,6 +89,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -97,8 +101,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -113,7 +115,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -141,7 +144,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -152,18 +155,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..356be1705a 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -42,7 +42,6 @@ static inline bool efi_enabled(unsigned int feature) void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 14:48:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 14:48:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333470.1596495 (Exim 4.92) (envelope-from ) id 1wWxkg-0001fp-FF; Tue, 09 Jun 2026 14:48:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333470.1596495; Tue, 09 Jun 2026 14:48:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxkg-0001ff-Ca; Tue, 09 Jun 2026 14:48:26 +0000 Received: by outflank-mailman (input) for mailman id 1333470; Tue, 09 Jun 2026 14:48:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWxke-0001fV-IJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWxke-001i5R-2d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWxke-00Fbif-1f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 14:48:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=v48sMa7yHeis2g3lWLclKhlx09ZAdIsK68glV/vXEHI=; b=G+Btdbb3Wq6HkiAxDjZzR5/C9a yzfFPNdNzAO0e+ONyJ8M9cUwE2QxexFdjzsUKHzL3szp6IICS8Tu8QN2ddfHgxgtGbJko8ec21frl Fr4XOA6cuTwcNLmbmqqBnVWr3lpiwKBCmYE5XgwGt83LqRCRjFUzxLnyNMZNDTEZWZKs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 14:48:24 +0000 commit 0953c1890794c849771b4bd6e061a30a181d5c23 Author: Andrew Cooper AuthorDate: Tue Jun 9 13:08:15 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:08:15 2026 +0100 Revert local CI adjustments This reverts commit 24ccd8302e8670b4c824dcb845b01d88a7a14aff. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4f99f0d0c0..b3beb2ff9d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,9 @@ include: - local: 'automation/gitlab-ci/containers.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS + - local: 'automation/gitlab-ci/analyze.yaml' + rules: + - if: $XEN_CI_REBUILD_CONTAINERS == null - local: 'automation/gitlab-ci/build.yaml' rules: - if: $XEN_CI_REBUILD_CONTAINERS == null -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333517.1596536 (Exim 4.92) (envelope-from ) id 1wWyHE-00022k-K3; Tue, 09 Jun 2026 15:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333517.1596536; Tue, 09 Jun 2026 15:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHE-00022c-H6; Tue, 09 Jun 2026 15:22:04 +0000 Received: by outflank-mailman (input) for mailman id 1333517; Tue, 09 Jun 2026 15:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHC-00022W-PG for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyHC-001igt-31 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyHC-00GEEz-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aTSRJC99+oo/L7cfTPei8P1CwmFVchS9q598nVXyH9U=; b=4wx6lqYyWLJt65bVFt1Xlxk77k oAwIqs3J6BQechvczObSAoW6843pLVZF7GJfzKbBeABOWmdbSJKFkDXwpg9s636nPJqfqmyayqHE8 SEn8er9TBYkPy8xF1rQVrbJPaUD4RzTcg2OmHCHzHdSuLFXRfOrWMGUdTFCBUF7MZOH4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 15:22:02 +0000 commit e1eae714bf3d130f810f715bec1e08d6faa6ea3d Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:41:00 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b2fcf6c28f..716c3c5cdb 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -15,6 +15,5 @@ stages: - test include: - - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333518.1596540 (Exim 4.92) (envelope-from ) id 1wWyHO-00025l-L5; Tue, 09 Jun 2026 15:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333518.1596540; Tue, 09 Jun 2026 15:22:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHO-00025d-IX; Tue, 09 Jun 2026 15:22:14 +0000 Received: by outflank-mailman (input) for mailman id 1333518; Tue, 09 Jun 2026 15:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHM-00025Q-QK for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyHN-001igx-0C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyHM-00GEOJ-2L for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/BYGvnwEfarM6LOSihp1UKCwNio0D+Zv53GDx+zlTP0=; b=MA8qx7AmEwoPlThOd/vifQWhQU M6wZsu9MHEtYg1PGSepmMizXm1BXx7N89J8wpyAlXQp037yemicY/gp6R8gbQHU6kHOzaPXYgJeAO WaKcuJDmTVP0jQqqwS3rrqhmUMy5xfrNTdvvdEX+NF/4Fq0Y50wkZKtTB5kekznk0Hvc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 15:22:12 +0000 commit 792e70b85f23029f36e2457cd837db45aa7b64dd Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:26 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:41:00 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 8066f28e9d..35d7332d87 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -623,6 +623,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -644,11 +645,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -657,6 +661,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -664,6 +670,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 03e40ab9ff..4dde6a7b4a 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -159,7 +159,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 7c5a5314ba..232563a3f3 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -601,6 +601,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index de6ee6c4dd..47ce09331d 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -144,36 +144,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -190,6 +210,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -197,9 +219,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -216,6 +244,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index ddf9f8b831..32b50b4194 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333520.1596544 (Exim 4.92) (envelope-from ) id 1wWyHY-00028M-Mk; Tue, 09 Jun 2026 15:22:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333520.1596544; Tue, 09 Jun 2026 15:22:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHY-00028F-Jr; Tue, 09 Jun 2026 15:22:24 +0000 Received: by outflank-mailman (input) for mailman id 1333520; Tue, 09 Jun 2026 15:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHW-00027y-TB for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyHX-001ihJ-0U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyHW-00GEZB-2i for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WxK99CoxOc7+6G+Iejp9vN2h1kPxYlMijaT+naXTZrI=; b=0dk/DrvxyOphqDspPvOX/eoTeK iqpGWAG9HYfafpeIn0wb1wGYKOVQ31EcWJfDaUiGPeL2fw3wOEVZSwrDUxbZuel9Gkar6NlULKifT 8GKkWytxqs77skmVMhXRgrB9+oJcAC4SNklo1yDYi/PffL9oJBGhY1GMnR4fpPue8lpE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 15:22:22 +0000 commit 0ac39241895cdee87953dc7f830884c2f5123196 Author: Juergen Gross AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:38 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ea16b75910..444e072fdc 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -539,7 +539,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) break; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index d02f44fe3a..c2d99ae12e 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7956f27a29..f8a3c4b81e 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333521.1596548 (Exim 4.92) (envelope-from ) id 1wWyHi-0002C2-O5; Tue, 09 Jun 2026 15:22:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333521.1596548; Tue, 09 Jun 2026 15:22:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHi-0002Bu-LR; Tue, 09 Jun 2026 15:22:34 +0000 Received: by outflank-mailman (input) for mailman id 1333521; Tue, 09 Jun 2026 15:22:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHh-0002Bn-0B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyHh-001ihQ-0o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyHg-00GEl2-30 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DsRUEd4hMBztUQ6etLoYt6VqfUN5X/JUPOstsEMROss=; b=Uq0ga+NBvbVtIKS6aUDny5lH3w Wx9qzDeEm6yZ8pqS2y8CmR/fh6OrPu+z+zDUBzp1RH0B5IwUhDhm/vlq7oef+LSirC19tP8DAfbB6 h2mOgZQ83ANqJq7xPonXWui1PVvf801xyiyo4RqnH2lQCsx0n7vGTNGYX0W144l80mrs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 15:22:32 +0000 commit 27e32cc10055a313b41c337d7562609109b42f2b Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c466711e9e..6477ec3455 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 2a83b9dacf..88dc27024b 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333524.1596552 (Exim 4.92) (envelope-from ) id 1wWyHs-0002LU-RZ; Tue, 09 Jun 2026 15:22:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333524.1596552; Tue, 09 Jun 2026 15:22:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHs-0002L8-OL; Tue, 09 Jun 2026 15:22:44 +0000 Received: by outflank-mailman (input) for mailman id 1333524; Tue, 09 Jun 2026 15:22:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyHr-0002Ja-32 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyHr-001ihU-16 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyHr-00GF0R-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FTCCkE897uajpRKgwmvovB8WBYpXzlY7nQf1q+VwGAg=; b=zjs9PBosxB1KhJrgm4lAX8fP9/ twqlkB1mmXaNcloPWxpGIpchXRl9y/uH05a5VeIGt20WCnnuDBc/v7EORFc0PB+epv80GnDtwt5y8 DrT7dqS/iC5XtwBfWuHXae6F4prPEuNyDG/1NTaxKpKgdcPtlUe5Ea6Xgxz3ODmUrmNw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:22:43 +0000 commit 8f449eb5ac23152d770ba080174c9612854fb5ca Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 444e072fdc..69a44bd0a8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -322,6 +322,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -538,17 +558,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f8a3c4b81e..ad88d2fd91 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 415edee251..308ac354aa 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:22:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:22:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333525.1596556 (Exim 4.92) (envelope-from ) id 1wWyI2-0002Qk-SC; Tue, 09 Jun 2026 15:22:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333525.1596556; Tue, 09 Jun 2026 15:22:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyI2-0002Qc-Ph; Tue, 09 Jun 2026 15:22:54 +0000 Received: by outflank-mailman (input) for mailman id 1333525; Tue, 09 Jun 2026 15:22:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyI1-0002QW-5t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyI1-001ihc-1O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyI1-00GFJy-0P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:22:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WL3nVi/D5ebI04ETl0TJYUNHQH8DMLNxvGYse/Kk69M=; b=WRcyKgYnUtvEh6M/tm39vnAGTk x1hurrVp5pqZzE1nA3A6oAyMeSdkEF2HqgGDkodj5cbv4IKU2+wUMwuo9W1UQJ+OQNaUPbDmjCvOb p3AzQkH0mscFd4AqGrHROwpdvQjyPCdBV3ZwuXsSIivIl3QCxDYZLQkxGKl1gpvRzNsw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:22:53 +0000 commit f615fc1e9143d767bbb0e88760b7ae3c9a9041b2 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 00c59a9baa..52a2139495 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -636,6 +641,7 @@ struct domain *domain_create(domid_t domid, rspin_lock_init_prof(d, domain_lock); rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 69a44bd0a8..94c9489307 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -695,6 +724,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -703,6 +734,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -727,19 +760,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -763,6 +792,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 88dc27024b..331306fcbd 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -527,6 +527,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333527.1596560 (Exim 4.92) (envelope-from ) id 1wWyIC-0002X5-Tk; Tue, 09 Jun 2026 15:23:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333527.1596560; Tue, 09 Jun 2026 15:23:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIC-0002Wv-R4; Tue, 09 Jun 2026 15:23:04 +0000 Received: by outflank-mailman (input) for mailman id 1333527; Tue, 09 Jun 2026 15:23:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIB-0002VS-91 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIB-001ii6-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIB-00GFXV-0g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Y2M6AXgdHTEkFEYpeuIKozUrsS2BFnAB+gjVsN7lAk4=; b=h5/vq27txscfTd9cPqgssqFRoK WqmWy3KTqB9K8psrr5fJHPlUR1d9wx7pKJOYddYBeehNYYtQNprNQNpXtJE/uiXHS3p6ozhbg7wSQ kz/bupZGKqesS0br2NcI1Mpttd8iPcJMJESS0NRzjV6wdERF9M2qf6FspcqnZrtyZBjM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:23:03 +0000 commit 3c45f671ee4472966c65b9b919aa720a3c0bda4b Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 35d7332d87..711068e472 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,6 +225,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -234,6 +236,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -608,16 +612,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -678,6 +679,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index a123f94e85..a5b0b9978d 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2173,9 +2173,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333528.1596564 (Exim 4.92) (envelope-from ) id 1wWyIM-0002dU-Ux; Tue, 09 Jun 2026 15:23:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333528.1596564; Tue, 09 Jun 2026 15:23:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIM-0002dM-SR; Tue, 09 Jun 2026 15:23:14 +0000 Received: by outflank-mailman (input) for mailman id 1333528; Tue, 09 Jun 2026 15:23:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIL-0002dF-Bw for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIL-001iiC-20 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIL-00GFgX-0z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NSGR8FmC2tSUphsL+DP5EMtzaNMfZtSUwFwHEjd7Fwk=; b=R8jDvUNsQxE21KB4LIVJbE9e7f mf+Nx7swZkle5Gm2FoIybs1ckYkrw/ZLSy+PbYLCO34IvNM3d66cszbIfKawzM49OeeehFtOSeY// nzkMyRaRh4hX/VcuDDP6MrKLW7EFKeyGybzIxKQV6B23T8dkRG9jctomqVtYQzUdWAKA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:23:13 +0000 commit 08afe7a8df7e2f688938fedf495a0bfcdf31b2a8 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 7a502afa6b..dd8c610f3d 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -76,6 +76,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -107,21 +108,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -138,16 +144,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 711068e472..f20d174f5b 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -539,20 +539,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -565,23 +572,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 94c9489307..7d0e78365a 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -703,6 +703,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -710,6 +713,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333529.1596568 (Exim 4.92) (envelope-from ) id 1wWyIX-0002lT-0P; Tue, 09 Jun 2026 15:23:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333529.1596568; Tue, 09 Jun 2026 15:23:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIW-0002lL-Tr; Tue, 09 Jun 2026 15:23:24 +0000 Received: by outflank-mailman (input) for mailman id 1333529; Tue, 09 Jun 2026 15:23:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIV-0002jS-Er for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIV-001iib-2I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIV-00GFxw-1J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=djWf6Zz/K49bo1ey4W3z+y/50h9N+rzsi38MvhlvLQI=; b=nTtMKv24C9rJhhnleIRPsXsqFe y936djE/LVL9l1LnpO5o20vnpKW5LHn51/hPNqVsZfJCFXrQgSDpPS2z3yCz6uNLhCCDlse80CKhZ fugR68MSRpOH134bk+uEsI21BUN9dYDY0HUBKarB9lsc9TymoAU+nrugryGuL6WoVvJc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 15:23:23 +0000 commit a5b7170c3bde92729a61970367270aeb7983f190 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index b002eb2072..1f0ab9d177 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -67,7 +67,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, map_mfn, m_end, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index ad88d2fd91..47d409cf08 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 5867ccceaf..fc30cf822f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -117,6 +117,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -504,6 +506,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 308ac354aa..6ca850d23e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1921,6 +1921,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333532.1596572 (Exim 4.92) (envelope-from ) id 1wWyIh-0002qA-3l; Tue, 09 Jun 2026 15:23:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333532.1596572; Tue, 09 Jun 2026 15:23:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIh-0002pe-0P; Tue, 09 Jun 2026 15:23:35 +0000 Received: by outflank-mailman (input) for mailman id 1333532; Tue, 09 Jun 2026 15:23:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIf-0002pX-Hz for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIf-001iif-2b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIf-00GGAN-1c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ErF4H8XYKlYtPBNeHdiqV+vwhRbUs3N6pGg3SkKyXTc=; b=zF4gfwfm8bgilqBLNdAj8cvRj8 4WzkWgMvqLpEj2ud0C4SqgdQW3LzI12NavHg9jKibKvQx6tVIWVFBjPMfN87etCXmSO1md5qfl3jV koje1TvQHwOELRfgcP8VR9kLzpKD6y32h9S+GiNnjBkFk0I3b+mKWTZDS7M+DYDyett4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:23:33 +0000 commit c49dc949ad314a461e12ecc7c5a622c1d4961ef0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7d0e78365a..a878867f01 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -366,6 +366,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -744,64 +804,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 47d409cf08..e023e1bb17 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 6ca850d23e..d43762f38b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333534.1596576 (Exim 4.92) (envelope-from ) id 1wWyIr-0002z7-4M; Tue, 09 Jun 2026 15:23:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333534.1596576; Tue, 09 Jun 2026 15:23:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIr-0002yz-1p; Tue, 09 Jun 2026 15:23:45 +0000 Received: by outflank-mailman (input) for mailman id 1333534; Tue, 09 Jun 2026 15:23:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIp-0002xY-Km for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIp-001iim-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIp-00GGPM-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3DhTHaC64WUXmf3Mzt/n66MSHq8HaZyqLCxnXfVf2AE=; b=tcrNLJMrnpLdd87/onl07D6BnX ZG9aO9Iv8a0ZOg8+qeOhEcrGkkDCl/irhwUMB+AfrME4MwqcnaRYt0zrDeoWr5dWUhvDWnyOlzJNM aqqiqIDcBWIEgwk1yKDhljVLwl1jYTDteUS3c6b2BbgsDlTcIoLrhNgp1Kn2GrAonJE8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:23:43 +0000 commit 2ba1d549351c5c5ecb65b24d00dfb7509eb9bbb2 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:49 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index f20d174f5b..128a75caac 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -622,12 +622,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index a878867f01..2f1235989b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -426,6 +426,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index e023e1bb17..65d36b74fc 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index d43762f38b..52c15ca25c 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:23:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:23:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333535.1596580 (Exim 4.92) (envelope-from ) id 1wWyJ1-00032M-5j; Tue, 09 Jun 2026 15:23:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333535.1596580; Tue, 09 Jun 2026 15:23:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJ1-00032E-38; Tue, 09 Jun 2026 15:23:55 +0000 Received: by outflank-mailman (input) for mailman id 1333535; Tue, 09 Jun 2026 15:23:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyIz-000325-Ns for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyIz-001iis-3B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyIz-00GGca-2A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:23:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tm+iSLkmoGSP3tpEGcsxdZyKBB4d0ripgtEIZUZkWZk=; b=y3lBIKfv12DO13ATbmDyyg+Zpw /KSUlPUMJ9DUV1KSNZ0a3R8v+fK3X1OV46C+014UqWlvqYDVxqSJxDzR8n0fNZUouL9570eEqAq3i ujlxKKPqQfqoB4EL+bpx12bMbt/pyuQ96E2OitQYz+cXNsuoZRRUm5KuuOgs49mSpNXU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:23:53 +0000 commit d5f0523f8571a9873d3b9733cef62bf4820815a0 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index dd8c610f3d..78325848ab 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -104,7 +104,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -140,7 +140,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 128a75caac..48ae07c29a 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -534,7 +534,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -572,7 +572,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2f1235989b..447a66d8a6 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -427,6 +427,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 65d36b74fc..eb88313a79 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 52c15ca25c..a87f8d87a0 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333536.1596584 (Exim 4.92) (envelope-from ) id 1wWyJB-00035V-7d; Tue, 09 Jun 2026 15:24:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333536.1596584; Tue, 09 Jun 2026 15:24:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJB-00035M-4T; Tue, 09 Jun 2026 15:24:05 +0000 Received: by outflank-mailman (input) for mailman id 1333536; Tue, 09 Jun 2026 15:24:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJ9-00034B-Qx for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJA-001ijE-0G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJ9-00GGo6-2V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gM50V+f7R2k//XExBAwxG5Mx76dH3ueQE+8y54Gy0ms=; b=2u2pyNSGRyWAMpO9eRUtVnM/FX UcZBAijKU+/obgAdTvHjsPAlyExobq7GKTnBZSd/8tfgSKcuj3ndqTB/Re0gQ15uH/edMlxcyR7oq xaUdfkBwHk1/07htPiukev5FBGGtlUlVDKLkLh9/ziaLmIsMiLYsPSL4ZEcfiBj0RLJY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:24:03 +0000 commit 3ca879ff749887429b5dc1be0a3a00bc2cc18938 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 48ae07c29a..0dc36be2ff 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,12 +225,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 447a66d8a6..6b0316aa5e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -366,6 +366,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -426,6 +454,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -785,31 +814,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index eb88313a79..6d2c9ddbb6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index a87f8d87a0..c301750134 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333537.1596588 (Exim 4.92) (envelope-from ) id 1wWyJK-000380-AY; Tue, 09 Jun 2026 15:24:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333537.1596588; Tue, 09 Jun 2026 15:24:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJK-00037s-7g; Tue, 09 Jun 2026 15:24:14 +0000 Received: by outflank-mailman (input) for mailman id 1333537; Tue, 09 Jun 2026 15:24:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJJ-00037m-Tm for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJK-001ijJ-0Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJJ-00GH2C-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hJo7hguR5kiKcoHQhoeIMleDO7ymQIA3Avkf9/hKKvE=; b=loTf0vSeeg4ski1AJkQtVIQBzk 9pMnJqP//EpxEn7S2h7rCNWdrSCQrFTSTnOI6N+I8zMAstrbnzmAaqpt40cXvtRCnlumY77swKKoZ YgU2CwyVnpZQLzmlYfeCHT7gSm7fepVw7cPJ4AwCErCVgz7omxWXgbNfLDBnR+sVqkq8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:24:13 +0000 commit 2ff10f2acd12060b885153e50857e9e8847f4f8c Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 59 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 35 insertions(+), 29 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6b0316aa5e..944878cdcf 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -454,6 +454,38 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } +#ifdef CONFIG_HAS_PIRQ + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } +#endif + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -787,33 +819,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } -#endif - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 6d2c9ddbb6..02829e806b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c301750134..270e682883 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333538.1596592 (Exim 4.92) (envelope-from ) id 1wWyJU-0003AH-CE; Tue, 09 Jun 2026 15:24:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333538.1596592; Tue, 09 Jun 2026 15:24:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJU-0003A9-9E; Tue, 09 Jun 2026 15:24:24 +0000 Received: by outflank-mailman (input) for mailman id 1333538; Tue, 09 Jun 2026 15:24:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJU-0003A3-0C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJU-001ijd-0p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJT-00GHJm-35 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MoQ+6+ilmQQy4mgoQmU81mUJpcbIGRmmQq/Hp/cZe+o=; b=BTFRtlOtZsKQRI6i7EE5lPdmjh 8cVW1TVhynIzD/TAlP0S1Ztz0K9bZp6M4sU3MSzK2v1xTiwC5P9mgapVdYG+aEtmueQOeKU2pFSaQ aWDF7G0g3UrlGeYgXF3dpynTd/z/nQuHCk/1tx+yiL7uYwRYA4Orl9zdtRikQEJfmnbE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 15:24:23 +0000 commit fc86e21be9af7f542e962e66785b9852c93d4fd3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 944878cdcf..f1f0d60615 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -486,6 +486,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 1666ff615f..7aea0a78b2 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 02829e806b..f20be2e899 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -650,13 +650,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fc30cf822f..f2bbe3ed8b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -154,8 +154,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -634,12 +632,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 270e682883..3fb4330f70 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1352,11 +1350,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1940,8 +1933,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333540.1596596 (Exim 4.92) (envelope-from ) id 1wWyJf-0003DS-DJ; Tue, 09 Jun 2026 15:24:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333540.1596596; Tue, 09 Jun 2026 15:24:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJf-0003DK-Ac; Tue, 09 Jun 2026 15:24:35 +0000 Received: by outflank-mailman (input) for mailman id 1333540; Tue, 09 Jun 2026 15:24:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJe-0003DE-3I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJe-001ijl-18 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJe-00GHTy-08 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jOXf8QrN/qs5OjIybtJLzYLpL7syhUUJRyBGNrxSRfg=; b=x0gg6KNotFZiCQcmCAv1rHBMKj mEzsMZobuphIFsW45ZKZ26suougN/YyMM83oDCErYttlNp+LqZeXWV3+24RSRJeFM9ToX/r7IfrN6 zPvrfilyc9ICWcqIeDC7HsWFPjvYZBNoW327HUKZfZFSf6qKiwnLujJBWl9IgGgafzvA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 15:24:34 +0000 commit 5c86d123d7580aba4305519c39da873ada5dd124 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index dd47bde5ce..e213171ea9 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f1f0d60615..4981ae5925 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -515,9 +515,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index f20be2e899..a941827105 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index f2bbe3ed8b..e91fa49d7d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -249,9 +249,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3fb4330f70..97526b4211 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -846,7 +846,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333541.1596601 (Exim 4.92) (envelope-from ) id 1wWyJp-0003GW-Ew; Tue, 09 Jun 2026 15:24:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333541.1596601; Tue, 09 Jun 2026 15:24:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJp-0003GO-C0; Tue, 09 Jun 2026 15:24:45 +0000 Received: by outflank-mailman (input) for mailman id 1333541; Tue, 09 Jun 2026 15:24:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJo-0003GH-66 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJo-001ijr-1Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJo-00GHk1-0R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0B5it8byv4LGQgpcsSCev1re23U13MuDmAmofhOX6p8=; b=w+sXz4MrP8+JbbJGuLl+nT4Fr2 MCpVAV4J2unEMDMFb9sspaCaEkUTH19KSWz1v/5ZSgLoPMQvajoPRdoswJaHmO8Yb2p58mip57D8J PtGI4TQnWWuOhqJbCiAI2rXBLfz7LqwCW4NAAqWG4SwKQkGKkGFOawZicbUraht+cfHg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 15:24:44 +0000 commit c581c4008884ee555f2894e3c7ccf08759001dcc Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 6477ec3455..08e3bf48fc 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2055,10 +2055,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index a941827105..8352d22d43 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index e91fa49d7d..d0e9c33927 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -231,12 +230,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 97526b4211..2b2bbb5627 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1859,7 +1861,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:24:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:24:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333542.1596604 (Exim 4.92) (envelope-from ) id 1wWyJz-0003Iz-HJ; Tue, 09 Jun 2026 15:24:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333542.1596604; Tue, 09 Jun 2026 15:24:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJz-0003Ir-Ej; Tue, 09 Jun 2026 15:24:55 +0000 Received: by outflank-mailman (input) for mailman id 1333542; Tue, 09 Jun 2026 15:24:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyJy-0003If-93 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyJy-001ijv-1h for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyJy-00GHvS-0j for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:24:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jtUdFPntz6nvRgEOhJMUR53kKN5R2maEyljJizdC5DQ=; b=0mE1yek+01dVgg4usp+cVRDaMo 8D253iOFEka0cMAe6CxLAunrwx7Xa/SUT2s3tDgyAAy3BdjTPkRHl1UfxtROYIvYiM5KoajhEr4XN sCmERmYvU0ZBbffyIu+xTk1VRzq0xFGZQ2BiOgIP2OUcAV1JMrz8sIczDKkGO+Tr6+os=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 15:24:54 +0000 commit 7fcb12d5208e18124d14c81c55f193bd26cc6fc3 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index e213171ea9..beb7b88e67 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8352d22d43..8b3b648532 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -680,13 +680,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d0e9c33927..d60917f93d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -169,7 +169,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -657,12 +656,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2b2bbb5627..96c13b71ef 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1587,7 +1589,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1968,7 +1970,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333543.1596609 (Exim 4.92) (envelope-from ) id 1wWyK9-0003L2-Iz; Tue, 09 Jun 2026 15:25:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333543.1596609; Tue, 09 Jun 2026 15:25:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyK9-0003Kt-G6; Tue, 09 Jun 2026 15:25:05 +0000 Received: by outflank-mailman (input) for mailman id 1333543; Tue, 09 Jun 2026 15:25:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyK8-0003Km-Bg for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyK8-001ikA-1y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyK8-00GI8b-10 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=z2VdVB2j0Q6n+/3ihxOyvwAuKLK9eht1Rh82aZTi39U=; b=YL+NTf/jsHy3UX3145HgHGVeEA yK0/F8XFL8r/LzqCLMMMwQt0PxD7Jkj82S1hS4B/nhz8DKRIiGju+qNsWyfJKbWBh8tqE/Eq8gD4n DSVw4QbAS02M0xM7/WgcB8QtVhd2hooyVc9rXzDhpw+LpHSE2gJfKNhMCI/KQLX8A+54=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:25:04 +0000 commit 4618e73b2565ba3c0d362c3055521dc6c0c8313f Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4981ae5925..ccf0550d41 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -503,6 +503,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -925,7 +929,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index bd144aa59c..5cdc49ebf0 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1640,7 +1640,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1710,7 +1710,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8b3b648532..d83a893219 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 96c13b71ef..32d156d441 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333544.1596612 (Exim 4.92) (envelope-from ) id 1wWyKJ-0003N1-K6; Tue, 09 Jun 2026 15:25:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333544.1596612; Tue, 09 Jun 2026 15:25:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKJ-0003Mt-HV; Tue, 09 Jun 2026 15:25:15 +0000 Received: by outflank-mailman (input) for mailman id 1333544; Tue, 09 Jun 2026 15:25:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKI-0003Ml-El for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyKI-001imD-2H for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyKI-00GINl-1I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3gPVhtg79bmn+kCRd2q5ICALdQSFIsexRYsg1Fsp4z4=; b=w0c+cC87bfjZNvjbpb0+vXb0Bw hEOSbbISrP0XcGaftmdI13Qk+tijR/s1+BVTPhxmA8p6LFOrPyUMDWLU8JEZW0q/JTv/y7SLOTsZV VSx3iMRqqbVU5tDTzdn0KagoeacNq4MduYXLHwTmX90/jM8TY9OYdeP3MqnHptGA7K+o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 15:25:14 +0000 commit 923d69856a10fff053f6450ae7ad91542db3064c Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index ccf0550d41..760c4867bd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -330,6 +330,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -337,6 +341,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; fallthrough; case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 5cdc49ebf0..691406483f 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1760,10 +1760,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1805,10 +1801,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 2a49fe46ce..6f01865609 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -549,7 +549,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index d83a893219..0947b3c7b1 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d60917f93d..bf6d4e9772 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -123,13 +123,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -514,35 +507,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 32d156d441..4b609d9929 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1400,7 +1444,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1430,7 +1474,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1462,7 +1506,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1492,7 +1536,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1958,13 +2002,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333545.1596617 (Exim 4.92) (envelope-from ) id 1wWyKT-0003Pp-Nw; Tue, 09 Jun 2026 15:25:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333545.1596617; Tue, 09 Jun 2026 15:25:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKT-0003Ph-KR; Tue, 09 Jun 2026 15:25:25 +0000 Received: by outflank-mailman (input) for mailman id 1333545; Tue, 09 Jun 2026 15:25:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKS-0003Pa-HV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyKS-001ima-2Y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyKS-00GIdx-1Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sMJ3BGo3yl86lbV83WEcSchjHvrw1wssbzdyWd3lZsI=; b=N04d5dsKOg+80X7TURw4B62WQr 5z9h/6OKdH8ovpgABfawvn1m8fLvA6ldR0TvLpkO0dByDEVac48hZkvQ/XjvroKU5A6gVMOXTVGqo sMxSi6KIO91uWVnqnH5IQM4DRVpmDerv66+UQ9e1UGXJ4Eddkhe/T8z+gf9o4Ora2ea0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:25:24 +0000 commit 17bce447ad421a78bb7d9201f615dce6069be1b7 Author: Jan Beulich AuthorDate: Thu Jun 4 21:40:34 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 760c4867bd..9d5f55161b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -495,6 +495,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } #endif + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -851,36 +875,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0947b3c7b1..95c73f9894 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 4b609d9929..694c748694 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333546.1596619 (Exim 4.92) (envelope-from ) id 1wWyKd-0003Ro-OU; Tue, 09 Jun 2026 15:25:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333546.1596619; Tue, 09 Jun 2026 15:25:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKd-0003Rh-Lt; Tue, 09 Jun 2026 15:25:35 +0000 Received: by outflank-mailman (input) for mailman id 1333546; Tue, 09 Jun 2026 15:25:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKc-0003Ra-KJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyKc-001imi-2p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyKc-00GIyK-1q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ncGDEv3fTzgAn/2uGbHk7/pZlqQAHC3TefFx+3xrKLs=; b=RVufuuxn07o7gEz+i+hiqIIM0l WLtdPJ8kob+/SUtEumLIt9Ih5KRJt6+2u0oLOVwMbPCsKRPcV2YcCN7su2tNfhb83uTzXCbkYCOxG 1G+Bsnxq997yLI0IzfLg1+D51i483y1tjHyarA059/bL1oCWJ3gBcHW8ARSjqO5nJrnA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 15:25:34 +0000 commit 54bb4e99724bdf1f6a0a25dde1ab32a8ce9bc18f Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index a3b546465b..74848725e9 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x00000a0000000000 - 0x00000a7fffffffff (512GB, L0 slot [20]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333547.1596624 (Exim 4.92) (envelope-from ) id 1wWyKn-0003Tq-Pv; Tue, 09 Jun 2026 15:25:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333547.1596624; Tue, 09 Jun 2026 15:25:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKn-0003Ti-NP; Tue, 09 Jun 2026 15:25:45 +0000 Received: by outflank-mailman (input) for mailman id 1333547; Tue, 09 Jun 2026 15:25:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKm-0003Tb-Mg for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyKm-001ims-35 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyKm-00GJ6Y-26 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9cMo4z6h+Wn2dY0rUvHu/DtqJapMEeTnC0kUlDv2tEE=; b=tTEmELLdMykSF0Q1Ty7wbikHaz 2+vJ8MeieJ+rC6KJJTKBoiCM9esYFLMHVx6lO56za1y6T8D+bG3Y2uVG/VjZCeIz0wbDWm/T+tNLN nRDxVfyUHYFtq68ZR65/++CdMkHxTEoHlzb7GazYtF2bwb9+jAvyLACH87UaE2HPTZyI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 15:25:44 +0000 commit 1ea95e237d2b50514e3370382c1253a8852235e7 Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 2ca2662c02..5fda69344c 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:25:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:25:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333548.1596628 (Exim 4.92) (envelope-from ) id 1wWyKx-0003Vx-RK; Tue, 09 Jun 2026 15:25:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333548.1596628; Tue, 09 Jun 2026 15:25:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKx-0003Vp-Om; Tue, 09 Jun 2026 15:25:55 +0000 Received: by outflank-mailman (input) for mailman id 1333548; Tue, 09 Jun 2026 15:25:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyKw-0003Vd-PI for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyKx-001imw-07 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyKw-00GJGf-2N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:25:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XMiFygEwmnn2wU5mAzO8rkU1XApMonw4WxmI/kmFPjs=; b=X1tQeKlZYKgR2qk/nFhbjxRVxf qG/qstlgtuYGtnwfuFlMbOM1Hsbz15XbNvGZTiU9uywD53t48LzrFtZSd3HkulmeZbdws28lilUND RRXzIUOxxhJK73eiBU/DUosgt/eoSJTA0tDSzKgAkEcod7NQQCKOWsPKC9We4f1SmQzM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 15:25:54 +0000 commit 618173c1319431959a7b3f0500435e4e04f05dff Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 5fda69344c..85a7469eba 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333549.1596632 (Exim 4.92) (envelope-from ) id 1wWyL7-0003YR-UJ; Tue, 09 Jun 2026 15:26:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333549.1596632; Tue, 09 Jun 2026 15:26:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyL7-0003YJ-RM; Tue, 09 Jun 2026 15:26:05 +0000 Received: by outflank-mailman (input) for mailman id 1333549; Tue, 09 Jun 2026 15:26:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyL6-0003YD-Rj for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyL7-001inB-0M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyL6-00GJRc-2c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qLpeu/bnFSNqe9o417alM5NWeaUgHUuvR6DDt0mgnSI=; b=H05FCFNkaxopcEemgpDTAIBf9P Xy3SEhDOpHH0owNt1GenJ7sTZtLJeHKpKi+oY2uCqDAepA3g/xq+/tz92djA05C4C9M6pAK+p7Vz9 /RCvdOZdnkR3I+vBZgWhMaNkjgCVNyG4rEwTdZAhlFgz/kAmQgLdA90UTfE1lozKhoa4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 15:26:04 +0000 commit 52b28b0cf797079b29ad194407cd7c1b44fef576 Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 85a7469eba..f89b061d44 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333550.1596636 (Exim 4.92) (envelope-from ) id 1wWyLH-0003aO-VM; Tue, 09 Jun 2026 15:26:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333550.1596636; Tue, 09 Jun 2026 15:26:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLH-0003aG-So; Tue, 09 Jun 2026 15:26:15 +0000 Received: by outflank-mailman (input) for mailman id 1333550; Tue, 09 Jun 2026 15:26:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLG-0003aA-Ug for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyLH-001inJ-0c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyLG-00GJan-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ghi7rUuNt/taZvlccrSL8M4Uw+w3S02Y4vFbV/n3fm8=; b=XW3U5+H69JxUrrQoOum7kajNGW rZkvUmvZHLFKorWIZzB4j1L1vwH5cttQH0obeXtylP8L+C76mXg9Gsbkj3Hitr4O2S80vzv69CuxE drpa2KUGoH6f1xcUBZUMUZeL+nshTj5XazBjuvb30YUH2ryduIoctAGkKNpkJHdSlpOc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 15:26:14 +0000 commit a9c8547cc8d8522a83adfaa87d35d97e2b15f237 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 21d03d9f44..12aa8580c8 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -436,6 +436,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 2b7101ea25..1fb0cf599f 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -535,6 +535,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333551.1596640 (Exim 4.92) (envelope-from ) id 1wWyLS-0003ca-0f; Tue, 09 Jun 2026 15:26:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333551.1596640; Tue, 09 Jun 2026 15:26:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLR-0003cT-UK; Tue, 09 Jun 2026 15:26:25 +0000 Received: by outflank-mailman (input) for mailman id 1333551; Tue, 09 Jun 2026 15:26:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLR-0003cN-14 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyLR-001inh-0v for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyLQ-00GJnz-3A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dNz86oi5gS9078qvmt5LZ2DRWrHLXyx36XjXTqx8Lyg=; b=W6vLBlxLrIPP6YtYtPDRA8Vbd0 CgNZ2RbRCnoP/JcxUeaSPZ/A2r8hk+KhZJ9Vret1PZH8zgMR8pPk+6EEmqdeag5iEdO06FY0yBRry SDV6mn3cNsoelDaG0BmvosqWFoG1HgMr1ipXqH6+nQg+zynOCk//NxIb97tpmU2FVcco=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 15:26:24 +0000 commit 376de647729a611eba47086c7834655e8a64fcab Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:47:50 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 21e6ca90d5..893117dcc6 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -75,7 +75,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *d); int mapcache_vcpu_init(struct vcpu *v); -void mapcache_override_current(struct vcpu *v); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *v); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index bb0ad58db4..75e291d93b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index 26da7f8974..e47302c5af 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -379,6 +379,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 9861efbef9..ce62475f19 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -528,7 +528,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -536,7 +536,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 07e9594493..fe326a83ad 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -815,8 +815,7 @@ static int __init dom0_construct(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -825,8 +824,7 @@ static int __init dom0_construct(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -837,8 +835,7 @@ static int __init dom0_construct(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -979,8 +976,7 @@ static int __init dom0_construct(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 5302f7b366..6d037075d6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -456,6 +456,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -478,15 +480,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index df46150f2f..0b1e3841a5 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -327,6 +327,7 @@ void asmlinkage start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 77f138a6c5..7b12005bea 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index d952c3ba78..1aa5ad4bf3 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..356be1705a 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -42,7 +42,6 @@ static inline bool efi_enabled(unsigned int feature) void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333552.1596644 (Exim 4.92) (envelope-from ) id 1wWyLc-0003fa-2L; Tue, 09 Jun 2026 15:26:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333552.1596644; Tue, 09 Jun 2026 15:26:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLb-0003fT-Vw; Tue, 09 Jun 2026 15:26:35 +0000 Received: by outflank-mailman (input) for mailman id 1333552; Tue, 09 Jun 2026 15:26:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLb-0003fN-3g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyLb-001inn-1A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyLb-00GK2M-0B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pEAPxDxXQqcluqs3AyEttoQCFTD9WPJHiC4mof7xHsw=; b=d9+gVmq6DtVWhIgm6Y2CrBrmaV wXcIUo6KDN8ZFPnN7Fd0l/iHCzCiqP8K9lOmKXhWko5NrMA5EoZkW6NPe3jRV/M61kQsq6vQOfhG1 /e15HZV6cfGQ4ZfDmf60RYlQ2ZhF/eViCMNtwK+0Mc24WNUotHV6zyF8PniObfRcXRjg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 15:26:35 +0000 commit 96a8a2750afd6dab86b8ce1683ba7fea57b0823f Author: Andrew Cooper AuthorDate: Tue Jun 9 13:09:08 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:09:08 2026 +0100 Revert local CI adjustments This reverts commit e1eae714bf3d130f810f715bec1e08d6faa6ea3d. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 716c3c5cdb..b2fcf6c28f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -15,5 +15,6 @@ stages: - test include: + - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333553.1596647 (Exim 4.92) (envelope-from ) id 1wWyLn-0003jD-5A; Tue, 09 Jun 2026 15:26:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333553.1596647; Tue, 09 Jun 2026 15:26:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLn-0003j5-2X; Tue, 09 Jun 2026 15:26:47 +0000 Received: by outflank-mailman (input) for mailman id 1333553; Tue, 09 Jun 2026 15:26:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLl-0003iy-Kn for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyLl-001inr-2s for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyLl-00GKD2-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tvkp5eK8SWwhuipG3oxEdKAEExTsLIq0/Ce1T8thlf8=; b=Xn6l1yykyQVL3LL4p7b23obp2N 2gHhT2tkfvnJ9G7lwIBqVV/h4gSdqrZPrz0651ZIjG/FNhP/U4gIM7F//G6qXeSHCIUUprtA6BxEi yLTzNXU1rjTFArSrEpiW+L383HqkxYml8V0ElHd0F+h01VqNqkKo/l7myA6rRSVBVdo4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: split DTB/initrd placement helpers Message-Id: Date: Tue, 09 Jun 2026 15:26:45 +0000 commit 0656627b898afe8fb29b93d3e85c55df8f141d1a Author: Mykola Kvach AuthorDate: Mon Jun 8 07:39:18 2026 +0100 Commit: Michal Orzel CommitDate: Tue Jun 9 16:08:16 2026 +0100 xen/arm: split DTB/initrd placement helpers The Arm zImage loader currently computes the kernel load address and places the DTB/initrd in one local flow. The hardware-domain memory allocator needs to reuse those placement rules before it chooses bank 0, but open-coding the same calculations there would make the fix harder to audit. Split the existing logic into small helpers: - kernel_zimage_place_in_bank() computes the zImage load address for a given bank. - first_bank_can_fit_modules() checks the aggregate first-bank footprint. - find_dtb_initrd_placement() chooses the DTB/initrd location within a known bank and kernel range. Rename place_modules() to place_dtb_initrd() so the code distinguishes the kernel image from the DTB/initrd placement area. Also update the comments linking the hypervisor and toolstack placement paths. While moving the code, spell the 2MB alignment mask with MB(2) rather than open-coding (2 << 20). This is mechanical and keeps the generated value unchanged. The caller still panics in the same cases as before, so this is intended to be behavior preserving. Signed-off-by: Mykola Kvach Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- tools/libs/guest/xg_dom_arm.c | 2 +- xen/arch/arm/kernel.c | 147 ++++++++++++++++++++++------------ xen/common/device-tree/domain-build.c | 6 +- 3 files changed, 98 insertions(+), 57 deletions(-) diff --git a/tools/libs/guest/xg_dom_arm.c b/tools/libs/guest/xg_dom_arm.c index 739ec1c338..cb0af9f35a 100644 --- a/tools/libs/guest/xg_dom_arm.c +++ b/tools/libs/guest/xg_dom_arm.c @@ -429,7 +429,7 @@ static int meminit(struct xc_dom_image *dom) * just before the kernel. * * If changing this then consider - * xen/arch/arm/kernel.c:place_modules as well. + * xen/arch/arm/kernel.c:place_dtb_initrd as well. */ bank0end = bankbase[0] + ((uint64_t)dom->rambank_size[0] << XC_PAGE_SHIFT); diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c index b72585b7fe..d1be4d8074 100644 --- a/xen/arch/arm/kernel.c +++ b/xen/arch/arm/kernel.c @@ -40,27 +40,59 @@ struct minimal_dtb_header { /* There are other fields but we don't use them yet. */ }; -static void __init place_modules(struct kernel_info *info, - paddr_t kernbase, paddr_t kernend) +static paddr_t __init +kernel_zimage_place_in_bank(const struct kernel_info *info, + paddr_t bank_start, paddr_t bank_size) { - /* Align DTB and initrd size to 2Mb. Linux only requires 4 byte alignment */ - const struct boot_module *mod = info->bd.initrd; - const struct membanks *mem = kernel_info_get_mem(info); - const paddr_t initrd_len = ROUNDUP(mod ? mod->size : 0, MB(2)); - const paddr_t dtb_len = ROUNDUP(fdt_totalsize(info->fdt), MB(2)); - const paddr_t modsize = initrd_len + dtb_len; + paddr_t load_addr; - /* Convenient */ - const paddr_t rambase = mem->bank[0].start; - const paddr_t ramsize = mem->bank[0].size; - const paddr_t ramend = rambase + ramsize; +#ifdef CONFIG_HAS_DOMAIN_TYPE + if ( (info->type == DOMAIN_64BIT) && (info->image.start == 0) ) + return bank_start + info->image.text_offset; +#endif + + /* + * If start is zero, the zImage is position independent, in this + * case Documentation/arm/Booting recommends loading below 128MiB + * and above 32MiB. Load it as high as possible within these + * constraints, while also avoiding the DTB. + */ + if ( info->image.start == 0 ) + { + paddr_t load_end; + + load_end = bank_start + bank_size; + load_end = MIN(bank_start + MB(128), load_end); + + load_addr = load_end - info->image.len; + /* Align to 2MB */ + load_addr &= ~(MB(2) - 1); + } + else + load_addr = info->image.start; + + return load_addr; +} + +static bool __init first_bank_can_fit_modules(paddr_t ramsize, + paddr_t kernbase, paddr_t kernend, + paddr_t dtb_initrd_size) +{ const paddr_t kernsize = ROUNDUP(kernend, MB(2)) - kernbase; - const paddr_t ram128mb = rambase + MB(128); - paddr_t modbase; + /* + * Check only the aggregate kernel + DTB/initrd footprint. The actual + * DTB/initrd location is selected by find_dtb_initrd_placement(). + */ + return dtb_initrd_size + kernsize <= ramsize; +} - if ( modsize + kernsize > ramsize ) - panic("Not enough memory in the first bank for the kernel+dtb+initrd\n"); +static bool __init find_dtb_initrd_placement(paddr_t rambase, paddr_t ramend, + paddr_t kernbase, paddr_t kernend, + paddr_t dtb_initrd_size, + paddr_t *dtb_base) +{ + const paddr_t ram128mb = rambase + MB(128); /* * DTB must be loaded such that it does not conflict with the @@ -77,55 +109,64 @@ static void __init place_modules(struct kernel_info *info, * just before the kernel. * * If changing this then consider - * tools/libxc/xc_dom_arm.c:arch_setup_meminit as well. + * tools/libs/guest/xg_dom_arm.c:meminit as well. */ - if ( ramend >= ram128mb + modsize && kernend < ram128mb ) - modbase = ram128mb; - else if ( ramend - modsize > ROUNDUP(kernend, MB(2)) ) - modbase = ramend - modsize; - else if ( kernbase - rambase > modsize ) - modbase = kernbase - modsize; - else + if ( ramend >= ram128mb + dtb_initrd_size && kernend < ram128mb ) { - panic("Unable to find suitable location for dtb+initrd\n"); - return; + *dtb_base = ram128mb; + return true; } - info->dtb_paddr = modbase; - info->initrd_paddr = info->dtb_paddr + dtb_len; + if ( ramend - dtb_initrd_size > ROUNDUP(kernend, MB(2)) ) + { + *dtb_base = ramend - dtb_initrd_size; + return true; + } + + if ( kernbase - rambase > dtb_initrd_size ) + { + *dtb_base = kernbase - dtb_initrd_size; + return true; + } + + return false; } -static paddr_t __init kernel_zimage_place(struct kernel_info *info) +static void __init place_dtb_initrd(struct kernel_info *info, + paddr_t kernbase, paddr_t kernend) { + /* Align DTB and initrd size to 2Mb. Linux only requires 4 byte alignment */ + const struct boot_module *initrd = info->bd.initrd; const struct membanks *mem = kernel_info_get_mem(info); - paddr_t load_addr; + const paddr_t initrd_len = ROUNDUP(initrd ? initrd->size : 0, MB(2)); + const paddr_t dtb_len = ROUNDUP(fdt_totalsize(info->fdt), MB(2)); + const paddr_t dtb_initrd_size = initrd_len + dtb_len; -#ifdef CONFIG_HAS_DOMAIN_TYPE - if ( (info->type == DOMAIN_64BIT) && (info->image.start == 0) ) - return mem->bank[0].start + info->image.text_offset; -#endif + /* Convenient */ + const paddr_t rambase = mem->bank[0].start; + const paddr_t ramsize = mem->bank[0].size; + const paddr_t ramend = rambase + ramsize; - /* - * If start is zero, the zImage is position independent, in this - * case Documentation/arm/Booting recommends loading below 128MiB - * and above 32MiB. Load it as high as possible within these - * constraints, while also avoiding the DTB. - */ - if ( info->image.start == 0 ) - { - paddr_t load_end; + paddr_t dtb_base; - load_end = mem->bank[0].start + mem->bank[0].size; - load_end = MIN(mem->bank[0].start + MB(128), load_end); + if ( !first_bank_can_fit_modules(ramsize, kernbase, kernend, + dtb_initrd_size) ) + panic("Not enough memory in the first bank for the kernel+dtb+initrd\n"); - load_addr = load_end - info->image.len; - /* Align to 2MB */ - load_addr &= ~((2 << 20) - 1); - } - else - load_addr = info->image.start; + if ( !find_dtb_initrd_placement(rambase, ramend, kernbase, kernend, + dtb_initrd_size, &dtb_base) ) + panic("Unable to find suitable location for dtb+initrd\n"); - return load_addr; + info->dtb_paddr = dtb_base; + info->initrd_paddr = info->dtb_paddr + dtb_len; +} + +static paddr_t __init kernel_zimage_place(struct kernel_info *info) +{ + const struct membanks *mem = kernel_info_get_mem(info); + + return kernel_zimage_place_in_bank(info, mem->bank[0].start, + mem->bank[0].size); } static void __init kernel_zimage_load(struct kernel_info *info) @@ -143,7 +184,7 @@ static void __init kernel_zimage_load(struct kernel_info *info) if ( info->entry == 0 ) info->entry = load_addr; - place_modules(info, load_addr, load_addr + len); + place_dtb_initrd(info, load_addr, load_addr + len); printk("Loading zImage from %"PRIpaddr" to %"PRIpaddr"-%"PRIpaddr"\n", paddr, load_addr, load_addr + len); diff --git a/xen/common/device-tree/domain-build.c b/xen/common/device-tree/domain-build.c index 2a760b007b..f3ba496f1e 100644 --- a/xen/common/device-tree/domain-build.c +++ b/xen/common/device-tree/domain-build.c @@ -245,8 +245,8 @@ out: * hardware domain to have memory reachable by devices with limited DMA address * capabilities (e.g. 32-bit DMA). * - * The first bank allocated must be large enough for place_modules() to fit - * the kernel, DTB and initrd. + * The first bank allocated must be large enough for place_dtb_initrd() to + * fit the kernel, DTB and initrd. */ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) { @@ -302,7 +302,7 @@ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) paddr_t bank_size; /* - * The first bank must be large enough for place_modules() to + * The first bank must be large enough for place_dtb_initrd() to * fit the kernel, DTB and initrd. Skip small regions to avoid * ending up with a tiny first bank. */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:26:57 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:26:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333554.1596652 (Exim 4.92) (envelope-from ) id 1wWyLx-0003kw-6g; Tue, 09 Jun 2026 15:26:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333554.1596652; Tue, 09 Jun 2026 15:26:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLx-0003kp-43; Tue, 09 Jun 2026 15:26:57 +0000 Received: by outflank-mailman (input) for mailman id 1333554; Tue, 09 Jun 2026 15:26:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyLv-0003kg-NQ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyLv-001inx-39 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyLv-00GKRV-2B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:26:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+9WPKRTOR07mFGaW9WbV/7s9ciWlGQCOE+HYxlajDtE=; b=QF4ost21FwOWLjm6pY6TJLJ0fN HRqbtZq4X+uXGuI/z5MXu9JcKnV+ZPin+/gzbj+6y/OW7eH9FHORATMjPfieVs+MWsazIe8STjQXv in+9gfD63DBidz4Nz/VaWwLfEPJFHeqDhCFKZYS/E6gDkSWSb0IhAZbz+9Jffvnobmuk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] device-tree: validate hwdom bank 0 boot placement Message-Id: Date: Tue, 09 Jun 2026 15:26:55 +0000 commit af11b93e3e98235d38114ba44a6d3134aa2ba2a0 Author: Mykola Kvach AuthorDate: Mon Jun 8 07:39:19 2026 +0100 Commit: Michal Orzel CommitDate: Tue Jun 9 16:13:28 2026 +0100 device-tree: validate hwdom bank 0 boot placement With LLC coloring enabled, the hardware domain memory is allocated by allocate_hwdom_memory() rather than by using the fixed direct-map layout. Commit de99f3263555 ("device-tree: Improve hwdom memory allocation for DMA") made that allocator prefer lower host regions. The first-bank filter, however, still only checked the old 128MB heuristic. A low region can satisfy that heuristic but still be too small, or otherwise unsuitable, for the hardware-domain kernel and the DTB/initrd area to fit in bank 0 according to the Arm placement rules. Keep the existing first-bank size policy and add an architecture-specific candidate check. On Arm, compute the kernel load address for the candidate bank using the same logic as kernel_zimage_place(), verify that the kernel range is covered by that bank, and then reuse the same DTB/initrd placement helper as place_dtb_initrd(). The FDT is generated later, so use the hardware-domain FDT allocation size as a conservative upper bound for the final DTB size. Check the candidate after capping the host region by the remaining unassigned hardware-domain memory, so the validation is performed against the size that would actually become bank 0. This keeps the DMA-oriented allocation policy from de99f3263555 while preventing a too-small bank 0 from reaching place_dtb_initrd(). Make kernel_zimage_place_in_bank() return INVALID_PADDR when a position-independent zImage cannot be placed in the supplied bank; the real load path turns this into a panic, while the hwdom candidate check uses it to reject the bank. Fixes: de99f3263555 ("device-tree: Improve hwdom memory allocation for DMA") Signed-off-by: Mykola Kvach Release-Acked-by: Oleksii Kurochko Reviewed-by: Michal Orzel --- xen/arch/arm/acpi/domain_build.c | 2 -- xen/arch/arm/domain_build.c | 8 +++++ xen/arch/arm/include/asm/domain_build.h | 4 +++ xen/arch/arm/include/asm/kernel.h | 10 +++++++ xen/arch/arm/kernel.c | 53 +++++++++++++++++++++++++++++++-- xen/common/device-tree/domain-build.c | 25 +++++++++++----- xen/include/xen/fdt-kernel.h | 14 +++++++++ 7 files changed, 105 insertions(+), 11 deletions(-) diff --git a/xen/arch/arm/acpi/domain_build.c b/xen/arch/arm/acpi/domain_build.c index 249d899c33..db16f7fa94 100644 --- a/xen/arch/arm/acpi/domain_build.c +++ b/xen/arch/arm/acpi/domain_build.c @@ -26,8 +26,6 @@ #undef virt_to_mfn #define virt_to_mfn(va) _mfn(__virt_to_mfn(va)) -#define ACPI_DOM0_FDT_MIN_SIZE 4096 - static int __init acpi_iomem_deny_access(struct domain *d) { acpi_status status; diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index 1efddc60ef..550617f152 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -115,6 +115,14 @@ int __init parse_arch_dom0_param(const char *s, const char *e) (IS_ENABLED(CONFIG_STATIC_SHM) ? \ (NR_SHMEM_BANKS * (160 + 16)) : 0)) +paddr_t __init hwdom_get_fdt_alloc_size(void) +{ + if ( acpi_disabled ) + return fdt_totalsize(device_tree_flattened) + DOM0_FDT_EXTRA_SIZE; + + return ACPI_DOM0_FDT_MIN_SIZE; +} + unsigned int __init dom0_max_vcpus(void) { if ( opt_dom0_max_vcpus == 0 ) diff --git a/xen/arch/arm/include/asm/domain_build.h b/xen/arch/arm/include/asm/domain_build.h index df8b361b3d..85cf46a958 100644 --- a/xen/arch/arm/include/asm/domain_build.h +++ b/xen/arch/arm/include/asm/domain_build.h @@ -19,6 +19,10 @@ int prepare_acpi(struct domain *d, struct kernel_info *kinfo); int add_ext_regions(unsigned long s_gfn, unsigned long e_gfn, void *data); +#define ACPI_DOM0_FDT_MIN_SIZE 4096 + +paddr_t hwdom_get_fdt_alloc_size(void); + #if defined(CONFIG_MPU) && defined(CONFIG_ARM_64) /* Utility function to determine if an Armv8-R processor supports VMSA. */ bool has_v8r_vmsa_support(void); diff --git a/xen/arch/arm/include/asm/kernel.h b/xen/arch/arm/include/asm/kernel.h index 21f4273fa1..b86c7337fe 100644 --- a/xen/arch/arm/include/asm/kernel.h +++ b/xen/arch/arm/include/asm/kernel.h @@ -8,12 +8,22 @@ #include +#include + +struct kernel_info; + struct arch_kernel_info { /* Enable pl011 emulation */ bool vpl011; }; +#define arch_hwdom_first_bank_can_fit_modules \ + arch_hwdom_first_bank_can_fit_modules +bool arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size); + #endif /* #ifdef __ARCH_ARM_KERNEL_H__ */ /* diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c index d1be4d8074..47229644b2 100644 --- a/xen/arch/arm/kernel.c +++ b/xen/arch/arm/kernel.c @@ -64,6 +64,9 @@ kernel_zimage_place_in_bank(const struct kernel_info *info, load_end = bank_start + bank_size; load_end = MIN(bank_start + MB(128), load_end); + if ( load_end - bank_start < info->image.len ) + return INVALID_PADDR; + load_addr = load_end - info->image.len; /* Align to 2MB */ load_addr &= ~(MB(2) - 1); @@ -164,9 +167,55 @@ static void __init place_dtb_initrd(struct kernel_info *info, static paddr_t __init kernel_zimage_place(struct kernel_info *info) { const struct membanks *mem = kernel_info_get_mem(info); + paddr_t load_addr; + + load_addr = kernel_zimage_place_in_bank(info, mem->bank[0].start, + mem->bank[0].size); + if ( load_addr == INVALID_PADDR ) + panic("Unable to find suitable location for the kernel\n"); + + return load_addr; +} + +bool __init arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size) +{ + const struct boot_module *initrd = info->bd.initrd; + /* + * place_dtb_initrd() rounds the DTB and initrd placement to 2MB boundaries; + * use the same granularity when checking whether the first bank can hold + * them. + */ + const paddr_t initrd_len = ROUNDUP(initrd ? initrd->size : 0, MB(2)); + /* + * The hardware domain FDT has not been generated yet. Use the allocation + * size as a conservative upper bound for the final DTB size. + */ + const paddr_t dtb_len = ROUNDUP(hwdom_get_fdt_alloc_size(), MB(2)); + const paddr_t rambase = bank_start; + const paddr_t ramsize = bank_size; + const paddr_t dtb_initrd_size = initrd_len + dtb_len; + const paddr_t ramend = rambase + ramsize; + paddr_t kernbase; + paddr_t kernend; + paddr_t dtb_base; + + kernbase = kernel_zimage_place_in_bank(info, bank_start, bank_size); + if ( kernbase == INVALID_PADDR ) + return false; + + kernend = kernbase + info->image.len; + + if ( (kernbase < rambase) || (kernend > ramend) ) + return false; + + if ( !first_bank_can_fit_modules(ramsize, kernbase, kernend, + dtb_initrd_size) ) + return false; - return kernel_zimage_place_in_bank(info, mem->bank[0].start, - mem->bank[0].size); + return find_dtb_initrd_placement(rambase, ramend, kernbase, kernend, + dtb_initrd_size, &dtb_base); } static void __init kernel_zimage_load(struct kernel_info *info) diff --git a/xen/common/device-tree/domain-build.c b/xen/common/device-tree/domain-build.c index f3ba496f1e..30a59abfa7 100644 --- a/xen/common/device-tree/domain-build.c +++ b/xen/common/device-tree/domain-build.c @@ -299,20 +299,31 @@ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) for ( i = 0; (kinfo->unassigned_mem > 0) && (i < nr_banks); i++ ) { - paddr_t bank_size; + const paddr_t bank_start = hwdom_free_mem->bank[i].start; + paddr_t bank_size = hwdom_free_mem->bank[i].size; + + /* + * Check the size that would actually be assigned, not just the size + * of the host region. + */ + bank_size = min(bank_size, kinfo->unassigned_mem); /* * The first bank must be large enough for place_dtb_initrd() to * fit the kernel, DTB and initrd. Skip small regions to avoid * ending up with a tiny first bank. */ - if ( !mem->nr_banks && (hwdom_free_mem->bank[i].size < min_bank_size) ) - continue; + if ( !mem->nr_banks ) + { + if ( bank_size < min_bank_size ) + continue; + + if ( !arch_hwdom_first_bank_can_fit_modules(kinfo, bank_start, + bank_size) ) + continue; + } - bank_size = MIN(hwdom_free_mem->bank[i].size, kinfo->unassigned_mem); - if ( !allocate_bank_memory(kinfo, - gaddr_to_gfn(hwdom_free_mem->bank[i].start), - bank_size) ) + if ( !allocate_bank_memory(kinfo, gaddr_to_gfn(bank_start), bank_size) ) { xfree(hwdom_free_mem); return false; diff --git a/xen/include/xen/fdt-kernel.h b/xen/include/xen/fdt-kernel.h index 00c37be101..95d7a4299e 100644 --- a/xen/include/xen/fdt-kernel.h +++ b/xen/include/xen/fdt-kernel.h @@ -93,6 +93,20 @@ kernel_info_get_mem_const(const struct kernel_info *kinfo) return container_of(&kinfo->mem.common, const struct membanks, common); } +/* + * Return whether the proposed hardware-domain first RAM bank can satisfy the + * architecture-specific kernel, DTB and initrd boot placement requirements. + */ +#ifndef arch_hwdom_first_bank_can_fit_modules +static inline bool +arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size) +{ + return true; +} +#endif + #ifndef KERNEL_INFO_SHM_MEM_INIT #ifdef CONFIG_STATIC_SHM -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333622.1596728 (Exim 4.92) (envelope-from ) id 1wWyn9-0005K8-61; Tue, 09 Jun 2026 15:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333622.1596728; Tue, 09 Jun 2026 15:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyn9-0005Jy-3E; Tue, 09 Jun 2026 15:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1333622; Tue, 09 Jun 2026 15:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyn8-0005Js-CV for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyn8-001jH6-21 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyn8-00Gp3R-0y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Zwb8/Y3vXhbiNeVkXVq6GtiX5YfEyQg9hY8GMFXUXGk=; b=txlg9V1DO1I+VyvAsa/9Q+/fFu PesD8MekcACQX0ScEI3TtnNkPQ5wlRWUx2PvdArjq2I7MLZ8YDlIYb6o9B71CJt5hVjlJTKfSTT+C a9MLN8zoE36XgI5ijkWovPivnSrVF10HrAKIAl8Thg/9BBSvrhEJGIHbR94qJPpf/MFU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] HACK: Disable Eclair, MacOS Message-Id: Date: Tue, 09 Jun 2026 15:55:02 +0000 commit 3f4d62dce7f5fe168e849d7fa6082853d07ad3bc Author: Andrew Cooper AuthorDate: Thu Jun 4 20:20:00 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:42:21 2026 +0100 HACK: Disable Eclair, MacOS --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ef4484e09a..da236e3347 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,6 +10,5 @@ stages: - test include: - - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333623.1596732 (Exim 4.92) (envelope-from ) id 1wWynJ-0005Mx-7R; Tue, 09 Jun 2026 15:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333623.1596732; Tue, 09 Jun 2026 15:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynJ-0005Mp-4T; Tue, 09 Jun 2026 15:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1333623; Tue, 09 Jun 2026 15:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynI-0005Mi-Fy for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWynI-001jIv-2O for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWynI-00GpIN-1M for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uXoufQjtWUTLXypBGnDYcjeWyDrb0zV/ewRxqAo8Bd4=; b=W3O6E0DfeTm5eXJgJZAua7ASnd kz/6BVUEePUnQeeada/U9AaLcc65xN1Poh+piPjsmpfssUyq1Ccp4OyXIFDACPoq4EqZXCZSx3ceS 4jayx1fCtiwl2tG4dL5A9pwVpg5D1neraoTyylOzJ12wlgL4MdtVdvgU3qd9CH8vlRao=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/HVM: add locking to I/O port translation list traversal Message-Id: Date: Tue, 09 Jun 2026 15:55:12 +0000 commit 4ef23e64ebf9ef5d22bdb53b8ab418ee18a49037 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:38 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 21:42:21 2026 +0100 x86/HVM: add locking to I/O port translation list traversal XEN_DOMCTL_ioport_mapping is usable by DM stubdoms, and hence we can't assume the list to be left unaltered while the guest (really: the hypervisor on behalf of the guest) is accessing it. This is XSA-491 / CVE-2026-42487. Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 7787f8e9396d06026f72d3db13e836f365e085f8) --- xen/arch/x86/domctl.c | 8 ++++ xen/arch/x86/hvm/emulate.c | 1 - xen/arch/x86/hvm/hvm.c | 1 + xen/arch/x86/hvm/io.c | 72 +++++++++++++++++++++++++---------- xen/arch/x86/include/asm/hvm/domain.h | 1 + xen/arch/x86/include/asm/hvm/vcpu.h | 2 - 6 files changed, 61 insertions(+), 24 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 9bb90a83cf..877a6767a0 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -619,6 +619,7 @@ long arch_do_domctl( "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if (g2m_ioport->mport == fmp ) { @@ -640,11 +641,14 @@ long arch_do_domctl( g2m_ioport->np = np; list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); } + write_unlock(&hvm->g2m_ioport_lock); if ( !ret ) ret = ioports_permit_access(d, fmp, fmp + np - 1); if ( ret && !found && g2m_ioport ) { + write_lock(&hvm->g2m_ioport_lock); list_del(&g2m_ioport->list); + write_unlock(&hvm->g2m_ioport_lock); xfree(g2m_ioport); } } @@ -653,6 +657,8 @@ long arch_do_domctl( printk(XENLOG_G_INFO "ioport_map:remove: dom%d gport=%x mport=%x nr=%x\n", d->domain_id, fgp, fmp, np); + + write_lock(&hvm->g2m_ioport_lock); list_for_each_entry(g2m_ioport, &hvm->g2m_ioport_list, list) if ( g2m_ioport->mport == fmp ) { @@ -660,6 +666,8 @@ long arch_do_domctl( xfree(g2m_ioport); break; } + write_unlock(&hvm->g2m_ioport_lock); + ret = ioports_deny_access(d, fmp, fmp + np - 1); if ( ret && is_hardware_domain(currd) ) printk(XENLOG_ERR diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index aa77466a77..af443555cc 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -157,7 +157,6 @@ void hvmemul_cancel(struct vcpu *v) hvio->mmio_insn_bytes = 0; hvio->mmio_access = (struct npfec){}; hvio->mmio_retry = false; - hvio->g2m_ioport = NULL; hvmemul_cache_disable(v); } diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 3662e23cb6..f679fc0a44 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -596,6 +596,7 @@ int hvm_domain_initialise(struct domain *d, spin_lock_init(&d->arch.hvm.irq_lock); spin_lock_init(&d->arch.hvm.uc_lock); spin_lock_init(&d->arch.hvm.write_map.lock); + rwlock_init(&d->arch.hvm.g2m_ioport_lock); rwlock_init(&d->arch.hvm.mmcfg_lock); INIT_LIST_HEAD(&d->arch.hvm.write_map.list); INIT_LIST_HEAD(&d->arch.hvm.g2m_ioport_list); diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c index d75af83ad0..1d676833c7 100644 --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -145,36 +145,56 @@ bool handle_pio(uint16_t port, unsigned int size, int dir) return true; } -static bool cf_check g2m_portio_accept( - const struct hvm_io_handler *handler, const ioreq_t *p) +/* NB: Returns with the lock held in the success case. */ +static const struct g2m_ioport *g2m_portio_find_and_lock(struct hvm_domain *hvm, + uint64_t addr, + uint32_t size) { - struct vcpu *curr = current; - const struct hvm_domain *hvm = &curr->domain->arch.hvm; - struct hvm_vcpu_io *hvio = &curr->arch.hvm.hvm_io; - struct g2m_ioport *g2m_ioport; - unsigned int start, end; + const struct g2m_ioport *g2m_ioport; + + read_lock(&hvm->g2m_ioport_lock); list_for_each_entry( g2m_ioport, &hvm->g2m_ioport_list, list ) { - start = g2m_ioport->gport; - end = start + g2m_ioport->np; - if ( (p->addr >= start) && (p->addr + p->size <= end) ) - { - hvio->g2m_ioport = g2m_ioport; - return 1; - } + unsigned int start = g2m_ioport->gport; + + if ( addr >= start && addr + size <= start + g2m_ioport->np ) + return g2m_ioport; } - return 0; + read_unlock(&hvm->g2m_ioport_lock); + + return NULL; +} + +static bool cf_check g2m_portio_accept( + const struct hvm_io_handler *handler, const ioreq_t *p) +{ + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, p->addr, p->size); + + if ( !g2m_ioport ) + return false; + + read_unlock(&hvm->g2m_ioport_lock); + + return true; } static int cf_check g2m_portio_read( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -191,6 +211,8 @@ static int cf_check g2m_portio_read( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } @@ -198,9 +220,15 @@ static int cf_check g2m_portio_write( const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t data) { - struct hvm_vcpu_io *hvio = ¤t->arch.hvm.hvm_io; - const struct g2m_ioport *g2m_ioport = hvio->g2m_ioport; - unsigned int mport = (addr - g2m_ioport->gport) + g2m_ioport->mport; + struct hvm_domain *hvm = ¤t->domain->arch.hvm; + const struct g2m_ioport *g2m_ioport = + g2m_portio_find_and_lock(hvm, addr, size); + unsigned int mport; + + if ( !g2m_ioport ) + return X86EMUL_RETRY; + + mport = addr - g2m_ioport->gport + g2m_ioport->mport; switch ( size ) { @@ -217,6 +245,8 @@ static int cf_check g2m_portio_write( BUG(); } + read_unlock(&hvm->g2m_ioport_lock); + return X86EMUL_OKAY; } diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h index 333501d5f2..1b2c59b18b 100644 --- a/xen/arch/x86/include/asm/hvm/domain.h +++ b/xen/arch/x86/include/asm/hvm/domain.h @@ -125,6 +125,7 @@ struct hvm_domain { /* List of guest to machine IO ports mapping. */ struct list_head g2m_ioport_list; + rwlock_t g2m_ioport_lock; /* List of MMCFG regions trapped by Xen. */ struct list_head mmcfg_regions; diff --git a/xen/arch/x86/include/asm/hvm/vcpu.h b/xen/arch/x86/include/asm/hvm/vcpu.h index 3985994298..4e61b87df3 100644 --- a/xen/arch/x86/include/asm/hvm/vcpu.h +++ b/xen/arch/x86/include/asm/hvm/vcpu.h @@ -54,8 +54,6 @@ struct hvm_vcpu_io { unsigned long msix_unmask_address; unsigned long msix_snoop_address; unsigned long msix_snoop_gpa; - - const struct g2m_ioport *g2m_ioport; }; struct nestedvcpu { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333624.1596736 (Exim 4.92) (envelope-from ) id 1wWynT-0005Pt-A3; Tue, 09 Jun 2026 15:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333624.1596736; Tue, 09 Jun 2026 15:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynT-0005Pl-7R; Tue, 09 Jun 2026 15:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1333624; Tue, 09 Jun 2026 15:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynS-0005Pf-Ip for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWynS-001jJW-2g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWynS-00GpSj-1g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FWfyaIR8309Q3AW+W7+QSVBkDewxmrQR2fUc+i6oz3k=; b=jpzemZt2mvx6PgMfkHtYsVcibb q1JDJoqlO3MUm1jZXAWkrCAoGJlKyS7VKk8G5Z8YjkqxGArfti34WrgbGmL1n+PykSsgr439Vkon3 EEJUqeiiOyPbgRwzvWiH6Cymjp8quh6HSmVhJZ1ashyNyt0aRpUztthWHJDX9YvLgXt8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/xsm: make getdomaininfo xsm dummy checks more stringent Message-Id: Date: Tue, 09 Jun 2026 15:55:22 +0000 commit b471a845b1f2c066cfc2a991d5eb3f89779cac41 Author: Juergen Gross AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:28:57 2026 +0100 xen/xsm: make getdomaininfo xsm dummy checks more stringent Today the dummy XSM privilege checks for getdomaininfo are less stringent than possible: they basically rely on the general sysctl/domctl entry check to do all tests and then do the test with the XSM_HOOK privilege, which is an "allow all" default. Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really wanted. Note that this test is still wider than the sysctl entry test, but there is no easy way to make both domctl and sysctl happy at the same time. Signed-off-by: Juergen Gross Acked-by: Daniel P. Smith master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73 master date: 2024-12-16 13:06:55 +0100 --- xen/common/domctl.c | 2 +- xen/common/sysctl.c | 2 +- xen/include/xsm/dummy.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6cf78d4975..4c2773ed1f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -535,7 +535,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_HOOK, d); + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); if ( ret ) break; diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 7cabfb0230..2d04a9e161 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break; - if ( xsm_getdomaininfo(XSM_HOOK, d) ) + if ( xsm_getdomaininfo(XSM_XS_PRIV, d) ) continue; getdomaininfo(d, &info); diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 3286befeca..4b5f07ad27 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domain_create( static XSM_INLINE int cf_check xsm_getdomaininfo( XSM_DEFAULT_ARG struct domain *d) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_XS_PRIV); return xsm_default_action(action, current->domain, d); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333625.1596739 (Exim 4.92) (envelope-from ) id 1wWynd-0005Rt-BE; Tue, 09 Jun 2026 15:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333625.1596739; Tue, 09 Jun 2026 15:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynd-0005Rl-8j; Tue, 09 Jun 2026 15:55:33 +0000 Received: by outflank-mailman (input) for mailman id 1333625; Tue, 09 Jun 2026 15:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWync-0005Rd-MN for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWync-001jJc-30 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWync-00Gpd6-1z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ub3/44lxMI2q9kcRt59ZOzjQVUdlywf/43HUoABXLCY=; b=G2J+bCd8r3kTL0GDBD+ZgpnxHx PstBOUX7hhiNkYul6/xw0lyaCc9GF02lDF1bu8rP1E3s7/E1a8KHFED0f3VYxSgR6Wofwqp/O5YHn DaU3IEAKK4kNONIErhpYGDaqnDnPdgW+KZCbz6Z3B69Z0u6i8l5RGNrluZFXNh72k+0U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] sched: use sequence counter to enlighten vcpu_runstate_get() Message-Id: Date: Tue, 09 Jun 2026 15:55:32 +0000 commit 3786cf1cc1ca118393972c6a98b701222dfc23d9 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 sched: use sequence counter to enlighten vcpu_runstate_get() Subsequently XEN_DOMCTL_getdomaininfo will want to invoke the function without holding a lock, thus allowing parallel execution of potentially many instances. As was learned from 228ab9992ffb ("domctl: improve locking during domain destruction"), reverted by d0887cc6b16e, such parallelism can result in severe lock contention on any (previously) inner lock. To avoid taking that risk replace the use of the scheduler lock in vcpu_runstate_get() by a newly introduced sequence counter. Convert the "no lock if current" property to "use a local counter instance", thus guaranteeing the loop to exit after the first iteration. Skeleton and commentary of the seqcount implementation based on / derived from Linux 6.11-rc. To have runstate_seq placed next to runstate in struct vcpu, without introducing a new obvious padding hole, yet while keeping the latter adjacent to runstate_guest{,_area} as well, move runstate down a little. This is part of XSA-492. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Juergen Gross (cherry picked from commit 1dc4d5d81822541a5cc82fa6387d2d73eebc7023) --- xen/common/sched/core.c | 47 +++++++-------- xen/include/xen/sched.h | 4 +- xen/include/xen/seqcount.h | 139 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+), 28 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index cbaa292bb2..3e6e35a1e6 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -280,13 +280,18 @@ static inline void vcpu_runstate_change( } delta = new_entry_time - v->runstate.state_entry_time; - if ( delta > 0 ) + + /* Serialization: ->schedule_lock (see ASSERT() above). */ + with_seq_write(&v->runstate_seq) { - v->runstate.time[v->runstate.state] += delta; - v->runstate.state_entry_time = new_entry_time; - } + if ( delta > 0 ) + { + v->runstate.time[v->runstate.state] += delta; + v->runstate.state_entry_time = new_entry_time; + } - v->runstate.state = new_state; + v->runstate.state = new_state; + } } void sched_guest_idle(void (*idle) (void), unsigned int cpu) @@ -306,30 +311,18 @@ void sched_guest_idle(void (*idle) (void), unsigned int cpu) void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate) { - spinlock_t *lock; - s_time_t delta; - struct sched_unit *unit; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = likely(v == current) ? &seq : &v->runstate_seq; - rcu_read_lock(&sched_res_rculock); - - /* - * Be careful in case of an idle vcpu: the assignment to a unit might - * change even with the scheduling lock held, so be sure to use the - * correct unit for locking in order to avoid triggering an ASSERT() in - * the unlock function. - */ - unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle - : v->sched_unit; - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); - memcpy(runstate, &v->runstate, sizeof(*runstate)); - delta = NOW() - runstate->state_entry_time; - if ( delta > 0 ) - runstate->time[runstate->state] += delta; - - if ( unlikely(lock != NULL) ) - unit_schedule_unlock_irq(lock, unit); + until_seq_read(s) + { + s_time_t delta; - rcu_read_unlock(&sched_res_rculock); + *runstate = v->runstate; + delta = NOW() - runstate->state_entry_time; + if ( delta > 0 ) + runstate->time[runstate->state] += delta; + } } uint64_t get_cpu_idle_time(unsigned int cpu) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 3609ef88c4..e041ac9e08 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,6 @@ struct vcpu struct sched_unit *sched_unit; - struct vcpu_runstate_info runstate; #ifndef CONFIG_COMPAT # define runstate_guest(v) ((v)->runstate_guest) XEN_GUEST_HANDLE(vcpu_runstate_info_t) runstate_guest; /* guest address */ @@ -204,6 +204,8 @@ struct vcpu } runstate_guest; /* guest address */ #endif struct guest_area runstate_guest_area; + struct vcpu_runstate_info runstate; + struct seqcount runstate_seq; unsigned int new_state; /* Has the FPU been initialised? */ diff --git a/xen/include/xen/seqcount.h b/xen/include/xen/seqcount.h new file mode 100644 index 0000000000..b5faf422e4 --- /dev/null +++ b/xen/include/xen/seqcount.h @@ -0,0 +1,139 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef XEN_SEQCOUNT_H +#define XEN_SEQCOUNT_H + +#include +#include + +#include +#include + +/* + * Sequence counters (seqcount_t) + * + * This is the raw counting mechanism, without any writer protection. + * + * Write side critical sections must be serialized (and non-preemptible). + * + * If readers can be invoked from interrupt contexts, interrupts must also + * be respectively disabled before entering the write section. + * + * This mechanism can't be used if the protected data contains pointers, + * as the writer can invalidate a pointer that a reader is following. + */ +struct seqcount { + unsigned int sequence; +}; + +/* + * SEQCNT_ZERO() - initializer for seqcount_t + * @name: Name of the struct seqcount instance + */ +#define SEQCNT_ZERO() { .sequence = 0 } + +static inline unsigned int seqprop_sequence(const struct seqcount *s) +{ + return ACCESS_ONCE(s->sequence); +} + +/* + * read_seqcount_begin() - begin a seqcount read critical section + * @s: Pointer to struct seqcount + * + * Return: count to be passed to read_seqcount_retry() + */ +static inline unsigned int _read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq; + + while ((seq = seqprop_sequence(s)) & 1) + cpu_relax(); + + smp_rmb(); + + return seq; +} + +static always_inline unsigned int read_seqcount_begin(const struct seqcount *s) +{ + unsigned int seq = _read_seqcount_begin(s); + + block_lock_speculation(); + + return seq; +} + +/* + * read_seqcount_retry() - end a seqcount read critical section + * @s: Pointer to struct seqcount + * @start: count, from read_seqcount_begin() + * + * read_seqcount_retry closes the read critical section of given struct + * seqcount. If the critical section was invalid, it must be ignored + * (and typically retried). + * + * Return: true if a read section retry is required, else false + */ +static inline bool _read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + smp_rmb(); + return unlikely(seqprop_sequence(s) != start); +} + +static always_inline bool read_seqcount_retry(const struct seqcount *s, + unsigned int start) +{ + return lock_evaluate_nospec(_read_seqcount_retry(s, start)); +} + +/* Loops until a consistent count has been observed across the loop body. */ +#define until_seq_read(seq) \ + for ( unsigned int retry_ = 1, count_; \ + retry_ && (count_ = read_seqcount_begin(seq), true); \ + retry_ = read_seqcount_retry(seq, count_) ) + +/* + * write_seqcount_begin() - start a struct seqcount write side critical section + * @s: Pointer to struct seqcount + * + * Context: sequence counter write side sections must be serialized. + * If readers can be invoked from interrupt context, interrupts must be + * respectively disabled. + */ +static inline void write_seqcount_begin(struct seqcount *s) +{ + add_sized(&s->sequence, 1); + smp_wmb(); +} + +/* + * write_seqcount_end() - end a struct seqcount write side critical section + * @s: Pointer to seqcount + */ +static inline void write_seqcount_end(struct seqcount *s) +{ + smp_wmb(); + add_sized(&s->sequence, 1); +} + +/* + * Not really a loop, but we need write_seqcount_{begin,end}() in the correct + * position. + */ +#define with_seq_write(seq) \ + for ( bool once_ = true; \ + once_ && (write_seqcount_begin(seq), true); \ + (write_seqcount_end(seq), once_ = false) ) + +#endif /* XEN_SEQCOUNT_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333626.1596744 (Exim 4.92) (envelope-from ) id 1wWyno-0005Tu-CZ; Tue, 09 Jun 2026 15:55:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333626.1596744; Tue, 09 Jun 2026 15:55:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyno-0005Tm-A4; Tue, 09 Jun 2026 15:55:44 +0000 Received: by outflank-mailman (input) for mailman id 1333626; Tue, 09 Jun 2026 15:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynm-0005Td-P3 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWynn-001jJj-04 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWynm-00GpkN-2I for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DEl5LOxfU5+CHNqw0iI3+sIcg39zgFJBNk+deg+eFTk=; b=YQ32vvRS3dWXdj3TaXO0X9O47R DKsYXuq11MXUGM5c3acUx5WZc4ogelJolIsjQNICMedDkQMoMLWGGv/AHwYd8Oimp4qfQpj6L0wJn /dDrvoxtQg3P7GE7A1Vrh7I3Qe68OnW42nMXZAjXrahVhC6QrNygoNL8gxgJYOLbEBGc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:55:42 +0000 commit 64327f3e892380a97358943df2de5907fd83b0b1 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_getdomaininfo without acquiring domctl lock getdomaininfo() is not called under consistently the same lock. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. (Callers not pausing the domain they want to retrieve information for already need to be aware that not all of the data returned can be relied on as being consistent; most data will also be stale by the time the caller gets to look at it.) Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. While moving, convert an assignment to an assertion: The domain in question was determined from the field which previously was "updated". This is part of XSA-492. Fixes: 5513bd0b4675 ("add xenstore domain flag to hypervisor") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 784bd4dc0bc440b978b80b6945c4bc380b28e32d) --- xen/common/domctl.c | 31 ++++++++++++++++++++----------- xen/include/xsm/dummy.h | 5 ++++- xen/xsm/flask/hooks.c | 6 +++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 4c2773ed1f..f1cdb4b61b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -318,6 +318,26 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; } + /* Handle sub-ops not requiring the domctl lock. */ + switch ( op->cmd ) + { + case XEN_DOMCTL_getdomaininfo: + ret = xsm_getdomaininfo(XSM_XS_PRIV, d); + if ( !ret ) + { + getdomaininfo(d, &op->u.getdomaininfo); + + ASSERT(op->domain == op->u.getdomaininfo.domain); + copyback = true; + } + + goto domctl_out_unlock_domonly; + + default: + /* Everything else handled further down. */ + break; + } + ret = xsm_domctl(XSM_OTHER, d, op->cmd, /* SSIDRef only applicable for cmd == createdomain */ op->u.createdomain.ssidref); @@ -534,17 +554,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = 1; break; - case XEN_DOMCTL_getdomaininfo: - ret = xsm_getdomaininfo(XSM_XS_PRIV, d); - if ( ret ) - break; - - getdomaininfo(d, &op->u.getdomaininfo); - - op->domain = op->u.getdomaininfo.domain; - copyback = 1; - break; - case XEN_DOMCTL_getvcpucontext: { vcpu_guest_context_u c = { .nat = NULL }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4b5f07ad27..2ed193689f 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,8 +172,11 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); + case XEN_DOMCTL_getdomaininfo: - return xsm_default_action(XSM_XS_PRIV, current->domain, d); + ASSERT_UNREACHABLE(); + return -EILSEQ; + default: return xsm_default_action(XSM_PRIV, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 35237a00c4..556bc60a6a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -678,8 +678,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, */ return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); - /* These have individual XSM hooks (common/domctl.c) */ + /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + ASSERT_UNREACHABLE(); + return -EILSEQ; + + /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:55:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:55:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333628.1596747 (Exim 4.92) (envelope-from ) id 1wWyny-0005X4-E0; Tue, 09 Jun 2026 15:55:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333628.1596747; Tue, 09 Jun 2026 15:55:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyny-0005Wx-BW; Tue, 09 Jun 2026 15:55:54 +0000 Received: by outflank-mailman (input) for mailman id 1333628; Tue, 09 Jun 2026 15:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWynw-0005Wp-SZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWynx-001jJn-0R for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWynw-00Gptd-2c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Xd9HUxbvLBEz1ymxW8LHxgHNu+SSiBj+tAZlIf0SfHM=; b=iCAY+vRjfzAjlGhQtRhZHFmGfX 7RFzuBdNrn8UsmrLGXgJAotjL738j4qO4/JECbk5InR7/HqLx63Gr1oCjZ8b9LNhw/I49Q+fN2d6Q TB26CzVFOqYM6y6mE0V8lrVDfDpQ2JIIUBw8eDdlHmpj2OIbG9onS9o91K6CaY/Afwo8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domain: locking for iomem_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:55:52 +0000 commit f91eab583f97f413e525f71bae2de3b94f44b666 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domain: locking for iomem_caps accesses In order to be able to pull at least the XEN_DOMCTL_iomem_mapping handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_iomem_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit 960713dfd4a405e67e9f174302f8f9fd9e0e50dc) --- xen/common/domain.c | 6 ++++++ xen/common/domctl.c | 53 +++++++++++++++++++++++++++++++++++++++---------- xen/include/xen/iocap.h | 3 +++ xen/include/xen/sched.h | 1 + 4 files changed, 52 insertions(+), 11 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 62832a5860..68a5112283 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -332,10 +332,15 @@ static int late_hwdom_init(struct domain *d) * may be modified after this hypercall returns if a more complex * device model is desired. */ + write_lock(&dom0->caps_lock); rangeset_swap(d->irq_caps, dom0->irq_caps); rangeset_swap(d->iomem_caps, dom0->iomem_caps); #ifdef CONFIG_X86 rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); +#endif + write_unlock(&dom0->caps_lock); + +#ifdef CONFIG_X86 setup_io_bitmap(d); setup_io_bitmap(dom0); #endif @@ -631,6 +636,7 @@ struct domain *domain_create(domid_t domid, spin_lock_init_prof(d, domain_lock); spin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); + rwlock_init(&d->caps_lock); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); INIT_PAGE_LIST_HEAD(&d->xenpage_list); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f1cdb4b61b..7b7096f5ea 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -278,6 +278,35 @@ static struct vnuma_info *vnuma_init(const struct xen_domctl_vnuma *uinfo, return ERR_PTR(ret); } +void iocaps_double_lock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d->domain_id > currd->domain_id ) + read_lock(&currd->caps_lock); + + if ( write ) + write_lock(&d->caps_lock); + else + read_lock(&d->caps_lock); + + if ( d->domain_id < currd->domain_id ) + read_lock(&currd->caps_lock); +} + +void iocaps_double_unlock(struct domain *d, bool write) +{ + struct domain *currd = current->domain; + + if ( d != currd ) + read_unlock(&currd->caps_lock); + + if ( write ) + write_unlock(&d->caps_lock); + else + read_unlock(&d->caps_lock); +} + long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) { long ret = 0; @@ -689,6 +718,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ break; + iocaps_double_lock(d, true); + if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) || xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) @@ -697,6 +728,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); break; } @@ -721,19 +754,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; #endif + iocaps_double_lock(d, false); + ret = -EPERM; if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) - break; - - ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); - if ( ret ) - break; - - if ( !paging_mode_translate(d) ) - break; - - if ( add ) + !iomem_access_permitted(d, mfn, mfn_end) || + (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || + !paging_mode_translate(d) ) + /* Nothing. */; + else if ( add ) { printk(XENLOG_G_DEBUG "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", @@ -757,6 +786,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } + + iocaps_double_unlock(d, false); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index ffbc48b60f..cb36ebbeeb 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -12,6 +12,9 @@ #include #include +void iocaps_double_lock(struct domain *d, bool write); +void iocaps_double_unlock(struct domain *d, bool write); + static inline int iomem_permit_access(struct domain *d, unsigned long s, unsigned long e) { diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index e041ac9e08..12127debb4 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -493,6 +493,7 @@ struct domain #endif /* I/O capabilities (access to IRQs and memory-mapped I/O). */ + rwlock_t caps_lock; struct rangeset *iomem_caps; struct rangeset *irq_caps; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333629.1596753 (Exim 4.92) (envelope-from ) id 1wWyo8-0005Zg-HA; Tue, 09 Jun 2026 15:56:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333629.1596753; Tue, 09 Jun 2026 15:56:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyo8-0005ZW-E7; Tue, 09 Jun 2026 15:56:04 +0000 Received: by outflank-mailman (input) for mailman id 1333629; Tue, 09 Jun 2026 15:56:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyo6-0005ZN-Vc for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyo7-001jK2-0k for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyo6-00Gq3J-2x for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ejiee0n/tQM6IyjhLOSt6lUgOm1j1A1eRSriODhsLc4=; b=nNVsQiuzc5IfKpouYTzuBGwc1E vaEXaBvxxe/TWMsk+akf+w2f9yt0THP4cRasOWh0v2vvNRrealjXla2bnLoT3gsr5PNEwlyO3MuNd B2w2uQCgayi5VgzhL5B6k7gm4F3PiGFKWRvAYnhiGsueztqDhZ7fNY+Xj/PR7XCuvyKg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/domain: locking for ioport_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:56:02 +0000 commit 12659bf43eb3d8b5840b4b9496da792b3f708759 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 x86/domain: locking for ioport_caps accesses In order to be able to pull at least the XEN_DOMCTL_ioport_mapping handling out of the domctl-locked region, the new separate (per-domain) lock is used to synchronize in particular with XEN_DOMCTL_ioport_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné (cherry picked from commit c9f4586766c4ceeaf013fbc02ad79359c62102c3) --- xen/arch/x86/domctl.c | 21 ++++++++++++--------- xen/arch/x86/setup.c | 3 +++ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 877a6767a0..2c264722ad 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,6 +225,8 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + iocaps_double_lock(d, true); + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) ret = -EINVAL; else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || @@ -234,6 +236,8 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); + + iocaps_double_unlock(d, true); break; } @@ -604,16 +608,13 @@ long arch_do_domctl( break; } - ret = -EPERM; - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) - break; - - ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add); - if ( ret ) - break; - hvm = &d->arch.hvm; - if ( add ) + iocaps_double_lock(d, true); + + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || + (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) + ret = ret ?: -EPERM; + else if ( add ) { printk(XENLOG_G_INFO "ioport_map:add: dom%d gport=%x mport=%x nr=%x\n", @@ -674,6 +675,8 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } + + iocaps_double_unlock(d, true); break; } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 8a79fc1d8c..999b7c6824 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2144,9 +2144,12 @@ void __hwdom_init setup_io_bitmap(struct domain *d) return; bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); + + read_lock(&d->caps_lock); if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, io_bitmap_cb, d) ) BUG(); + read_unlock(&d->caps_lock); /* * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333630.1596756 (Exim 4.92) (envelope-from ) id 1wWyoI-0005bc-IB; Tue, 09 Jun 2026 15:56:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333630.1596756; Tue, 09 Jun 2026 15:56:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyoI-0005bU-FR; Tue, 09 Jun 2026 15:56:14 +0000 Received: by outflank-mailman (input) for mailman id 1333630; Tue, 09 Jun 2026 15:56:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyoH-0005bN-2U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyoH-001jK6-12 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyoH-00GqBO-02 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UMJGIOM9LCfNZrKUwqaBpT3xuLiCbUVwgxmc4Cp+Ci4=; b=iZr+jGqzXXX+OzMTDtgA2WgNRa jHmh6T1OGzaNoONJh0z+vKRHlWLmg4DJ2QJSg+vm0vNagGGcXe66PerKcRCkvf5Aj3aRDPylib2GT aydvmAbBsnQsktZfy+SPbPKddiPVlPLcDW7cwBIGUpFaXPmb+oW/jH7MvmF4gSzvTVS8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domain: locking for irq_caps accesses Message-Id: Date: Tue, 09 Jun 2026 15:56:13 +0000 commit bc1a888dbea6bde481281e1204dd5bcd8115732d Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domain: locking for irq_caps accesses In order to be able to pull at least the XEN_DOMCTL_{,un}bind_pt_irq handling out of the domctl-locked region, a separate (per-domain) lock is needed to synchronize in particular with XEN_DOMCTL_irq_permission. Locking is added only as far as domctl-s are affected. Uses presently outside of the domctl lock may want dealing with subsequently (perhaps limited to non-__init code). This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Julien Grall (cherry picked from commit 329edc090dd5c833213bad3f13f1cbc252bc15a2) --- xen/arch/arm/domctl.c | 37 +++++++++++++++++++++---------------- xen/arch/x86/domctl.c | 42 ++++++++++++++++++++++++++---------------- xen/common/domctl.c | 5 +++++ 3 files changed, 52 insertions(+), 32 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index 8e9851e560..d9a1a93778 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -75,6 +75,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, case XEN_DOMCTL_bind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -106,21 +107,26 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - if ( !vgic_reserve_virq(d, virq) ) - return -EBUSY; - - rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); - if ( rc ) - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !vgic_reserve_virq(d, virq) ) + rc = -EBUSY; + else + { + rc = route_irq_to_guest(d, virq, irq, "routed IRQ"); + if ( rc ) + vgic_free_virq(d, virq); + } + read_unlock(&currd->caps_lock); return rc; } case XEN_DOMCTL_unbind_pt_irq: { int rc; + struct domain *currd = current->domain; struct xen_domctl_bind_pt_irq *bind = &domctl->u.bind_pt_irq; uint32_t irq = bind->u.spi.spi; uint32_t virq = bind->machine_irq; @@ -137,16 +143,15 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - if ( !irq_access_permitted(current->domain, irq) ) - return -EPERM; + read_lock(&currd->caps_lock); - rc = release_guest_irq(d, virq); - if ( rc ) - return rc; - - vgic_free_virq(d, virq); + if ( !irq_access_permitted(currd, irq) ) + rc = -EPERM; + else if ( !(rc = release_guest_irq(d, virq)) ) + vgic_free_virq(d, virq); - return 0; + read_unlock(&currd->caps_lock); + return rc; } case XEN_DOMCTL_vuart_op: diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 2c264722ad..abc2b5ef47 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -535,20 +535,27 @@ long arch_do_domctl( break; irq = domain_pirq_to_irq(d, bind->machine_irq); - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; + if ( irq <= 0 ) + ret = -EPERM; - ret = -ESRCH; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_create_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_create_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + else + ret = -ESRCH; + + read_unlock(&currd->caps_lock); break; } @@ -561,23 +568,26 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = -EPERM; - if ( irq <= 0 || !irq_access_permitted(currd, irq) ) - break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); if ( ret ) break; - if ( is_iommu_enabled(d) ) + read_lock(&currd->caps_lock); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( is_iommu_enabled(d) ) { pcidevs_lock(); ret = pt_irq_destroy_bind(d, bind); pcidevs_unlock(); + + if ( ret < 0 ) + printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for %pd\n", + ret, d); } - if ( ret < 0 ) - printk(XENLOG_G_ERR "pt_irq_destroy_bind failed (%ld) for dom%d\n", - ret, d->domain_id); + + read_unlock(&currd->caps_lock); break; } diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 7b7096f5ea..2ae0c78f22 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -698,6 +698,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; break; } + + iocaps_double_lock(d, true); + irq = pirq_access_permitted(current->domain, pirq); if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) ret = -EPERM; @@ -705,6 +708,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_permit_access(d, irq); else ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); break; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333631.1596760 (Exim 4.92) (envelope-from ) id 1wWyoS-0005dn-Jh; Tue, 09 Jun 2026 15:56:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333631.1596760; Tue, 09 Jun 2026 15:56:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyoS-0005df-Gv; Tue, 09 Jun 2026 15:56:24 +0000 Received: by outflank-mailman (input) for mailman id 1333631; Tue, 09 Jun 2026 15:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyoR-0005dY-56 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyoR-001jKX-1J for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyoR-00GqJB-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ut7iN4lmTp4jgm+cZM35rj+092sjRgmSWDHbU7KTObM=; b=vzzgDSxfcprGeZxxZ03uNvanVp Dtaz/uafeG53OJEkHjqs3tCBFC89ozPrWApjP4h5+KlGxCYWyP52/yBqYMNfe4U5q/IX5rdnegjxX BrMGXExaqvtrhsIQa8ZE/ME+ed/Wwstl0/2sMvTkC4mjH0pd5TALw6J9SdiCpTLQraRs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] XSM/Flask: split the .iomem_mapping() hook Message-Id: Date: Tue, 09 Jun 2026 15:56:23 +0000 commit 2fc05f315a7e02fa6289aa0ce3154211afec5f24 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 XSM/Flask: split the .iomem_mapping() hook It's used twice in entirely different situations. The use in do_domctl() wants to become an ordinary XSM_DM_PRIV invocation, while the one in vPCI code need to remain XSM_HOOK (it may plausibly become XSM_TARGET). For Flask, the same backing function will continue to be used for the time being. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 6bb83b1aa01bb3baabc150a881849977c82146a4) --- xen/drivers/vpci/header.c | 2 +- xen/include/xsm/dummy.h | 7 +++++++ xen/include/xsm/xsm.h | 8 ++++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c index 767c1ba718..6766a8208e 100644 --- a/xen/drivers/vpci/header.c +++ b/xen/drivers/vpci/header.c @@ -54,7 +54,7 @@ static int cf_check map_range( return -EPERM; } - rc = xsm_iomem_mapping(XSM_HOOK, map->d, s, e, map->map); + rc = xsm_iomem_mapping_vpci(XSM_HOOK, map->d, s, e, map->map); if ( rc ) { printk(XENLOG_G_WARNING diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 2ed193689f..4160d85ec0 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -579,6 +579,13 @@ static XSM_INLINE int cf_check xsm_iomem_mapping( return xsm_default_action(action, current->domain, d); } +static XSM_INLINE int cf_check xsm_iomem_mapping_vpci( + XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int cf_check xsm_pci_config_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 5867ccceaf..fc30cf822f 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -117,6 +117,8 @@ struct xsm_ops { uint8_t allow); int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); + int (*iomem_mapping_vpci)(struct domain *d, uint64_t s, uint64_t e, + uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access); @@ -504,6 +506,12 @@ static inline int xsm_iomem_mapping( return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow); } +static inline int xsm_iomem_mapping_vpci( + xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow) +{ + return alternative_call(xsm_ops.iomem_mapping_vpci, d, s, e, allow); +} + static inline int xsm_pci_config_permission( xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index e6ffa948f7..44a9e04ae7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -72,6 +72,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission, .iomem_mapping = xsm_iomem_mapping, + .iomem_mapping_vpci = xsm_iomem_mapping_vpci, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 556bc60a6a..640464f312 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1918,6 +1918,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, .iomem_mapping = flask_iomem_mapping, + .iomem_mapping_vpci = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333632.1596764 (Exim 4.92) (envelope-from ) id 1wWyoc-0005gr-L4; Tue, 09 Jun 2026 15:56:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333632.1596764; Tue, 09 Jun 2026 15:56:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyoc-0005gj-II; Tue, 09 Jun 2026 15:56:34 +0000 Received: by outflank-mailman (input) for mailman id 1333632; Tue, 09 Jun 2026 15:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyob-0005gb-8T for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyob-001jKd-1e for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyob-00GqT3-0b for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nUWtO0+z3968tMEUmEWpUQaRBFzXQSPDoRmum8AVs5g=; b=o7iYTko5OozxyFk64BoAuj4pXB AmbAw3jEdH7raPX3WorQLyLEXhdbQzkjHOUkgzU4exg7jGO2/brZXMNu8CURxwtTMVdaxwsPmrV+X KFxW9+/AvnDfjU+HNHt+qRZwDvoXV5BgAWAVHRGs+HkzjEAqwGDhSSOjMCcB+LpN/53U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:56:33 +0000 commit 86dd2e3eb66d7d214747663aa0d1c35e8d6eca92 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_memory_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed dedicated XSM check as early as possible. Minimal "modernization": Switch "add" to bool and use %pd in log messages. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 5a81fb873cb0c7913995372d22660d6a2db0ec48) --- xen/common/domctl.c | 118 ++++++++++++++++++++++++------------------------ xen/include/xsm/dummy.h | 4 +- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2ae0c78f22..1e13a0b485 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -362,6 +362,66 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_memory_mapping: + { + unsigned long gfn = op->u.memory_mapping.first_gfn; + unsigned long mfn = op->u.memory_mapping.first_mfn; + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; + unsigned long mfn_end = mfn + nr_mfns - 1; + bool add = op->u.memory_mapping.add_mapping; + + ret = -EINVAL; + if ( mfn_end < mfn || /* Wrap? */ + ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || + (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); + if ( ret || !paging_mode_translate(d) ) + goto domctl_out_unlock_domonly; + +#ifndef CONFIG_X86 /* XXX ARM!? */ + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + goto domctl_out_unlock_domonly; +#endif + + iocaps_double_lock(d, false); + + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) + /* Nothing. */; + else if ( add ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } + else + { + printk(XENLOG_G_DEBUG + "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 && is_hardware_domain(current->domain) ) + printk(XENLOG_ERR + "memory_map: error %ld removing %pd access to [%lx,%lx]\n", + ret, d, mfn, mfn_end); + } + + iocaps_double_unlock(d, false); + goto domctl_out_unlock_domonly; + } + default: /* Everything else handled further down. */ break; @@ -738,64 +798,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_memory_mapping: - { - unsigned long gfn = op->u.memory_mapping.first_gfn; - unsigned long mfn = op->u.memory_mapping.first_mfn; - unsigned long nr_mfns = op->u.memory_mapping.nr_mfns; - unsigned long mfn_end = mfn + nr_mfns - 1; - int add = op->u.memory_mapping.add_mapping; - - ret = -EINVAL; - if ( mfn_end < mfn || /* wrap? */ - ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -#ifndef CONFIG_X86 /* XXX ARM!? */ - ret = -E2BIG; - /* Must break hypercall up as this could take a while. */ - if ( nr_mfns > 64 ) - break; -#endif - - iocaps_double_lock(d, false); - - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) || - (ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add)) || - !paging_mode_translate(d) ) - /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - } - else - { - printk(XENLOG_G_DEBUG - "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", - d->domain_id, gfn, mfn, nr_mfns); - - ret = unmap_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 && is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", - ret, d->domain_id, mfn, mfn_end); - } - - iocaps_double_unlock(d, false); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 4160d85ec0..c5f5a38f7d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,12 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_ioport_mapping: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -575,7 +575,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission( static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 640464f312..201db0fa50 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -687,7 +688,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_iomem_permission: - case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333633.1596768 (Exim 4.92) (envelope-from ) id 1wWyom-0005jL-Op; Tue, 09 Jun 2026 15:56:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333633.1596768; Tue, 09 Jun 2026 15:56:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyom-0005jD-ME; Tue, 09 Jun 2026 15:56:44 +0000 Received: by outflank-mailman (input) for mailman id 1333633; Tue, 09 Jun 2026 15:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyol-0005j4-BY for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyol-001jKh-1y for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyol-00Gqgk-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RJWfSInFgs8okfs0BmJnoeletCvM2XCVN7D9hOEgMfI=; b=YTdn9Tp0zBrcSh5DHhOcc+h6eW bQC5pkCZX5XHliWby3BzicfYPG+PZu+cAjzBvVzn4TN3+UDhFzMgvsP4XhVcOXu7tiGVHP/UVt8Ru OCWO6oXMXkBEmkrbCEhDUk9Nhy7w7I4vEu7x9yXJ8V8MjPABEs7CFmjBvOHLEEXuroUo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:56:43 +0000 commit 53ff9705c103f7d79b7795f56d836a980a5240b6 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:00 2026 +0100 domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the handling is in arch-specific code (x86 only), almost no code is being moved, but a 2nd (extensible to other sub-ops) invocation of arch_do_domctl() is being added. Move just the re-purposed dedicated XSM check as early as possible. In flask_domctl() don't put #ifdef around the moved case label. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb) --- xen/arch/x86/domctl.c | 9 ++++++--- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index abc2b5ef47..8bb3e694f8 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -618,12 +618,15 @@ long arch_do_domctl( break; } + ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add); + if ( ret ) + break; + hvm = &d->arch.hvm; iocaps_double_lock(d, true); - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || - (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) ) - ret = ret ?: -EPERM; + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) + ret = -EPERM; else if ( add ) { printk(XENLOG_G_INFO diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1e13a0b485..88b5aab418 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -422,6 +422,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_mapping: + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + default: /* Everything else handled further down. */ break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index c5f5a38f7d..42d5ebe013 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl( XSM_ASSERT_ACTION(XSM_OTHER); switch ( cmd ) { - case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: return xsm_default_action(XSM_DM_PRIV, current->domain, d); case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission( static XSM_INLINE int cf_check xsm_ioport_mapping( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 201db0fa50..0c687aa9e7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -680,6 +680,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -698,7 +699,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: case XEN_DOMCTL_ioport_permission: - case XEN_DOMCTL_ioport_mapping: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:56:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:56:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333634.1596772 (Exim 4.92) (envelope-from ) id 1wWyow-0005lJ-Q8; Tue, 09 Jun 2026 15:56:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333634.1596772; Tue, 09 Jun 2026 15:56:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyow-0005lB-Na; Tue, 09 Jun 2026 15:56:54 +0000 Received: by outflank-mailman (input) for mailman id 1333634; Tue, 09 Jun 2026 15:56:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyov-0005l3-Eg for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyov-001jKl-2G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyov-00GqpJ-1G for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:56:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UakmoQlmj6fXCzx4IKnC2s0qAqMLkkvAuYHDEkhhF/s=; b=BmNHf23+SIy8b+NmcyeVB13z17 3b+hBm+1vKvc6hJxTZVme1rO4v8Z5p2k65Mj/dGkKBZQaEkPQDudr7aX4q2WiwF05aSoMorD9lWnw HkLKZ56LhSWGkWSQnn1EUnfiu8gytnygZHkOxj3mgTIUFmNb0MuNTemGIgGB1Z9kfQnc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:56:53 +0000 commit 1f1cafe4f4a87a10023b2393596661004bb7bb14 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_{,un}bind_pt_irq without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. (It also already isn't used when pt_irq_{create,destroy}_bind() are invoked for PVH Dom0.) As the handling is in arch-specific code, no code is being moved, but the 2nd (extensible to other sub-ops like the ones here) invocation of arch_do_domctl() is being re-used. This is part of XSA-492. Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from stubdoms") Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith Acked-by: Julien Grall (cherry picked from commit e263eeaf71b961d0d6f987bf7a33c8517be1bae5) --- xen/arch/arm/domctl.c | 4 ++-- xen/arch/x86/domctl.c | 4 ++-- xen/common/domctl.c | 2 ++ xen/include/xsm/dummy.h | 8 +++----- xen/xsm/flask/hooks.c | 5 ++--- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c index d9a1a93778..b596076c32 100644 --- a/xen/arch/arm/domctl.c +++ b/xen/arch/arm/domctl.c @@ -103,7 +103,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( rc ) return rc; - rc = xsm_bind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; @@ -139,7 +139,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d, if ( irq != virq ) return -EINVAL; - rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + rc = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( rc ) return rc; diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 8bb3e694f8..91f407af98 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -530,7 +530,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_bind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_bind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; @@ -568,7 +568,7 @@ long arch_do_domctl( if ( !is_hvm_domain(d) ) break; - ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind); + ret = xsm_unbind_pt_irq(XSM_DM_PRIV, d, bind); if ( ret ) break; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 88b5aab418..08a844fe25 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -423,6 +423,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_bind_pt_irq: + case XEN_DOMCTL_unbind_pt_irq: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 42d5ebe013..7fc106c536 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -168,12 +168,10 @@ static XSM_INLINE int cf_check xsm_domctl( switch ( cmd ) { case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: - return xsm_default_action(XSM_DM_PRIV, current->domain, d); - case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -540,14 +538,14 @@ static XSM_INLINE int cf_check xsm_unmap_domain_pirq( static XSM_INLINE int cf_check xsm_bind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } static XSM_INLINE int cf_check xsm_unbind_pt_irq( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_DM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0c687aa9e7..87dee85ea6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -679,9 +679,11 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ + case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; @@ -692,9 +694,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: - /* These have individual XSM hooks (arch/../domctl.c) */ - case XEN_DOMCTL_bind_pt_irq: - case XEN_DOMCTL_unbind_pt_irq: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333635.1596776 (Exim 4.92) (envelope-from ) id 1wWyp6-0005nH-RU; Tue, 09 Jun 2026 15:57:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333635.1596776; Tue, 09 Jun 2026 15:57:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyp6-0005n9-Ow; Tue, 09 Jun 2026 15:57:04 +0000 Received: by outflank-mailman (input) for mailman id 1333635; Tue, 09 Jun 2026 15:57:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyp5-0005n2-IF for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyp5-001jL2-2c for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyp5-00Gr1H-1Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vCWNJe0PhPQxP9oGO0CeONQc/6YbgKsUdstvq3YzPrw=; b=LI4jXWEQrERq6Rm9zIMqyv4snk cCs+/SWYZmGCBRCdVmaQIYwP9nlAAi+svQoguN3TBDafpX07y6u9Byvk7+/sznnhliZmxqJLnL4HG G27VDzWX7PSsqkW3dYibDNfsstXk1WdbtUA6iKxk4vwDWaCUR2Eukuu31Cxh5YFb+dJ8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:57:03 +0000 commit c76ed41837259c481945fcf153136f7f3128ff0b Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_io{mem,port}_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. As the I/O port handling is in arch-specific code (x86 only), no code is being moved, but the 2nd invocation of arch_do_domctl() is re-used. Move the re-purposed dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Acked-by: Daniel P. Smith (cherry picked from commit 9f54e10bf3ab02c8d5dc3253d85c9b3258d1fc88) --- xen/arch/x86/domctl.c | 13 ++++++++---- xen/common/domctl.c | 54 ++++++++++++++++++++++++++----------------------- xen/include/xsm/dummy.h | 6 ++++-- xen/xsm/flask/hooks.c | 4 ++-- 4 files changed, 44 insertions(+), 33 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 91f407af98..cc956a354c 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -225,12 +225,17 @@ long arch_do_domctl( unsigned int np = domctl->u.ioport_permission.nr_ports; int allow = domctl->u.ioport_permission.allow_access; + ret = -EINVAL; + if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) + break; + + ret = xsm_ioport_permission(XSM_PRIV, d, fp, fp + np - 1, allow); + if ( ret ) + break; + iocaps_double_lock(d, true); - if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS ) - ret = -EINVAL; - else if ( !ioports_access_permitted(currd, fp, fp + np - 1) || - xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) ) + if ( !ioports_access_permitted(currd, fp, fp + np - 1) ) ret = -EPERM; else if ( allow ) ret = ioports_permit_access(d, fp, fp + np - 1); diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 08a844fe25..1072d78f35 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -362,6 +362,34 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; + case XEN_DOMCTL_iomem_permission: + { + unsigned long mfn = op->u.iomem_permission.first_mfn; + unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; + bool allow = op->u.iomem_permission.allow_access; + + ret = -EINVAL; + if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ + goto domctl_out_unlock_domonly; + + ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !iomem_access_permitted(current->domain, + mfn, mfn + nr_mfns - 1) ) + ret = -EPERM; + else if ( allow ) + ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); + else + ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_memory_mapping: { unsigned long gfn = op->u.memory_mapping.first_gfn; @@ -422,6 +450,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: @@ -779,31 +808,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_iomem_permission: - { - unsigned long mfn = op->u.iomem_permission.first_mfn; - unsigned long nr_mfns = op->u.iomem_permission.nr_mfns; - int allow = op->u.iomem_permission.allow_access; - - ret = -EINVAL; - if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */ - break; - - iocaps_double_lock(d, true); - - if ( !iomem_access_permitted(current->domain, - mfn, mfn + nr_mfns - 1) || - xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) ) - ret = -EPERM; - else if ( allow ) - ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); - else - ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7fc106c536..9a65f31c51 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -169,7 +169,9 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -566,7 +568,7 @@ static XSM_INLINE int cf_check xsm_irq_permission( static XSM_INLINE int cf_check xsm_iomem_permission( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } @@ -762,7 +764,7 @@ static XSM_INLINE int cf_check xsm_priv_mapping( static XSM_INLINE int cf_check xsm_ioport_permission( XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 87dee85ea6..949a4a4878 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -681,7 +681,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -690,14 +692,12 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_irq_permission: - case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ case XEN_DOMCTL_shadow_op: - case XEN_DOMCTL_ioport_permission: #endif #ifdef CONFIG_HAS_PASSTHROUGH /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333636.1596780 (Exim 4.92) (envelope-from ) id 1wWypG-0005qQ-T5; Tue, 09 Jun 2026 15:57:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333636.1596780; Tue, 09 Jun 2026 15:57:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypG-0005qI-QJ; Tue, 09 Jun 2026 15:57:14 +0000 Received: by outflank-mailman (input) for mailman id 1333636; Tue, 09 Jun 2026 15:57:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypF-0005qB-Kw for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWypF-001jL7-2t for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWypF-00GrBb-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2MlVnjjSnO+rpIWySbM79Z5kCwVGkSu+yO/YIGjuQTE=; b=C1DoKgG8Tlwzmj2h33rnyw2BwF MDT8vvgF8OkN9CRcHvz+Xv6pPHRmDkZYI5vYKgkYEEH6Yg9eZjWpYYW3JlZqgzfixNMF3r+Q92x80 B94JRu/Z3SVAEpa0Qf8XPI/jPSGvCQhXNUEwJmP8lOOh/Y8aHkqeZYhBycO1USNxOklI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:57:13 +0000 commit 45d368d2c4f808f393ae52582890c0eb05be04cc Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_irq_permission without acquiring domctl lock With dedicated locking added, the domctl lock isn't required here anymore. Move the re-purposed (XSM_HOOK -> XSM_PRIV, as xsm_domctl() is now bypassed) dedicated XSM checks as early as possible. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné --- xen/common/domctl.c | 55 +++++++++++++++++++++++++++---------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 1072d78f35..5bcd4a32cd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -450,6 +450,36 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = op->u.irq_permission.pirq, irq; + bool allow = op->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= current->domain->nr_pirqs ) + goto domctl_out_unlock_domonly; + + irq = domain_pirq_to_irq(current->domain, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + goto domctl_out_unlock_domonly; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(current->domain, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -783,31 +813,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - int allow = op->u.irq_permission.allow_access; - - if ( pirq >= current->domain->nr_pirqs ) - { - ret = -EINVAL; - break; - } - - iocaps_double_lock(d, true); - - irq = pirq_access_permitted(current->domain, pirq); - if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - break; - } - case XEN_DOMCTL_settimeoffset: domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 9a65f31c51..0af668910b 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -172,6 +172,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -561,7 +562,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq( static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, d); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 949a4a4878..4aa91a3dd6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -684,6 +684,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); @@ -691,7 +692,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: - case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_set_target: case XEN_DOMCTL_vm_event_op: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333637.1596784 (Exim 4.92) (envelope-from ) id 1wWypQ-0005sf-UU; Tue, 09 Jun 2026 15:57:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333637.1596784; Tue, 09 Jun 2026 15:57:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypQ-0005sX-Rf; Tue, 09 Jun 2026 15:57:24 +0000 Received: by outflank-mailman (input) for mailman id 1333637; Tue, 09 Jun 2026 15:57:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypP-0005sQ-Nv for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWypP-001jLU-3B for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWypP-00GrMF-2C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=N4/N13HYIob3VvCmvhBAfCkXOBGW8ngaGWWvoSSVG+k=; b=ticDgaVSoXYJtZ7+uGveqoqOAw ePw1uN3ujR75/K2l44zMXbsIO5LcEpuifPCwNN154NC+sRGZ2+aurz2ZT6lVwX0bh1/Hf/S5lq5TJ ax1kOjRS03Qr5+VZ1mRoWBNfpE5P53l8lN6jrSv/jLGcm2TyPRi0buRLUULdzooCTrnw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl/XSM: drop vm_event_control hook Message-Id: Date: Tue, 09 Jun 2026 15:57:23 +0000 commit 9abd8482f15eb12bc3c1f7f57e26b625c93e0e05 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop vm_event_control hook Integrate the checking with xsm_domctl(). Care needs to be taken with the GET_VERSION sub-op, which may be invoked with DOMID_INVALID, and which has been (and continues to be) bypassing XSM checking. Since the latter two parameters were unused, monitor_domctl() invoking the hook was actually redundant with the earlier xsm_domctl() (as can be seen nicely from the hunks changing xsm/flask/hooks.c). As a positive side effect, permissions are then checked at the same early point with and without Flask. While folding XEN_DOMCTL_monitor_op and XEN_DOMCTL_vm_event_op in flask_domctl(), also fold in XEN_DOMCTL_set_access_required. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit b4a7c17146f4363750d26cb2dcee08b480625a3d) --- xen/common/domctl.c | 17 +++++++++++++++++ xen/common/monitor.c | 5 ----- xen/common/vm_event.c | 9 ++++----- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 8 -------- xen/xsm/dummy.c | 2 -- xen/xsm/flask/hooks.c | 11 +---------- 7 files changed, 22 insertions(+), 37 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 5bcd4a32cd..c68ffb7337 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -480,6 +480,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_vm_event_op: + if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) + { + /* No XSM check (and potentially d == NULL) here. */ + ret = vm_event_domctl(d, &op->u.vm_event_op); + if ( !ret ) + copyback = true; + goto domctl_out_unlock_domonly; + } + if ( !d ) + { + ret = -ESRCH; + goto domctl_out_unlock_domonly; + } + /* Other sub-ops handled further down. */ + break; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: diff --git a/xen/common/monitor.c b/xen/common/monitor.c index d5c9ff1cbf..aec6391faf 100644 --- a/xen/common/monitor.c +++ b/xen/common/monitor.c @@ -30,16 +30,11 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop) { - int rc; bool requested_status = false; if ( unlikely(current->domain == d) ) /* no domain_pause() */ return -EPERM; - rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event); - if ( unlikely(rc) ) - return rc; - switch ( mop->op ) { case XEN_DOMCTL_MONITOR_OP_ENABLE: diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index 71d2898174..8f4bfc0936 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -602,11 +602,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) /* All other subops need to target a real domain. */ if ( unlikely(d == NULL) ) - return -ESRCH; - - rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); - if ( rc ) - return rc; + { + ASSERT_UNREACHABLE(); + return -EILSEQ; + } if ( unlikely(d == current->domain) ) /* no domain_pause() */ { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 0af668910b..981cd3bf18 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -650,13 +650,6 @@ static XSM_INLINE int cf_check xsm_hvm_altp2mhvm_op( } } -static XSM_INLINE int cf_check xsm_vm_event_control( - XSM_DEFAULT_ARG struct domain *d, int mode, int op) -{ - XSM_ASSERT_ACTION(XSM_PRIV); - return xsm_default_action(action, current->domain, d); -} - #ifdef CONFIG_MEM_ACCESS static XSM_INLINE int cf_check xsm_mem_access(XSM_DEFAULT_ARG struct domain *d) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fc30cf822f..f2bbe3ed8b 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -154,8 +154,6 @@ struct xsm_ops { int (*hvm_altp2mhvm_op)(struct domain *d, uint64_t mode, uint32_t op); int (*get_vnumainfo)(struct domain *d); - int (*vm_event_control)(struct domain *d, int mode, int op); - #ifdef CONFIG_MEM_ACCESS int (*mem_access)(struct domain *d); #endif @@ -634,12 +632,6 @@ static inline int xsm_get_vnumainfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.get_vnumainfo, d); } -static inline int xsm_vm_event_control( - xsm_default_t def, struct domain *d, int mode, int op) -{ - return alternative_call(xsm_ops.vm_event_control, d, mode, op); -} - #ifdef CONFIG_MEM_ACCESS static inline int xsm_mem_access(xsm_default_t def, struct domain *d) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 44a9e04ae7..95170547fc 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -110,8 +110,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .remove_from_physmap = xsm_remove_from_physmap, .map_gmfn_foreign = xsm_map_gmfn_foreign, - .vm_event_control = xsm_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = xsm_mem_access, #endif diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 4aa91a3dd6..7d9ebe3d6b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -693,7 +693,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: - case XEN_DOMCTL_vm_event_op: #ifdef CONFIG_X86 /* These have individual XSM hooks (arch/x86/domctl.c) */ @@ -787,9 +786,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); case XEN_DOMCTL_set_access_required: - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); - case XEN_DOMCTL_monitor_op: + case XEN_DOMCTL_vm_event_op: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); case XEN_DOMCTL_debug_op: @@ -1349,11 +1347,6 @@ static int cf_check flask_hvm_altp2mhvm_op(struct domain *d, uint64_t mode, uint return current_has_perm(d, SECCLASS_HVM, HVM__ALTP2MHVM_OP); } -static int cf_check flask_vm_event_control(struct domain *d, int mode, int op) -{ - return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VM_EVENT); -} - #ifdef CONFIG_MEM_ACCESS static int cf_check flask_mem_access(struct domain *d) { @@ -1937,8 +1930,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .do_xsm_op = do_flask_op, .get_vnumainfo = flask_get_vnumainfo, - .vm_event_control = flask_vm_event_control, - #ifdef CONFIG_MEM_ACCESS .mem_access = flask_mem_access, #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333638.1596787 (Exim 4.92) (envelope-from ) id 1wWypb-0005yu-0e; Tue, 09 Jun 2026 15:57:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333638.1596787; Tue, 09 Jun 2026 15:57:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypa-0005ym-UQ; Tue, 09 Jun 2026 15:57:34 +0000 Received: by outflank-mailman (input) for mailman id 1333638; Tue, 09 Jun 2026 15:57:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypZ-0005yg-QS for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWypa-001jLb-0E for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWypZ-00GrXv-2U for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1XVMxjNjyFfg/cvFHB1W1HAnKbedsjENytAiUXX9xRg=; b=IuQLvDd2HbrfiWo0stwfmuriaz WDWm/1YE6vDunZvhljRKWcF8M7W9bBSvCTlJtjxH7LlYgp1DdrP1Quvujmt0UHO67x5RyE9n9kGjv c2VHtqZm/xFZ4P6BZxGDND862DDevC+wyw14NuG0MJhlvKZ7+CAnAxCIrLxz7TmVgd58=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl/XSM: pass full struct xen_domctl to xsm_domctl() Message-Id: Date: Tue, 09 Jun 2026 15:57:33 +0000 commit 8fe1695361d4a839e9f9095f070c7d5019664251 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: pass full struct xen_domctl to xsm_domctl() Subsequently some sub-ops will want to inspect their sub-sub-ops. Plus this way we don't need to pass SSIDref separately anymore for domain_create. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit 83f0e11ed16b5ceb42e47dcaab5afd35583ec5d7) --- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 +--- xen/include/xsm/dummy.h | 4 ++-- xen/include/xsm/xsm.h | 6 +++--- xen/xsm/flask/hooks.c | 10 +++++----- 5 files changed, 12 insertions(+), 14 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 3a309bc74b..d8d953cde8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -767,7 +767,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, op.cmd, 0 /* SSIDref not applicable */); + ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { if ( domctl_lock_acquire() ) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index c68ffb7337..e918602153 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -509,9 +509,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op->cmd, - /* SSIDRef only applicable for cmd == createdomain */ - op->u.createdomain.ssidref); + ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) goto domctl_out_unlock_domonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 981cd3bf18..7427da1b44 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,10 +162,10 @@ static XSM_INLINE int cf_check xsm_set_target( } static XSM_INLINE int cf_check xsm_domctl( - XSM_DEFAULT_ARG struct domain *d, unsigned int cmd, uint32_t ssidref) + XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { XSM_ASSERT_ACTION(XSM_OTHER); - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index f2bbe3ed8b..e91fa49d7d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -60,7 +60,7 @@ struct xsm_ops { int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); - int (*domctl)(struct domain *d, unsigned int cmd, uint32_t ssidref); + int (*domctl)(struct domain *d, struct xen_domctl *op); int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); @@ -249,9 +249,9 @@ static inline int xsm_set_target( } static inline int xsm_domctl(xsm_default_t def, struct domain *d, - unsigned int cmd, uint32_t ssidref) + struct xen_domctl *op) { - return alternative_call(xsm_ops.domctl, d, cmd, ssidref); + return alternative_call(xsm_ops.domctl, d, op); } static inline int xsm_sysctl(xsm_default_t def, int cmd) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 7d9ebe3d6b..360b28a2d9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -663,10 +663,9 @@ static int cf_check flask_set_target(struct domain *d, struct domain *t) return rc; } -static int cf_check flask_domctl(struct domain *d, unsigned int cmd, - uint32_t ssidref) +static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) { - switch ( cmd ) + switch ( op->cmd ) { case XEN_DOMCTL_createdomain: /* @@ -676,7 +675,8 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, * Note that d is NULL because we haven't even allocated memory for it * this early in XEN_DOMCTL_createdomain. */ - return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); + return avc_current_has_perm(op->u.createdomain.ssidref, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: @@ -843,7 +843,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL); default: - return avc_unknown_permission("domctl", cmd); + return avc_unknown_permission("domctl", op->cmd); } } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:45 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333639.1596792 (Exim 4.92) (envelope-from ) id 1wWypl-00062R-2G; Tue, 09 Jun 2026 15:57:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333639.1596792; Tue, 09 Jun 2026 15:57:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypk-00062J-Vw; Tue, 09 Jun 2026 15:57:44 +0000 Received: by outflank-mailman (input) for mailman id 1333639; Tue, 09 Jun 2026 15:57:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypj-00062D-TK for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWypk-001jLf-0W for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWypj-00Grkt-2m for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9/qmcHOB6bzpvapNrnKa/MBafTGQ7yOSoHCK0c7pMvs=; b=pZWMVZFHW6doI/f/RYCUnkpGU1 Hg/Y6GNiLVqkiTMGS1lq+ttTHJq0dbW892ex0XS5VovkMr5o6q4gfUMpUty/sKCBiOOMlIVUBCF2i 1JI0rFC6PKOzFxs42QzilSr4cLLKDQqdHS4RE22W/F6xGR4FbtQb7hKiX5jH98ve98UY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl/XSM: drop scheduler_op hook Message-Id: Date: Tue, 09 Jun 2026 15:57:43 +0000 commit c5501d5ae8e9494d11a3b5464efeb3f50ff84075 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop scheduler_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Juergen Gross (cherry picked from commit 3ba374d3886f0e1d835eafe62cc2fa20ca5376ad) --- xen/common/sched/core.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 7 ++++--- 5 files changed, 4 insertions(+), 22 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 3e6e35a1e6..89de385a6f 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -2058,10 +2058,6 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) { long ret; - ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); - if ( ret ) - return ret; - if ( op->sched_id != dom_scheduler(d)->sched_id ) return -EINVAL; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7427da1b44..dbd26489d8 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -141,13 +141,6 @@ static XSM_INLINE int cf_check xsm_getdomaininfo( return xsm_default_action(action, current->domain, d); } -static XSM_INLINE int cf_check xsm_domctl_scheduler_op( - XSM_DEFAULT_ARG struct domain *d, int cmd) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index e91fa49d7d..d0e9c33927 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -57,7 +57,6 @@ struct xsm_ops { struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); int (*getdomaininfo)(struct domain *d); - int (*domctl_scheduler_op)(struct domain *d, int op); int (*sysctl_scheduler_op)(int op); int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); @@ -231,12 +230,6 @@ static inline int xsm_getdomaininfo(xsm_default_t def, struct domain *d) return alternative_call(xsm_ops.getdomaininfo, d); } -static inline int xsm_domctl_scheduler_op( - xsm_default_t def, struct domain *d, int cmd) -{ - return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd); -} - static inline int xsm_sysctl_scheduler_op(xsm_default_t def, int cmd) { return alternative_call(xsm_ops.sysctl_scheduler_op, cmd); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 95170547fc..cb312eb7cb 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -18,7 +18,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, - .domctl_scheduler_op = xsm_domctl_scheduler_op, .sysctl_scheduler_op = xsm_sysctl_scheduler_op, .set_target = xsm_set_target, .domctl = xsm_domctl, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 360b28a2d9..23c54bc69b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -607,7 +607,7 @@ static int cf_check flask_getdomaininfo(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); } -static int cf_check flask_domctl_scheduler_op(struct domain *d, int op) +static int flask_domctl_scheduler_op(struct domain *d, int op) { switch ( op ) { @@ -691,7 +691,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return -EILSEQ; /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_scheduler_op: case XEN_DOMCTL_set_target: #ifdef CONFIG_X86 @@ -739,6 +738,9 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_scheduler_op: + return flask_domctl_scheduler_op(d, op->u.scheduler_op.cmd); + case XEN_DOMCTL_set_ext_vcpucontext: case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: @@ -1856,7 +1858,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, - .domctl_scheduler_op = flask_domctl_scheduler_op, .sysctl_scheduler_op = flask_sysctl_scheduler_op, .set_target = flask_set_target, .domctl = flask_domctl, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:57:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:57:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333640.1596796 (Exim 4.92) (envelope-from ) id 1wWypv-00064S-3W; Tue, 09 Jun 2026 15:57:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333640.1596796; Tue, 09 Jun 2026 15:57:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypv-00064K-10; Tue, 09 Jun 2026 15:57:55 +0000 Received: by outflank-mailman (input) for mailman id 1333640; Tue, 09 Jun 2026 15:57:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWypu-00064E-01 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWypu-001jLl-0o for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWypt-00GrwI-33 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:57:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V/qC0W/SB5hepGDiTRgj2ijOWr0ue7YINFldwPIoPaI=; b=axWq0ymXPvfmuT9425bbIoPm/+ xY1/WHSugzpGqrsKYJay/SjnSSdRjH6Wsmuw+nGrW5FyuSdUb/V7xqh0oNOg/VTYB9YicrvouehYa Lb4qh6rDW/QgklwICJIt8KCwTJ8shr2b1mN9u7tOXw8vlMJPsRA1eb+hsfltpIvzRBjg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl/XSM: drop shadow_control_op hook Message-Id: Date: Tue, 09 Jun 2026 15:57:53 +0000 commit 35742996499584e400e896c2e1ee8f6ad45a8748 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith (cherry picked from commit d9d2758622422a4db0498a74c3dfd1c8168a8154) --- xen/arch/x86/mm/paging.c | 4 ---- xen/include/xsm/dummy.h | 7 ------- xen/include/xsm/xsm.h | 7 ------- xen/xsm/dummy.c | 1 - xen/xsm/flask/hooks.c | 13 +++++++------ 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index d8d953cde8..3209aa1b55 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc, return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index dbd26489d8..847aeb0e1a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -680,13 +680,6 @@ static XSM_INLINE int cf_check xsm_do_mca(XSM_DEFAULT_VOID) return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d0e9c33927..d60917f93d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -169,7 +169,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -657,12 +656,6 @@ static inline int xsm_do_mca(xsm_default_t def) return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index cb312eb7cb..f4bcefc46b 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 23c54bc69b..cf800881f4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -693,10 +694,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -781,6 +778,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1584,7 +1586,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1965,7 +1967,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333641.1596800 (Exim 4.92) (envelope-from ) id 1wWyq6-00066P-5N; Tue, 09 Jun 2026 15:58:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333641.1596800; Tue, 09 Jun 2026 15:58:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyq6-00066H-2P; Tue, 09 Jun 2026 15:58:06 +0000 Received: by outflank-mailman (input) for mailman id 1333641; Tue, 09 Jun 2026 15:58:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyq4-00066B-2n for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyq4-001jMC-15 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyq4-00Gs5y-06 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=r05OvhvmMqpJiKbT7g1PcQpfESAUpOrNVTRVNfaWPks=; b=faHkKKCZtOfrTBFnMAV1e6MH4X NQ47hIcksYN42jzi2VSjYrfv2OSNaTquLnsniXa4m3I3xOJOtfgT72BuVIlN7FxdBOzHKsCmOrDD1 +PCnL2BENp4i4XPgR/1d0n47qx9FWD0jMj2T1qR9dT5JFJ8FA2t9IFikagYy556KRcRk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:58:04 +0000 commit 4594a6b216e43b7630b1002985d6ac997b1c0510 Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_get_device_group without acquiring domctl lock iommu_get_device_group() uses its own locking. Thus, with caller side locking irrelevant, it can as well be called with the domctl lock not held. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 471b377747cb5eb0ea7c1ca48ac9d38027a9aa13) --- xen/common/domctl.c | 5 ++++- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e918602153..2aad346eca 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -497,6 +497,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_get_device_group: + ret = iommu_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_bind_pt_irq: @@ -919,7 +923,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_assign_device: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_deassign_device: - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); break; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 25ea1dc421..c199735b24 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1512,7 +1512,7 @@ static int iommu_get_device_group( if ( (pdev->seg != seg) || ((b == bus) && (df == devfn)) ) continue; - if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (b << 8) | df) ) + if ( xsm_get_device_group(XSM_PRIV, (seg << 16) | (b << 8) | df) ) continue; sdev_id = iommu_call(ops, get_device_group_id, seg, b, df); @@ -1582,7 +1582,7 @@ int iommu_do_pci_domctl( u32 max_sdevs; XEN_GUEST_HANDLE_64(uint32) sdevs; - ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf); + ret = xsm_get_device_group(XSM_PRIV, domctl->u.get_device_group.machine_sbdf); if ( ret ) break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 847aeb0e1a..7e8d3b2893 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -162,6 +162,7 @@ static XSM_INLINE int cf_check xsm_domctl( { case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -399,7 +400,7 @@ static XSM_INLINE int cf_check xsm_get_vnumainfo( static XSM_INLINE int cf_check xsm_get_device_group( XSM_DEFAULT_ARG uint32_t machine_bdf) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index cf800881f4..fc80576b09 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks and don't make it here. */ case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_getdomaininfo: + case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_iomem_permission: case XEN_DOMCTL_ioport_mapping: case XEN_DOMCTL_ioport_permission: @@ -699,7 +700,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) * These have individual XSM hooks * (drivers/passthrough/{pci,device_tree.c) */ - case XEN_DOMCTL_get_device_group: case XEN_DOMCTL_test_assign_device: case XEN_DOMCTL_assign_device: case XEN_DOMCTL_deassign_device: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:16 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333642.1596804 (Exim 4.92) (envelope-from ) id 1wWyqG-00068N-6Y; Tue, 09 Jun 2026 15:58:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333642.1596804; Tue, 09 Jun 2026 15:58:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqG-00068F-3m; Tue, 09 Jun 2026 15:58:16 +0000 Received: by outflank-mailman (input) for mailman id 1333642; Tue, 09 Jun 2026 15:58:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqE-000688-5g for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyqE-001jMG-1N for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyqE-00GsHy-0P for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hWr+SfXtYj+Ttd9iT6u1D9o60e970HGWrcYgGB+LOfQ=; b=eGFpPP4ueTQj1ffH7rRjAyFCqj N6J56jXk0AgSmM1YGGZiEe0zblEQAZqRc4CallUJqLATI7IM0OH0o4TxaJDtdTQkRfAz8+bBvw2b3 vNCxE3s/WsI/gOx7JGwWojuJhSWjaNqY4hYtzAP9vPNlRQy7TfBjN1nkoyiRIj0hmHrs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl/XSM: drop {,de}assign_{,dt}device hooks Message-Id: Date: Tue, 09 Jun 2026 15:58:14 +0000 commit 2c48c89c9d6a078ed8ac2dcde447e2c7146926fb Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl/XSM: drop {,de}assign_{,dt}device hooks Integrate the checking with xsm_domctl(). As a positive side effect, permissions are then checked at the same early point with and without Flask. As the DT device path needs fetching earlier (but must not be double fetched), cache it in a private field of the public interface struct. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit eab54f074f17c134fa6fa780f672393066e7b631) --- xen/common/domctl.c | 9 ++++ xen/drivers/passthrough/device_tree.c | 36 ++++++++-------- xen/drivers/passthrough/pci.c | 8 ---- xen/include/public/domctl.h | 5 ++- xen/include/xsm/dummy.h | 32 -------------- xen/include/xsm/xsm.h | 34 --------------- xen/xsm/dummy.c | 7 ---- xen/xsm/flask/hooks.c | 79 +++++++++++++++++++++++++---------- 8 files changed, 89 insertions(+), 121 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 2aad346eca..f3db0a5c4e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -326,6 +326,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_deassign_device: if ( op->domain == DOMID_IO ) { +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; +#endif d = dom_io; break; } @@ -333,6 +337,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) return -ESRCH; /* fall through */ case XEN_DOMCTL_test_assign_device: +#ifdef CONFIG_HAS_DEVICE_TREE + if ( op->u.assign_device.dev == XEN_DOMCTL_DEV_DT ) + op->u.assign_device.u.dt.dev = NULL; + fallthrough; +#endif case XEN_DOMCTL_vm_event_op: if ( op->domain == DOMID_INVALID ) { diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index 075fb25a37..49b3a26628 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -279,15 +279,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( (d && d->is_dying) || domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( domctl->cmd == XEN_DOMCTL_test_assign_device ) { @@ -335,15 +335,15 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d, if ( domctl->u.assign_device.flags ) break; - ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, - domctl->u.assign_device.u.dt.size, - &dev); - if ( ret ) - break; - - ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev)); - if ( ret ) - break; + dev = domctl->u.assign_device.u.dt.dev; + if ( !dev ) + { + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path, + domctl->u.assign_device.u.dt.size, + &dev); + if ( ret ) + break; + } if ( d == dom_io ) { diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index c199735b24..8d015214fa 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -1632,10 +1632,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); @@ -1677,10 +1673,6 @@ int iommu_do_pci_domctl( machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf; - ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf); - if ( ret ) - break; - seg = machine_sbdf >> 16; bus = PCI_BUS(machine_sbdf); devfn = PCI_DEVFN(machine_sbdf); diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index a33f9ec32b..67b708d768 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -531,7 +531,10 @@ struct xen_domctl_assign_device { } pci; struct { uint32_t size; /* Length of the path */ - XEN_GUEST_HANDLE_64(char) path; /* path to the device tree node */ + XEN_GUEST_HANDLE_64(char) path; /* Path to the device tree node */ +#ifdef __XEN__ + struct dt_device_node *dev; /* Resolved device node of the above */ +#endif } dt; } u; }; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7e8d3b2893..21e06f368d 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -403,40 +403,8 @@ static XSM_INLINE int cf_check xsm_get_device_group( XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } - -static XSM_INLINE int cf_check xsm_assign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_device( - XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - #endif /* HAS_PASSTHROUGH && HAS_PCI */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static XSM_INLINE int cf_check xsm_assign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -static XSM_INLINE int cf_check xsm_deassign_dtdevice( - XSM_DEFAULT_ARG struct domain *d, const char *dtpath) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static XSM_INLINE int cf_check xsm_resource_plug_core(XSM_DEFAULT_VOID) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index d60917f93d..bf6d4e9772 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -123,13 +123,6 @@ struct xsm_ops { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) int (*get_device_group)(uint32_t machine_bdf); - int (*assign_device)(struct domain *d, uint32_t machine_bdf); - int (*deassign_device)(struct domain *d, uint32_t machine_bdf); -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - int (*assign_dtdevice)(struct domain *d, const char *dtpath); - int (*deassign_dtdevice)(struct domain *d, const char *dtpath); #endif int (*resource_plug_core)(void); @@ -514,35 +507,8 @@ static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.get_device_group, machine_bdf); } - -static inline int xsm_assign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.assign_device, d, machine_bdf); -} - -static inline int xsm_deassign_device( - xsm_default_t def, struct domain *d, uint32_t machine_bdf) -{ - return alternative_call(xsm_ops.deassign_device, d, machine_bdf); -} #endif /* HAS_PASSTHROUGH && HAS_PCI) */ -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) -static inline int xsm_assign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.assign_dtdevice, d, dtpath); -} - -static inline int xsm_deassign_dtdevice( - xsm_default_t def, struct domain *d, const char *dtpath) -{ - return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath); -} - -#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */ - static inline int xsm_resource_plug_pci(xsm_default_t def, uint32_t machine_bdf) { return alternative_call(xsm_ops.resource_plug_pci, machine_bdf); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index f4bcefc46b..92fe9664a8 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -77,13 +77,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = xsm_get_device_group, - .assign_device = xsm_assign_device, - .deassign_device = xsm_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = xsm_assign_dtdevice, - .deassign_dtdevice = xsm_deassign_dtdevice, #endif .resource_plug_core = xsm_resource_plug_core, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index fc80576b09..f2248e32bf 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -45,6 +45,17 @@ static int flask_shadow_control(struct domain *d, unsigned int op); #define pv_shim false #endif +#ifdef CONFIG_HAS_PASSTHROUGH +#ifdef CONFIG_HAS_PCI +static int flask_assign_device(struct domain *d, unsigned int machine_bdf); +static int flask_deassign_device(struct domain *d, unsigned int machine_bdf); +#endif +#ifdef CONFIG_HAS_DEVICE_TREE +static int flask_assign_dtdevice(struct domain *d, const char *dtpath); +static int flask_deassign_dtdevice(struct domain *d, const char *dtpath); +#endif +#endif /* CONFIG_HAS_PASSTHROUGH */ + static uint32_t domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; @@ -694,16 +705,6 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: - -#ifdef CONFIG_HAS_PASSTHROUGH - /* - * These have individual XSM hooks - * (drivers/passthrough/{pci,device_tree.c) - */ - case XEN_DOMCTL_test_assign_device: - case XEN_DOMCTL_assign_device: - case XEN_DOMCTL_deassign_device: -#endif return 0; case XEN_DOMCTL_destroydomain: @@ -783,6 +784,49 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) return flask_shadow_control(d, op->u.shadow_op.op); #endif +#ifdef CONFIG_HAS_PASSTHROUGH + + case XEN_DOMCTL_test_assign_device: + case XEN_DOMCTL_assign_device: + case XEN_DOMCTL_deassign_device: + switch ( op->u.assign_device.dev ) + { +#ifdef CONFIG_HAS_PCI + case XEN_DOMCTL_DEV_PCI: + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_device( + d, op->u.assign_device.u.pci.machine_sbdf) + : flask_deassign_device( + d, op->u.assign_device.u.pci.machine_sbdf); +#endif + +#ifdef CONFIG_HAS_DEVICE_TREE + case XEN_DOMCTL_DEV_DT: + { + struct dt_device_node *dev; + int ret = dt_find_node_by_gpath(op->u.assign_device.u.dt.path, + op->u.assign_device.u.dt.size, + &dev); + + if ( ret ) + return ret; + + op->u.assign_device.u.dt.dev = dev; + + return op->cmd != XEN_DOMCTL_deassign_device + ? flask_assign_dtdevice(d, dt_node_full_name(dev)) + : flask_deassign_dtdevice(d, dt_node_full_name(dev)); + } +#endif + + default: + /* Unknown type. */ + break; + } + return avc_unknown_permission("assign_device", op->cmd); + +#endif /* CONFIG_HAS_PASSTHROUGH */ + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1397,7 +1441,7 @@ static int flask_test_assign_device(uint32_t machine_bdf) return avc_current_has_perm(rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL); } -static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) +static int flask_assign_device(struct domain *d, uint32_t machine_bdf) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1427,7 +1471,7 @@ static int cf_check flask_assign_device(struct domain *d, uint32_t machine_bdf) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_device( +static int flask_deassign_device( struct domain *d, uint32_t machine_bdf) { uint32_t rsid; @@ -1459,7 +1503,7 @@ static int flask_test_assign_dtdevice(const char *dtpath) NULL); } -static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) +static int flask_assign_dtdevice(struct domain *d, const char *dtpath) { uint32_t dsid, rsid; int rc = -EPERM; @@ -1489,7 +1533,7 @@ static int cf_check flask_assign_dtdevice(struct domain *d, const char *dtpath) return avc_has_perm(dsid, rsid, SECCLASS_RESOURCE, dperm, &ad); } -static int cf_check flask_deassign_dtdevice( +static int flask_deassign_dtdevice( struct domain *d, const char *dtpath) { uint32_t rsid; @@ -1955,13 +1999,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = { #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI) .get_device_group = flask_get_device_group, - .assign_device = flask_assign_device, - .deassign_device = flask_deassign_device, -#endif - -#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE) - .assign_dtdevice = flask_assign_dtdevice, - .deassign_dtdevice = flask_deassign_dtdevice, #endif .platform_op = flask_platform_op, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:26 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333643.1596808 (Exim 4.92) (envelope-from ) id 1wWyqQ-0006CI-9V; Tue, 09 Jun 2026 15:58:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333643.1596808; Tue, 09 Jun 2026 15:58:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqQ-0006C7-6Z; Tue, 09 Jun 2026 15:58:26 +0000 Received: by outflank-mailman (input) for mailman id 1333643; Tue, 09 Jun 2026 15:58:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqO-0006Bx-8F for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyqO-001jMg-1d for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyqO-00GsXv-0f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=arL4K/K4OXV8Q1F+tbzjnmaZ2JFp5sWeei4fcExpHo0=; b=hLoaa3f0VRGwoZuEudzUSe3iAg L1Pxc48oU/ZoOKvdL91HfXTiNbDA8bXN+vfg4LFMATqrHUC7WPGqNtkAMFxNg1aB1fPbjBD0yuWI2 kTNP5t3j81NAH9FZiMm5iVjNgcN936w3apztmEumz2FHX3RVweclyWiJFhbBVacPmVa8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock Message-Id: Date: Tue, 09 Jun 2026 15:58:24 +0000 commit 28cef2926da281d369bfcecd9c54d7656b5b2e0c Author: Jan Beulich AuthorDate: Thu Jun 4 21:41:59 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 domctl: handle XEN_DOMCTL_set_target without acquiring domctl lock The only locking required here is that between checking d->target and setting it. To avoid the need for an explicit lock, use cmpxchgptr() to update d->target. Move the handling not only ahead of acquiring the lock, but also ahead of the XSM check, leveraging that the sub-op has its own hook. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Reviewed-by: Roger Pau Monné (cherry picked from commit 4a93d1fb4f7f1231159688d428f7362d35d32ef6) --- xen/common/domctl.c | 54 ++++++++++++++++++++++--------------------------- xen/include/xsm/dummy.h | 3 ++- xen/xsm/flask/hooks.c | 5 +---- 3 files changed, 27 insertions(+), 35 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f3db0a5c4e..b0c1d905fe 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -489,6 +489,30 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } + case XEN_DOMCTL_set_target: + { + struct domain *e = get_domain_by_id(op->u.set_target.target); + + ret = -ESRCH; + if ( !e ) + goto domctl_out_unlock_domonly; + + if ( d == e ) + ret = -EINVAL; + else if ( !is_hvm_domain(e) ) + ret = -EOPNOTSUPP; + else + ret = xsm_set_target(XSM_PRIV, d, e); + + /* Hold reference on @e until we destroy @d. */ + if ( !ret && cmpxchgptr(&d->target, NULL, e) ) + ret = -EINVAL; + + if ( ret ) + put_domain(e); + goto domctl_out_unlock_domonly; + } + case XEN_DOMCTL_vm_event_op: if ( op->u.vm_event_op.op == XEN_VM_EVENT_GET_VERSION ) { @@ -845,36 +869,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds); break; - case XEN_DOMCTL_set_target: - { - struct domain *e; - - ret = -ESRCH; - e = get_domain_by_id(op->u.set_target.target); - if ( e == NULL ) - break; - - ret = -EINVAL; - if ( (d == e) || (d->target != NULL) ) - { - put_domain(e); - break; - } - - ret = -EOPNOTSUPP; - if ( is_hvm_domain(e) ) - ret = xsm_set_target(XSM_HOOK, d, e); - if ( ret ) - { - put_domain(e); - break; - } - - /* Hold reference on @e until we destroy @d. */ - d->target = e; - break; - } - case XEN_DOMCTL_subscribe: d->suspend_evtchn = op->u.subscribe.port; break; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 21e06f368d..718d3c4a2a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -150,7 +150,7 @@ static XSM_INLINE int cf_check xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) static XSM_INLINE int cf_check xsm_set_target( XSM_DEFAULT_ARG struct domain *d, struct domain *e) { - XSM_ASSERT_ACTION(XSM_HOOK); + XSM_ASSERT_ACTION(XSM_PRIV); return xsm_default_action(action, current->domain, NULL); } @@ -168,6 +168,7 @@ static XSM_INLINE int cf_check xsm_domctl( case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f2248e32bf..d8e2b12b14 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -699,14 +699,11 @@ static int cf_check flask_domctl(struct domain *d, struct xen_domctl *op) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_memory_mapping: + case XEN_DOMCTL_set_target: case XEN_DOMCTL_unbind_pt_irq: ASSERT_UNREACHABLE(); return -EILSEQ; - /* These have individual XSM hooks (common/domctl.c) */ - case XEN_DOMCTL_set_target: - return 0; - case XEN_DOMCTL_destroydomain: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:36 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333644.1596812 (Exim 4.92) (envelope-from ) id 1wWyqa-0006EH-Al; Tue, 09 Jun 2026 15:58:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333644.1596812; Tue, 09 Jun 2026 15:58:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqa-0006E9-87; Tue, 09 Jun 2026 15:58:36 +0000 Received: by outflank-mailman (input) for mailman id 1333644; Tue, 09 Jun 2026 15:58:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqY-0006E1-B0 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyqY-001jMp-1u for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyqY-00Gsky-0w for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JTD8wNuNqtZYAGPsS7vGo7wkWf9RGw9IxQvh+w32ZvI=; b=Y/ymK6U5rZWE3oEis6Q130Jhm/ QyCbbEXfC4sUpK1P1sTaIOha17Obax4SYvxwHJ5UeLcVOw6gp/TPUipiGPqtrM5/BzzgTYRLG/zB7 l+ciPOPvaePdLU6xezL34HyU7GYyAz2X/ymc4Uc3egkpxhEY/4TpyFKUvKNhBpR0QL4w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Message-Id: Date: Tue, 09 Jun 2026 15:58:34 +0000 commit 9fe35345a7e8efed0b6a1934d7db88ca26ad5668 Author: Michal Orzel AuthorDate: Tue Apr 14 10:11:24 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm64: flushtlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several errata where broadcast TLBI;DSB sequences don't provide all the architecturally required synchronization. The workaround performs more work than necessary, and can have significant overhead. This patch optimizes the workaround, as explained below. 1. All relevant errata only affect the ordering and/or completion of memory accesses which have been translated by an invalidated TLB entry. The actual invalidation of TLB entries is unaffected. 2. The existing workaround is applied to both broadcast and local TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for broadcast invalidation. 3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI sequence, whereas for all relevant errata it is only necessary to execute a single additional TLBI;DSB sequence after any number of TLBIs are completed by a DSB. For example, for a sequence of batched TLBIs: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH ... the existing workaround will expand this to: TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional TLBI [, ] DSB ISH // additional TLBI [, ] // additional DSB ISH ... whereas it is sufficient to have: TLBI [, ] TLBI [, ] TLBI [, ] DSB ISH TLBI [, ] // additional DSB ISH // additional Using a single additional TLBI and DSB at the end of the sequence can have significantly lower overhead as each DSB which completes a TLBI must synchronize with other PEs in the system, with potential performance effects both locally and system-wide. 4. The existing workaround repeats each specific TLBI operation, whereas for all relevant errata it is sufficient for the additional TLBI to use *any* operation which will be broadcast, regardless of which translation regime or stage of translation the operation applies to. For example, for a single TLBI: TLBI ALLE2IS DSB ISH ... the existing workaround will expand this to: TLBI ALLE2IS DSB ISH TLBI ALLE2IS // additional DSB ISH // additional ... whereas it is sufficient to have: TLBI ALLE2IS DSB ISH TLBI VALE1IS, XZR // additional DSB ISH // additional As the additional TLBI doesn't have to match a specific earlier TLBI, the additional TLBI can be implemented in separate code, with no memory of the earlier TLBIs. The additional TLBI can also use a cheaper TLBI operation. 5. The existing workaround is applied to both Stage-1 and Stage-2 TLB invalidation, whereas for all relevant errata it is only necessary to apply a workaround for Stage-1 invalidation. Architecturally, TLBI operations which invalidate only Stage-2 information (e.g. IPAS2E1IS) are not required to invalidate TLB entries which combine information from Stage-1 and Stage-2 translation table entries, and consequently may not complete memory accesses translated by those combined entries. In these cases, completion of memory accesses is only guaranteed after subsequent invalidation of Stage-1 information (e.g. VMALLE1IS). Rework the workaround logic as follows: - add TLB_HELPER_LOCAL() to be used for local TLB ops without a workaround, - modify TLB_HELPER() workaround to use tlbi vale2is, xzr as a second TLBI, - drop TLB_HELPER_VA(). It's used only by __flush_xen_tlb_one_local which is local and does not need workaround and by __flush_xen_tlb_one. In the latter case, since it's used in a loop, we don't need a workaround in the middle. Add __tlb_repeat_sync with a workaround to be used at the end after DSB and before final ISB, - TLBI VALE2IS passing XZR is used as an additional TLBI. While there is an identity mapping there, it's used very rarely. The performance impact is therefore negligible. If things change in the future, we can revisit the decision. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Reviewed-by: Julien Grall (cherry picked from commit 7c502d7591519135765b8041cbd1c70e56e5a0b9) --- xen/arch/arm/include/asm/arm32/flushtlb.h | 3 + xen/arch/arm/include/asm/arm64/flushtlb.h | 108 ++++++++++++++++++------------ xen/arch/arm/include/asm/flushtlb.h | 1 + xen/arch/arm/include/asm/mmu/layout.h | 4 ++ 4 files changed, 75 insertions(+), 41 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/flushtlb.h b/xen/arch/arm/include/asm/arm32/flushtlb.h index 61c25a3189..5483be08fb 100644 --- a/xen/arch/arm/include/asm/arm32/flushtlb.h +++ b/xen/arch/arm/include/asm/arm32/flushtlb.h @@ -57,6 +57,9 @@ static inline void __flush_xen_tlb_one(vaddr_t va) asm volatile(STORE_CP32(0, TLBIMVAHIS) : : "r" (va) : "memory"); } +/* Only for ARM64_WORKAROUND_REPEAT_TLBI */ +static inline void __tlb_repeat_sync(void) {} + #endif /* __ASM_ARM_ARM32_FLUSHTLB_H__ */ /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/flushtlb.h b/xen/arch/arm/include/asm/arm64/flushtlb.h index 45642201d1..c1314be122 100644 --- a/xen/arch/arm/include/asm/arm64/flushtlb.h +++ b/xen/arch/arm/include/asm/arm64/flushtlb.h @@ -12,9 +12,14 @@ * ARM64_WORKAROUND_REPEAT_TLBI: * Modification of the translation table for a virtual address might lead to * read-after-read ordering violation. - * The workaround repeats TLBI+DSB ISH operation for all the TLB flush - * operations. While this is strictly not necessary, we don't want to - * take any risk. + * The workaround repeats TLBI+DSB ISH operation for broadcast TLB flush + * operations. The workaround is not needed for local operations. + * + * It is sufficient for the additional TLBI to use *any* operation which will + * be broadcast, regardless of which translation regime or stage of translation + * the operation applies to. TLBI VALE2IS is used passing XZR. While there is + * an identity mapping there, it's only used during suspend/resume, CPU on/off, + * so the impact (performance if any) is negligible. * * For Xen page-tables the ISB will discard any instructions fetched * from the old mappings. @@ -26,69 +31,90 @@ * Note that for local TLB flush, using non-shareable (nsh) is sufficient * (see D5-4929 in ARM DDI 0487H.a). Although, the memory barrier in * for the workaround is left as inner-shareable to match with Linux - * v6.1-rc8. + * v6.19. */ -#define TLB_HELPER(name, tlbop, sh) \ +#define TLB_HELPER_LOCAL(name, tlbop) \ static inline void name(void) \ { \ asm volatile( \ - "dsb " # sh "st;" \ + "dsb nshst;" \ "tlbi " # tlbop ";" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ";", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - "dsb " # sh ";" \ + "dsb nsh;" \ "isb;" \ : : : "memory"); \ } -/* - * FLush TLB by VA. This will likely be used in a loop, so the caller - * is responsible to use the appropriate memory barriers before/after - * the sequence. - * - * See above about the ARM64_WORKAROUND_REPEAT_TLBI sequence. - */ -#define TLB_HELPER_VA(name, tlbop) \ -static inline void name(vaddr_t va) \ -{ \ - asm volatile( \ - "tlbi " # tlbop ", %0;" \ - ALTERNATIVE( \ - "nop; nop;", \ - "dsb ish;" \ - "tlbi " # tlbop ", %0;", \ - ARM64_WORKAROUND_REPEAT_TLBI, \ - CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ - : : "r" (va >> PAGE_SHIFT) : "memory"); \ +#define TLB_HELPER(name, tlbop) \ +static inline void name(void) \ +{ \ + asm volatile ( \ + "dsb ishst;" \ + "tlbi " # tlbop ";" \ + ALTERNATIVE( \ + "nop; nop;", \ + "dsb ish;" \ + "tlbi vale2is, xzr;", \ + ARM64_WORKAROUND_REPEAT_TLBI, \ + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \ + "dsb ish;" \ + "isb;" \ + : : : "memory"); \ } /* Flush local TLBs, current VMID only. */ -TLB_HELPER(flush_guest_tlb_local, vmalls12e1, nsh) +TLB_HELPER_LOCAL(flush_guest_tlb_local, vmalls12e1) /* Flush innershareable TLBs, current VMID only */ -TLB_HELPER(flush_guest_tlb, vmalls12e1is, ish) +TLB_HELPER(flush_guest_tlb, vmalls12e1is) /* Flush local TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb_local, alle1, nsh) +TLB_HELPER_LOCAL(flush_all_guests_tlb_local, alle1) /* Flush innershareable TLBs, all VMIDs, non-hypervisor mode */ -TLB_HELPER(flush_all_guests_tlb, alle1is, ish) +TLB_HELPER(flush_all_guests_tlb, alle1is) /* Flush all hypervisor mappings from the TLB of the local processor. */ -TLB_HELPER(flush_xen_tlb_local, alle2, nsh) +TLB_HELPER_LOCAL(flush_xen_tlb_local, alle2) + +#undef TLB_HELPER_LOCAL +#undef TLB_HELPER + +/* + * FLush TLB by VA. This will likely be used in a loop, so the caller + * is responsible to use the appropriate memory barriers before/after + * the sequence. + */ /* Flush TLB of local processor for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one_local, vae2) +static inline void __flush_xen_tlb_one_local(vaddr_t va) +{ + asm volatile ( + "tlbi vae2, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} /* Flush TLB of all processors in the inner-shareable domain for address va. */ -TLB_HELPER_VA(__flush_xen_tlb_one, vae2is) +static inline void __flush_xen_tlb_one(vaddr_t va) +{ + asm volatile ( + "tlbi vae2is, %0" : : "r" (va >> PAGE_SHIFT) : "memory"); +} -#undef TLB_HELPER -#undef TLB_HELPER_VA +/* + * ARM64_WORKAROUND_REPEAT_TLBI: + * For all relevant erratas it is only necessary to execute a single + * additional TLBI;DSB sequence after any number of TLBIs are completed by DSB. + */ +static inline void __tlb_repeat_sync(void) +{ + asm volatile ( + ALTERNATIVE( + "nop; nop;", + "tlbi vale2is, xzr;" + "dsb ish;", + ARM64_WORKAROUND_REPEAT_TLBI, + CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) + : : : "memory"); +} #endif /* __ASM_ARM_ARM64_FLUSHTLB_H__ */ /* diff --git a/xen/arch/arm/include/asm/flushtlb.h b/xen/arch/arm/include/asm/flushtlb.h index e45fb6d97b..c292c3c00d 100644 --- a/xen/arch/arm/include/asm/flushtlb.h +++ b/xen/arch/arm/include/asm/flushtlb.h @@ -65,6 +65,7 @@ static inline void flush_xen_tlb_range_va(vaddr_t va, va += PAGE_SIZE; } dsb(ish); /* Ensure the TLB invalidation has completed */ + __tlb_repeat_sync(); isb(); } diff --git a/xen/arch/arm/include/asm/mmu/layout.h b/xen/arch/arm/include/asm/mmu/layout.h index da6be276ac..d5c58b49a2 100644 --- a/xen/arch/arm/include/asm/mmu/layout.h +++ b/xen/arch/arm/include/asm/mmu/layout.h @@ -23,6 +23,10 @@ * * Reserved to identity map Xen * + * Note: As part of ARM64_WORKAROUND_REPEAT_TLBI, VA 0 is used for an extra + * TLBI operation given its rare use (only identity mapping) and thus + * negligible performance impact. + * * 0x0000020000000000 - 0x0000027fffffffff (512GB, L0 slot [4]) * (Relative offsets) * 0 - 2M Unmapped -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:46 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333645.1596816 (Exim 4.92) (envelope-from ) id 1wWyqk-0006GK-CA; Tue, 09 Jun 2026 15:58:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333645.1596816; Tue, 09 Jun 2026 15:58:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqk-0006GC-9Z; Tue, 09 Jun 2026 15:58:46 +0000 Received: by outflank-mailman (input) for mailman id 1333645; Tue, 09 Jun 2026 15:58:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqi-0006G4-E2 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyqi-001jMw-2D for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyqi-00Gt1M-1C for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hlJx26nBLOEcXbWzrii7L2fp2tac5WlAvxSb2xw/gfo=; b=dwK2IPeuEK4BV46eckRcan+74F UwGLgAHwM7vSaM/VtSGStWkfSEXMwJeA6QOiVZDlKGpXYw6J648ODW/26nhi6bCcks4qAy1uNTd5i bwHoBI380vnbLy+DbQXjJZbqvebn/KDdu4Zd0qdKReREwaUnYHj1kl+ZlimgA1EFKhrQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/arm: Sync missing definitions for Arm CPUs with Linux Message-Id: Date: Tue, 09 Jun 2026 15:58:44 +0000 commit 49659a2259a80a22f4c3ee04f814daeafe7c94ab Author: Michal Orzel AuthorDate: Fri May 22 09:35:55 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Sync missing definitions for Arm CPUs with Linux Synchronize with Linux kernel 7.0 definitions for the following CPUs: - Cortex-A76AE, - Cortex-A78AE, - Cortex-X1C, - Cortex-X3, - Neoverse-V2, - Cortex-X4, - Neoverse-V3AE, - Neoverse-V3, - Cortex-X925. These will be used for errata detection in subsequent patches. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit d54682a5b23d7a22a0f1aa74130bd1ed8a669db1) --- xen/arch/arm/include/asm/processor.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index 8e02410465..e1620d5798 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -74,13 +74,22 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_A78AE 0xD42 #define ARM_CPU_PART_CORTEX_X1 0xD44 #define ARM_CPU_PART_CORTEX_A710 0xD47 #define ARM_CPU_PART_CORTEX_X2 0xD48 #define ARM_CPU_PART_NEOVERSE_N2 0xD49 #define ARM_CPU_PART_CORTEX_A78C 0xD4B +#define ARM_CPU_PART_CORTEX_X1C 0xD4C +#define ARM_CPU_PART_CORTEX_X3 0xD4E +#define ARM_CPU_PART_NEOVERSE_V2 0xD4F +#define ARM_CPU_PART_CORTEX_X4 0xD82 +#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 +#define ARM_CPU_PART_NEOVERSE_V3 0xD84 +#define ARM_CPU_PART_CORTEX_X925 0xD85 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -95,13 +104,22 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) +#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) +#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3) +#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) +#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) +#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) +#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) +#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:58:56 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:58:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333646.1596820 (Exim 4.92) (envelope-from ) id 1wWyqu-0006IN-E5; Tue, 09 Jun 2026 15:58:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333646.1596820; Tue, 09 Jun 2026 15:58:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqu-0006IF-Av; Tue, 09 Jun 2026 15:58:56 +0000 Received: by outflank-mailman (input) for mailman id 1333646; Tue, 09 Jun 2026 15:58:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyqs-0006I7-HZ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyqs-001jN0-2Z for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyqs-00GtBV-1V for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:58:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kYoMqb6hSAznvT0WolcZTYkM9PnlOTCRvmVUkJsI+ss=; b=sqlSPBZ+nehIUo24t0fiwoiBm2 2+XwUqV5xmdoXfBb5PrYKzw2CiwtAIKQ+EvSYDWVW3sR7uunWww/mksFWPuFOXjwkoRKy6ot4hdfU dYw1GrpYLSCOrPDbu9P9n4l7e8ULNp9gbq/gvc5rhH7hmRJrVlzL5a6TqRlaPjuGFdDw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/arm: Add C1-Ultra definitions Message-Id: Date: Tue, 09 Jun 2026 15:58:54 +0000 commit 1c2e5eb9a1ee1b7af55bbb1bf7507e200c593134 Author: Michal Orzel AuthorDate: Fri May 22 09:35:56 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Add C1-Ultra definitions Add processor definitions for C1-Ultra. These will be used for errata detection in subsequent patches. These values can be found in the C1-Ultra TRM: https://developer.arm.com/documentation/108014/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 36ddaa7918d6ec0d06a31079c8a25a6ae3c69cbc) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index e1620d5798..a2104c2caf 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -90,6 +90,7 @@ #define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 +#define ARM_CPU_PART_C1_ULTRA 0xD8C #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -120,6 +121,7 @@ #define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) +#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:59:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:59:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333647.1596824 (Exim 4.92) (envelope-from ) id 1wWyr3-0006Ks-Go; Tue, 09 Jun 2026 15:59:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333647.1596824; Tue, 09 Jun 2026 15:59:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyr3-0006Kk-EG; Tue, 09 Jun 2026 15:59:05 +0000 Received: by outflank-mailman (input) for mailman id 1333647; Tue, 09 Jun 2026 15:59:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyr2-0006Kd-KJ for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyr2-001jNJ-2p for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyr2-00GtOY-1q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gHamq4DC95BXnSdfdiMBE12Vze8s8lho+yv896Oy0bI=; b=RWdy36mQK4F1x4C7+qMxu1woqD wfm8c2UeOmiNUtAuFuMfHHTJ1S6VhzoQwm8wR5xVTnoP76yErHgOiLp9fb9i6WLElUQmfP70f9VDe kdjQSEAzt37+HuB9LSn1xCcpH6zYDPHrWs+FGKtifa61nLfmPvuBfL5PF7Wgk7vOzwT0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/arm: Add C1-Premium definitions Message-Id: Date: Tue, 09 Jun 2026 15:59:04 +0000 commit 57b2611107edf07996235166b5214639c9f0253a Author: Michal Orzel AuthorDate: Fri May 22 09:35:57 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Add C1-Premium definitions Add processor definitions for C1-Premium. These will be used for errata detection in subsequent patches. These values can be found in the C1-Premium TRM: https://developer.arm.com/documentation/109416/0100/ ... in section A.5.1 ("MIDR_EL1, Main ID Register"). Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 0315d10321518beb24c41bb595e9197cadec0693) --- xen/arch/arm/include/asm/processor.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/arch/arm/include/asm/processor.h b/xen/arch/arm/include/asm/processor.h index a2104c2caf..3f086beed1 100644 --- a/xen/arch/arm/include/asm/processor.h +++ b/xen/arch/arm/include/asm/processor.h @@ -91,6 +91,7 @@ #define ARM_CPU_PART_NEOVERSE_V3 0xD84 #define ARM_CPU_PART_CORTEX_X925 0xD85 #define ARM_CPU_PART_C1_ULTRA 0xD8C +#define ARM_CPU_PART_C1_PREMIUM 0xD90 #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) @@ -122,6 +123,7 @@ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) +#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) /* MPIDR Multiprocessor Affinity Register */ #define _MPIDR_UP (30) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:59:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:59:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333648.1596828 (Exim 4.92) (envelope-from ) id 1wWyrD-0006Mw-IZ; Tue, 09 Jun 2026 15:59:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333648.1596828; Tue, 09 Jun 2026 15:59:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrD-0006Mo-Fw; Tue, 09 Jun 2026 15:59:15 +0000 Received: by outflank-mailman (input) for mailman id 1333648; Tue, 09 Jun 2026 15:59:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrC-0006Me-Mn for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyrC-001jNO-35 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyrC-00Gtea-26 for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ABTJ2UsWu4y5v3p2EiT7ok0maTTjmx8athdZIgL7XYM=; b=sIdxQw1WJdStqNyte7FgX9MFvm MRNN4vjqilngU7h4TcAE5HwdO84MVbYwcrhxUJuPyiCEQoWh6TL/UN+txwnsctM3vwYy76yoERnFm 65wqenEq1AdBeEzDVxkwF4Redw+E6hWYlhz6UhblVvkxPVvSrnqZPLm6AFn+ilvU0rx4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/arm: Mitigate TLBI errata on various Arm CPUs Message-Id: Date: Tue, 09 Jun 2026 15:59:14 +0000 commit bb9856e5e4c75576876409cd567b9ab72dac1e23 Author: Michal Orzel AuthorDate: Fri May 22 09:35:58 2026 +0200 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 xen/arm: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI + DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. This can lead to memory corruption and potential privilege escalation. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. To mitigate this issue, Arm recommends that software follows each TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs. This is XSA-493 / CVE-2025-10263. Signed-off-by: Michal Orzel Reviewed-by: Julien Grall (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f) --- xen/arch/arm/Kconfig | 21 ++++++++++++ xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 2939db429b..3eddc9c1e6 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -383,6 +383,27 @@ config ARM64_ERRATUM_1508412 If unsure, say Y. +config ARM64_ERRATUM_CVE_2025_10263 + bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + depends on ARM_64 + select ARM64_WORKAROUND_REPEAT_TLBI + help + This option adds a workaround for CVE-2025-10263. + + A broadcast TLBI on another PE may complete before affected memory + accesses are globally observed. This may permit bypass of Stage 1 + translation, Stage-2 translation, or GPT protection. + + The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all + the broadcast TLB flush operations. A single additional TLBI and DSB are + sufficient regardless of how many TLBIs are completed by the DSB. + + Note that software workarounds are required at all execution levels for + affected parts to fully mitigate this issue. + + If unsure, say Y. + endmenu config ARM64_HARDEN_BRANCH_PREDICTOR diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 9137958fb6..99517b5298 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -536,6 +536,92 @@ static const struct arm_cpu_capabilities arm_errata[] = { MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263 + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), + }, + { + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), + }, +#endif #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR { .capability = ARM_HARDEN_BRANCH_PREDICTOR, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:59:25 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:59:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333650.1596832 (Exim 4.92) (envelope-from ) id 1wWyrN-0006PN-Kc; Tue, 09 Jun 2026 15:59:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333650.1596832; Tue, 09 Jun 2026 15:59:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrN-0006PG-HR; Tue, 09 Jun 2026 15:59:25 +0000 Received: by outflank-mailman (input) for mailman id 1333650; Tue, 09 Jun 2026 15:59:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrM-0006PA-Py for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyrN-001jNl-0A for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyrM-00GtnC-2Q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mMJ5mlW4dFzBlF/rbAlvLeNOzEf9IwHYUV2j/1SWUlc=; b=QYdaLK4syTgzjkfPbFua2FkRBn S5UYnaxsHaacXOZnlD6CgBBAwnY1U8ssRCpZloDU6Mpf6HHD/XN6cliuT3JWqcd+ThOirP6r6HoQS QrdI9ILpEuGIH/+VEoIrNOaqzeks/TV1bkot46N5McTpOWxAVQFlYO9xjZjvKjisjQ3c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/mm: accurately track which vCPU page-tables are loaded Message-Id: Date: Tue, 09 Jun 2026 15:59:24 +0000 commit 07f3beb32ff63a497a82f07b37c2c23587a46da9 Author: Roger Pau Monne AuthorDate: Mon Mar 16 11:03:22 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 4 22:29:01 2026 +0100 x86/mm: accurately track which vCPU page-tables are loaded Neither current nor curr_vcpu per-CPU fields accurately track which page-tables are loaded. There are corner cases when dealing with shadow paging failures that switch to the idle vCPU page-tables without changing current or curr_vcpu per-CPU fields. Introduce a new per-CPU field that attempts to track which vCPU page-tables are loaded. Update such tracking when cr3 is changed, and do so in a region with interrupts disabled, as to avoid handling interrupts with a mismatch between the vCPU tracking field and the loaded page-tables. As a result of this newly more accurate tracking the mapcache override functionality can be removed: the dom0 PV builder was the only user of it, and it's updated here to properly signal which vCPU page-tables are loaded in the calls to switch_cr3_cr4(). Note the EFI page-tables have the Xen owned L4 slots copied from the idle page-tables, so for the effects of the mapcache the EFI page-tables could use the idle mapcache if it had one. Pass the idle vCPU in the switch_cr3_cr4() call that switches to the runtime EFI page-tables. There are known issues with the use of mapcache in NMI context.  This patch does not alter the behaviour. This is CVE-2026-42488 / XSA-494. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper (cherry picked from commit 622c9a5ba95dae9b1084f16d0557ec64d1d12eaa) --- xen/arch/x86/domain_page.c | 48 +++++++++++++++--------------------- xen/arch/x86/flushtlb.c | 5 +++- xen/arch/x86/include/asm/domain.h | 1 - xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/processor.h | 3 +++ xen/arch/x86/mm.c | 4 +-- xen/arch/x86/pv/dom0_build.c | 12 +++------ xen/arch/x86/pv/domain.c | 13 ++++++++-- xen/arch/x86/smpboot.c | 1 + xen/common/efi/common-stub.c | 5 ---- xen/common/efi/runtime.c | 21 ++++++---------- xen/include/xen/efi.h | 1 - 12 files changed, 54 insertions(+), 62 deletions(-) diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index eac5e3304f..72c00194f3 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -18,48 +18,40 @@ #include #include -static DEFINE_PER_CPU(struct vcpu *, override); - static inline struct vcpu *mapcache_current_vcpu(void) { - /* In the common case we use the mapcache of the running VCPU. */ - struct vcpu *v = this_cpu(override) ?: current; - - /* - * When current isn't properly set up yet, this is equivalent to - * running in an idle vCPU (callers must check for NULL). - */ - if ( !v ) - return NULL; + struct vcpu *v = this_cpu(pgtable_vcpu); + struct vcpu *curr = current; /* - * When using efi runtime page tables, we have the equivalent of the idle - * domain's page tables but current may point at another domain's VCPU. - * Return NULL as though current is not properly set up yet. + * During early boot pgtable_vcpu is not set, callers must handle NULL. + * Non-PV domains don't have a mapcache, the directmap covers all physical + * address space. */ - if ( efi_rs_using_pgtables() ) + if ( !v || !is_pv_vcpu(v) ) return NULL; /* - * If guest_table is NULL, and we are running a paravirtualised guest, - * then it means we are running on the idle domain's page table and must - * therefore use its mapcache. + * If we are in a lazy context-switch state from a PV vCPU do a full switch + * to the idle vCPU now, otherwise an incoming FLUSH_VCPU_STATE IPI would + * change the page tables under our feet an invalidate any in-use mapcache + * entries. */ - if ( unlikely(pagetable_is_null(v->arch.guest_table)) && is_pv_vcpu(v) ) + if ( unlikely(this_cpu(curr_vcpu) != curr) ) { - /* If we really are idling, perform lazy context switch now. */ - if ( (v = idle_vcpu[smp_processor_id()]) == current ) - sync_local_execstate(); + ASSERT(curr == idle_vcpu[smp_processor_id()]); + sync_local_execstate(); /* We must now be running on the idle page table. */ ASSERT(cr3_pa(read_cr3()) == __pa(idle_pg_table)); } - return v; -} - -void __init mapcache_override_current(struct vcpu *v) -{ - this_cpu(override) = v; + /* + * At this point we can guarantee Xen is not in lazy context switch: either + * the code above will have synced the state, or an incoming + * FLUSH_VCPU_STATE IPI has done so behind our back. Use ACCESS_ONCE to + * ensure the compiler never returns the locally cached pgtable_vcpu value. + */ + return ACCESS_ONCE(this_cpu(pgtable_vcpu)); } #define mapcache_l2_entry(e) ((e) >> PAGETABLE_ORDER) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 18748b2bc8..cdefab2f08 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -111,7 +111,9 @@ static void do_tlb_flush(void) local_irq_restore(flags); } -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) +DEFINE_PER_CPU(struct vcpu *, pgtable_vcpu); + +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4) { unsigned long flags, old_cr4; u32 t = 0; @@ -155,6 +157,7 @@ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4) if ( (old_cr4 & X86_CR4_PCIDE) > (cr4 & X86_CR4_PCIDE) ) cr3 |= X86_CR3_NOFLUSH; write_cr3(cr3); + this_cpu(pgtable_vcpu) = v; if ( old_cr4 != cr4 ) write_cr4(cr4); diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 0d2d2b6623..85fba8b3c5 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -76,7 +76,6 @@ struct mapcache_domain { int mapcache_domain_init(struct domain *); int mapcache_vcpu_init(struct vcpu *); -void mapcache_override_current(struct vcpu *); /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *); diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm/flushtlb.h index a461ee36ff..821ffe3e8b 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h @@ -99,7 +99,7 @@ static inline unsigned long read_cr3(void) } /* Write pagetable base and implicitly tick the tlbflush clock. */ -void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); +void switch_cr3_cr4(struct vcpu *v, unsigned long cr3, unsigned long cr4); /* flush_* flag fields: */ /* diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h index c5e5c72341..c6e0c858bf 100644 --- a/xen/arch/x86/include/asm/processor.h +++ b/xen/arch/x86/include/asm/processor.h @@ -372,6 +372,9 @@ extern idt_entry_t *idt_tables[]; DECLARE_PER_CPU(root_pgentry_t *, root_pgt); +/* vCPU of the currently loaded page-tables. */ +DECLARE_PER_CPU(struct vcpu *, pgtable_vcpu); + extern void write_ptbase(struct vcpu *v); /* REP NOP (PAUSE) is a good thing to insert into busy-wait loops. */ diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 3635f90684..484b989042 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -528,7 +528,7 @@ void write_ptbase(struct vcpu *v) cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)); if ( new_cr4 & X86_CR4_PCIDE ) cpu_info->pv_cr3 |= get_pcid_bits(v, true); - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); } else { @@ -536,7 +536,7 @@ void write_ptbase(struct vcpu *v) cpu_info->use_pv_cr3 = false; cpu_info->xen_cr3 = 0; /* switch_cr3_cr4() serializes. */ - switch_cr3_cr4(v->arch.cr3, new_cr4); + switch_cr3_cr4(v, v->arch.cr3, new_cr4); cpu_info->pv_cr3 = 0; } } diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index 3b28ae45d1..0f9e614ce7 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -812,8 +812,7 @@ static int __init dom0_construct(struct domain *d, update_cr3(v); /* We run on dom0's page tables for the final part of the build process. */ - switch_cr3_cr4(cr3_pa(v->arch.cr3), read_cr4()); - mapcache_override_current(v); + switch_cr3_cr4(v, cr3_pa(v->arch.cr3), read_cr4()); /* Copy the OS image and free temporary buffer. */ elf.dest_base = (void*)vkern_start; @@ -822,8 +821,7 @@ static int __init dom0_construct(struct domain *d, rc = elf_load_binary(&elf); if ( rc < 0 ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Failed to load the kernel binary\n"); goto out; } @@ -834,8 +832,7 @@ static int __init dom0_construct(struct domain *d, if ( (parms.virt_hypercall < v_start) || (parms.virt_hypercall >= v_end) ) { - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); return -EINVAL; } @@ -976,8 +973,7 @@ static int __init dom0_construct(struct domain *d, #endif /* Return to idle domain's page tables. */ - mapcache_override_current(NULL); - switch_cr3_cr4(current->arch.cr3, read_cr4()); + switch_cr3_cr4(current, current->arch.cr3, read_cr4()); update_domain_wallclock_time(d); diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 2a445bb17b..5cd467d7a6 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -428,6 +428,8 @@ static void _toggle_guest_pt(struct vcpu *v) pagetable_t old_shadow; unsigned long cr3; + ASSERT(local_irq_is_enabled()); + v->arch.flags ^= TF_kernel_mode; guest_update = v->arch.flags & TF_kernel_mode; old_shadow = update_cr3(v); @@ -450,15 +452,22 @@ static void _toggle_guest_pt(struct vcpu *v) { cr3 &= ~X86_CR3_NOFLUSH; + local_irq_disable(); if ( unlikely(mfn_eq(pagetable_get_mfn(old_shadow), maddr_to_mfn(cr3))) ) { - cr3 = idle_vcpu[v->processor]->arch.cr3; /* Also suppress runstate/time area updates below. */ guest_update = false; + + cr3 = idle_vcpu[v->processor]->arch.cr3; + this_cpu(pgtable_vcpu) = idle_vcpu[v->processor]; } + + write_cr3(cr3); + local_irq_enable(); } - write_cr3(cr3); + else + write_cr3(cr3); if ( !pagetable_is_null(old_shadow) ) shadow_put_top_level(v->domain, old_shadow); diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index ec4956e104..a585d4df5c 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -324,6 +324,7 @@ void start_secondary(void *unused) set_current(idle_vcpu[cpu]); this_cpu(curr_vcpu) = idle_vcpu[cpu]; + this_cpu(pgtable_vcpu) = idle_vcpu[cpu]; rdmsrl(MSR_EFER, this_cpu(efer)); init_shadow_spec_ctrl_state(); diff --git a/xen/common/efi/common-stub.c b/xen/common/efi/common-stub.c index 5a91fe28cc..aaeb916c0f 100644 --- a/xen/common/efi/common-stub.c +++ b/xen/common/efi/common-stub.c @@ -7,11 +7,6 @@ bool efi_enabled(unsigned int feature) return false; } -bool efi_rs_using_pgtables(void) -{ - return false; -} - unsigned long efi_get_time(void) { BUG(); diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 5cb7504c96..db21b9a802 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -46,7 +46,6 @@ const CHAR16 *__read_mostly efi_fw_vendor; const EFI_RUNTIME_SERVICES *__read_mostly efi_rs; #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ static DEFINE_SPINLOCK(efi_rs_lock); -static unsigned int efi_rs_on_cpu = NR_CPUS; #endif UINTN __read_mostly efi_memmap_size; @@ -89,6 +88,11 @@ struct efi_rs_state efi_rs_enter(void) if ( mfn_eq(efi_l4_mfn, INVALID_MFN) ) return state; + /* + * If in lazy idle context switch state sync now to avoid an incoming + * FLUSH_VCPU_STATE IPI changing the loaded page-tables. + */ + sync_local_execstate(); state.cr3 = read_cr3(); save_fpu_enable(); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); @@ -96,8 +100,6 @@ struct efi_rs_state efi_rs_enter(void) spin_lock(&efi_rs_lock); - efi_rs_on_cpu = smp_processor_id(); - /* prevent fixup_page_fault() from doing anything */ irq_enter(); @@ -112,7 +114,8 @@ struct efi_rs_state efi_rs_enter(void) lgdt(&gdt_desc); } - switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4()); + switch_cr3_cr4(idle_vcpu[smp_processor_id()], mfn_to_maddr(efi_l4_mfn), + read_cr4()); /* * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible. @@ -140,7 +143,7 @@ void efi_rs_leave(struct efi_rs_state *state) if ( state->msr_s_cet ) wrmsrl(MSR_S_CET, state->msr_s_cet); - switch_cr3_cr4(state->cr3, read_cr4()); + switch_cr3_cr4(curr, state->cr3, read_cr4()); if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { @@ -151,18 +154,10 @@ void efi_rs_leave(struct efi_rs_state *state) lgdt(&gdt_desc); } irq_exit(); - efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); vcpu_restore_fpu_nonlazy(curr, true); } -bool efi_rs_using_pgtables(void) -{ - return !mfn_eq(efi_l4_mfn, INVALID_MFN) && - (smp_processor_id() == efi_rs_on_cpu) && - (read_cr3() == mfn_to_maddr(efi_l4_mfn)); -} - unsigned long efi_get_time(void) { EFI_TIME time; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 942d2e9491..383b382fb0 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -34,7 +34,6 @@ struct compat_pf_efi_runtime_call; bool efi_enabled(unsigned int feature); void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); -bool efi_rs_using_pgtables(void); unsigned long efi_get_time(void); void efi_halt_system(void); void efi_reset_system(bool warm); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 15:59:35 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 15:59:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333651.1596836 (Exim 4.92) (envelope-from ) id 1wWyrX-0006RK-MJ; Tue, 09 Jun 2026 15:59:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333651.1596836; Tue, 09 Jun 2026 15:59:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrX-0006RC-Iz; Tue, 09 Jun 2026 15:59:35 +0000 Received: by outflank-mailman (input) for mailman id 1333651; Tue, 09 Jun 2026 15:59:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWyrW-0006R6-Ss for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWyrX-001jNp-0S for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWyrW-00Gty7-2f for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 15:59:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VEMkEfINcZ5CojzBl03uVrbPkwglIOh64+2mt6/m5VA=; b=Pmp0tdVJrxFUeu/zycCQhq/9wt VOcPRV8/1D2i/DXJ387DKqcftHmj+6QeaxywK1VZmdgbFvCN5zaVwCkIJpM62y2Eg/eJDvaoTF8c2 AlYQcKxxqD/Bx/7mg0bEAKzPdm8EcuuMkegvjUwTvvJ3wqVpboP3hHZyFPaWedHC3SyI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] Revert local CI adjustments Message-Id: Date: Tue, 09 Jun 2026 15:59:34 +0000 commit f8cc168c4cdfe73da4e7bcb4b575ffc376523bcc Author: Andrew Cooper AuthorDate: Tue Jun 9 13:09:55 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 9 13:09:55 2026 +0100 Revert local CI adjustments This reverts commit 3f4d62dce7f5fe168e849d7fa6082853d07ad3bc. Signed-off-by: Andrew Cooper --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index da236e3347..ef4484e09a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,5 +10,6 @@ stages: - test include: + - 'automation/gitlab-ci/analyze.yaml' - 'automation/gitlab-ci/build.yaml' - 'automation/gitlab-ci/test.yaml' -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 16:44:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 16:44:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333680.1596849 (Exim 4.92) (envelope-from ) id 1wWzYZ-0001Fj-2K; Tue, 09 Jun 2026 16:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333680.1596849; Tue, 09 Jun 2026 16:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWzYY-0001Fb-Vv; Tue, 09 Jun 2026 16:44:02 +0000 Received: by outflank-mailman (input) for mailman id 1333680; Tue, 09 Jun 2026 16:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWzYX-0001FV-Su for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWzYY-001kdl-0K for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWzYX-0006km-2X for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cWHN/bEt55qx643UlX777RHKZfFlQZoDEnPYE4QGaJ4=; b=26y7Lg1KyQXegQfws5txDZpxjl +xsd7Bwou4qTmjWFxmwonyuOufcsNBKpQHzgyx2foJmOhwjyVk9+yME1oxkWryZMOiP9Sq4rB+R8i Wp3jaYwjsE8kL8DTQFw9w7Peq1LM8Vejyk4Ytg+4qcKDFk+T7DKa/oHZEe3JA5vsgzkc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: split DTB/initrd placement helpers Message-Id: Date: Tue, 09 Jun 2026 16:44:01 +0000 commit 0656627b898afe8fb29b93d3e85c55df8f141d1a Author: Mykola Kvach AuthorDate: Mon Jun 8 07:39:18 2026 +0100 Commit: Michal Orzel CommitDate: Tue Jun 9 16:08:16 2026 +0100 xen/arm: split DTB/initrd placement helpers The Arm zImage loader currently computes the kernel load address and places the DTB/initrd in one local flow. The hardware-domain memory allocator needs to reuse those placement rules before it chooses bank 0, but open-coding the same calculations there would make the fix harder to audit. Split the existing logic into small helpers: - kernel_zimage_place_in_bank() computes the zImage load address for a given bank. - first_bank_can_fit_modules() checks the aggregate first-bank footprint. - find_dtb_initrd_placement() chooses the DTB/initrd location within a known bank and kernel range. Rename place_modules() to place_dtb_initrd() so the code distinguishes the kernel image from the DTB/initrd placement area. Also update the comments linking the hypervisor and toolstack placement paths. While moving the code, spell the 2MB alignment mask with MB(2) rather than open-coding (2 << 20). This is mechanical and keeps the generated value unchanged. The caller still panics in the same cases as before, so this is intended to be behavior preserving. Signed-off-by: Mykola Kvach Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- tools/libs/guest/xg_dom_arm.c | 2 +- xen/arch/arm/kernel.c | 147 ++++++++++++++++++++++------------ xen/common/device-tree/domain-build.c | 6 +- 3 files changed, 98 insertions(+), 57 deletions(-) diff --git a/tools/libs/guest/xg_dom_arm.c b/tools/libs/guest/xg_dom_arm.c index 739ec1c338..cb0af9f35a 100644 --- a/tools/libs/guest/xg_dom_arm.c +++ b/tools/libs/guest/xg_dom_arm.c @@ -429,7 +429,7 @@ static int meminit(struct xc_dom_image *dom) * just before the kernel. * * If changing this then consider - * xen/arch/arm/kernel.c:place_modules as well. + * xen/arch/arm/kernel.c:place_dtb_initrd as well. */ bank0end = bankbase[0] + ((uint64_t)dom->rambank_size[0] << XC_PAGE_SHIFT); diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c index b72585b7fe..d1be4d8074 100644 --- a/xen/arch/arm/kernel.c +++ b/xen/arch/arm/kernel.c @@ -40,27 +40,59 @@ struct minimal_dtb_header { /* There are other fields but we don't use them yet. */ }; -static void __init place_modules(struct kernel_info *info, - paddr_t kernbase, paddr_t kernend) +static paddr_t __init +kernel_zimage_place_in_bank(const struct kernel_info *info, + paddr_t bank_start, paddr_t bank_size) { - /* Align DTB and initrd size to 2Mb. Linux only requires 4 byte alignment */ - const struct boot_module *mod = info->bd.initrd; - const struct membanks *mem = kernel_info_get_mem(info); - const paddr_t initrd_len = ROUNDUP(mod ? mod->size : 0, MB(2)); - const paddr_t dtb_len = ROUNDUP(fdt_totalsize(info->fdt), MB(2)); - const paddr_t modsize = initrd_len + dtb_len; + paddr_t load_addr; - /* Convenient */ - const paddr_t rambase = mem->bank[0].start; - const paddr_t ramsize = mem->bank[0].size; - const paddr_t ramend = rambase + ramsize; +#ifdef CONFIG_HAS_DOMAIN_TYPE + if ( (info->type == DOMAIN_64BIT) && (info->image.start == 0) ) + return bank_start + info->image.text_offset; +#endif + + /* + * If start is zero, the zImage is position independent, in this + * case Documentation/arm/Booting recommends loading below 128MiB + * and above 32MiB. Load it as high as possible within these + * constraints, while also avoiding the DTB. + */ + if ( info->image.start == 0 ) + { + paddr_t load_end; + + load_end = bank_start + bank_size; + load_end = MIN(bank_start + MB(128), load_end); + + load_addr = load_end - info->image.len; + /* Align to 2MB */ + load_addr &= ~(MB(2) - 1); + } + else + load_addr = info->image.start; + + return load_addr; +} + +static bool __init first_bank_can_fit_modules(paddr_t ramsize, + paddr_t kernbase, paddr_t kernend, + paddr_t dtb_initrd_size) +{ const paddr_t kernsize = ROUNDUP(kernend, MB(2)) - kernbase; - const paddr_t ram128mb = rambase + MB(128); - paddr_t modbase; + /* + * Check only the aggregate kernel + DTB/initrd footprint. The actual + * DTB/initrd location is selected by find_dtb_initrd_placement(). + */ + return dtb_initrd_size + kernsize <= ramsize; +} - if ( modsize + kernsize > ramsize ) - panic("Not enough memory in the first bank for the kernel+dtb+initrd\n"); +static bool __init find_dtb_initrd_placement(paddr_t rambase, paddr_t ramend, + paddr_t kernbase, paddr_t kernend, + paddr_t dtb_initrd_size, + paddr_t *dtb_base) +{ + const paddr_t ram128mb = rambase + MB(128); /* * DTB must be loaded such that it does not conflict with the @@ -77,55 +109,64 @@ static void __init place_modules(struct kernel_info *info, * just before the kernel. * * If changing this then consider - * tools/libxc/xc_dom_arm.c:arch_setup_meminit as well. + * tools/libs/guest/xg_dom_arm.c:meminit as well. */ - if ( ramend >= ram128mb + modsize && kernend < ram128mb ) - modbase = ram128mb; - else if ( ramend - modsize > ROUNDUP(kernend, MB(2)) ) - modbase = ramend - modsize; - else if ( kernbase - rambase > modsize ) - modbase = kernbase - modsize; - else + if ( ramend >= ram128mb + dtb_initrd_size && kernend < ram128mb ) { - panic("Unable to find suitable location for dtb+initrd\n"); - return; + *dtb_base = ram128mb; + return true; } - info->dtb_paddr = modbase; - info->initrd_paddr = info->dtb_paddr + dtb_len; + if ( ramend - dtb_initrd_size > ROUNDUP(kernend, MB(2)) ) + { + *dtb_base = ramend - dtb_initrd_size; + return true; + } + + if ( kernbase - rambase > dtb_initrd_size ) + { + *dtb_base = kernbase - dtb_initrd_size; + return true; + } + + return false; } -static paddr_t __init kernel_zimage_place(struct kernel_info *info) +static void __init place_dtb_initrd(struct kernel_info *info, + paddr_t kernbase, paddr_t kernend) { + /* Align DTB and initrd size to 2Mb. Linux only requires 4 byte alignment */ + const struct boot_module *initrd = info->bd.initrd; const struct membanks *mem = kernel_info_get_mem(info); - paddr_t load_addr; + const paddr_t initrd_len = ROUNDUP(initrd ? initrd->size : 0, MB(2)); + const paddr_t dtb_len = ROUNDUP(fdt_totalsize(info->fdt), MB(2)); + const paddr_t dtb_initrd_size = initrd_len + dtb_len; -#ifdef CONFIG_HAS_DOMAIN_TYPE - if ( (info->type == DOMAIN_64BIT) && (info->image.start == 0) ) - return mem->bank[0].start + info->image.text_offset; -#endif + /* Convenient */ + const paddr_t rambase = mem->bank[0].start; + const paddr_t ramsize = mem->bank[0].size; + const paddr_t ramend = rambase + ramsize; - /* - * If start is zero, the zImage is position independent, in this - * case Documentation/arm/Booting recommends loading below 128MiB - * and above 32MiB. Load it as high as possible within these - * constraints, while also avoiding the DTB. - */ - if ( info->image.start == 0 ) - { - paddr_t load_end; + paddr_t dtb_base; - load_end = mem->bank[0].start + mem->bank[0].size; - load_end = MIN(mem->bank[0].start + MB(128), load_end); + if ( !first_bank_can_fit_modules(ramsize, kernbase, kernend, + dtb_initrd_size) ) + panic("Not enough memory in the first bank for the kernel+dtb+initrd\n"); - load_addr = load_end - info->image.len; - /* Align to 2MB */ - load_addr &= ~((2 << 20) - 1); - } - else - load_addr = info->image.start; + if ( !find_dtb_initrd_placement(rambase, ramend, kernbase, kernend, + dtb_initrd_size, &dtb_base) ) + panic("Unable to find suitable location for dtb+initrd\n"); - return load_addr; + info->dtb_paddr = dtb_base; + info->initrd_paddr = info->dtb_paddr + dtb_len; +} + +static paddr_t __init kernel_zimage_place(struct kernel_info *info) +{ + const struct membanks *mem = kernel_info_get_mem(info); + + return kernel_zimage_place_in_bank(info, mem->bank[0].start, + mem->bank[0].size); } static void __init kernel_zimage_load(struct kernel_info *info) @@ -143,7 +184,7 @@ static void __init kernel_zimage_load(struct kernel_info *info) if ( info->entry == 0 ) info->entry = load_addr; - place_modules(info, load_addr, load_addr + len); + place_dtb_initrd(info, load_addr, load_addr + len); printk("Loading zImage from %"PRIpaddr" to %"PRIpaddr"-%"PRIpaddr"\n", paddr, load_addr, load_addr + len); diff --git a/xen/common/device-tree/domain-build.c b/xen/common/device-tree/domain-build.c index 2a760b007b..f3ba496f1e 100644 --- a/xen/common/device-tree/domain-build.c +++ b/xen/common/device-tree/domain-build.c @@ -245,8 +245,8 @@ out: * hardware domain to have memory reachable by devices with limited DMA address * capabilities (e.g. 32-bit DMA). * - * The first bank allocated must be large enough for place_modules() to fit - * the kernel, DTB and initrd. + * The first bank allocated must be large enough for place_dtb_initrd() to + * fit the kernel, DTB and initrd. */ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) { @@ -302,7 +302,7 @@ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) paddr_t bank_size; /* - * The first bank must be large enough for place_modules() to + * The first bank must be large enough for place_dtb_initrd() to * fit the kernel, DTB and initrd. Skip small regions to avoid * ending up with a tiny first bank. */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 09 16:44:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 09 Jun 2026 16:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1333681.1596855 (Exim 4.92) (envelope-from ) id 1wWzYj-0001Ia-4I; Tue, 09 Jun 2026 16:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1333681.1596855; Tue, 09 Jun 2026 16:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWzYj-0001IS-13; Tue, 09 Jun 2026 16:44:13 +0000 Received: by outflank-mailman (input) for mailman id 1333681; Tue, 09 Jun 2026 16:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wWzYi-0001IA-0r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wWzYi-001ke1-0q for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wWzYh-0006vm-2r for xen-changelog@lists.xenproject.org; Tue, 09 Jun 2026 16:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KKF6T3FLHmZ1TfYrXbdjpA27sLano3q80NneBwTpK/0=; b=iaRvklGDPWj+AuHlKzmpn98MI7 SWUQ17cjG8dwDcdoPte/boHsvN5lRpSzqaqD2ZpoReJVRw4+YDQLRQmYAB8U0ozZ5BNWXIouYAk2c w/HWI20eLyJPzeIwcMmBsHvoP7eW0ogQLc9pawjLXTliB2x4plJLHbIUuwlwK1GBGEC8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] device-tree: validate hwdom bank 0 boot placement Message-Id: Date: Tue, 09 Jun 2026 16:44:11 +0000 commit af11b93e3e98235d38114ba44a6d3134aa2ba2a0 Author: Mykola Kvach AuthorDate: Mon Jun 8 07:39:19 2026 +0100 Commit: Michal Orzel CommitDate: Tue Jun 9 16:13:28 2026 +0100 device-tree: validate hwdom bank 0 boot placement With LLC coloring enabled, the hardware domain memory is allocated by allocate_hwdom_memory() rather than by using the fixed direct-map layout. Commit de99f3263555 ("device-tree: Improve hwdom memory allocation for DMA") made that allocator prefer lower host regions. The first-bank filter, however, still only checked the old 128MB heuristic. A low region can satisfy that heuristic but still be too small, or otherwise unsuitable, for the hardware-domain kernel and the DTB/initrd area to fit in bank 0 according to the Arm placement rules. Keep the existing first-bank size policy and add an architecture-specific candidate check. On Arm, compute the kernel load address for the candidate bank using the same logic as kernel_zimage_place(), verify that the kernel range is covered by that bank, and then reuse the same DTB/initrd placement helper as place_dtb_initrd(). The FDT is generated later, so use the hardware-domain FDT allocation size as a conservative upper bound for the final DTB size. Check the candidate after capping the host region by the remaining unassigned hardware-domain memory, so the validation is performed against the size that would actually become bank 0. This keeps the DMA-oriented allocation policy from de99f3263555 while preventing a too-small bank 0 from reaching place_dtb_initrd(). Make kernel_zimage_place_in_bank() return INVALID_PADDR when a position-independent zImage cannot be placed in the supplied bank; the real load path turns this into a panic, while the hwdom candidate check uses it to reject the bank. Fixes: de99f3263555 ("device-tree: Improve hwdom memory allocation for DMA") Signed-off-by: Mykola Kvach Release-Acked-by: Oleksii Kurochko Reviewed-by: Michal Orzel --- xen/arch/arm/acpi/domain_build.c | 2 -- xen/arch/arm/domain_build.c | 8 +++++ xen/arch/arm/include/asm/domain_build.h | 4 +++ xen/arch/arm/include/asm/kernel.h | 10 +++++++ xen/arch/arm/kernel.c | 53 +++++++++++++++++++++++++++++++-- xen/common/device-tree/domain-build.c | 25 +++++++++++----- xen/include/xen/fdt-kernel.h | 14 +++++++++ 7 files changed, 105 insertions(+), 11 deletions(-) diff --git a/xen/arch/arm/acpi/domain_build.c b/xen/arch/arm/acpi/domain_build.c index 249d899c33..db16f7fa94 100644 --- a/xen/arch/arm/acpi/domain_build.c +++ b/xen/arch/arm/acpi/domain_build.c @@ -26,8 +26,6 @@ #undef virt_to_mfn #define virt_to_mfn(va) _mfn(__virt_to_mfn(va)) -#define ACPI_DOM0_FDT_MIN_SIZE 4096 - static int __init acpi_iomem_deny_access(struct domain *d) { acpi_status status; diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index 1efddc60ef..550617f152 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -115,6 +115,14 @@ int __init parse_arch_dom0_param(const char *s, const char *e) (IS_ENABLED(CONFIG_STATIC_SHM) ? \ (NR_SHMEM_BANKS * (160 + 16)) : 0)) +paddr_t __init hwdom_get_fdt_alloc_size(void) +{ + if ( acpi_disabled ) + return fdt_totalsize(device_tree_flattened) + DOM0_FDT_EXTRA_SIZE; + + return ACPI_DOM0_FDT_MIN_SIZE; +} + unsigned int __init dom0_max_vcpus(void) { if ( opt_dom0_max_vcpus == 0 ) diff --git a/xen/arch/arm/include/asm/domain_build.h b/xen/arch/arm/include/asm/domain_build.h index df8b361b3d..85cf46a958 100644 --- a/xen/arch/arm/include/asm/domain_build.h +++ b/xen/arch/arm/include/asm/domain_build.h @@ -19,6 +19,10 @@ int prepare_acpi(struct domain *d, struct kernel_info *kinfo); int add_ext_regions(unsigned long s_gfn, unsigned long e_gfn, void *data); +#define ACPI_DOM0_FDT_MIN_SIZE 4096 + +paddr_t hwdom_get_fdt_alloc_size(void); + #if defined(CONFIG_MPU) && defined(CONFIG_ARM_64) /* Utility function to determine if an Armv8-R processor supports VMSA. */ bool has_v8r_vmsa_support(void); diff --git a/xen/arch/arm/include/asm/kernel.h b/xen/arch/arm/include/asm/kernel.h index 21f4273fa1..b86c7337fe 100644 --- a/xen/arch/arm/include/asm/kernel.h +++ b/xen/arch/arm/include/asm/kernel.h @@ -8,12 +8,22 @@ #include +#include + +struct kernel_info; + struct arch_kernel_info { /* Enable pl011 emulation */ bool vpl011; }; +#define arch_hwdom_first_bank_can_fit_modules \ + arch_hwdom_first_bank_can_fit_modules +bool arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size); + #endif /* #ifdef __ARCH_ARM_KERNEL_H__ */ /* diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c index d1be4d8074..47229644b2 100644 --- a/xen/arch/arm/kernel.c +++ b/xen/arch/arm/kernel.c @@ -64,6 +64,9 @@ kernel_zimage_place_in_bank(const struct kernel_info *info, load_end = bank_start + bank_size; load_end = MIN(bank_start + MB(128), load_end); + if ( load_end - bank_start < info->image.len ) + return INVALID_PADDR; + load_addr = load_end - info->image.len; /* Align to 2MB */ load_addr &= ~(MB(2) - 1); @@ -164,9 +167,55 @@ static void __init place_dtb_initrd(struct kernel_info *info, static paddr_t __init kernel_zimage_place(struct kernel_info *info) { const struct membanks *mem = kernel_info_get_mem(info); + paddr_t load_addr; + + load_addr = kernel_zimage_place_in_bank(info, mem->bank[0].start, + mem->bank[0].size); + if ( load_addr == INVALID_PADDR ) + panic("Unable to find suitable location for the kernel\n"); + + return load_addr; +} + +bool __init arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size) +{ + const struct boot_module *initrd = info->bd.initrd; + /* + * place_dtb_initrd() rounds the DTB and initrd placement to 2MB boundaries; + * use the same granularity when checking whether the first bank can hold + * them. + */ + const paddr_t initrd_len = ROUNDUP(initrd ? initrd->size : 0, MB(2)); + /* + * The hardware domain FDT has not been generated yet. Use the allocation + * size as a conservative upper bound for the final DTB size. + */ + const paddr_t dtb_len = ROUNDUP(hwdom_get_fdt_alloc_size(), MB(2)); + const paddr_t rambase = bank_start; + const paddr_t ramsize = bank_size; + const paddr_t dtb_initrd_size = initrd_len + dtb_len; + const paddr_t ramend = rambase + ramsize; + paddr_t kernbase; + paddr_t kernend; + paddr_t dtb_base; + + kernbase = kernel_zimage_place_in_bank(info, bank_start, bank_size); + if ( kernbase == INVALID_PADDR ) + return false; + + kernend = kernbase + info->image.len; + + if ( (kernbase < rambase) || (kernend > ramend) ) + return false; + + if ( !first_bank_can_fit_modules(ramsize, kernbase, kernend, + dtb_initrd_size) ) + return false; - return kernel_zimage_place_in_bank(info, mem->bank[0].start, - mem->bank[0].size); + return find_dtb_initrd_placement(rambase, ramend, kernbase, kernend, + dtb_initrd_size, &dtb_base); } static void __init kernel_zimage_load(struct kernel_info *info) diff --git a/xen/common/device-tree/domain-build.c b/xen/common/device-tree/domain-build.c index f3ba496f1e..30a59abfa7 100644 --- a/xen/common/device-tree/domain-build.c +++ b/xen/common/device-tree/domain-build.c @@ -299,20 +299,31 @@ static bool __init allocate_hwdom_memory(struct kernel_info *kinfo) for ( i = 0; (kinfo->unassigned_mem > 0) && (i < nr_banks); i++ ) { - paddr_t bank_size; + const paddr_t bank_start = hwdom_free_mem->bank[i].start; + paddr_t bank_size = hwdom_free_mem->bank[i].size; + + /* + * Check the size that would actually be assigned, not just the size + * of the host region. + */ + bank_size = min(bank_size, kinfo->unassigned_mem); /* * The first bank must be large enough for place_dtb_initrd() to * fit the kernel, DTB and initrd. Skip small regions to avoid * ending up with a tiny first bank. */ - if ( !mem->nr_banks && (hwdom_free_mem->bank[i].size < min_bank_size) ) - continue; + if ( !mem->nr_banks ) + { + if ( bank_size < min_bank_size ) + continue; + + if ( !arch_hwdom_first_bank_can_fit_modules(kinfo, bank_start, + bank_size) ) + continue; + } - bank_size = MIN(hwdom_free_mem->bank[i].size, kinfo->unassigned_mem); - if ( !allocate_bank_memory(kinfo, - gaddr_to_gfn(hwdom_free_mem->bank[i].start), - bank_size) ) + if ( !allocate_bank_memory(kinfo, gaddr_to_gfn(bank_start), bank_size) ) { xfree(hwdom_free_mem); return false; diff --git a/xen/include/xen/fdt-kernel.h b/xen/include/xen/fdt-kernel.h index 00c37be101..95d7a4299e 100644 --- a/xen/include/xen/fdt-kernel.h +++ b/xen/include/xen/fdt-kernel.h @@ -93,6 +93,20 @@ kernel_info_get_mem_const(const struct kernel_info *kinfo) return container_of(&kinfo->mem.common, const struct membanks, common); } +/* + * Return whether the proposed hardware-domain first RAM bank can satisfy the + * architecture-specific kernel, DTB and initrd boot placement requirements. + */ +#ifndef arch_hwdom_first_bank_can_fit_modules +static inline bool +arch_hwdom_first_bank_can_fit_modules(const struct kernel_info *info, + paddr_t bank_start, + paddr_t bank_size) +{ + return true; +} +#endif + #ifndef KERNEL_INFO_SHM_MEM_INIT #ifdef CONFIG_STATIC_SHM -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 10 14:33:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 10 Jun 2026 14:33:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1334422.1597474 (Exim 4.92) (envelope-from ) id 1wXJzK-0001R7-Ps; Wed, 10 Jun 2026 14:33:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1334422.1597474; Wed, 10 Jun 2026 14:33:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXJzK-0001Qz-Md; Wed, 10 Jun 2026 14:33:02 +0000 Received: by outflank-mailman (input) for mailman id 1334422; Wed, 10 Jun 2026 14:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXJzK-0001Qt-7i for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXJzK-003GZj-1P for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXJzK-005I5b-0G for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vrha26QVZmxQ/60a0Cq1xpNjHBXMtpd6yw9NOnBujFo=; b=cK4Ni2q1gGIY7R37C5wepEXvuB BsyxCH3a3okoRtEszXeMZf/Zadz4URnK0wPZ9M5hbAK7Lp+iOzZAUxXPGGaHMcVCN4Ll53ZyGxrjy 0xnUhHwwP3YO2Rni7USi0f4ZbgOWw6kumcGJslZVl5N+IGM5fbF5fyVL6KIjt+YNIN2o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: Handle XEN_DOMCTL_getpageframeinfo3 without the domctl lock Message-Id: Date: Wed, 10 Jun 2026 14:33:02 +0000 commit 261a2f51df86a5b63c1386e333498211bb364cb7 Author: Ross Lagerwall AuthorDate: Tue Jun 9 16:15:27 2026 +0100 Commit: Roger Pau Monne CommitDate: Wed Jun 10 14:50:40 2026 +0200 domctl: Handle XEN_DOMCTL_getpageframeinfo3 without the domctl lock It does not have side effects and is protected from concurrent changes by the P2M read lock therefore skip taking the domctl lock. Signed-off-by: Ross Lagerwall Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 4 ++++ xen/common/domctl.c | 1 + 2 files changed, 5 insertions(+) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 83bf51e498..0e9a253288 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -301,6 +301,10 @@ long arch_do_domctl( /* Games to allow this code block to handle a compat guest. */ void __user *guest_handle = domctl->u.getpageframeinfo3.array.p; + ret = xsm_domctl(XSM_OTHER, d, domctl); + if ( ret ) + break; + if ( unlikely(num > 1024) || unlikely(num != domctl->u.getpageframeinfo3.num) ) { diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 3efa5b9d55..35144d95b8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -555,6 +555,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: + case XEN_DOMCTL_getpageframeinfo3: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 10 14:33:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 10 Jun 2026 14:33:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1334423.1597477 (Exim 4.92) (envelope-from ) id 1wXJzU-0001Sk-Qh; Wed, 10 Jun 2026 14:33:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1334423.1597477; Wed, 10 Jun 2026 14:33:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXJzU-0001Sc-Nx; Wed, 10 Jun 2026 14:33:12 +0000 Received: by outflank-mailman (input) for mailman id 1334423; Wed, 10 Jun 2026 14:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXJzU-0001SU-BY for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXJzU-003GZp-1w for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXJzU-005IAs-0j for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 14:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Z+OAcibzw5x06C99q+H3RLLiZ6kLypmOs0G8eXyHV/0=; b=E6aIOXjGNeQEB4QhY92lwKGxU4 P3y0BwezaziybyzbClHEMSYFYRyoYpyo1ADOeKePklCiDWtAaLCj9O0yZI/gS4RFIDhXAds8r2ddB t0+j44Ijhi9gNsd9t2Xz1vizhbXt01XddmmZlUZHjy2q7M7aSq9pOyLaZsPObUkFdC9s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: Handle some of XEN_DOMCTL_shadow_op without the domctl lock Message-Id: Date: Wed, 10 Jun 2026 14:33:12 +0000 commit ffe7a07597b43c77245d7acf3e57d8a2ed0896cf Author: Ross Lagerwall AuthorDate: Tue Jun 9 16:15:28 2026 +0100 Commit: Roger Pau Monne CommitDate: Wed Jun 10 14:54:50 2026 +0200 domctl: Handle some of XEN_DOMCTL_shadow_op without the domctl lock Handle XEN_DOMCTL_SHADOW_OP_{CLEAN,PEEK} without taking the domctl lock. This is safe because for these subops, the paging lock is mostly held which prevents it from operating concurrently on the same domain. There are some parts that are called without the paging lock held: * hvm_mapped_guest_frames_mark_dirty() - The function itself takes a spinlock so is protected from concurrent calls. In any case, it will mark all the pages dirty as required. * domain_{,un}pause() - The toolstack cannot {,un}pause the domain while in paging_log_dirty_op() because the toolstack's pause/unpause ops have a separate ref count. * p2m_flush_hardware_cached_dirty() - This is called elsewhere without the domctl lock held so holding it wouldn't achieve anything. It should be fine as long as it is called at least once. * log_dirty.ops->clean() - If the callback is hap_clean_dirty_bitmap(), then it will hold the p2m lock while modifying the table. If the callback is sh_clean_dirty_bitmap(), it will hold the paging lock while modifying the table. In both cases, this is OK. Signed-off-by: Ross Lagerwall Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/mm/paging.c | 8 ++++++-- xen/common/domctl.c | 13 +++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 1a58228086..bfb5b423a0 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -746,11 +746,15 @@ long do_paging_domctl_cont( ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { - if ( domctl_lock_acquire() ) + bool lock = !(op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK); + + if ( !lock || domctl_lock_acquire() ) { ret = paging_domctl(d, &op.u.shadow_op, u_domctl, 1); - domctl_lock_release(); + if ( lock ) + domctl_lock_release(); } else ret = -ERESTART; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 35144d95b8..6f71a68d51 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -546,6 +546,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_shadow_op: + if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) + { + ret = xsm_domctl(XSM_OTHER, d, op); + if ( ret ) + goto domctl_out_unlock_domonly; + + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + } + break; + case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 10 15:11:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 10 Jun 2026 15:11:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1334468.1597489 (Exim 4.92) (envelope-from ) id 1wXKa7-0007aj-RP; Wed, 10 Jun 2026 15:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1334468.1597489; Wed, 10 Jun 2026 15:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXKa7-0007ab-P0; Wed, 10 Jun 2026 15:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1334468; Wed, 10 Jun 2026 15:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXKa6-0007aV-DI for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXKa6-003HHd-1q for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXKa6-005joe-0k for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Wg/kqixYq3ita0xkJLtHxZhspno+xeIeIEypNqmxkEA=; b=AAANiTNn03CSBzbCDYTLmZ/0ob Ha0D0QXZB1hU1gZ90dV0o5I8/VpxIGObZeXXUwM4jKX7r7HPg4rskK6rUQWUAHPY6sOo3euL2tfhw uojtE5V+8AE37gK6EnarnWm6y1DqNGybnSucdzFJuwuF54iQZMI6hoTyuCT492NjH5w4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: Handle XEN_DOMCTL_getpageframeinfo3 without the domctl lock Message-Id: Date: Wed, 10 Jun 2026 15:11:02 +0000 commit 261a2f51df86a5b63c1386e333498211bb364cb7 Author: Ross Lagerwall AuthorDate: Tue Jun 9 16:15:27 2026 +0100 Commit: Roger Pau Monne CommitDate: Wed Jun 10 14:50:40 2026 +0200 domctl: Handle XEN_DOMCTL_getpageframeinfo3 without the domctl lock It does not have side effects and is protected from concurrent changes by the P2M read lock therefore skip taking the domctl lock. Signed-off-by: Ross Lagerwall Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 4 ++++ xen/common/domctl.c | 1 + 2 files changed, 5 insertions(+) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 83bf51e498..0e9a253288 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -301,6 +301,10 @@ long arch_do_domctl( /* Games to allow this code block to handle a compat guest. */ void __user *guest_handle = domctl->u.getpageframeinfo3.array.p; + ret = xsm_domctl(XSM_OTHER, d, domctl); + if ( ret ) + break; + if ( unlikely(num > 1024) || unlikely(num != domctl->u.getpageframeinfo3.num) ) { diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 3efa5b9d55..35144d95b8 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -555,6 +555,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: + case XEN_DOMCTL_getpageframeinfo3: ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 10 15:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 10 Jun 2026 15:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1334469.1597494 (Exim 4.92) (envelope-from ) id 1wXKaH-0007dh-Sz; Wed, 10 Jun 2026 15:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1334469.1597494; Wed, 10 Jun 2026 15:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXKaH-0007dZ-QN; Wed, 10 Jun 2026 15:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1334469; Wed, 10 Jun 2026 15:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXKaG-0007dQ-I8 for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXKaG-003HHh-2P for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXKaG-005jxw-18 for xen-changelog@lists.xenproject.org; Wed, 10 Jun 2026 15:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vSbazC6cfnYeumTlORg3unIvRQWfyco8FWMkwwB+OfI=; b=gXlqrVrIWVnysXw1PuSYe3SbeQ j6B905n+/zqotPMAIOsdr4vCACOHTGquAxRNuogJ93JQbVxYASF3qwemYVOyNvdVNS9ss4XebzQzB 058wy5iZ4ao4Z1gvggHgHuWHlslrt/HDcM+CwZ/ctF7CiOvV6G8z3lqLX5vwGbd6csYI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: Handle some of XEN_DOMCTL_shadow_op without the domctl lock Message-Id: Date: Wed, 10 Jun 2026 15:11:12 +0000 commit ffe7a07597b43c77245d7acf3e57d8a2ed0896cf Author: Ross Lagerwall AuthorDate: Tue Jun 9 16:15:28 2026 +0100 Commit: Roger Pau Monne CommitDate: Wed Jun 10 14:54:50 2026 +0200 domctl: Handle some of XEN_DOMCTL_shadow_op without the domctl lock Handle XEN_DOMCTL_SHADOW_OP_{CLEAN,PEEK} without taking the domctl lock. This is safe because for these subops, the paging lock is mostly held which prevents it from operating concurrently on the same domain. There are some parts that are called without the paging lock held: * hvm_mapped_guest_frames_mark_dirty() - The function itself takes a spinlock so is protected from concurrent calls. In any case, it will mark all the pages dirty as required. * domain_{,un}pause() - The toolstack cannot {,un}pause the domain while in paging_log_dirty_op() because the toolstack's pause/unpause ops have a separate ref count. * p2m_flush_hardware_cached_dirty() - This is called elsewhere without the domctl lock held so holding it wouldn't achieve anything. It should be fine as long as it is called at least once. * log_dirty.ops->clean() - If the callback is hap_clean_dirty_bitmap(), then it will hold the p2m lock while modifying the table. If the callback is sh_clean_dirty_bitmap(), it will hold the paging lock while modifying the table. In both cases, this is OK. Signed-off-by: Ross Lagerwall Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/mm/paging.c | 8 ++++++-- xen/common/domctl.c | 13 +++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index 1a58228086..bfb5b423a0 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -746,11 +746,15 @@ long do_paging_domctl_cont( ret = xsm_domctl(XSM_OTHER, d, &op); if ( !ret ) { - if ( domctl_lock_acquire() ) + bool lock = !(op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK); + + if ( !lock || domctl_lock_acquire() ) { ret = paging_domctl(d, &op.u.shadow_op, u_domctl, 1); - domctl_lock_release(); + if ( lock ) + domctl_lock_release(); } else ret = -ERESTART; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 35144d95b8..6f71a68d51 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -546,6 +546,19 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; + case XEN_DOMCTL_shadow_op: + if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) + { + ret = xsm_domctl(XSM_OTHER, d, op); + if ( ret ) + goto domctl_out_unlock_domonly; + + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_domonly; + } + break; + case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); goto domctl_out_unlock_domonly; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 09:22:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 09:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336435.1598191 (Exim 4.92) (envelope-from ) id 1wXy5U-0001V1-6v; Fri, 12 Jun 2026 09:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336435.1598191; Fri, 12 Jun 2026 09:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXy5U-0001Us-3P; Fri, 12 Jun 2026 09:22:04 +0000 Received: by outflank-mailman (input) for mailman id 1336435; Fri, 12 Jun 2026 09:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXy5S-0001UT-8B for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXy5S-006IlU-0o for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXy5R-003qRl-2m for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+naDdDolQ+SVEul11Em9MnCnRTKEQM/XXFiXJ8K5X1M=; b=VfTXATtEpSGNzz44/BuV60Gh/t Mc7Yv9Z3Rn1eUanpdqU9BWVKPCTRN0/PiOPIg/GyX9MIWQq+Sw2atfziPD1a7dOnkIcq5Jckr4K44 ldDJWVls4nelIpAZ1eyR9Y/lCby7CwjA8lGw9D5bV3Zy3CrziHSy1+NosjqtXEFPaP88=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/decompress: resolve MISRA R5.5 identifier/macro name conflicts Message-Id: Date: Fri, 12 Jun 2026 09:22:01 +0000 commit 4c0c96167476a808c2c81a2821722981677062db Author: Dmytro Prokopchuk AuthorDate: Fri Jun 12 09:26:21 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 12 09:26:21 2026 +0200 xen/decompress: resolve MISRA R5.5 identifier/macro name conflicts Convert 'free' macro in 'decompress.h' from object-like to function-like form. The object-like macro '#define free xfree' performs unconditional text replacement, causing conflicts with identifiers named 'free', such as struct fields in 'page_info' unions defined in 'xen/arch/arm/include/asm/mm.h'. Function-like macros only match when followed by parentheses, allowing 'free' to be used both as a macro and as a struct field without conflicts. Applying function-like form to 'malloc', 'large_malloc' and 'large_free' ensures consistent macro style. Additionally moved 'large_{malloc,free}' past the #endif to reduce redundancy. While function-like macros prevent uses where the underlying function identifier is needed directly, such as taking a function pointer, no such uses exist in the current Xen codebase. Signed-off-by: Dmytro Prokopchuk Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/decompress.h | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/xen/common/decompress.h b/xen/common/decompress.h index 034c833665..b347d91980 100644 --- a/xen/common/decompress.h +++ b/xen/common/decompress.h @@ -9,11 +9,8 @@ #include #include -#define malloc xmalloc_bytes -#define free xfree - -#define large_malloc xmalloc_bytes -#define large_free xfree +#define malloc(s) xmalloc_bytes(s) +#define free(p) xfree(p) #else @@ -21,9 +18,9 @@ #define __init #define __initdata -#define large_malloc malloc -#define large_free free - #endif +#define large_malloc(s) malloc(s) +#define large_free(p) free(p) + #endif /* DECOMPRESS_H */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 09:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 09:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336436.1598193 (Exim 4.92) (envelope-from ) id 1wXy5e-0001Ws-7T; Fri, 12 Jun 2026 09:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336436.1598193; Fri, 12 Jun 2026 09:22:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXy5e-0001Wk-4n; Fri, 12 Jun 2026 09:22:14 +0000 Received: by outflank-mailman (input) for mailman id 1336436; Fri, 12 Jun 2026 09:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXy5c-0001WP-52 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXy5c-006Ilt-1I for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXy5c-003qqT-06 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 09:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lAel0Ac96cBn9KxY5htu0xPOAAyDdhEUYyb3ocKjyi8=; b=LRf5KOi0TFOhOp5ywymXFVJRrA CE38eiOU4SKc9A9GnqvaBMRb7+BKaix4ePbf9Ccf4QybLwXZvvGzk9+Z/blmcfrJl9QAqlprn7pEu VPyEca+VaeFPnBtCv2Mk9yDVKfAyt78IsOBN3NtFSXPhq5FkS3FYU+hR20mbPXi9gBtU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: remove RTDS specific entry Message-Id: Date: Fri, 12 Jun 2026 09:22:12 +0000 commit 50936ea05660a603ab36f7dd50f2b9d7bfb4fa6e Author: Juergen Gross AuthorDate: Fri Jun 12 09:27:22 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 12 09:27:22 2026 +0200 MAINTAINERS: remove RTDS specific entry Remove the RTDS scheduler specific entry in MAINTAINERS. The effective changes will be: - Meng will no longer be a maintainer. His last Ack on a RTDS patch was given in 2019, since then I can't remember having seen any reaction on a RTDS patch. - I'll be made a maintainer of this scheduler. Dario has indicated that he doesn't have lots of cycles for doing reviews, so he would be grateful for not being effectively the only maintainer of the RTDS scheduler. Signed-off-by: Juergen Gross Acked-by: Stefano Stabellini --- MAINTAINERS | 6 ------ 1 file changed, 6 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb01b8e39..195d6cb0e2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -515,12 +515,6 @@ S: Supported F: config/riscv64.mk F: xen/arch/riscv/ -RTDS SCHEDULER -M: Dario Faggioli -M: Meng Xu -S: Supported -F: xen/common/sched/rt.c - SCHEDULING M: Dario Faggioli M: Juergen Gross -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 10:55:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 10:55:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336607.1598440 (Exim 4.92) (envelope-from ) id 1wXzXT-0005zj-8k; Fri, 12 Jun 2026 10:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336607.1598440; Fri, 12 Jun 2026 10:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzXT-0005zb-6D; Fri, 12 Jun 2026 10:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1336607; Fri, 12 Jun 2026 10:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzXS-0005zV-Eo for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXzXS-006KOY-2G for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXzXS-0079ac-14 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nrYXMD7+JEi+ikuvBmIk2uh47r53cE/7ndluwYGSUwk=; b=BqTBiebfy1Px18uNEwMvgyNHdZ ICM1vgJduIP0F8iIktT2dfJKhHCkuCfgdgRiQtvGmqFuJKC+KGkaBC4X9Qp6XXSyiQbRBXwHglu70 Gop03HpI3oWo1DxD2Vc8AmWUbKbTwGQo88Fw9b30I4tUgf+YUYsfsyKgoVbOtsW/mwNc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/decompress: resolve MISRA R5.5 identifier/macro name conflicts Message-Id: Date: Fri, 12 Jun 2026 10:55:02 +0000 commit 4c0c96167476a808c2c81a2821722981677062db Author: Dmytro Prokopchuk AuthorDate: Fri Jun 12 09:26:21 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 12 09:26:21 2026 +0200 xen/decompress: resolve MISRA R5.5 identifier/macro name conflicts Convert 'free' macro in 'decompress.h' from object-like to function-like form. The object-like macro '#define free xfree' performs unconditional text replacement, causing conflicts with identifiers named 'free', such as struct fields in 'page_info' unions defined in 'xen/arch/arm/include/asm/mm.h'. Function-like macros only match when followed by parentheses, allowing 'free' to be used both as a macro and as a struct field without conflicts. Applying function-like form to 'malloc', 'large_malloc' and 'large_free' ensures consistent macro style. Additionally moved 'large_{malloc,free}' past the #endif to reduce redundancy. While function-like macros prevent uses where the underlying function identifier is needed directly, such as taking a function pointer, no such uses exist in the current Xen codebase. Signed-off-by: Dmytro Prokopchuk Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/common/decompress.h | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/xen/common/decompress.h b/xen/common/decompress.h index 034c833665..b347d91980 100644 --- a/xen/common/decompress.h +++ b/xen/common/decompress.h @@ -9,11 +9,8 @@ #include #include -#define malloc xmalloc_bytes -#define free xfree - -#define large_malloc xmalloc_bytes -#define large_free xfree +#define malloc(s) xmalloc_bytes(s) +#define free(p) xfree(p) #else @@ -21,9 +18,9 @@ #define __init #define __initdata -#define large_malloc malloc -#define large_free free - #endif +#define large_malloc(s) malloc(s) +#define large_free(p) free(p) + #endif /* DECOMPRESS_H */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 10:55:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 10:55:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336608.1598444 (Exim 4.92) (envelope-from ) id 1wXzXe-00061t-A5; Fri, 12 Jun 2026 10:55:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336608.1598444; Fri, 12 Jun 2026 10:55:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzXe-00061l-7V; Fri, 12 Jun 2026 10:55:14 +0000 Received: by outflank-mailman (input) for mailman id 1336608; Fri, 12 Jun 2026 10:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzXc-00061V-JR for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXzXc-006KQf-2j for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXzXc-0079o8-1W for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 10:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WFq8in/FCQO8G+BvjnwpaSWdPslkcymzKj4w6R6G05I=; b=MMJDo33xXXpc8+Qu2kywC/YWIl fNWGAfjYuhddyRJGgkAdj59/RFB0o0m1YosI/Gw9VEMihpVHklcvHmzKfFKass7PbhSf9Nr7najW3 f3xBUsEgE/Quy4fX56ofL9upNLyKqENYwB2aBk9i2+vH0XbHXJHDT50q1vE6dqfzRIPo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: remove RTDS specific entry Message-Id: Date: Fri, 12 Jun 2026 10:55:12 +0000 commit 50936ea05660a603ab36f7dd50f2b9d7bfb4fa6e Author: Juergen Gross AuthorDate: Fri Jun 12 09:27:22 2026 +0200 Commit: Jan Beulich CommitDate: Fri Jun 12 09:27:22 2026 +0200 MAINTAINERS: remove RTDS specific entry Remove the RTDS scheduler specific entry in MAINTAINERS. The effective changes will be: - Meng will no longer be a maintainer. His last Ack on a RTDS patch was given in 2019, since then I can't remember having seen any reaction on a RTDS patch. - I'll be made a maintainer of this scheduler. Dario has indicated that he doesn't have lots of cycles for doing reviews, so he would be grateful for not being effectively the only maintainer of the RTDS scheduler. Signed-off-by: Juergen Gross Acked-by: Stefano Stabellini --- MAINTAINERS | 6 ------ 1 file changed, 6 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb01b8e39..195d6cb0e2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -515,12 +515,6 @@ S: Supported F: config/riscv64.mk F: xen/arch/riscv/ -RTDS SCHEDULER -M: Dario Faggioli -M: Meng Xu -S: Supported -F: xen/common/sched/rt.c - SCHEDULING M: Dario Faggioli M: Juergen Gross -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 11:22:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 11:22:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336623.1598447 (Exim 4.92) (envelope-from ) id 1wXzxc-0002dw-3F; Fri, 12 Jun 2026 11:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336623.1598447; Fri, 12 Jun 2026 11:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzxc-0002do-0h; Fri, 12 Jun 2026 11:22:04 +0000 Received: by outflank-mailman (input) for mailman id 1336623; Fri, 12 Jun 2026 11:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wXzxa-0002di-9e for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 11:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wXzxa-006Kvo-1N for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 11:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wXzxa-007w2R-0B for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 11:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kF1yNk3kTwpverxwxXqKTMpIBgQLD56Oi8WywD+L5wc=; b=RTg1oh4eSujiCTLdOJJBl6fKsr gUivn4hzhH+1xN3/3dGvxitMUVzb5f/o0bzfOLWY+ZdQg55lsEWyFbwwOoGMDDvI4P3ZhCuCUsiaR 1E2Le35tkbec36Nk6Q87vsA6EFgYfhw0atmAiN8QIL74CoV6cDVG2GpMVVvezITpt7do=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/x86: Change stub page allocation/free Message-Id: Date: Fri, 12 Jun 2026 11:22:02 +0000 commit 4f2c223c59eb25fe8e9e3632a78541a1fddaa921 Author: Jason Andryuk AuthorDate: Thu Jun 11 09:02:18 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 12 12:00:12 2026 +0200 xen/x86: Change stub page allocation/free Today the inline tracking of the stub page is problematic. 0xcc is used to indicate unused, but it is also a "clear value." A !CONFIG_PV build or when running with FRED support will not populate the LSTAR/CSTAR stubs at CPU bringup. If a CPU is then offlined, the stubs page will be freed as its content will be all 0xcc, regardless of the stubs page still begin referenced by other CPUs. The new approach uses a global, CPU-indexed dynamically allocated array of stub addresses. However, to handle NUMA aware allocations, we cannot allocate all the memory in advance because of the NUMA dependency. Take advantage of the fact that Xen will attempt to contiguously pack CPUs on the same NUMA node (see normalise_cpu_order()), and on CPU bringup use the same stubs page the previous CPU did if suitable. Note the code would still function properly even if CPUs from NUMA nodes are not contiguously packed, it just consumes more memory. Stubs pages are no longer freed. They remain referenced in the global CPU-indexed array and are re-used if the CPU is re-onlined. The stubs array doesn't have an explicit lock. During boot it's accessed single threaded. During runtime, &cpu_add_remove_lock serializes access. Fixes: 7a66ac8d1633 ("x86: move syscall trampolines off the stack") Signed-off-by: Jason Andryuk Signed-off-by: Roger Pau Monné Tested-by: Jason Andryuk Reviewed-by: Jason Andryuk Reviewed-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/include/asm/stubs.h | 2 +- xen/arch/x86/setup.c | 4 +- xen/arch/x86/smpboot.c | 94 +++++++++++++++++++++------------------- 3 files changed, 52 insertions(+), 48 deletions(-) diff --git a/xen/arch/x86/include/asm/stubs.h b/xen/arch/x86/include/asm/stubs.h index a520928e9a..6f843a0f48 100644 --- a/xen/arch/x86/include/asm/stubs.h +++ b/xen/arch/x86/include/asm/stubs.h @@ -32,6 +32,6 @@ struct stubs { }; DECLARE_PER_CPU(struct stubs, stubs); -unsigned long alloc_stub_page(unsigned int cpu, unsigned long *mfn); +void init_stubs(void); #endif /* X86_ASM_STUBS_H */ diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 4192edf635..7d71fea6c0 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2089,9 +2089,7 @@ void asmlinkage __init noreturn __start_xen(void) init_idle_domain(); - this_cpu(stubs.addr) = alloc_stub_page(smp_processor_id(), - &this_cpu(stubs).mfn); - BUG_ON(!this_cpu(stubs.addr)); + init_stubs(); bsp_traps_reinit(); /* Needs stubs allocated, must be before presmp_initcalls. */ diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index d8fd71ffab..84e9e4beed 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -641,41 +642,64 @@ static int do_boot_cpu(int apicid, int cpu) return rc; } -#define STUB_BUF_CPU_OFFS(cpu) (((cpu) & (STUBS_PER_PAGE - 1)) * STUB_BUF_SIZE) +/* Dynamically allocated, indexed by CPU. Store physical address of stubs. */ +static paddr_t *__ro_after_init stubs; -unsigned long alloc_stub_page(unsigned int cpu, unsigned long *mfn) +static bool assign_stub_page(unsigned int cpu) { unsigned long stub_va; - struct page_info *pg; + paddr_t addr = stubs[cpu]; - BUILD_BUG_ON(STUBS_PER_PAGE & (STUBS_PER_PAGE - 1)); - - if ( *mfn ) - pg = mfn_to_page(_mfn(*mfn)); - else + if ( addr == INVALID_PADDR ) { - nodeid_t node = cpu_to_node(cpu); - unsigned int memflags = node != NUMA_NO_NODE ? MEMF_node(node) : 0; + nodeid_t nid = cpu_to_node(cpu); + + /* + * Attempt to use the same page as the previous CPU if possible, + * otherwise allocate a new one. + */ + if ( cpu && nid == cpu_to_node(cpu - 1) && + stubs[cpu - 1] != INVALID_PADDR && + PAGE_OFFSET(stubs[cpu - 1] + STUB_BUF_SIZE) ) + addr = stubs[cpu - 1] + STUB_BUF_SIZE; + else + { + struct page_info *pg = alloc_domheap_page(NULL, MEMF_node(nid)); - pg = alloc_domheap_page(NULL, memflags); - if ( !pg ) - return 0; + if ( !pg ) + return false; - unmap_domain_page(memset(__map_domain_page(pg), 0xcc, PAGE_SIZE)); + unmap_domain_page(memset(__map_domain_page(pg), 0xcc, PAGE_SIZE)); + addr = page_to_maddr(pg); + } + stubs[cpu] = addr; } stub_va = XEN_VIRT_END - FIXADDR_X_SIZE - (cpu + 1) * PAGE_SIZE; - if ( map_pages_to_xen(stub_va, page_to_mfn(pg), 1, + if ( map_pages_to_xen(stub_va, maddr_to_mfn(addr), 1, PAGE_HYPERVISOR_RX | MAP_SMALL_PAGES) ) - { - if ( !*mfn ) - free_domheap_page(pg); - stub_va = 0; - } - else if ( !*mfn ) - *mfn = mfn_x(page_to_mfn(pg)); + return false; + + per_cpu(stubs.mfn, cpu) = PFN_DOWN(addr); + per_cpu(stubs.addr, cpu) = stub_va + PAGE_OFFSET(addr); + return true; +} + +void __init init_stubs(void) +{ + const unsigned int num_cpus = num_present_cpus(); + unsigned int i; + + ASSERT(!stubs); + stubs = xvmalloc_array(typeof(*stubs), num_cpus); + if ( !stubs ) + panic("Unable to allocate stub array\n"); - return stub_va; + for ( i = 0; i < num_cpus; i++ ) + stubs[i] = INVALID_PADDR; + + if ( !assign_stub_page(0) ) + panic("Unable to initialize BSP stub region\n"); } void cpu_exit_clear(unsigned int cpu) @@ -990,19 +1014,12 @@ static void cpu_smpboot_free(unsigned int cpu, bool remove) { mfn_t mfn = _mfn(per_cpu(stubs.mfn, cpu)); unsigned char *stub_page = map_domain_page(mfn); - unsigned int i; - memset(stub_page + STUB_BUF_CPU_OFFS(cpu), 0xcc, STUB_BUF_SIZE); - for ( i = 0; i < STUBS_PER_PAGE; ++i ) - if ( stub_page[i * STUB_BUF_SIZE] != 0xcc ) - break; + memset(stub_page + PAGE_OFFSET(stubs[cpu]), 0xcc, STUB_BUF_SIZE); unmap_domain_page(stub_page); destroy_xen_mappings(per_cpu(stubs.addr, cpu) & PAGE_MASK, (per_cpu(stubs.addr, cpu) | ~PAGE_MASK) + 1); per_cpu(stubs.addr, cpu) = 0; - per_cpu(stubs.mfn, cpu) = 0; - if ( i == STUBS_PER_PAGE ) - free_domheap_page(mfn_to_page(mfn)); } if ( IS_ENABLED(CONFIG_PV32) ) @@ -1041,10 +1058,9 @@ void *cpu_alloc_stack(unsigned int cpu) static int cpu_smpboot_alloc(unsigned int cpu) { struct cpu_info *info; - unsigned int i, memflags = 0; + unsigned int memflags = 0; nodeid_t node = cpu_to_node(cpu); seg_desc_t *gdt; - unsigned long stub_page; int rc = -ENOMEM; if ( node != NUMA_NO_NODE ) @@ -1092,18 +1108,8 @@ static int cpu_smpboot_alloc(unsigned int cpu) memcpy(per_cpu(idt, cpu), bsp_idt, sizeof(bsp_idt)); disable_each_ist(per_cpu(idt, cpu)); - for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1); - i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) - if ( cpu_online(i) && cpu_to_node(i) == node ) - { - per_cpu(stubs.mfn, cpu) = per_cpu(stubs.mfn, i); - break; - } - BUG_ON(i == cpu); - stub_page = alloc_stub_page(cpu, &per_cpu(stubs.mfn, cpu)); - if ( !stub_page ) + if ( !assign_stub_page(cpu) ) goto out; - per_cpu(stubs.addr, cpu) = stub_page + STUB_BUF_CPU_OFFS(cpu); rc = setup_cpu_root_pgt(cpu); if ( rc ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 12:11:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 12:11:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336659.1598480 (Exim 4.92) (envelope-from ) id 1wY0j1-0003Ax-6q; Fri, 12 Jun 2026 12:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336659.1598480; Fri, 12 Jun 2026 12:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY0j1-0003Ao-3o; Fri, 12 Jun 2026 12:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1336659; Fri, 12 Jun 2026 12:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY0j0-0003Ai-38 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 12:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY0j0-006LpR-0P for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 12:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY0iz-009KGq-2b for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 12:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dRV1c5jfgtBlbnvNmtNdH8u/AiWgNo+Qw296nnn3BoA=; b=kntJnqy04kF50rB/Svw9L+dKuh 8xpCGtf91g3R1RcxvXWO2gnT1/lHcDCmOJxLvFc3wvWWEh4++nMyYHgaD9ZMQCM7Wd87NUTIyLSed o6u6UKvfcWY4IqlkYB6aHoFpAOs5LclJ5rotbw5vfEZRGnUk+tt4/IHUS2K0bbBlgSXE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/x86: Change stub page allocation/free Message-Id: Date: Fri, 12 Jun 2026 12:11:01 +0000 commit 4f2c223c59eb25fe8e9e3632a78541a1fddaa921 Author: Jason Andryuk AuthorDate: Thu Jun 11 09:02:18 2026 +0200 Commit: Roger Pau Monne CommitDate: Fri Jun 12 12:00:12 2026 +0200 xen/x86: Change stub page allocation/free Today the inline tracking of the stub page is problematic. 0xcc is used to indicate unused, but it is also a "clear value." A !CONFIG_PV build or when running with FRED support will not populate the LSTAR/CSTAR stubs at CPU bringup. If a CPU is then offlined, the stubs page will be freed as its content will be all 0xcc, regardless of the stubs page still begin referenced by other CPUs. The new approach uses a global, CPU-indexed dynamically allocated array of stub addresses. However, to handle NUMA aware allocations, we cannot allocate all the memory in advance because of the NUMA dependency. Take advantage of the fact that Xen will attempt to contiguously pack CPUs on the same NUMA node (see normalise_cpu_order()), and on CPU bringup use the same stubs page the previous CPU did if suitable. Note the code would still function properly even if CPUs from NUMA nodes are not contiguously packed, it just consumes more memory. Stubs pages are no longer freed. They remain referenced in the global CPU-indexed array and are re-used if the CPU is re-onlined. The stubs array doesn't have an explicit lock. During boot it's accessed single threaded. During runtime, &cpu_add_remove_lock serializes access. Fixes: 7a66ac8d1633 ("x86: move syscall trampolines off the stack") Signed-off-by: Jason Andryuk Signed-off-by: Roger Pau Monné Tested-by: Jason Andryuk Reviewed-by: Jason Andryuk Reviewed-by: Jan Beulich Reviewed-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/include/asm/stubs.h | 2 +- xen/arch/x86/setup.c | 4 +- xen/arch/x86/smpboot.c | 94 +++++++++++++++++++++------------------- 3 files changed, 52 insertions(+), 48 deletions(-) diff --git a/xen/arch/x86/include/asm/stubs.h b/xen/arch/x86/include/asm/stubs.h index a520928e9a..6f843a0f48 100644 --- a/xen/arch/x86/include/asm/stubs.h +++ b/xen/arch/x86/include/asm/stubs.h @@ -32,6 +32,6 @@ struct stubs { }; DECLARE_PER_CPU(struct stubs, stubs); -unsigned long alloc_stub_page(unsigned int cpu, unsigned long *mfn); +void init_stubs(void); #endif /* X86_ASM_STUBS_H */ diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 4192edf635..7d71fea6c0 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -2089,9 +2089,7 @@ void asmlinkage __init noreturn __start_xen(void) init_idle_domain(); - this_cpu(stubs.addr) = alloc_stub_page(smp_processor_id(), - &this_cpu(stubs).mfn); - BUG_ON(!this_cpu(stubs.addr)); + init_stubs(); bsp_traps_reinit(); /* Needs stubs allocated, must be before presmp_initcalls. */ diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index d8fd71ffab..84e9e4beed 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -641,41 +642,64 @@ static int do_boot_cpu(int apicid, int cpu) return rc; } -#define STUB_BUF_CPU_OFFS(cpu) (((cpu) & (STUBS_PER_PAGE - 1)) * STUB_BUF_SIZE) +/* Dynamically allocated, indexed by CPU. Store physical address of stubs. */ +static paddr_t *__ro_after_init stubs; -unsigned long alloc_stub_page(unsigned int cpu, unsigned long *mfn) +static bool assign_stub_page(unsigned int cpu) { unsigned long stub_va; - struct page_info *pg; + paddr_t addr = stubs[cpu]; - BUILD_BUG_ON(STUBS_PER_PAGE & (STUBS_PER_PAGE - 1)); - - if ( *mfn ) - pg = mfn_to_page(_mfn(*mfn)); - else + if ( addr == INVALID_PADDR ) { - nodeid_t node = cpu_to_node(cpu); - unsigned int memflags = node != NUMA_NO_NODE ? MEMF_node(node) : 0; + nodeid_t nid = cpu_to_node(cpu); + + /* + * Attempt to use the same page as the previous CPU if possible, + * otherwise allocate a new one. + */ + if ( cpu && nid == cpu_to_node(cpu - 1) && + stubs[cpu - 1] != INVALID_PADDR && + PAGE_OFFSET(stubs[cpu - 1] + STUB_BUF_SIZE) ) + addr = stubs[cpu - 1] + STUB_BUF_SIZE; + else + { + struct page_info *pg = alloc_domheap_page(NULL, MEMF_node(nid)); - pg = alloc_domheap_page(NULL, memflags); - if ( !pg ) - return 0; + if ( !pg ) + return false; - unmap_domain_page(memset(__map_domain_page(pg), 0xcc, PAGE_SIZE)); + unmap_domain_page(memset(__map_domain_page(pg), 0xcc, PAGE_SIZE)); + addr = page_to_maddr(pg); + } + stubs[cpu] = addr; } stub_va = XEN_VIRT_END - FIXADDR_X_SIZE - (cpu + 1) * PAGE_SIZE; - if ( map_pages_to_xen(stub_va, page_to_mfn(pg), 1, + if ( map_pages_to_xen(stub_va, maddr_to_mfn(addr), 1, PAGE_HYPERVISOR_RX | MAP_SMALL_PAGES) ) - { - if ( !*mfn ) - free_domheap_page(pg); - stub_va = 0; - } - else if ( !*mfn ) - *mfn = mfn_x(page_to_mfn(pg)); + return false; + + per_cpu(stubs.mfn, cpu) = PFN_DOWN(addr); + per_cpu(stubs.addr, cpu) = stub_va + PAGE_OFFSET(addr); + return true; +} + +void __init init_stubs(void) +{ + const unsigned int num_cpus = num_present_cpus(); + unsigned int i; + + ASSERT(!stubs); + stubs = xvmalloc_array(typeof(*stubs), num_cpus); + if ( !stubs ) + panic("Unable to allocate stub array\n"); - return stub_va; + for ( i = 0; i < num_cpus; i++ ) + stubs[i] = INVALID_PADDR; + + if ( !assign_stub_page(0) ) + panic("Unable to initialize BSP stub region\n"); } void cpu_exit_clear(unsigned int cpu) @@ -990,19 +1014,12 @@ static void cpu_smpboot_free(unsigned int cpu, bool remove) { mfn_t mfn = _mfn(per_cpu(stubs.mfn, cpu)); unsigned char *stub_page = map_domain_page(mfn); - unsigned int i; - memset(stub_page + STUB_BUF_CPU_OFFS(cpu), 0xcc, STUB_BUF_SIZE); - for ( i = 0; i < STUBS_PER_PAGE; ++i ) - if ( stub_page[i * STUB_BUF_SIZE] != 0xcc ) - break; + memset(stub_page + PAGE_OFFSET(stubs[cpu]), 0xcc, STUB_BUF_SIZE); unmap_domain_page(stub_page); destroy_xen_mappings(per_cpu(stubs.addr, cpu) & PAGE_MASK, (per_cpu(stubs.addr, cpu) | ~PAGE_MASK) + 1); per_cpu(stubs.addr, cpu) = 0; - per_cpu(stubs.mfn, cpu) = 0; - if ( i == STUBS_PER_PAGE ) - free_domheap_page(mfn_to_page(mfn)); } if ( IS_ENABLED(CONFIG_PV32) ) @@ -1041,10 +1058,9 @@ void *cpu_alloc_stack(unsigned int cpu) static int cpu_smpboot_alloc(unsigned int cpu) { struct cpu_info *info; - unsigned int i, memflags = 0; + unsigned int memflags = 0; nodeid_t node = cpu_to_node(cpu); seg_desc_t *gdt; - unsigned long stub_page; int rc = -ENOMEM; if ( node != NUMA_NO_NODE ) @@ -1092,18 +1108,8 @@ static int cpu_smpboot_alloc(unsigned int cpu) memcpy(per_cpu(idt, cpu), bsp_idt, sizeof(bsp_idt)); disable_each_ist(per_cpu(idt, cpu)); - for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1); - i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) - if ( cpu_online(i) && cpu_to_node(i) == node ) - { - per_cpu(stubs.mfn, cpu) = per_cpu(stubs.mfn, i); - break; - } - BUG_ON(i == cpu); - stub_page = alloc_stub_page(cpu, &per_cpu(stubs.mfn, cpu)); - if ( !stub_page ) + if ( !assign_stub_page(cpu) ) goto out; - per_cpu(stubs.addr, cpu) = stub_page + STUB_BUF_CPU_OFFS(cpu); rc = setup_cpu_root_pgt(cpu); if ( rc ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 14:11:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:11:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336719.1598501 (Exim 4.92) (envelope-from ) id 1wY2b9-0003L6-IN; Fri, 12 Jun 2026 14:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336719.1598501; Fri, 12 Jun 2026 14:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2b9-0003Ky-Fe; Fri, 12 Jun 2026 14:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1336719; Fri, 12 Jun 2026 14:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2b8-0003Ks-9z for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY2b8-006O5L-1e for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY2b8-00DlsI-0b for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KGuP4pz5RvMCK1/qBrd7EIXvGT1wBCGgkVHbodkgV9I=; b=JTQokeeMXXiJuxTr5Prm5mB2Cb 1VQkjpyFXpDFtOe4q1Bnap5r+nvoQGCHyFndfW82odV5h+CRlbmNYSQ7T5FrE+aAJGw8/dTM98A76 5CUwW1MJSTi/gAFPryL5T4VJpWFsJT3DPtaPBu3eOBsLPzxOp63LjoiG4dfo/QmX9xQo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Fixes to containerize Message-Id: Date: Fri, 12 Jun 2026 14:11:02 +0000 commit 2a52894017d19156543ec0681b08357cab8c357a Author: Andrew Cooper AuthorDate: Mon Jun 8 18:43:06 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Fixes to containerize These were missed from prior changes. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/scripts/containerize | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/automation/scripts/containerize b/automation/scripts/containerize index 8bd2a847aa..70494645e0 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -27,8 +27,7 @@ case "_${CONTAINER}" in _alpine) CONTAINER="${BASE}/alpine:3.18" ;; _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current" ;; - _centos7) CONTAINER="${BASE}/centos:7" ;; - _fedora) CONTAINER="${BASE}/fedora:41-x86_64";; + _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;; _bookworm-ppc64le) CONTAINER="${BASE}/debian:12-ppc64le" ;; _trixie-ppc64le) CONTAINER="${BASE}/debian:13-ppc64le" ;; @@ -42,13 +41,13 @@ case "_${CONTAINER}" in _bookworm-arm64v8) CONTAINER="${BASE}/debian:12-arm64v8" ;; _bookworm-cppcheck) CONTAINER="${BASE}/debian:12-arm64v8-cppcheck" ;; _trixie-arm64v8) CONTAINER="${BASE}/debian:13-arm64v8" ;; - _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-15.6-x86_64" ;; + _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-16.0-x86_64" ;; _opensuse-tumbleweed|_tumbleweed) CONTAINER="${BASE}/opensuse:tumbleweed-x86_64" ;; - _xenial) CONTAINER="${BASE}/ubuntu:16.04-x86_64" ;; _bionic) CONTAINER="${BASE}/ubuntu:18.04-x86_64" ;; _focal) CONTAINER="${BASE}/ubuntu:20.04-x86_64" ;; _jammy) CONTAINER="${BASE}/ubuntu:22.04-x86_64" ;; _noble) CONTAINER="${BASE}/ubuntu:24.04-x86_64" ;; + _resolute) CONTAINER="${BASE}/ubuntu:26.04-x86_64" ;; esac # Use this variable to control whether root should be used -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 14:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336720.1598504 (Exim 4.92) (envelope-from ) id 1wY2bJ-0003N3-JX; Fri, 12 Jun 2026 14:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336720.1598504; Fri, 12 Jun 2026 14:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2bJ-0003Mv-H3; Fri, 12 Jun 2026 14:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1336720; Fri, 12 Jun 2026 14:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2bI-0003Mm-CB for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY2bI-006O5P-20 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY2bI-00DmMF-0w for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mXXuEN8LojMUHmFaEIRtn7wIiBf1xluG3kQ8HegYoko=; b=daufJ/6AwUhbAI4GqY+J+vVEYm aEiXTBbUQbyBNfWKPCo91JlPOhrfluRJonfD5qnjbgLK0Ikni3TjScAnzpSbrtU1DjKlffAQMpe+m tB/3u+eHaD9QhR+mgvbhkui6Ajf5efDzK/PRRZjAtg6fBNETokMwUr7y/sK0ai+Juric=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Rework the archlinux container Message-Id: Date: Fri, 12 Jun 2026 14:11:12 +0000 commit 3ddcb957b5245f677ee7569a36093985ee49d56c Author: Andrew Cooper AuthorDate: Tue Jun 9 15:37:29 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Rework the archlinux container Rename it to have an x86_64 suffix, updating the build job names and scheduled rebuild task. Apply standard cleanups. Trim the package list down to what is actually needed. Archlinux's base-devel contains most libraries, but some of the listed packages have never been dependenices for Xen, and a lot are QEMU dependenices which aren't useful owing to the lack of the ninja package. This shrinks the container from 533MB to 380MB. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- .../build/archlinux/current-x86_64.dockerfile | 33 ++++++++++++++ automation/build/archlinux/current.dockerfile | 53 ---------------------- automation/gitlab-ci/build.yaml | 8 ++-- automation/gitlab-ci/containers.yaml | 4 +- automation/scripts/containerize | 2 +- 5 files changed, 40 insertions(+), 60 deletions(-) diff --git a/automation/build/archlinux/current-x86_64.dockerfile b/automation/build/archlinux/current-x86_64.dockerfile new file mode 100644 index 0000000000..4449cf952c --- /dev/null +++ b/automation/build/archlinux/current-x86_64.dockerfile @@ -0,0 +1,33 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 archlinux:base-devel +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336721.1598508 (Exim 4.92) (envelope-from ) id 1wY2bT-0003P8-L1; Fri, 12 Jun 2026 14:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336721.1598508; Fri, 12 Jun 2026 14:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2bT-0003P0-IX; Fri, 12 Jun 2026 14:11:23 +0000 Received: by outflank-mailman (input) for mailman id 1336721; Fri, 12 Jun 2026 14:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY2bS-0003Ot-FZ for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY2bS-006O5n-2J for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY2bS-00Dmpd-1I for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vCeLdU4Ve4qHPsNqaLbTQxjJ2bZZzciaSzxfRWRcLFQ=; b=ZtxVMY/T0LWHHr1x7/pZjXsbws uALKFHrGqlogZ1/Ko34RWkCTctyv2f+zmjR3ttLqk1bofdH8+4n5iMHoHlyouv0rfoCDHV05TIWnc MASffyFODiGrHkOguQwSjERJVxnQWCdyvI8+heL1u7Z3l5euqSo6xvLrARuirRyqCP9A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Rename xenial-xilinx to xilinx-hw-runner Message-Id: Date: Fri, 12 Jun 2026 14:11:22 +0000 commit ffb9c3016be3beb4228e9975bfb5f8ca5b5ccd56 Author: Andrew Cooper AuthorDate: Mon Jun 8 18:47:54 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Rename xenial-xilinx to xilinx-hw-runner The container is tied to the runner, not a version of Ubuntu. Intentionally give it a generic name so it need not change in the future. Apply standard cleanup to the dockerfile, except that it must continue to be a root container to drive real hardware. Explicitly install ca-certificates to compensate for --no-install-recommends. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/xenial-xilinx.dockerfile | 27 ------------------ .../build/ubuntu/xilinx-hw-runner.dockerfile | 32 ++++++++++++++++++++++ automation/gitlab-ci/test.yaml | 4 +-- 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/automation/build/ubuntu/xenial-xilinx.dockerfile b/automation/build/ubuntu/xenial-xilinx.dockerfile deleted file mode 100644 index 6107d8b771..0000000000 --- a/automation/build/ubuntu/xenial-xilinx.dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 ubuntu:16.04 -LABEL maintainer.name="The Xen Project " \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV DEBIAN_FRONTEND=noninteractive -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# board bringup depends -RUN apt-get update && \ - apt-get --quiet --yes install \ - snmp \ - snmp-mibs-downloader \ - u-boot-tools \ - device-tree-compiler \ - cpio \ - git \ - gzip \ - file \ - expect \ - && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* diff --git a/automation/build/ubuntu/xilinx-hw-runner.dockerfile b/automation/build/ubuntu/xilinx-hw-runner.dockerfile new file mode 100644 index 0000000000..1855b11af3 --- /dev/null +++ b/automation/build/ubuntu/xilinx-hw-runner.dockerfile @@ -0,0 +1,32 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 ubuntu:16.04 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +ENV DEBIAN_FRONTEND=noninteractive + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:55:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336790.1598575 (Exim 4.92) (envelope-from ) id 1wY3Hj-0003iZ-Cs; Fri, 12 Jun 2026 14:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336790.1598575; Fri, 12 Jun 2026 14:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3Hj-0003iR-9y; Fri, 12 Jun 2026 14:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1336790; Fri, 12 Jun 2026 14:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3Hh-0003hy-Ve for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY3Hi-006OnJ-0c for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY3Hh-00FVcD-2l for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WH+C6vqD9kK/eNvw350wBSfJRhEeNM0sy4T0j+Fznak=; b=wlfN7CmOXhE6noXOeNQcqK6kGW /OxWSFPpFigx7YU8Uv+Ug3uUWqcxMPjrA1SUn/axXqOZyevemhpIYJZqpljQGCt78DKrLl1tpcDF5 H6CyeOBAJfNGXdGMhf6Xq4Qjbbp13bMDvdXgzrJpODXOeItXqXafbvtBTEeNB0wdRRSk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Fixes to containerize Message-Id: Date: Fri, 12 Jun 2026 14:55:01 +0000 commit 2a52894017d19156543ec0681b08357cab8c357a Author: Andrew Cooper AuthorDate: Mon Jun 8 18:43:06 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Fixes to containerize These were missed from prior changes. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/scripts/containerize | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/automation/scripts/containerize b/automation/scripts/containerize index 8bd2a847aa..70494645e0 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -27,8 +27,7 @@ case "_${CONTAINER}" in _alpine) CONTAINER="${BASE}/alpine:3.18" ;; _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current" ;; - _centos7) CONTAINER="${BASE}/centos:7" ;; - _fedora) CONTAINER="${BASE}/fedora:41-x86_64";; + _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;; _bookworm-ppc64le) CONTAINER="${BASE}/debian:12-ppc64le" ;; _trixie-ppc64le) CONTAINER="${BASE}/debian:13-ppc64le" ;; @@ -42,13 +41,13 @@ case "_${CONTAINER}" in _bookworm-arm64v8) CONTAINER="${BASE}/debian:12-arm64v8" ;; _bookworm-cppcheck) CONTAINER="${BASE}/debian:12-arm64v8-cppcheck" ;; _trixie-arm64v8) CONTAINER="${BASE}/debian:13-arm64v8" ;; - _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-15.6-x86_64" ;; + _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-16.0-x86_64" ;; _opensuse-tumbleweed|_tumbleweed) CONTAINER="${BASE}/opensuse:tumbleweed-x86_64" ;; - _xenial) CONTAINER="${BASE}/ubuntu:16.04-x86_64" ;; _bionic) CONTAINER="${BASE}/ubuntu:18.04-x86_64" ;; _focal) CONTAINER="${BASE}/ubuntu:20.04-x86_64" ;; _jammy) CONTAINER="${BASE}/ubuntu:22.04-x86_64" ;; _noble) CONTAINER="${BASE}/ubuntu:24.04-x86_64" ;; + _resolute) CONTAINER="${BASE}/ubuntu:26.04-x86_64" ;; esac # Use this variable to control whether root should be used -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 12 14:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336791.1598580 (Exim 4.92) (envelope-from ) id 1wY3Ht-0003ob-FF; Fri, 12 Jun 2026 14:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336791.1598580; Fri, 12 Jun 2026 14:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3Ht-0003oT-CZ; Fri, 12 Jun 2026 14:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1336791; Fri, 12 Jun 2026 14:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3Hs-0003nq-59 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY3Hs-006OoI-18 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY3Hr-00FVwx-38 for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VrnSbwrIEQwqfOeq0CGAuhAkzO+dDQPo+aHfZ/i0t0s=; b=sKs4dxkeYXhZfQn8K4Vue+Kr3H tKXNFc5XRhQQ2a7aUNY3074nCNU+ieaTYV6AIpL5GM2+3ktLKt4q/D8Ra9DpxOxc/ctWI7d/T+Q+4 qwq+1hxQfgPD0stI0bsx7Ee45G8U1ub0TsBVAilYJOzzusoU0xXABX9YlH+W9QIXfFRI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Rework the archlinux container Message-Id: Date: Fri, 12 Jun 2026 14:55:11 +0000 commit 3ddcb957b5245f677ee7569a36093985ee49d56c Author: Andrew Cooper AuthorDate: Tue Jun 9 15:37:29 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Rework the archlinux container Rename it to have an x86_64 suffix, updating the build job names and scheduled rebuild task. Apply standard cleanups. Trim the package list down to what is actually needed. Archlinux's base-devel contains most libraries, but some of the listed packages have never been dependenices for Xen, and a lot are QEMU dependenices which aren't useful owing to the lack of the ninja package. This shrinks the container from 533MB to 380MB. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- .../build/archlinux/current-x86_64.dockerfile | 33 ++++++++++++++ automation/build/archlinux/current.dockerfile | 53 ---------------------- automation/gitlab-ci/build.yaml | 8 ++-- automation/gitlab-ci/containers.yaml | 4 +- automation/scripts/containerize | 2 +- 5 files changed, 40 insertions(+), 60 deletions(-) diff --git a/automation/build/archlinux/current-x86_64.dockerfile b/automation/build/archlinux/current-x86_64.dockerfile new file mode 100644 index 0000000000..4449cf952c --- /dev/null +++ b/automation/build/archlinux/current-x86_64.dockerfile @@ -0,0 +1,33 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 archlinux:base-devel +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Fri, 12 Jun 2026 14:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1336793.1598583 (Exim 4.92) (envelope-from ) id 1wY3I3-0003uZ-Gc; Fri, 12 Jun 2026 14:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1336793.1598583; Fri, 12 Jun 2026 14:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3I3-0003uQ-Dw; Fri, 12 Jun 2026 14:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1336793; Fri, 12 Jun 2026 14:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wY3I2-0003u5-6T for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wY3I2-006Opr-1R for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wY3I2-00FWTQ-0Q for xen-changelog@lists.xenproject.org; Fri, 12 Jun 2026 14:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=knFBztgXlU421LWgvM3XVRgJHjT2dpyCKy9w/5xDVYA=; b=IFl8RKZjPp0WwMQ+/WKPvROwrp QRr1w6sH8+NgwT/Anl+p75OC9ufl7vxJHuGweCBW8GUCLgY2GgY9oHwVjuiZ7ceny78dAktlfVjRA vdnqEmRw0oYGuYcT2ssU/H8KtXXkNFMYB4jN0/mjBeLVKIk0bmr1A1JaVG5+HRfeub0Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Rename xenial-xilinx to xilinx-hw-runner Message-Id: Date: Fri, 12 Jun 2026 14:55:22 +0000 commit ffb9c3016be3beb4228e9975bfb5f8ca5b5ccd56 Author: Andrew Cooper AuthorDate: Mon Jun 8 18:47:54 2026 +0100 Commit: Andrew Cooper CommitDate: Fri Jun 12 15:00:38 2026 +0100 CI: Rename xenial-xilinx to xilinx-hw-runner The container is tied to the runner, not a version of Ubuntu. Intentionally give it a generic name so it need not change in the future. Apply standard cleanup to the dockerfile, except that it must continue to be a root container to drive real hardware. Explicitly install ca-certificates to compensate for --no-install-recommends. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Anthony PERARD Acked-by: Stefano Stabellini Release-Acked-by: Oleksii Kurochko --- automation/build/ubuntu/xenial-xilinx.dockerfile | 27 ------------------ .../build/ubuntu/xilinx-hw-runner.dockerfile | 32 ++++++++++++++++++++++ automation/gitlab-ci/test.yaml | 4 +-- 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/automation/build/ubuntu/xenial-xilinx.dockerfile b/automation/build/ubuntu/xenial-xilinx.dockerfile deleted file mode 100644 index 6107d8b771..0000000000 --- a/automation/build/ubuntu/xenial-xilinx.dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 ubuntu:16.04 -LABEL maintainer.name="The Xen Project " \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV DEBIAN_FRONTEND=noninteractive -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# board bringup depends -RUN apt-get update && \ - apt-get --quiet --yes install \ - snmp \ - snmp-mibs-downloader \ - u-boot-tools \ - device-tree-compiler \ - cpio \ - git \ - gzip \ - file \ - expect \ - && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* diff --git a/automation/build/ubuntu/xilinx-hw-runner.dockerfile b/automation/build/ubuntu/xilinx-hw-runner.dockerfile new file mode 100644 index 0000000000..1855b11af3 --- /dev/null +++ b/automation/build/ubuntu/xilinx-hw-runner.dockerfile @@ -0,0 +1,32 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 ubuntu:16.04 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +ENV DEBIAN_FRONTEND=noninteractive + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 13:22:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338223.1599215 (Exim 4.92) (envelope-from ) id 1wZ7GM-0000hs-PK; Mon, 15 Jun 2026 13:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338223.1599215; Mon, 15 Jun 2026 13:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7GM-0000hk-MX; Mon, 15 Jun 2026 13:22:02 +0000 Received: by outflank-mailman (input) for mailman id 1338223; Mon, 15 Jun 2026 13:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7GL-0000he-W3 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZ7GL-00B5mv-3D for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZ7GL-00DX7i-21 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=o030Q/GxroSXRUUeUN5Db9JanuFPJZQtxQP59z97Rec=; b=ijtOkrDw/rVWbW+DRJn7DcGW17 eKVWPsa6qzzb86lmx4DSdHZiv/udb5Nnf0REcSDpHdtiwNETnAYmbOw3AUOrKPInBWK5Kde32lbQm /NHf0HCP8rKhghjrlrJwbMDz2gBTcWXCMI9hV7zumr7aqaC58qkUNqzawIzL66ZEvz18=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [qemu-xen staging] mkvenv: Support pip 25.2 Message-Id: Date: Mon, 15 Jun 2026 13:22:01 +0000 commit 0edeb44c093bea39f0fe4d936ee363b99113ffe1 Author: Sv. Lockal AuthorDate: Mon Aug 11 15:01:59 2025 -0400 Commit: Anthony PERARD CommitDate: Mon Jun 15 14:28:53 2026 +0200 mkvenv: Support pip 25.2 Fix compilation with pip-25.2 due to missing distlib.version Bug: https://gitlab.com/qemu-project/qemu/-/issues/3062 Signed-off-by: Sv. Lockal [Edits: Type "safety" whackamole --js] Signed-off-by: John Snow Message-ID: <20250811190159.237321-1-jsnow@redhat.com> Signed-off-by: Stefan Hajnoczi (cherry picked from commit 6ad034e71232c2929ed546304c9d249312bb632f) --- python/scripts/mkvenv.py | 64 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 4 deletions(-) diff --git a/python/scripts/mkvenv.py b/python/scripts/mkvenv.py index f2526af0a0..601df930e5 100644 --- a/python/scripts/mkvenv.py +++ b/python/scripts/mkvenv.py @@ -84,6 +84,7 @@ from typing import ( Sequence, Tuple, Union, + cast, ) import venv @@ -94,17 +95,39 @@ import venv HAVE_DISTLIB = True try: import distlib.scripts - import distlib.version except ImportError: try: # Reach into pip's cookie jar. pylint and flake8 don't understand # that these imports will be used via distlib.xxx. from pip._vendor import distlib import pip._vendor.distlib.scripts # noqa, pylint: disable=unused-import - import pip._vendor.distlib.version # noqa, pylint: disable=unused-import except ImportError: HAVE_DISTLIB = False +# pip 25.2 does not vendor distlib.version, but it uses vendored +# packaging.version +HAVE_DISTLIB_VERSION = True +try: + import distlib.version # pylint: disable=ungrouped-imports +except ImportError: + try: + # pylint: disable=unused-import,ungrouped-imports + import pip._vendor.distlib.version # noqa + except ImportError: + HAVE_DISTLIB_VERSION = False + +HAVE_PACKAGING_VERSION = True +try: + # Do not bother importing non-vendored packaging, because it is not + # in stdlib. + from pip._vendor import packaging + # pylint: disable=unused-import + import pip._vendor.packaging.requirements # noqa + import pip._vendor.packaging.version # noqa +except ImportError: + HAVE_PACKAGING_VERSION = False + + # Try to load tomllib, with a fallback to tomli. # HAVE_TOMLLIB is checked below, just-in-time, so that mkvenv does not fail # outside the venv or before a potential call to ensurepip in checkpip(). @@ -133,6 +156,39 @@ class Ouch(RuntimeError): """An Exception class we can't confuse with a builtin.""" +class Matcher: + """Compatibility appliance for version/requirement string parsing.""" + def __init__(self, name_and_constraint: str): + """Create a matcher from a requirement-like string.""" + if HAVE_DISTLIB_VERSION: + self._m = distlib.version.LegacyMatcher(name_and_constraint) + elif HAVE_PACKAGING_VERSION: + self._m = packaging.requirements.Requirement(name_and_constraint) + else: + raise Ouch("found neither distlib.version nor packaging.version") + self.name = self._m.name + + def match(self, version_str: str) -> bool: + """Return True if `version` satisfies the stored constraint.""" + if HAVE_DISTLIB_VERSION: + return cast( + bool, + self._m.match(distlib.version.LegacyVersion(version_str)) + ) + + assert HAVE_PACKAGING_VERSION + return cast( + bool, + self._m.specifier.contains( + packaging.version.Version(version_str), prereleases=True + ) + ) + + def __repr__(self) -> str: + """Stable debug representation delegated to the backend.""" + return repr(self._m) + + class QemuEnvBuilder(venv.EnvBuilder): """ An extension of venv.EnvBuilder for building QEMU's configure-time venv. @@ -666,7 +722,7 @@ def _do_ensure( canary = None for name, info in group.items(): constraint = _make_version_constraint(info, False) - matcher = distlib.version.LegacyMatcher(name + constraint) + matcher = Matcher(name + constraint) print(f"mkvenv: checking for {matcher}", file=sys.stderr) dist: Optional[Distribution] = None @@ -680,7 +736,7 @@ def _do_ensure( # Always pass installed package to pip, so that they can be # updated if the requested version changes or not _is_system_package(dist) - or not matcher.match(distlib.version.LegacyVersion(dist.version)) + or not matcher.match(dist.version) ): absent.append(name + _make_version_constraint(info, True)) if len(absent) == 1: -- generated by git-patchbot for /home/xen/git/qemu-xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 13:33:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 13:33:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338232.1599228 (Exim 4.92) (envelope-from ) id 1wZ7R1-0002QP-Ph; Mon, 15 Jun 2026 13:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338232.1599228; Mon, 15 Jun 2026 13:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7R1-0002QH-Mx; Mon, 15 Jun 2026 13:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1338232; Mon, 15 Jun 2026 13:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7R0-0002QB-CK for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZ7R0-00B5xv-0p for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZ7Qz-00DbAI-30 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2r6bklInCl0k+vI37AptmWRMBBbIpQBAvtF0KoJRf84=; b=q4NCvHnnBBM5fNwWXrtRrkocM+ YB/Di4TaEBCAlM7l1aN/M1g2C1l1Dj6rb1/Zw2TkWjF1QxKQpAozldTw+YMrbN0/w22/KLcY5/9VY s/g317mn/7oxy0oRAQBwayHQyfjYDStN3dENJRIU9esmx+zY8uv8XMe457GGGbPsHUqA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [qemu-xen master] mkvenv: Support pip 25.2 Message-Id: Date: Mon, 15 Jun 2026 13:33:01 +0000 commit 0edeb44c093bea39f0fe4d936ee363b99113ffe1 Author: Sv. Lockal AuthorDate: Mon Aug 11 15:01:59 2025 -0400 Commit: Anthony PERARD CommitDate: Mon Jun 15 14:28:53 2026 +0200 mkvenv: Support pip 25.2 Fix compilation with pip-25.2 due to missing distlib.version Bug: https://gitlab.com/qemu-project/qemu/-/issues/3062 Signed-off-by: Sv. Lockal [Edits: Type "safety" whackamole --js] Signed-off-by: John Snow Message-ID: <20250811190159.237321-1-jsnow@redhat.com> Signed-off-by: Stefan Hajnoczi (cherry picked from commit 6ad034e71232c2929ed546304c9d249312bb632f) --- python/scripts/mkvenv.py | 64 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 4 deletions(-) diff --git a/python/scripts/mkvenv.py b/python/scripts/mkvenv.py index f2526af0a0..601df930e5 100644 --- a/python/scripts/mkvenv.py +++ b/python/scripts/mkvenv.py @@ -84,6 +84,7 @@ from typing import ( Sequence, Tuple, Union, + cast, ) import venv @@ -94,17 +95,39 @@ import venv HAVE_DISTLIB = True try: import distlib.scripts - import distlib.version except ImportError: try: # Reach into pip's cookie jar. pylint and flake8 don't understand # that these imports will be used via distlib.xxx. from pip._vendor import distlib import pip._vendor.distlib.scripts # noqa, pylint: disable=unused-import - import pip._vendor.distlib.version # noqa, pylint: disable=unused-import except ImportError: HAVE_DISTLIB = False +# pip 25.2 does not vendor distlib.version, but it uses vendored +# packaging.version +HAVE_DISTLIB_VERSION = True +try: + import distlib.version # pylint: disable=ungrouped-imports +except ImportError: + try: + # pylint: disable=unused-import,ungrouped-imports + import pip._vendor.distlib.version # noqa + except ImportError: + HAVE_DISTLIB_VERSION = False + +HAVE_PACKAGING_VERSION = True +try: + # Do not bother importing non-vendored packaging, because it is not + # in stdlib. + from pip._vendor import packaging + # pylint: disable=unused-import + import pip._vendor.packaging.requirements # noqa + import pip._vendor.packaging.version # noqa +except ImportError: + HAVE_PACKAGING_VERSION = False + + # Try to load tomllib, with a fallback to tomli. # HAVE_TOMLLIB is checked below, just-in-time, so that mkvenv does not fail # outside the venv or before a potential call to ensurepip in checkpip(). @@ -133,6 +156,39 @@ class Ouch(RuntimeError): """An Exception class we can't confuse with a builtin.""" +class Matcher: + """Compatibility appliance for version/requirement string parsing.""" + def __init__(self, name_and_constraint: str): + """Create a matcher from a requirement-like string.""" + if HAVE_DISTLIB_VERSION: + self._m = distlib.version.LegacyMatcher(name_and_constraint) + elif HAVE_PACKAGING_VERSION: + self._m = packaging.requirements.Requirement(name_and_constraint) + else: + raise Ouch("found neither distlib.version nor packaging.version") + self.name = self._m.name + + def match(self, version_str: str) -> bool: + """Return True if `version` satisfies the stored constraint.""" + if HAVE_DISTLIB_VERSION: + return cast( + bool, + self._m.match(distlib.version.LegacyVersion(version_str)) + ) + + assert HAVE_PACKAGING_VERSION + return cast( + bool, + self._m.specifier.contains( + packaging.version.Version(version_str), prereleases=True + ) + ) + + def __repr__(self) -> str: + """Stable debug representation delegated to the backend.""" + return repr(self._m) + + class QemuEnvBuilder(venv.EnvBuilder): """ An extension of venv.EnvBuilder for building QEMU's configure-time venv. @@ -666,7 +722,7 @@ def _do_ensure( canary = None for name, info in group.items(): constraint = _make_version_constraint(info, False) - matcher = distlib.version.LegacyMatcher(name + constraint) + matcher = Matcher(name + constraint) print(f"mkvenv: checking for {matcher}", file=sys.stderr) dist: Optional[Distribution] = None @@ -680,7 +736,7 @@ def _do_ensure( # Always pass installed package to pip, so that they can be # updated if the requested version changes or not _is_system_package(dist) - or not matcher.match(distlib.version.LegacyVersion(dist.version)) + or not matcher.match(dist.version) ): absent.append(name + _make_version_constraint(info, True)) if len(absent) == 1: -- generated by git-patchbot for /home/xen/git/qemu-xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 13:44:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 13:44:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338240.1599241 (Exim 4.92) (envelope-from ) id 1wZ7bf-000458-On; Mon, 15 Jun 2026 13:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338240.1599241; Mon, 15 Jun 2026 13:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7bf-000450-M8; Mon, 15 Jun 2026 13:44:03 +0000 Received: by outflank-mailman (input) for mailman id 1338240; Mon, 15 Jun 2026 13:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ7be-00044u-Ls for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:44:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZ7be-00B68p-1z for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:44:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZ7be-00Dfso-0u for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 13:44:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gZDINWp/zaxDpRK6fK6CqUCQp/gB5ZR4/fMMHR+gmEc=; b=XlcUCQOHDyV/90NgFwSTv5ZoWb 6D8adIHNe2pQVI19DrAOWyb+Gg9LdrixSwNwJ7H9y4R/5X9sTq5JcIZ5CedtHk2yp0uxp6bZTV9e0 M0STGd/rKFt/zTuZXXa9qt/o5WozCe9YG89CSOLVeEQMOuByWfMPuT4Z3zPHmq9LkIFc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Use more specific Xilinx runner tags Message-Id: Date: Mon, 15 Jun 2026 13:44:02 +0000 commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 12:42:55 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 89760b24e6..c375c97309 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -119,7 +119,7 @@ && $CI_COMMIT_REF_PROTECTED == "true" when: on_success tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ && $CI_COMMIT_REF_PROTECTED == "true" when: on_success tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 16:00:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 16:00:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338436.1599466 (Exim 4.92) (envelope-from ) id 1wZ9jG-0000kV-B7; Mon, 15 Jun 2026 16:00:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338436.1599466; Mon, 15 Jun 2026 16:00:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ9jG-0000jz-7a; Mon, 15 Jun 2026 16:00:02 +0000 Received: by outflank-mailman (input) for mailman id 1338436; Mon, 15 Jun 2026 16:00:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZ9jF-0000T0-PO for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 16:00:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZ9jF-00B8eW-2A for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 16:00:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZ9jF-00EXRP-19 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 16:00:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=J7hQWlMN7pS7ZdZ0D+9wd4r5MwsYc+Y6rgei978DMzw=; b=fVPnI8A4310wfq1XyeYFg+Bsnd F3UPl/KbT6TYrormItCkdrKeawUwlLpJdm+ogAM7zPH04pvFNKxt2cA3hxpGfqD+n+ywM/86cyLoZ cMWXraTAUZbh4az6zyXf7nsity4umubHSSpyKo4GsK14jH5TNY+7Z5JBDBz8Ue/wgVJU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Use more specific Xilinx runner tags Message-Id: Date: Mon, 15 Jun 2026 16:00:01 +0000 commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 12:42:55 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 89760b24e6..c375c97309 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -119,7 +119,7 @@ && $CI_COMMIT_REF_PROTECTED == "true" when: on_success tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ && $CI_COMMIT_REF_PROTECTED == "true" when: on_success tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:22:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338532.1599567 (Exim 4.92) (envelope-from ) id 1wZCsl-0001Jt-VI; Mon, 15 Jun 2026 19:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338532.1599567; Mon, 15 Jun 2026 19:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCsl-0001Jk-Sg; Mon, 15 Jun 2026 19:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1338532; Mon, 15 Jun 2026 19:22:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCsl-0001Je-2O for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCsk-00BCsN-2n for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCsk-00FwWm-1W for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nB8T0G0e1221ja1wqj0iKPMmjjZRk0UJArgpNKw3Mms=; b=B+fHK1IX6d0CDNcMO0XI9YSV4e 3NK6EhsHxkTtSj+eZ9Vre5Lkw1PkJphzzUZTOKz47uqKVY/W1pRGD363YZhwDIeIzGhRBrouV4w/y aFYFTbkuj+4cI58BMxMSrKBYPgK1ZmQjYAEQ/afh6CVbGxmLjtuqS4LDFqxPJpSbX0fY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/xenalyze: Fix -Werror=nonnull failure Message-Id: Date: Mon, 15 Jun 2026 19:22:02 +0000 commit 1a485996d9c50f968e0cb437d3fc91d3942434e3 Author: Andrew Cooper AuthorDate: Fri Jun 12 17:42:56 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 tools/xenalyze: Fix -Werror=nonnull failure GCC 15.2 with Alpine Linux 3.24 fails with -Werror=nonnull, complaining that we're calling bzero(NULL, 128). This is a legitimate diagnostic. xenalyze has it's own error() function shadowing the standard library one, and can in principle return when p is NULL. Extend the check in error() with ERR_MAX_TOLERABLE to short circuit the variable tolerance check. Suggested-by: Anthony PERARD Signed-off-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/xentrace/xenalyze.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c index 876d59d42c..42feeb282e 100644 --- a/tools/xentrace/xenalyze.c +++ b/tools/xentrace/xenalyze.c @@ -8767,7 +8767,7 @@ void dump_raw(const char * s, struct record_info *ri) void error(enum error_level l, struct record_info *ri) { - if ( l > opt.tolerance ) + if ( l > ERR_MAX_TOLERABLE || l > opt.tolerance ) { if ( ri ) dump_generic(warn, ri); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338533.1599571 (Exim 4.92) (envelope-from ) id 1wZCsw-0001Lp-0L; Mon, 15 Jun 2026 19:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338533.1599571; Mon, 15 Jun 2026 19:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCsv-0001Lh-U4; Mon, 15 Jun 2026 19:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1338533; Mon, 15 Jun 2026 19:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCsu-0001LY-OB for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCsu-00BCsR-3A for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCsu-00FwbZ-24 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=e8CK2g49NvxjQgT+IqbbeKVafAwkBbEoQPtreW6JF+E=; b=Z+lRKwcpgH4wn76PmLC4G1ByU1 agsi4CdWG4RRlHRF6zQR/zBfRagwNaG4jpWBeMOlvUmHAn4Y/TJM3BIdLW071PgsSFeBFgRsa4+g9 2Oa9URRO9ldNrUr50daK+10vXo2OqrYd1pRLy52YkmjzeOnQWHX4P+C2cS4oYzD/1LXI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Config.mk: Update QEMU to include pip-25.2 bugfix Message-Id: Date: Mon, 15 Jun 2026 19:22:12 +0000 commit be361c42853a92980c6f5d7d3a11260121268783 Author: Andrew Cooper AuthorDate: Fri Jun 12 19:33:07 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 Config.mk: Update QEMU to include pip-25.2 bugfix Specifically: commit 6ad034e71232c2929ed546304c9d249312bb632f Author: Sv. Lockal Date: Mon Aug 11 20:01:59 2025 mkvenv: Support pip 25.2 Fix compilation with pip-25.2 due to missing distlib.version Bug: https://gitlab.com/qemu-project/qemu/-/issues/3062 from upstream QEMU. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Anthony PERARD Release-Acked-by: Oleksii Kurochko --- Config.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index 86a4999246..bf0f30424c 100644 --- a/Config.mk +++ b/Config.mk @@ -214,7 +214,7 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= e064f42c80be6f6ff8c12dcb2a663bdf70f965f6 +QEMU_UPSTREAM_REVISION ?= 0edeb44c093bea39f0fe4d936ee363b99113ffe1 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git MINIOS_UPSTREAM_REVISION ?= b6f79f5f44cf69044079c042b88fe9d75367642e -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:22:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338534.1599575 (Exim 4.92) (envelope-from ) id 1wZCt6-0001No-1r; Mon, 15 Jun 2026 19:22:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338534.1599575; Mon, 15 Jun 2026 19:22:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCt5-0001Ne-VP; Mon, 15 Jun 2026 19:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1338534; Mon, 15 Jun 2026 19:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCt4-0001NW-QX for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCt5-00BCsn-0E for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCt4-00Fwga-2R for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AA+Xy6cQZV2pWlUgtkmtcgiLa/095Cp7c2Br2P8y18w=; b=skeJPxX9rFK/YQr/x5I1fT+F1C SintYMXuImpadqkp40PQwZsBURvI2KsJgrOJzHAotU9JZpSiesWhoKM4VqQg0O/hk9AeD2SndISLn hyhTvm+FyoMt22RjKyL+niLm4/ibt1u3IoT3d+Ped38DLJ7UzKuhXg5foXPh6OlqOZgA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Introduce new qubes-hw-runner.dockerfile Message-Id: Date: Mon, 15 Jun 2026 19:22:22 +0000 commit 4dff3f89c1c5f22f751f1ca9790a6cf23ad09356 Author: Andrew Cooper AuthorDate: Mon Jun 8 20:16:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Introduce new qubes-hw-runner.dockerfile This container is tied to gitlab-runner environment in the RPis driving the test systems, not a specific version of Alpine. Intentionally give it a generic name so it need not change in the future. Switch to Alpine 3.24 right away, as it doesn't interact with the 3.18 builds under test. The container needs to remain a root container. By no longer using the arm64v8 build container for dual-purpose, we can finally make the build containers be non-root. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/qubes-hw-runner.dockerfile | 21 +++++++++++++++++++++ automation/gitlab-ci/test.yaml | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/automation/build/alpine/qubes-hw-runner.dockerfile b/automation/build/alpine/qubes-hw-runner.dockerfile new file mode 100644 index 0000000000..8b11164872 --- /dev/null +++ b/automation/build/alpine/qubes-hw-runner.dockerfile @@ -0,0 +1,21 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/arm64/v8 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338535.1599579 (Exim 4.92) (envelope-from ) id 1wZCtG-0001QI-4b; Mon, 15 Jun 2026 19:22:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338535.1599579; Mon, 15 Jun 2026 19:22:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtG-0001QA-1t; Mon, 15 Jun 2026 19:22:34 +0000 Received: by outflank-mailman (input) for mailman id 1338535; Mon, 15 Jun 2026 19:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtE-0001Q0-Tz for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCtF-00BCsu-0W for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCtE-00FwkK-2k for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Kyx8YYTcD9bj7YrYPpqTMbGHySPrOj0zCGEEKPQZq9o=; b=z3UQLsDsCVc4ZatiSg2UuVz9B1 DTZGNzItCT4C8ftlf4SJNJIjNAlaVxboYOWR7e+ykMOLmiFdFzlhUqlnRXa26LwAKu/rczgoBDIru zaprKgpKypPhh68JXxSJO9Gaz2dxOpCfXrNTK7y9NwG1lLZWxmwqcr8bY7jXZGhDXVrU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Update the Alpine x86_64 container to 3.24 Message-Id: Date: Mon, 15 Jun 2026 19:22:32 +0000 commit 694302cc84db4a221560def6c12c18d8bdca4c95 Author: Andrew Cooper AuthorDate: Fri Jun 12 16:07:38 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Update the Alpine x86_64 container to 3.24 Perform standard syntax cleanup and make it a non-root container. Switch yajl for json-c given the deprecation of the former. Add an x86_64 suffix for naming consistency with everything else. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/3.18.dockerfile | 52 -------------------- automation/build/alpine/3.24-x86_64.dockerfile | 65 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 16 +++---- automation/gitlab-ci/test.yaml | 66 +++++++++++++------------- automation/scripts/containerize | 2 +- 5 files changed, 107 insertions(+), 94 deletions(-) diff --git a/automation/build/alpine/3.18.dockerfile b/automation/build/alpine/3.18.dockerfile deleted file mode 100644 index 263e9e90d8..0000000000 --- a/automation/build/alpine/3.18.dockerfile +++ /dev/null @@ -1,52 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 alpine:3.18 -LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ - \ - # xen build deps - argp-standalone \ - autoconf \ - bash \ - bison \ - clang \ - curl \ - dev86 \ - flex \ - g++ \ - gcc \ - git \ - grep \ - iasl \ - libaio-dev \ - libc6-compat \ - linux-headers \ - make \ - musl-dev \ - ncurses-dev \ - ocaml \ - ocaml-findlib \ - patch \ - python3-dev \ - py3-setuptools \ - texinfo \ - util-linux-dev \ - xz-dev \ - yajl-dev \ - zlib-dev \ - \ - # qemu build deps - glib-dev \ - libattr \ - libcap-ng-dev \ - ninja \ - pixman-dev \ - # livepatch-tools deps - elfutils-dev \ diff --git a/automation/build/alpine/3.24-x86_64.dockerfile b/automation/build/alpine/3.24-x86_64.dockerfile new file mode 100644 index 0000000000..f93158e018 --- /dev/null +++ b/automation/build/alpine/3.24-x86_64.dockerfile @@ -0,0 +1,65 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN <&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug-argo: extends: .xilinx-x86_64 script: - ./automation/scripts/xilinx-smoke-dom0-x86_64.sh argo 2>&1 | tee ${LOGFILE} needs: - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug - project: xen-project/hardware/test-artifacts job: linux-6.6.56-x86_64 ref: master - project: xen-project/hardware/test-artifacts - job: alpine-3.18-x86_64-rootfs + job: alpine-3.24-x86_64-rootfs ref: master - project: xen-project/hardware/test-artifacts job: microcode-x86 @@ -260,7 +260,7 @@ adl-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-smoke-x86-64-dom0pvh-gcc-debug: extends: .adl-x86-64 @@ -268,7 +268,7 @@ adl-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .adl-x86-64 @@ -276,7 +276,7 @@ adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-suspend-x86-64-gcc-debug: extends: .adl-x86-64 @@ -284,7 +284,7 @@ adl-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pci-pv-x86-64-gcc-debug: extends: .adl-x86-64 @@ -292,7 +292,7 @@ adl-pci-pv-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pci-hvm-x86-64-gcc-debug: extends: .adl-x86-64 @@ -300,7 +300,7 @@ adl-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pvshim-x86-64-gcc-debug: extends: .adl-x86-64 @@ -308,7 +308,7 @@ adl-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-tools-tests-pv-x86-64-gcc-debug: extends: .adl-x86-64 @@ -319,7 +319,7 @@ adl-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-tools-tests-pvh-x86-64-gcc-debug: extends: .adl-x86-64 @@ -330,7 +330,7 @@ adl-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -338,7 +338,7 @@ kbl-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-dom0pvh-gcc-debug: extends: .kbl-x86-64 @@ -346,7 +346,7 @@ kbl-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .kbl-x86-64 @@ -354,7 +354,7 @@ kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-suspend-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -362,7 +362,7 @@ kbl-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pci-pv-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -370,7 +370,7 @@ kbl-pci-pv-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pci-hvm-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -378,7 +378,7 @@ kbl-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pvshim-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -386,7 +386,7 @@ kbl-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-tools-tests-pv-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -397,7 +397,7 @@ kbl-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-tools-tests-pvh-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -408,7 +408,7 @@ kbl-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen2-smoke-x86-64-gcc-debug: extends: .zen2-x86-64 @@ -416,7 +416,7 @@ zen2-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen2-suspend-x86-64-gcc-debug: extends: .zen2-x86-64 @@ -424,7 +424,7 @@ zen2-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -432,7 +432,7 @@ zen3p-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-dom0pvh-gcc-debug: extends: .zen3p-x86-64 @@ -440,7 +440,7 @@ zen3p-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .zen3p-x86-64 @@ -448,7 +448,7 @@ zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-pci-hvm-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -456,7 +456,7 @@ zen3p-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-pvshim-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -464,7 +464,7 @@ zen3p-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-tools-tests-pv-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -475,7 +475,7 @@ zen3p-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-tools-tests-pvh-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -486,7 +486,7 @@ zen3p-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug qemu-smoke-dom0-arm64-gcc: extends: .qemu-arm64 @@ -654,7 +654,7 @@ qemu-alpine-x86_64-gcc: - ./automation/scripts/qemu-alpine-x86_64.sh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc + - alpine-3.24-x86_64-gcc qemu-smoke-x86-64-gcc: extends: .qemu-smoke-x86-64 @@ -698,7 +698,7 @@ qemu-xtf-argo-x86_64-gcc-debug: script: - ./automation/scripts/qemu-xtf.sh x86-64 pv64 argo 2>&1 | tee ${LOGFILE} needs: - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug qemu-smoke-riscv64-gcc: extends: .qemu-riscv64 diff --git a/automation/scripts/containerize b/automation/scripts/containerize index aea842e1ff..e9b2f6122f 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -24,7 +24,7 @@ die() { # BASE="registry.gitlab.com/xen-project/xen" case "_${CONTAINER}" in - _alpine) CONTAINER="${BASE}/alpine:3.18" ;; + _alpine) CONTAINER="${BASE}/alpine:3.24-x86_64" ;; _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current-x86_64" ;; _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:22:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338537.1599591 (Exim 4.92) (envelope-from ) id 1wZCtQ-0001j1-Cs; Mon, 15 Jun 2026 19:22:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338537.1599591; Mon, 15 Jun 2026 19:22:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtQ-0001iv-A0; Mon, 15 Jun 2026 19:22:44 +0000 Received: by outflank-mailman (input) for mailman id 1338537; Mon, 15 Jun 2026 19:22:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtP-0001i6-0e for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCtP-00BCsy-0s for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCtO-00FwnY-33 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lHbSey+qi208JhFZx1bxqjrFSOt8DMrNP1igC/X40IM=; b=q1vvqhaD4/S3slXxNSHPqTzXkp JxrMaSMROACgM5+s26Xvsyk9Ot/yQUdXyMyMIl9c8+4V/wGqougLHknr8Z5ZfrI2yV7ZUbditDLUb JBPHiM9q9Zp52nxVJ7lkvpyDR80ot/m5vruadg8c1HU9i7FbDnIt2ADzbSs9jpKvtlgA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Update the Alpine arm64 container to 3.24 Message-Id: Date: Mon, 15 Jun 2026 19:22:42 +0000 commit cfaaf09a5ec434ea6c454e911a4485970db16458 Author: Andrew Cooper AuthorDate: Fri Jun 12 16:08:17 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Update the Alpine arm64 container to 3.24 Perform standard syntax cleanup and make it a non-root container. Switch yajl for json-c given the deprecation of the former. Drop dev86 which is an x86-only dependency, and QEMU dependencies as we don't build QEMU in this environment any more. When updating the job names, also rename some for consistency so the arm64 fragment comes before the compiler. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/3.18-arm64v8.dockerfile | 51 ------------------------ automation/build/alpine/3.24-arm64v8.dockerfile | 53 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 32 +++++++-------- automation/gitlab-ci/test.yaml | 30 +++++++------- automation/scripts/containerize | 2 +- 5 files changed, 85 insertions(+), 83 deletions(-) diff --git a/automation/build/alpine/3.18-arm64v8.dockerfile b/automation/build/alpine/3.18-arm64v8.dockerfile deleted file mode 100644 index b8482d5bf4..0000000000 --- a/automation/build/alpine/3.18-arm64v8.dockerfile +++ /dev/null @@ -1,51 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/arm64/v8 alpine:3.18 -LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ - \ - # xen build deps - argp-standalone \ - autoconf \ - bash \ - bison \ - curl \ - dev86 \ - dtc-dev \ - flex \ - gcc \ - git \ - iasl \ - libaio-dev \ - libfdt \ - linux-headers \ - make \ - musl-dev \ - ncurses-dev \ - ocaml \ - ocaml-findlib \ - patch \ - python3-dev \ - py3-setuptools \ - texinfo \ - util-linux-dev \ - xz-dev \ - yajl-dev \ - zlib-dev \ - \ - # qemu build deps - glib-dev \ - libattr \ - libcap-ng-dev \ - pixman-dev \ - # qubes test deps - openssh-client \ - fakeroot \ - expect \ diff --git a/automation/build/alpine/3.24-arm64v8.dockerfile b/automation/build/alpine/3.24-arm64v8.dockerfile new file mode 100644 index 0000000000..5b28d874ef --- /dev/null +++ b/automation/build/alpine/3.24-arm64v8.dockerfile @@ -0,0 +1,53 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/arm64/v8 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN <&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug xilinx-smoke-dom0less-arm64-gcc-debug-gem-passthrough: extends: .xilinx-arm64 @@ -228,7 +228,7 @@ xilinx-smoke-dom0less-arm64-gcc-debug-gem-passthrough: - ./automation/scripts/xilinx-smoke-dom0less-arm64.sh gem-passthrough 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug: extends: .xilinx-x86_64 @@ -494,7 +494,7 @@ qemu-smoke-dom0-arm64-gcc: - ./automation/scripts/qemu-smoke-dom0-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-smoke-dom0-arm64-gcc-debug: extends: .qemu-arm64 @@ -502,7 +502,7 @@ qemu-smoke-dom0-arm64-gcc-debug: - ./automation/scripts/qemu-smoke-dom0-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc: extends: .qemu-arm64 @@ -510,7 +510,7 @@ qemu-smoke-dom0less-arm64-gcc: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-smoke-dom0less-arm64-gcc-debug: extends: .qemu-arm64 @@ -518,7 +518,7 @@ qemu-smoke-dom0less-arm64-gcc-debug: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-gicv3: extends: .qemu-arm64 @@ -526,7 +526,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-gicv3: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh gicv3 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-staticmem: extends: .qemu-arm64 @@ -534,7 +534,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-staticmem: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-mem 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-staticmem + - alpine-3.24-arm64-gcc-debug-staticmem qemu-smoke-dom0less-arm64-gcc-debug-staticheap: extends: .qemu-arm64 @@ -542,7 +542,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-staticheap: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-heap 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-static-shared-mem: extends: .qemu-arm64 @@ -550,7 +550,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-static-shared-mem: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-shared-mem 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-static-shared-mem + - alpine-3.24-arm64-gcc-debug-static-shared-mem qemu-smoke-dom0less-arm64-gcc-debug-boot-cpupools: extends: .qemu-arm64 @@ -558,7 +558,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-boot-cpupools: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh boot-cpupools 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-boot-cpupools + - alpine-3.24-arm64-gcc-debug-boot-cpupools qemu-smoke-dom0less-arm64-gcc-debug-earlyprintk: extends: .qemu-arm64 @@ -566,7 +566,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-earlyprintk: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh earlyprintk 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-earlyprintk + - alpine-3.24-arm64-gcc-debug-earlyprintk qemu-xtf-dom0less-arm64-gcc-hyp-xen-version: extends: .qemu-arm64 @@ -574,7 +574,7 @@ qemu-xtf-dom0less-arm64-gcc-hyp-xen-version: - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-xtf-dom0less-arm64-gcc-debug-hyp-xen-version: extends: .qemu-arm64 @@ -582,7 +582,7 @@ qemu-xtf-dom0less-arm64-gcc-debug-hyp-xen-version: - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0-arm32-gcc: extends: .qemu-arm32 diff --git a/automation/scripts/containerize b/automation/scripts/containerize index e9b2f6122f..feadd9e82f 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -25,7 +25,7 @@ die() { BASE="registry.gitlab.com/xen-project/xen" case "_${CONTAINER}" in _alpine) CONTAINER="${BASE}/alpine:3.24-x86_64" ;; - _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; + _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.24-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current-x86_64" ;; _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:22:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:22:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338540.1599596 (Exim 4.92) (envelope-from ) id 1wZCta-0001s2-G9; Mon, 15 Jun 2026 19:22:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338540.1599596; Mon, 15 Jun 2026 19:22:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCta-0001rv-D1; Mon, 15 Jun 2026 19:22:54 +0000 Received: by outflank-mailman (input) for mailman id 1338540; Mon, 15 Jun 2026 19:22:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtZ-0001qK-5a for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCtZ-00BCt4-1L for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCtZ-00Fwqj-0A for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:22:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=T4/fQP8FozUqXl/tS0aL7uptU3HR4CBlx1eRN2SFT+U=; b=5tTHxC+gMMF0XxU3xFzoQfJ3U2 BYWlbQ+qGjwtsmycZ0tupE8qGdp27UOcNZ+DHK0/QlIf65UKoXk3mtaTNJTUfRnXLgNcSTm84Q9LO mZoftoLwce82bQvGZRnSMkxA8kgb3G8gsGSU1enUobwOWvpEa/H3IKe73mSY/vBplMhM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Fix inconsistent use of x86-{64,32} vs x86_{64,32} Message-Id: Date: Mon, 15 Jun 2026 19:22:53 +0000 commit 66f59e7657d697a1c117808c6062fb0930423a0f Author: Andrew Cooper AuthorDate: Fri Jun 12 22:23:16 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Fix inconsistent use of x86-{64,32} vs x86_{64,32} The configuration uses a mix of dashes and underscores, which is irritating to develop for. Switch to using the underscore form consistently; it is the more common form and it has the benefit that it allows splitting on dashes to work sensibly. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/build.yaml | 154 +++++------ automation/gitlab-ci/test.yaml | 280 +++++++++---------- .../scripts/include/configs/xtf-x86-64-config | 0 .../scripts/include/configs/xtf-x86-64-efi-config | 0 .../scripts/include/configs/xtf-x86_64-config | 0 .../scripts/include/configs/xtf-x86_64-efi-config | 0 automation/scripts/include/xtf-x86-64 | 32 --- automation/scripts/include/xtf-x86-64-efi | 59 ---- automation/scripts/include/xtf-x86_64 | 32 +++ automation/scripts/include/xtf-x86_64-efi | 59 ++++ automation/scripts/qubes-x86-64.sh | 302 --------------------- automation/scripts/qubes-x86_64.sh | 302 +++++++++++++++++++++ 12 files changed, 610 insertions(+), 610 deletions(-) diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml index fa054a8280..d5929e34ec 100644 --- a/automation/gitlab-ci/build.yaml +++ b/automation/gitlab-ci/build.yaml @@ -36,77 +36,77 @@ CXX: clang++ clang: y -.x86-64-build-tmpl: +.x86_64-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_64 tags: - x86_64 -.x86-64-build: - extends: .x86-64-build-tmpl +.x86_64-build: + extends: .x86_64-build-tmpl variables: debug: n -.x86-64-build-debug: - extends: .x86-64-build-tmpl +.x86_64-build-debug: + extends: .x86_64-build-tmpl variables: debug: y -.x86-32-build-tmpl: +.x86_32-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_32 tags: - x86_32 -.x86-32-build: - extends: .x86-32-build-tmpl +.x86_32-build: + extends: .x86_32-build-tmpl variables: debug: n -.x86-32-build-debug: - extends: .x86-32-build-tmpl +.x86_32-build-debug: + extends: .x86_32-build-tmpl variables: debug: y -.gcc-x86-64-build: - extends: .x86-64-build +.gcc-x86_64-build: + extends: .x86_64-build variables: <<: *gcc -.gcc-x86-64-build-debug: - extends: .x86-64-build-debug +.gcc-x86_64-build-debug: + extends: .x86_64-build-debug variables: <<: *gcc -.gcc-x86-32-build: - extends: .x86-32-build +.gcc-x86_32-build: + extends: .x86_32-build variables: <<: *gcc -.gcc-x86-32-build-debug: - extends: .x86-32-build-debug +.gcc-x86_32-build-debug: + extends: .x86_32-build-debug variables: <<: *gcc -.clang-x86-64-build: - extends: .x86-64-build +.clang-x86_64-build: + extends: .x86_64-build variables: <<: *clang -.clang-x86-64-build-debug: - extends: .x86-64-build-debug +.clang-x86_64-build-debug: + extends: .x86_64-build-debug variables: <<: *clang -.clang-x86-32-build: - extends: .x86-32-build +.clang-x86_32-build: + extends: .x86_32-build variables: <<: *clang -.clang-x86-32-build-debug: - extends: .x86-32-build-debug +.clang-x86_32-build-debug: + extends: .x86_32-build-debug variables: <<: *clang @@ -244,25 +244,25 @@ tags: - arm64 -.yocto-test-x86-64: +.yocto-test-x86_64: extends: .yocto-test tags: - x86_64 -.x86-64-cross-build-tmpl: +.x86_64-cross-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_64 tags: - arm64 -.x86-64-cross-build: - extends: .x86-64-cross-build-tmpl +.x86_64-cross-build: + extends: .x86_64-cross-build-tmpl variables: debug: n -.gcc-x86-64-cross-build: - extends: .x86-64-cross-build +.gcc-x86_64-cross-build: + extends: .x86_64-cross-build variables: <<: *gcc @@ -271,13 +271,13 @@ # Build jobs needed for tests alpine-3.24-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build <<: *build-test variables: CONTAINER: alpine:3.24-x86_64 alpine-3.24-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug <<: *build-test variables: CONTAINER: alpine:3.24-x86_64 @@ -292,13 +292,13 @@ alpine-3.24-x86_64-gcc-debug: CONFIG_XHCI=y debian-13-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug <<: *build-test variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug <<: *build-test variables: CONTAINER: debian:13-x86_64 @@ -482,14 +482,14 @@ yocto-qemuarm: YOCTO_OUTPUT: --copy-output yocto-qemux86-64: - extends: .yocto-test-x86-64 + extends: .yocto-test-x86_64 variables: YOCTO_BOARD: qemux86-64 # Cppcheck analysis jobs debian-12-x86_64-gcc-cppcheck: - extends: .gcc-x86-64-cross-build + extends: .gcc-x86_64-cross-build variables: CONTAINER: debian:12-arm64v8-cppcheck CROSS_COMPILE: /usr/bin/x86_64-linux-gnu- @@ -514,29 +514,29 @@ debian-12-arm64-gcc-cppcheck: # Build jobs not needed for tests alpine-3.24-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: alpine:3.24-x86_64 alpine-3.24-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: alpine:3.24-x86_64 archlinux-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: archlinux:current-x86_64 allow_failure: true archlinux-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: archlinux:current-x86_64 allow_failure: true debian-12-x86_64-gcc-ibt: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:12-x86_64-gcc-ibt RANDCONFIG: y @@ -544,42 +544,42 @@ debian-12-x86_64-gcc-ibt: CONFIG_XEN_IBT=y debian-12-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: debian:12-x86_64 debian-12-x86_32-clang-debug: - extends: .clang-x86-32-build-debug + extends: .clang-x86_32-build-debug variables: CONTAINER: debian:12-x86_32 debian-12-x86_32-gcc-debug: - extends: .gcc-x86-32-build-debug + extends: .gcc-x86_32-build-debug variables: CONTAINER: debian:12-x86_32 debian-13-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-clang-randconfig: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:13-x86_64 RANDCONFIG: y @@ -587,136 +587,136 @@ debian-13-x86_64-clang-randconfig: CONFIG_COVERAGE=n # Disable coverage otherwise build times out. debian-13-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-gcc-randconfig: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:13-x86_64 RANDCONFIG: y debian-13-x86_32-clang-debug: - extends: .clang-x86-32-build-debug + extends: .clang-x86_32-build-debug variables: CONTAINER: debian:13-x86_32 debian-13-x86_32-gcc-debug: - extends: .gcc-x86-32-build-debug + extends: .gcc-x86_32-build-debug variables: CONTAINER: debian:13-x86_32 fedora-43-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: fedora:43-x86_64 fedora-43-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: fedora:43-x86_64 ubuntu-18.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:18.04-x86_64 ubuntu-18.04-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: ubuntu:18.04-x86_64 ubuntu-20.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:20.04-x86_64 ubuntu-22.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-22.04-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-22.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-24.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:24.04-x86_64 ubuntu-24.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:24.04-x86_64 ubuntu-26.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: ubuntu:26.04-x86_64 opensuse-leap-16.0-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-tumbleweed-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index cae8dfe970..87b2018a29 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -21,7 +21,7 @@ job: microcode-x86 ref: $ARTIFACTS_BRANCH -.x86-64-test-needs: &x86-64-test-needs +.x86_64-test-needs: &x86_64-test-needs - project: $ARTIFACTS_REPO job: $LINUX_JOB_X86_64 ref: $ARTIFACTS_BRANCH @@ -58,11 +58,11 @@ tags: - arm64 -.qemu-x86-64: +.qemu-x86_64: extends: .test-jobs-common variables: CONTAINER: debian:13-x86_64 - LOGFILE: qemu-smoke-x86-64.log + LOGFILE: qemu-smoke-x86_64.log artifacts: paths: - smoke.serial @@ -71,8 +71,8 @@ tags: - x86_64 -.qemu-smoke-x86-64: - extends: .qemu-x86-64 +.qemu-smoke-x86_64: + extends: .qemu-x86_64 variables: TEST_TIMEOUT_OVERRIDE: 120 @@ -141,7 +141,7 @@ tags: - xilinx-crater-001 -.adl-x86-64: +.adl-x86_64: extends: .test-jobs-common variables: # the test controller runs on RPi4 @@ -164,9 +164,9 @@ tags: - qubes-hw2 -.kbl-x86-64: +.kbl-x86_64: # it's really similar to the ADL one - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "00:1f.6" PCIDEV_INTR: "MSI" @@ -175,9 +175,9 @@ tags: - qubes-hw3 -.zen2-x86-64: +.zen2-x86_64: # it's really similar to the above - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "01:00.0" PCIDEV_INTR: "MSI-X" @@ -186,9 +186,9 @@ tags: - qubes-hw1 -.zen3p-x86-64: +.zen3p-x86_64: # it's really similar to the above - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "01:00.0" PCIDEV_INTR: "MSI-X" @@ -235,7 +235,7 @@ xilinx-smoke-dom0-x86_64-gcc-debug: script: - ./automation/scripts/xilinx-smoke-dom0-x86_64.sh ping 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug-argo: @@ -254,238 +254,238 @@ xilinx-smoke-dom0-x86_64-gcc-debug-argo: job: microcode-x86 ref: master -adl-smoke-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-smoke-x86-64-dom0pvh-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-dom0pvh-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-suspend-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-suspend-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pci-pv-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pci-pv-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pci-hvm-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pci-hvm-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pvshim-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pvshim-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-tools-tests-pv-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-tools-tests-pv-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-tools-tests-pvh-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-tools-tests-pvh-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-dom0pvh-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-dom0pvh-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-suspend-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-suspend-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pci-pv-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pci-pv-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pci-hvm-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pci-hvm-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pvshim-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pvshim-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-tools-tests-pv-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-tools-tests-pv-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-tools-tests-pvh-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-tools-tests-pvh-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen2-smoke-x86-64-gcc-debug: - extends: .zen2-x86-64 +zen2-smoke-x86_64-gcc-debug: + extends: .zen2-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen2-suspend-x86-64-gcc-debug: - extends: .zen2-x86-64 +zen2-suspend-x86_64-gcc-debug: + extends: .zen2-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-dom0pvh-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-dom0pvh-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-pci-hvm-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-pci-hvm-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-pvshim-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-pvshim-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-tools-tests-pv-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-tools-tests-pv-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-tools-tests-pvh-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-tools-tests-pvh-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug qemu-smoke-dom0-arm64-gcc: @@ -649,54 +649,54 @@ qemu-smoke-dom0less-arm32-gcc-debug-earlyprintk: - debian-12-arm32-gcc-debug-earlyprintk qemu-alpine-x86_64-gcc: - extends: .qemu-x86-64 + extends: .qemu-x86_64 script: - ./automation/scripts/qemu-alpine-x86_64.sh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc -qemu-smoke-x86-64-gcc: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug -qemu-smoke-x86-64-clang: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-clang: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-clang-debug -qemu-smoke-x86-64-gcc-pvh: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc-pvh: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 hvm64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 hvm64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug -qemu-smoke-x86-64-clang-pvh: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-clang-pvh: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 hvm64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 hvm64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-clang-debug -qemu-smoke-x86-64-gcc-efi: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc-efi: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64-efi pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64-efi pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug qemu-xtf-argo-x86_64-gcc-debug: - extends: .qemu-smoke-x86-64 + extends: .qemu-smoke-x86_64 variables: TEST_TIMEOUT_OVERRIDE: 60 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 argo 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 argo 2>&1 | tee ${LOGFILE} needs: - alpine-3.24-x86_64-gcc-debug diff --git a/automation/scripts/include/configs/xtf-x86-64-config b/automation/scripts/include/configs/xtf-x86-64-config deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/automation/scripts/include/configs/xtf-x86-64-efi-config b/automation/scripts/include/configs/xtf-x86-64-efi-config deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/automation/scripts/include/configs/xtf-x86_64-config b/automation/scripts/include/configs/xtf-x86_64-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/automation/scripts/include/configs/xtf-x86_64-efi-config b/automation/scripts/include/configs/xtf-x86_64-efi-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/automation/scripts/include/xtf-x86-64 b/automation/scripts/include/xtf-x86-64 deleted file mode 100644 index 186f074bd8..0000000000 --- a/automation/scripts/include/xtf-x86-64 +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -# -# XTF test utilities (x86_64). -# - -# Arch-specific environment overrides. -function xtf_arch_prepare() -{ - export FW_PREFIX="${FW_PREFIX:-}" - export QEMU_PREFIX="${QEMU_PREFIX:-}" - export XEN_BINARY="${XEN_BINARY:-${WORKDIR}/xen}" - export XEN_CMDLINE="${XEN_CMDLINE:-loglvl=all noreboot console_timestamps=boot console=com1}" - export XTF_SRC_BRANCH="${XTF_SRC_BRANCH:-master}" - export XTF_SRC_URI="${XTF_SRC_URI:-https://xenbits.xen.org/git-http/xtf.git}" - export XTF_SRC_VARIANTS="hvm64 pv64" -} - -# Perform arch-specific XTF environment setup. -function xtf_arch_setup() -{ - export TEST_CMD="${QEMU_PREFIX}qemu-system-x86_64 \ - -no-reboot \ - -nographic \ - -monitor none \ - -serial stdio \ - -m 2048 \ - -smp 2 \ - -kernel ${XEN_BINARY} \ - -initrd ${XTF_BINARY} \ - -append \"${XEN_CMDLINE}\" \ - " -} diff --git a/automation/scripts/include/xtf-x86-64-efi b/automation/scripts/include/xtf-x86-64-efi deleted file mode 100644 index 15c6463dcd..0000000000 --- a/automation/scripts/include/xtf-x86-64-efi +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/bash -# -# XTF test utilities (x86_64, EFI). -# - -# Arch-specific environment overrides. -function xtf_arch_prepare() -{ - export FW_PREFIX="${FW_PREFIX:-/usr/share/OVMF/}" - export QEMU_PREFIX="${QEMU_PREFIX:-}" - export XEN_BINARY="${XEN_BINARY:-${WORKDIR}/xen.efi}" - export XEN_CMDLINE="${XEN_CMDLINE:-loglvl=all noreboot console_timestamps=boot console=com1}" - export XTF_SRC_BRANCH="${XTF_SRC_BRANCH:-master}" - export XTF_SRC_URI="${XTF_SRC_URI:-https://xenbits.xen.org/git-http/xtf.git}" - export XTF_SRC_VARIANTS="hvm64 pv64" -} - -# Perform arch-specific XTF environment setup. -function xtf_arch_setup() -{ - local esp_dir="${WORKDIR}/boot-esp" - local efi_dir="${esp_dir}/EFI/BOOT" - local suff= - - # Generate EFI boot environment - mkdir -p ${efi_dir} - cp ${XEN_BINARY} ${efi_dir}/BOOTX64.EFI - cp ${XTF_BINARY} ${efi_dir}/kernel - - cat > ${efi_dir}/BOOTX64.cfg < ${efi_dir}/BOOTX64.cfg < /sys/power/mem_sleep -echo mem > /sys/power/state -xl list -xl dmesg | grep 'Finishing wakeup from ACPI S3 state' || exit 1 -# check if domU is still alive -ping -c 10 192.168.0.2 || exit 1 -echo \"${passed}\" -" - ;; - - ### test: pci-pv, pci-hvm - "pci-pv"|"pci-hvm") - - if [ -z "$PCIDEV" ]; then - echo "Please set 'PCIDEV' variable with BDF of test network adapter" >&2 - echo "Optionally set also 'PCIDEV_INTR' to 'MSI' or 'MSI-X'" >&2 - exit 1 - fi - - passed="pci test passed" - - domU_type="${test_variant#pci-}" - domU_vif="" - - domU_extra_config=' -extra = "earlyprintk=xen" -pci = [ "'$PCIDEV',seize=1" ] -on_reboot = "destroy" -' - - domU_check=" -set -x -e -interface=eth0 -while ! [ -e \"/sys/class/net/\$interface\" ]; do sleep 1; done -ip link set \"\$interface\" up -timeout 30s udhcpc -i \"\$interface\" -pingip=\$(ip -o -4 r show default|cut -f 3 -d ' ') -ping -c 10 \"\$pingip\" -echo domU started -pcidevice=\$(realpath /sys/class/net/\$interface/device | - sed 's#.*pci0000:00/\\([^/]*\\).*#\\1#') -lspci -vs \$pcidevice -" - if [ -n "$PCIDEV_INTR" ]; then - domU_check="$domU_check -lspci -vs \$pcidevice | fgrep '$PCIDEV_INTR: Enable+' -" - fi - domU_check="$domU_check -echo \"${passed}\" -" - - dom0_check=" -until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do - sleep 1 -done -" - ;; - - ### tests: tools-tests-pv, tools-tests-pvh - "tools-tests-pv"|"tools-tests-pvh") - retrieve_xml=1 - passed="test passed" - domU_check="" - dom0_check=" -/root/run-tools-tests /usr/lib/xen/tests /tmp/tests-junit.xml && echo \"${passed}\" -nc -l -p 8080 < /tmp/tests-junit.xml >/dev/null & -" - if [ "${test_variant}" = "tools-tests-pvh" ]; then - extra_xen_opts="dom0=pvh" - fi - - ;; - - *) - echo "Unrecognised test_variant '${test_variant}'" >&2 - exit 1 - ;; -esac - -domU_config=" -type = '${domU_type}' -name = 'domU' -kernel = '/boot/vmlinuz-domU' -ramdisk = '/boot/initrd-domU' -cmdline = 'root=/dev/ram0 console=hvc0' -memory = 512 -vif = [ ${domU_vif} ] -disk = [ ] -${domU_extra_config} -" - -if [ -n "$domU_check" ]; then - # DomU rootfs - cp binaries/rootfs.cpio.gz binaries/domU-rootfs.cpio.gz - - # test-local configuration - mkdir -p rootfs - cd rootfs - mkdir -p etc/local.d - echo "#!/bin/sh - -echo 8 > /proc/sys/kernel/printk - -${domU_check} -" > etc/local.d/xen.start - chmod +x etc/local.d/xen.start - echo "domU Welcome to Alpine Linux -Kernel \r on an \m (\l) - -" > etc/issue - find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/domU-rootfs.cpio.gz - cd .. - rm -rf rootfs - - # Package domU kernel+rootfs in /boot for dom0 (uncompressed) - mkdir -p rootfs/boot - cd rootfs - cp ../binaries/bzImage boot/vmlinuz-domU - cp ../binaries/domU-rootfs.cpio.gz boot/initrd-domU - find . | cpio -R 0:0 -H newc -o > ../binaries/domU-in-dom0.cpio - cd .. - rm -rf rootfs - - dom0_rootfs_extra_uncomp+=(binaries/domU-in-dom0.cpio) -fi - -# Dom0 rootfs. The order of concatenation is important; ucode wants to come -# first, and all uncompressed must be ahead of compressed. -dom0_rootfs_parts=( - binaries/ucode.cpio - "${dom0_rootfs_extra_uncomp[@]}" - binaries/rootfs.cpio.gz - binaries/xen-tools.cpio.gz - "${dom0_rootfs_extra_comp[@]}" -) -cat "${dom0_rootfs_parts[@]}" > binaries/dom0-rootfs.cpio.gz - -# test-local configuration -mkdir -p rootfs -cd rootfs -mkdir -p boot etc/local.d root -cp -a ../automation/scripts/run-tools-tests root/ - -echo "#!/bin/bash - -bash /etc/init.d/xencommons start - -brctl addbr xenbr0 -brctl addif xenbr0 eth0 -ifconfig eth0 up -ifconfig xenbr0 up -ifconfig xenbr0 192.168.0.1 - -" > etc/local.d/xen.start - -if [ -n "$retrieve_xml" ]; then - echo "timeout 30s udhcpc -i xenbr0" >> etc/local.d/xen.start -fi - -if [ -n "$domU_check" ]; then - echo " -# get domU console content into test log -tail -F /var/log/xen/console/guest-domU.log 2>/dev/null | sed -e \"s/^/(domU) /\" & -tail -F /var/log/xen/qemu-dm-domU.log 2>/dev/null | sed -e \"s/^/(qemu-dm) /\" & -xl -vvv create /etc/xen/domU.cfg -" >> etc/local.d/xen.start -fi - -echo "${dom0_check}" >> etc/local.d/xen.start - -chmod +x etc/local.d/xen.start -mkdir -p etc/xen -echo "$domU_config" > etc/xen/domU.cfg - -mkdir -p etc/default -echo "XENCONSOLED_TRACE=all" >> etc/default/xencommons -echo "QEMU_XEN=/bin/false" >> etc/default/xencommons -mkdir -p var/log/xen/console -find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/dom0-rootfs.cpio.gz -cd .. - - -TFTP=/scratch/gitlab-runner/tftp -CONTROLLER=control@thor.testnet - -echo " -multiboot2 (http)/gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts -module2 (http)/gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen -module2 --nounzip (http)/gitlab-ci/initrd-dom0 -" > $TFTP/grub.cfg - -echo "#!ipxe - -kernel /gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts || reboot -module /gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen || reboot -module /gitlab-ci/initrd-dom0 || reboot -boot -" > $TFTP/boot.ipxe - -cp -f binaries/xen $TFTP/xen -cp -f binaries/bzImage $TFTP/vmlinuz -cp -f binaries/dom0-rootfs.cpio.gz $TFTP/initrd-dom0 - -# start the system pointing at gitlab-ci predefined config -ssh $CONTROLLER gitlabci poweron -trap "ssh $CONTROLLER poweroff" EXIT - -if [ -n "$wait_and_wakeup" ]; then - export SUSPEND_MSG="$wait_and_wakeup" - export WAKEUP_CMD="ssh $CONTROLLER wake" -fi - -export PASSED="${passed}" -export BOOT_MSG="Latest ChangeSet: " -export LOG_MSG="\nWelcome to Alpine Linux" -export TEST_CMD="ssh $CONTROLLER console" -export TEST_LOG="smoke.serial" -export TEST_TIMEOUT="$timeout" -./automation/scripts/console.exp |& sed 's/\r\+$//' -TEST_RESULT=$? - -if [ -n "$retrieve_xml" ]; then - nc -w 10 "$SUT_ADDR" 8080 > tests-junit.xml /sys/power/mem_sleep +echo mem > /sys/power/state +xl list +xl dmesg | grep 'Finishing wakeup from ACPI S3 state' || exit 1 +# check if domU is still alive +ping -c 10 192.168.0.2 || exit 1 +echo \"${passed}\" +" + ;; + + ### test: pci-pv, pci-hvm + "pci-pv"|"pci-hvm") + + if [ -z "$PCIDEV" ]; then + echo "Please set 'PCIDEV' variable with BDF of test network adapter" >&2 + echo "Optionally set also 'PCIDEV_INTR' to 'MSI' or 'MSI-X'" >&2 + exit 1 + fi + + passed="pci test passed" + + domU_type="${test_variant#pci-}" + domU_vif="" + + domU_extra_config=' +extra = "earlyprintk=xen" +pci = [ "'$PCIDEV',seize=1" ] +on_reboot = "destroy" +' + + domU_check=" +set -x -e +interface=eth0 +while ! [ -e \"/sys/class/net/\$interface\" ]; do sleep 1; done +ip link set \"\$interface\" up +timeout 30s udhcpc -i \"\$interface\" +pingip=\$(ip -o -4 r show default|cut -f 3 -d ' ') +ping -c 10 \"\$pingip\" +echo domU started +pcidevice=\$(realpath /sys/class/net/\$interface/device | + sed 's#.*pci0000:00/\\([^/]*\\).*#\\1#') +lspci -vs \$pcidevice +" + if [ -n "$PCIDEV_INTR" ]; then + domU_check="$domU_check +lspci -vs \$pcidevice | fgrep '$PCIDEV_INTR: Enable+' +" + fi + domU_check="$domU_check +echo \"${passed}\" +" + + dom0_check=" +until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do + sleep 1 +done +" + ;; + + ### tests: tools-tests-pv, tools-tests-pvh + "tools-tests-pv"|"tools-tests-pvh") + retrieve_xml=1 + passed="test passed" + domU_check="" + dom0_check=" +/root/run-tools-tests /usr/lib/xen/tests /tmp/tests-junit.xml && echo \"${passed}\" +nc -l -p 8080 < /tmp/tests-junit.xml >/dev/null & +" + if [ "${test_variant}" = "tools-tests-pvh" ]; then + extra_xen_opts="dom0=pvh" + fi + + ;; + + *) + echo "Unrecognised test_variant '${test_variant}'" >&2 + exit 1 + ;; +esac + +domU_config=" +type = '${domU_type}' +name = 'domU' +kernel = '/boot/vmlinuz-domU' +ramdisk = '/boot/initrd-domU' +cmdline = 'root=/dev/ram0 console=hvc0' +memory = 512 +vif = [ ${domU_vif} ] +disk = [ ] +${domU_extra_config} +" + +if [ -n "$domU_check" ]; then + # DomU rootfs + cp binaries/rootfs.cpio.gz binaries/domU-rootfs.cpio.gz + + # test-local configuration + mkdir -p rootfs + cd rootfs + mkdir -p etc/local.d + echo "#!/bin/sh + +echo 8 > /proc/sys/kernel/printk + +${domU_check} +" > etc/local.d/xen.start + chmod +x etc/local.d/xen.start + echo "domU Welcome to Alpine Linux +Kernel \r on an \m (\l) + +" > etc/issue + find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/domU-rootfs.cpio.gz + cd .. + rm -rf rootfs + + # Package domU kernel+rootfs in /boot for dom0 (uncompressed) + mkdir -p rootfs/boot + cd rootfs + cp ../binaries/bzImage boot/vmlinuz-domU + cp ../binaries/domU-rootfs.cpio.gz boot/initrd-domU + find . | cpio -R 0:0 -H newc -o > ../binaries/domU-in-dom0.cpio + cd .. + rm -rf rootfs + + dom0_rootfs_extra_uncomp+=(binaries/domU-in-dom0.cpio) +fi + +# Dom0 rootfs. The order of concatenation is important; ucode wants to come +# first, and all uncompressed must be ahead of compressed. +dom0_rootfs_parts=( + binaries/ucode.cpio + "${dom0_rootfs_extra_uncomp[@]}" + binaries/rootfs.cpio.gz + binaries/xen-tools.cpio.gz + "${dom0_rootfs_extra_comp[@]}" +) +cat "${dom0_rootfs_parts[@]}" > binaries/dom0-rootfs.cpio.gz + +# test-local configuration +mkdir -p rootfs +cd rootfs +mkdir -p boot etc/local.d root +cp -a ../automation/scripts/run-tools-tests root/ + +echo "#!/bin/bash + +bash /etc/init.d/xencommons start + +brctl addbr xenbr0 +brctl addif xenbr0 eth0 +ifconfig eth0 up +ifconfig xenbr0 up +ifconfig xenbr0 192.168.0.1 + +" > etc/local.d/xen.start + +if [ -n "$retrieve_xml" ]; then + echo "timeout 30s udhcpc -i xenbr0" >> etc/local.d/xen.start +fi + +if [ -n "$domU_check" ]; then + echo " +# get domU console content into test log +tail -F /var/log/xen/console/guest-domU.log 2>/dev/null | sed -e \"s/^/(domU) /\" & +tail -F /var/log/xen/qemu-dm-domU.log 2>/dev/null | sed -e \"s/^/(qemu-dm) /\" & +xl -vvv create /etc/xen/domU.cfg +" >> etc/local.d/xen.start +fi + +echo "${dom0_check}" >> etc/local.d/xen.start + +chmod +x etc/local.d/xen.start +mkdir -p etc/xen +echo "$domU_config" > etc/xen/domU.cfg + +mkdir -p etc/default +echo "XENCONSOLED_TRACE=all" >> etc/default/xencommons +echo "QEMU_XEN=/bin/false" >> etc/default/xencommons +mkdir -p var/log/xen/console +find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/dom0-rootfs.cpio.gz +cd .. + + +TFTP=/scratch/gitlab-runner/tftp +CONTROLLER=control@thor.testnet + +echo " +multiboot2 (http)/gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts +module2 (http)/gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen +module2 --nounzip (http)/gitlab-ci/initrd-dom0 +" > $TFTP/grub.cfg + +echo "#!ipxe + +kernel /gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts || reboot +module /gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen || reboot +module /gitlab-ci/initrd-dom0 || reboot +boot +" > $TFTP/boot.ipxe + +cp -f binaries/xen $TFTP/xen +cp -f binaries/bzImage $TFTP/vmlinuz +cp -f binaries/dom0-rootfs.cpio.gz $TFTP/initrd-dom0 + +# start the system pointing at gitlab-ci predefined config +ssh $CONTROLLER gitlabci poweron +trap "ssh $CONTROLLER poweroff" EXIT + +if [ -n "$wait_and_wakeup" ]; then + export SUSPEND_MSG="$wait_and_wakeup" + export WAKEUP_CMD="ssh $CONTROLLER wake" +fi + +export PASSED="${passed}" +export BOOT_MSG="Latest ChangeSet: " +export LOG_MSG="\nWelcome to Alpine Linux" +export TEST_CMD="ssh $CONTROLLER console" +export TEST_LOG="smoke.serial" +export TEST_TIMEOUT="$timeout" +./automation/scripts/console.exp |& sed 's/\r\+$//' +TEST_RESULT=$? + +if [ -n "$retrieve_xml" ]; then + nc -w 10 "$SUT_ADDR" 8080 > tests-junit.xml Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:23:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338543.1599600 (Exim 4.92) (envelope-from ) id 1wZCtk-00020E-Jc; Mon, 15 Jun 2026 19:23:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338543.1599600; Mon, 15 Jun 2026 19:23:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtk-000207-Gr; Mon, 15 Jun 2026 19:23:04 +0000 Received: by outflank-mailman (input) for mailman id 1338543; Mon, 15 Jun 2026 19:23:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtj-0001yr-8Z for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCtj-00BCtW-1d for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCtj-00Fwx0-0d for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rTh8tKa3Zzyj7StnaluBpjCua7+EXzBxY/DPBLFu3+8=; b=c5wiSehj4r6ImS8eLLzrIl+F6V +Z/xvkTP4bbkgCmn2tEWFeNPbU1yryRsbxwQ1aSQNYqrryfvOHEn8BeqYVea/rHnkA6jSAjRCyz6l qEabErj0u8yUyXjJqK8hkQzt5DSGLirYxCQtZ6sxlqCAabJI0IK//JGs9ypU79qCBMRI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CI: Remove x86 microcode from arm32 jobs Message-Id: Date: Mon, 15 Jun 2026 19:23:03 +0000 commit c109c7aa44ba339f0e6aeaa46b182ba9c0787eed Author: Andrew Cooper AuthorDate: Fri Jun 12 22:43:28 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Remove x86 microcode from arm32 jobs All build containers are non-root now. Complete the todo by dropping the workaround. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/test.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 87b2018a29..20db71b1c9 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -14,12 +14,7 @@ ref: $ARTIFACTS_BRANCH .arm32-test-needs: &arm32-test-needs - # Bodge to ensure binaries/ is non-root. Can be any artefact which comes - # from a non-root container, and microcode-x86 is the smallest. Remove when - # all build containers have become non-root. - - project: $ARTIFACTS_REPO - job: microcode-x86 - ref: $ARTIFACTS_BRANCH + - .x86_64-test-needs: &x86_64-test-needs - project: $ARTIFACTS_REPO -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 19:23:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 19:23:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338544.1599604 (Exim 4.92) (envelope-from ) id 1wZCtu-00022s-L3; Mon, 15 Jun 2026 19:23:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338544.1599604; Mon, 15 Jun 2026 19:23:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtu-00022k-IU; Mon, 15 Jun 2026 19:23:14 +0000 Received: by outflank-mailman (input) for mailman id 1338544; Mon, 15 Jun 2026 19:23:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZCtt-00022c-BF for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZCtt-00BCta-1v for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZCtt-00Fx12-0u for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 19:23:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iYFryDG7GGQZjX1WVzo6Q6o4ZhqHwB4HhMcHa/1/drI=; b=OA/uVw23uIQhF5DxTFnmIUd+R7 D5brIuqW8idacRX6qfXdglWFJ0VLrDHOz3eC07F44iiRoOhr7qpBlPA94zP2izbJfUYBfq4Gh2Ulz zLr8v0JzXvhUkwpaKH3MsSlBYcXDCf3jTD7DmDDjOb4KPJMLHyTK3A4/Z3z+ES6Ajr1A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Update Xen version to 4.22.0-rc2 Message-Id: Date: Mon, 15 Jun 2026 19:23:13 +0000 commit 1cfceee62d8b086a1713d04522f741a09d50cbb3 Author: Andrew Cooper AuthorDate: Mon Jun 15 20:16:58 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 20:16:58 2026 +0100 Update Xen version to 4.22.0-rc2 Signed-off-by: Andrew Cooper --- xen/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/Makefile b/xen/Makefile index 1f11610b5f..419c5eac38 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 22 -export XEN_EXTRAVERSION ?= .0-rc1$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .0-rc2$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:44:10 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338579.1599635 (Exim 4.92) (envelope-from ) id 1wZEA8-0005Jt-NN; Mon, 15 Jun 2026 20:44:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338579.1599635; Mon, 15 Jun 2026 20:44:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEA8-0005Jl-Ks; Mon, 15 Jun 2026 20:44:04 +0000 Received: by outflank-mailman (input) for mailman id 1338579; Mon, 15 Jun 2026 20:44:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEA7-0005Jf-Ng for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEA6-00BEMk-2h for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEA6-00GTr1-1T for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Nm6tXu54HMsBPLPuzcj6wCemSV+O/U/Gh1kI5OFkZl0=; b=Qo/ju7uGnd2WJ3hzalwFoqdpvg Et0Kl2bhFR7L7kvumugOJJ6TsixH4oLVIgEA8gylk7N73xdur363277xzOML+obH+vp6LlDLVubHw z8tfZQsw7Wv3W92GEU5SqicmdMvl3GwSTFK71h3nnyVJjszXNxeFtt360HiAH2f79QEQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xenalyze: Fix -Werror=nonnull failure Message-Id: Date: Mon, 15 Jun 2026 20:44:02 +0000 commit 1a485996d9c50f968e0cb437d3fc91d3942434e3 Author: Andrew Cooper AuthorDate: Fri Jun 12 17:42:56 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 tools/xenalyze: Fix -Werror=nonnull failure GCC 15.2 with Alpine Linux 3.24 fails with -Werror=nonnull, complaining that we're calling bzero(NULL, 128). This is a legitimate diagnostic. xenalyze has it's own error() function shadowing the standard library one, and can in principle return when p is NULL. Extend the check in error() with ERR_MAX_TOLERABLE to short circuit the variable tolerance check. Suggested-by: Anthony PERARD Signed-off-by: Andrew Cooper Release-Acked-by: Oleksii Kurochko --- tools/xentrace/xenalyze.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c index 876d59d42c..42feeb282e 100644 --- a/tools/xentrace/xenalyze.c +++ b/tools/xentrace/xenalyze.c @@ -8767,7 +8767,7 @@ void dump_raw(const char * s, struct record_info *ri) void error(enum error_level l, struct record_info *ri) { - if ( l > opt.tolerance ) + if ( l > ERR_MAX_TOLERABLE || l > opt.tolerance ) { if ( ri ) dump_generic(warn, ri); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:44:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338580.1599639 (Exim 4.92) (envelope-from ) id 1wZEAH-0005LM-Os; Mon, 15 Jun 2026 20:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338580.1599639; Mon, 15 Jun 2026 20:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAH-0005LE-ME; Mon, 15 Jun 2026 20:44:13 +0000 Received: by outflank-mailman (input) for mailman id 1338580; Mon, 15 Jun 2026 20:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAG-0005L4-O5 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEAG-00BEMr-2z for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEAG-00GTvC-1y for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0grHrAS/8T4HqPc17nKyQUypXErw4V1PH9RMhpHTRbc=; b=Qfy8Wryk0BNwMNwzgIb1NMhTcJ GyWbileiJZYvSVdivpIyR8ePSydrmiVyyVM2HK7WDkz/gJhl4LCPhCgyhuZ62R5+6/kI80IjqedAH /sltGwZpBbZRxKM8UhxNvQKYy+KEXWPo22tznXuzuHbCIqpok1SXsSMgirxPAMkne+gw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Config.mk: Update QEMU to include pip-25.2 bugfix Message-Id: Date: Mon, 15 Jun 2026 20:44:12 +0000 commit be361c42853a92980c6f5d7d3a11260121268783 Author: Andrew Cooper AuthorDate: Fri Jun 12 19:33:07 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 Config.mk: Update QEMU to include pip-25.2 bugfix Specifically: commit 6ad034e71232c2929ed546304c9d249312bb632f Author: Sv. Lockal Date: Mon Aug 11 20:01:59 2025 mkvenv: Support pip 25.2 Fix compilation with pip-25.2 due to missing distlib.version Bug: https://gitlab.com/qemu-project/qemu/-/issues/3062 from upstream QEMU. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Anthony PERARD Release-Acked-by: Oleksii Kurochko --- Config.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index 86a4999246..bf0f30424c 100644 --- a/Config.mk +++ b/Config.mk @@ -214,7 +214,7 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= e064f42c80be6f6ff8c12dcb2a663bdf70f965f6 +QEMU_UPSTREAM_REVISION ?= 0edeb44c093bea39f0fe4d936ee363b99113ffe1 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git MINIOS_UPSTREAM_REVISION ?= b6f79f5f44cf69044079c042b88fe9d75367642e -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:44:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338581.1599643 (Exim 4.92) (envelope-from ) id 1wZEAR-0005NV-QK; Mon, 15 Jun 2026 20:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338581.1599643; Mon, 15 Jun 2026 20:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAR-0005NN-Nn; Mon, 15 Jun 2026 20:44:23 +0000 Received: by outflank-mailman (input) for mailman id 1338581; Mon, 15 Jun 2026 20:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAQ-0005ND-Tw for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEAR-00BEND-0O for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEAQ-00GTz2-2G for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EQRTqe5JISElkhkwgje7HIyVo4bhvDYZgWtGAWV0sEE=; b=5UD7ZYbex6SOQIZAw6Lscw/VFI Ns9xUYTRTkXDMxSOZ8U5ouYIUymY2OAqvt2NSFPOlOHovzveApzULNUw+qD7gZHenrznwyC6rfAM/ ycWwhOGJirOA22O6dIPBn6sMwVNht9KRtybRfM5IOeAcGAQnzR9fkJZbF2M0zxqO/ST0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Introduce new qubes-hw-runner.dockerfile Message-Id: Date: Mon, 15 Jun 2026 20:44:22 +0000 commit 4dff3f89c1c5f22f751f1ca9790a6cf23ad09356 Author: Andrew Cooper AuthorDate: Mon Jun 8 20:16:57 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Introduce new qubes-hw-runner.dockerfile This container is tied to gitlab-runner environment in the RPis driving the test systems, not a specific version of Alpine. Intentionally give it a generic name so it need not change in the future. Switch to Alpine 3.24 right away, as it doesn't interact with the 3.18 builds under test. The container needs to remain a root container. By no longer using the arm64v8 build container for dual-purpose, we can finally make the build containers be non-root. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/qubes-hw-runner.dockerfile | 21 +++++++++++++++++++++ automation/gitlab-ci/test.yaml | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/automation/build/alpine/qubes-hw-runner.dockerfile b/automation/build/alpine/qubes-hw-runner.dockerfile new file mode 100644 index 0000000000..8b11164872 --- /dev/null +++ b/automation/build/alpine/qubes-hw-runner.dockerfile @@ -0,0 +1,21 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/arm64/v8 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN < Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338582.1599647 (Exim 4.92) (envelope-from ) id 1wZEAb-0005Pe-S4; Mon, 15 Jun 2026 20:44:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338582.1599647; Mon, 15 Jun 2026 20:44:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAb-0005PW-P6; Mon, 15 Jun 2026 20:44:33 +0000 Received: by outflank-mailman (input) for mailman id 1338582; Mon, 15 Jun 2026 20:44:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAb-0005PP-02 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEAb-00BENH-0k for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEAa-00GU35-2u for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=m0aGwSrMTh8r6Rg5BFxOZntWE+DiaJYiJNdYev/La8U=; b=JfoEEv+9veVOCnhmPPUaX/jo/I 17oGYAG3B3HwBLnu61GW25r40lHhiJ5wErOuX6/1tNE8DLLDmQwwlDBviXShI+oFJB8Zqc6gNvC10 GW/iPTrmdaCFE6twF1DJ2gU3Orw9uJKKc1r4V8T+agMl/PxLdP8yxFIl/v29vWs1ElS8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Update the Alpine x86_64 container to 3.24 Message-Id: Date: Mon, 15 Jun 2026 20:44:32 +0000 commit 694302cc84db4a221560def6c12c18d8bdca4c95 Author: Andrew Cooper AuthorDate: Fri Jun 12 16:07:38 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Update the Alpine x86_64 container to 3.24 Perform standard syntax cleanup and make it a non-root container. Switch yajl for json-c given the deprecation of the former. Add an x86_64 suffix for naming consistency with everything else. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/3.18.dockerfile | 52 -------------------- automation/build/alpine/3.24-x86_64.dockerfile | 65 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 16 +++---- automation/gitlab-ci/test.yaml | 66 +++++++++++++------------- automation/scripts/containerize | 2 +- 5 files changed, 107 insertions(+), 94 deletions(-) diff --git a/automation/build/alpine/3.18.dockerfile b/automation/build/alpine/3.18.dockerfile deleted file mode 100644 index 263e9e90d8..0000000000 --- a/automation/build/alpine/3.18.dockerfile +++ /dev/null @@ -1,52 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 alpine:3.18 -LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ - \ - # xen build deps - argp-standalone \ - autoconf \ - bash \ - bison \ - clang \ - curl \ - dev86 \ - flex \ - g++ \ - gcc \ - git \ - grep \ - iasl \ - libaio-dev \ - libc6-compat \ - linux-headers \ - make \ - musl-dev \ - ncurses-dev \ - ocaml \ - ocaml-findlib \ - patch \ - python3-dev \ - py3-setuptools \ - texinfo \ - util-linux-dev \ - xz-dev \ - yajl-dev \ - zlib-dev \ - \ - # qemu build deps - glib-dev \ - libattr \ - libcap-ng-dev \ - ninja \ - pixman-dev \ - # livepatch-tools deps - elfutils-dev \ diff --git a/automation/build/alpine/3.24-x86_64.dockerfile b/automation/build/alpine/3.24-x86_64.dockerfile new file mode 100644 index 0000000000..f93158e018 --- /dev/null +++ b/automation/build/alpine/3.24-x86_64.dockerfile @@ -0,0 +1,65 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN <&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug-argo: extends: .xilinx-x86_64 script: - ./automation/scripts/xilinx-smoke-dom0-x86_64.sh argo 2>&1 | tee ${LOGFILE} needs: - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug - project: xen-project/hardware/test-artifacts job: linux-6.6.56-x86_64 ref: master - project: xen-project/hardware/test-artifacts - job: alpine-3.18-x86_64-rootfs + job: alpine-3.24-x86_64-rootfs ref: master - project: xen-project/hardware/test-artifacts job: microcode-x86 @@ -260,7 +260,7 @@ adl-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-smoke-x86-64-dom0pvh-gcc-debug: extends: .adl-x86-64 @@ -268,7 +268,7 @@ adl-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .adl-x86-64 @@ -276,7 +276,7 @@ adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-suspend-x86-64-gcc-debug: extends: .adl-x86-64 @@ -284,7 +284,7 @@ adl-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pci-pv-x86-64-gcc-debug: extends: .adl-x86-64 @@ -292,7 +292,7 @@ adl-pci-pv-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pci-hvm-x86-64-gcc-debug: extends: .adl-x86-64 @@ -300,7 +300,7 @@ adl-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-pvshim-x86-64-gcc-debug: extends: .adl-x86-64 @@ -308,7 +308,7 @@ adl-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-tools-tests-pv-x86-64-gcc-debug: extends: .adl-x86-64 @@ -319,7 +319,7 @@ adl-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug adl-tools-tests-pvh-x86-64-gcc-debug: extends: .adl-x86-64 @@ -330,7 +330,7 @@ adl-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -338,7 +338,7 @@ kbl-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-dom0pvh-gcc-debug: extends: .kbl-x86-64 @@ -346,7 +346,7 @@ kbl-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .kbl-x86-64 @@ -354,7 +354,7 @@ kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-suspend-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -362,7 +362,7 @@ kbl-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pci-pv-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -370,7 +370,7 @@ kbl-pci-pv-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pci-hvm-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -378,7 +378,7 @@ kbl-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-pvshim-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -386,7 +386,7 @@ kbl-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-tools-tests-pv-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -397,7 +397,7 @@ kbl-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug kbl-tools-tests-pvh-x86-64-gcc-debug: extends: .kbl-x86-64 @@ -408,7 +408,7 @@ kbl-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen2-smoke-x86-64-gcc-debug: extends: .zen2-x86-64 @@ -416,7 +416,7 @@ zen2-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen2-suspend-x86-64-gcc-debug: extends: .zen2-x86-64 @@ -424,7 +424,7 @@ zen2-suspend-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -432,7 +432,7 @@ zen3p-smoke-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-dom0pvh-gcc-debug: extends: .zen3p-x86-64 @@ -440,7 +440,7 @@ zen3p-smoke-x86-64-dom0pvh-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: extends: .zen3p-x86-64 @@ -448,7 +448,7 @@ zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-pci-hvm-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -456,7 +456,7 @@ zen3p-pci-hvm-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-pvshim-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -464,7 +464,7 @@ zen3p-pvshim-x86-64-gcc-debug: - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-tools-tests-pv-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -475,7 +475,7 @@ zen3p-tools-tests-pv-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug zen3p-tools-tests-pvh-x86-64-gcc-debug: extends: .zen3p-x86-64 @@ -486,7 +486,7 @@ zen3p-tools-tests-pvh-x86-64-gcc-debug: junit: tests-junit.xml needs: - *x86-64-test-needs - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug qemu-smoke-dom0-arm64-gcc: extends: .qemu-arm64 @@ -654,7 +654,7 @@ qemu-alpine-x86_64-gcc: - ./automation/scripts/qemu-alpine-x86_64.sh 2>&1 | tee ${LOGFILE} needs: - *x86-64-test-needs - - alpine-3.18-gcc + - alpine-3.24-x86_64-gcc qemu-smoke-x86-64-gcc: extends: .qemu-smoke-x86-64 @@ -698,7 +698,7 @@ qemu-xtf-argo-x86_64-gcc-debug: script: - ./automation/scripts/qemu-xtf.sh x86-64 pv64 argo 2>&1 | tee ${LOGFILE} needs: - - alpine-3.18-gcc-debug + - alpine-3.24-x86_64-gcc-debug qemu-smoke-riscv64-gcc: extends: .qemu-riscv64 diff --git a/automation/scripts/containerize b/automation/scripts/containerize index aea842e1ff..e9b2f6122f 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -24,7 +24,7 @@ die() { # BASE="registry.gitlab.com/xen-project/xen" case "_${CONTAINER}" in - _alpine) CONTAINER="${BASE}/alpine:3.18" ;; + _alpine) CONTAINER="${BASE}/alpine:3.24-x86_64" ;; _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current-x86_64" ;; _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:44:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338583.1599651 (Exim 4.92) (envelope-from ) id 1wZEAl-0005S2-V3; Mon, 15 Jun 2026 20:44:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338583.1599651; Mon, 15 Jun 2026 20:44:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAl-0005Ru-ST; Mon, 15 Jun 2026 20:44:43 +0000 Received: by outflank-mailman (input) for mailman id 1338583; Mon, 15 Jun 2026 20:44:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAl-0005Rn-4a for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEAl-00BENL-1E for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEAl-00GUA4-02 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ilKZlEvd/H3jM53ly3to+JXomKu2rRIM5AW1vVrkuh4=; b=OgEGH4Du3TZjK/NzXCsWFhl8LI u9Wxco22YAG9o3Pllkw1f4CYZ6AESLl6P6qDv1Wy5nICZYboyp3hnaRPqCwkIpTmhHBYy/odHcfyU v4BQFjoAdVj+FRHCuG9Mn8q/llTOZDV5WK1N3O1CeRle3wge+wIuOPZXBSUyaJB4mMXo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Update the Alpine arm64 container to 3.24 Message-Id: Date: Mon, 15 Jun 2026 20:44:43 +0000 commit cfaaf09a5ec434ea6c454e911a4485970db16458 Author: Andrew Cooper AuthorDate: Fri Jun 12 16:08:17 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Update the Alpine arm64 container to 3.24 Perform standard syntax cleanup and make it a non-root container. Switch yajl for json-c given the deprecation of the former. Drop dev86 which is an x86-only dependency, and QEMU dependencies as we don't build QEMU in this environment any more. When updating the job names, also rename some for consistency so the arm64 fragment comes before the compiler. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/build/alpine/3.18-arm64v8.dockerfile | 51 ------------------------ automation/build/alpine/3.24-arm64v8.dockerfile | 53 +++++++++++++++++++++++++ automation/gitlab-ci/build.yaml | 32 +++++++-------- automation/gitlab-ci/test.yaml | 30 +++++++------- automation/scripts/containerize | 2 +- 5 files changed, 85 insertions(+), 83 deletions(-) diff --git a/automation/build/alpine/3.18-arm64v8.dockerfile b/automation/build/alpine/3.18-arm64v8.dockerfile deleted file mode 100644 index b8482d5bf4..0000000000 --- a/automation/build/alpine/3.18-arm64v8.dockerfile +++ /dev/null @@ -1,51 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/arm64/v8 alpine:3.18 -LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ - \ - # xen build deps - argp-standalone \ - autoconf \ - bash \ - bison \ - curl \ - dev86 \ - dtc-dev \ - flex \ - gcc \ - git \ - iasl \ - libaio-dev \ - libfdt \ - linux-headers \ - make \ - musl-dev \ - ncurses-dev \ - ocaml \ - ocaml-findlib \ - patch \ - python3-dev \ - py3-setuptools \ - texinfo \ - util-linux-dev \ - xz-dev \ - yajl-dev \ - zlib-dev \ - \ - # qemu build deps - glib-dev \ - libattr \ - libcap-ng-dev \ - pixman-dev \ - # qubes test deps - openssh-client \ - fakeroot \ - expect \ diff --git a/automation/build/alpine/3.24-arm64v8.dockerfile b/automation/build/alpine/3.24-arm64v8.dockerfile new file mode 100644 index 0000000000..5b28d874ef --- /dev/null +++ b/automation/build/alpine/3.24-arm64v8.dockerfile @@ -0,0 +1,53 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/arm64/v8 alpine:3.24 +LABEL maintainer.name="The Xen Project" +LABEL maintainer.email="xen-devel@lists.xenproject.org" + +RUN apk --no-cache add bash + +RUN <&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug xilinx-smoke-dom0less-arm64-gcc-debug-gem-passthrough: extends: .xilinx-arm64 @@ -228,7 +228,7 @@ xilinx-smoke-dom0less-arm64-gcc-debug-gem-passthrough: - ./automation/scripts/xilinx-smoke-dom0less-arm64.sh gem-passthrough 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug: extends: .xilinx-x86_64 @@ -494,7 +494,7 @@ qemu-smoke-dom0-arm64-gcc: - ./automation/scripts/qemu-smoke-dom0-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-smoke-dom0-arm64-gcc-debug: extends: .qemu-arm64 @@ -502,7 +502,7 @@ qemu-smoke-dom0-arm64-gcc-debug: - ./automation/scripts/qemu-smoke-dom0-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc: extends: .qemu-arm64 @@ -510,7 +510,7 @@ qemu-smoke-dom0less-arm64-gcc: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-smoke-dom0less-arm64-gcc-debug: extends: .qemu-arm64 @@ -518,7 +518,7 @@ qemu-smoke-dom0less-arm64-gcc-debug: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-gicv3: extends: .qemu-arm64 @@ -526,7 +526,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-gicv3: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh gicv3 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-staticmem: extends: .qemu-arm64 @@ -534,7 +534,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-staticmem: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-mem 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-staticmem + - alpine-3.24-arm64-gcc-debug-staticmem qemu-smoke-dom0less-arm64-gcc-debug-staticheap: extends: .qemu-arm64 @@ -542,7 +542,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-staticheap: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-heap 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0less-arm64-gcc-debug-static-shared-mem: extends: .qemu-arm64 @@ -550,7 +550,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-static-shared-mem: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh static-shared-mem 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-static-shared-mem + - alpine-3.24-arm64-gcc-debug-static-shared-mem qemu-smoke-dom0less-arm64-gcc-debug-boot-cpupools: extends: .qemu-arm64 @@ -558,7 +558,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-boot-cpupools: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh boot-cpupools 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-boot-cpupools + - alpine-3.24-arm64-gcc-debug-boot-cpupools qemu-smoke-dom0less-arm64-gcc-debug-earlyprintk: extends: .qemu-arm64 @@ -566,7 +566,7 @@ qemu-smoke-dom0less-arm64-gcc-debug-earlyprintk: - ./automation/scripts/qemu-smoke-dom0less-arm64.sh earlyprintk 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64-earlyprintk + - alpine-3.24-arm64-gcc-debug-earlyprintk qemu-xtf-dom0less-arm64-gcc-hyp-xen-version: extends: .qemu-arm64 @@ -574,7 +574,7 @@ qemu-xtf-dom0less-arm64-gcc-hyp-xen-version: - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-arm64 + - alpine-3.24-arm64-gcc qemu-xtf-dom0less-arm64-gcc-debug-hyp-xen-version: extends: .qemu-arm64 @@ -582,7 +582,7 @@ qemu-xtf-dom0less-arm64-gcc-debug-hyp-xen-version: - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 | tee ${LOGFILE} needs: - *arm64-test-needs - - alpine-3.18-gcc-debug-arm64 + - alpine-3.24-arm64-gcc-debug qemu-smoke-dom0-arm32-gcc: extends: .qemu-arm32 diff --git a/automation/scripts/containerize b/automation/scripts/containerize index e9b2f6122f..feadd9e82f 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -25,7 +25,7 @@ die() { BASE="registry.gitlab.com/xen-project/xen" case "_${CONTAINER}" in _alpine) CONTAINER="${BASE}/alpine:3.24-x86_64" ;; - _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;; + _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.24-arm64v8" ;; _archlinux|_arch) CONTAINER="${BASE}/archlinux:current-x86_64" ;; _fedora) CONTAINER="${BASE}/fedora:43-x86_64";; _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:44:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:44:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338584.1599655 (Exim 4.92) (envelope-from ) id 1wZEAw-0005Tq-12; Mon, 15 Jun 2026 20:44:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338584.1599655; Mon, 15 Jun 2026 20:44:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAv-0005Tj-Tx; Mon, 15 Jun 2026 20:44:53 +0000 Received: by outflank-mailman (input) for mailman id 1338584; Mon, 15 Jun 2026 20:44:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEAv-0005Td-79 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEAv-00BENR-1V for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEAv-00GUFD-0V for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:44:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iFoWvsMOOUwyCAZ3XyOgyxW8RFuFJwnUPzgSPUeg0hM=; b=Uk4j1FIKhHmaRVw18afZ8rRvoP hLU3pFAc8F1+16vleMxiJ9cKVURfvGCIikIDmgDeRq98lnRqtfAICLyCDsoulX9u0m0GrQyJ75zEm grMXXO5lr6W3NwIwb+FFxoNYQXM2uVNBLb5Qg/33mSwXCJwctPhjzlSArs7Xl3NFO7ZQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Fix inconsistent use of x86-{64,32} vs x86_{64,32} Message-Id: Date: Mon, 15 Jun 2026 20:44:53 +0000 commit 66f59e7657d697a1c117808c6062fb0930423a0f Author: Andrew Cooper AuthorDate: Fri Jun 12 22:23:16 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Fix inconsistent use of x86-{64,32} vs x86_{64,32} The configuration uses a mix of dashes and underscores, which is irritating to develop for. Switch to using the underscore form consistently; it is the more common form and it has the benefit that it allows splitting on dashes to work sensibly. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/build.yaml | 154 +++++------ automation/gitlab-ci/test.yaml | 280 +++++++++---------- .../scripts/include/configs/xtf-x86-64-config | 0 .../scripts/include/configs/xtf-x86-64-efi-config | 0 .../scripts/include/configs/xtf-x86_64-config | 0 .../scripts/include/configs/xtf-x86_64-efi-config | 0 automation/scripts/include/xtf-x86-64 | 32 --- automation/scripts/include/xtf-x86-64-efi | 59 ---- automation/scripts/include/xtf-x86_64 | 32 +++ automation/scripts/include/xtf-x86_64-efi | 59 ++++ automation/scripts/qubes-x86-64.sh | 302 --------------------- automation/scripts/qubes-x86_64.sh | 302 +++++++++++++++++++++ 12 files changed, 610 insertions(+), 610 deletions(-) diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml index fa054a8280..d5929e34ec 100644 --- a/automation/gitlab-ci/build.yaml +++ b/automation/gitlab-ci/build.yaml @@ -36,77 +36,77 @@ CXX: clang++ clang: y -.x86-64-build-tmpl: +.x86_64-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_64 tags: - x86_64 -.x86-64-build: - extends: .x86-64-build-tmpl +.x86_64-build: + extends: .x86_64-build-tmpl variables: debug: n -.x86-64-build-debug: - extends: .x86-64-build-tmpl +.x86_64-build-debug: + extends: .x86_64-build-tmpl variables: debug: y -.x86-32-build-tmpl: +.x86_32-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_32 tags: - x86_32 -.x86-32-build: - extends: .x86-32-build-tmpl +.x86_32-build: + extends: .x86_32-build-tmpl variables: debug: n -.x86-32-build-debug: - extends: .x86-32-build-tmpl +.x86_32-build-debug: + extends: .x86_32-build-tmpl variables: debug: y -.gcc-x86-64-build: - extends: .x86-64-build +.gcc-x86_64-build: + extends: .x86_64-build variables: <<: *gcc -.gcc-x86-64-build-debug: - extends: .x86-64-build-debug +.gcc-x86_64-build-debug: + extends: .x86_64-build-debug variables: <<: *gcc -.gcc-x86-32-build: - extends: .x86-32-build +.gcc-x86_32-build: + extends: .x86_32-build variables: <<: *gcc -.gcc-x86-32-build-debug: - extends: .x86-32-build-debug +.gcc-x86_32-build-debug: + extends: .x86_32-build-debug variables: <<: *gcc -.clang-x86-64-build: - extends: .x86-64-build +.clang-x86_64-build: + extends: .x86_64-build variables: <<: *clang -.clang-x86-64-build-debug: - extends: .x86-64-build-debug +.clang-x86_64-build-debug: + extends: .x86_64-build-debug variables: <<: *clang -.clang-x86-32-build: - extends: .x86-32-build +.clang-x86_32-build: + extends: .x86_32-build variables: <<: *clang -.clang-x86-32-build-debug: - extends: .x86-32-build-debug +.clang-x86_32-build-debug: + extends: .x86_32-build-debug variables: <<: *clang @@ -244,25 +244,25 @@ tags: - arm64 -.yocto-test-x86-64: +.yocto-test-x86_64: extends: .yocto-test tags: - x86_64 -.x86-64-cross-build-tmpl: +.x86_64-cross-build-tmpl: <<: *build variables: XEN_TARGET_ARCH: x86_64 tags: - arm64 -.x86-64-cross-build: - extends: .x86-64-cross-build-tmpl +.x86_64-cross-build: + extends: .x86_64-cross-build-tmpl variables: debug: n -.gcc-x86-64-cross-build: - extends: .x86-64-cross-build +.gcc-x86_64-cross-build: + extends: .x86_64-cross-build variables: <<: *gcc @@ -271,13 +271,13 @@ # Build jobs needed for tests alpine-3.24-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build <<: *build-test variables: CONTAINER: alpine:3.24-x86_64 alpine-3.24-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug <<: *build-test variables: CONTAINER: alpine:3.24-x86_64 @@ -292,13 +292,13 @@ alpine-3.24-x86_64-gcc-debug: CONFIG_XHCI=y debian-13-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug <<: *build-test variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug <<: *build-test variables: CONTAINER: debian:13-x86_64 @@ -482,14 +482,14 @@ yocto-qemuarm: YOCTO_OUTPUT: --copy-output yocto-qemux86-64: - extends: .yocto-test-x86-64 + extends: .yocto-test-x86_64 variables: YOCTO_BOARD: qemux86-64 # Cppcheck analysis jobs debian-12-x86_64-gcc-cppcheck: - extends: .gcc-x86-64-cross-build + extends: .gcc-x86_64-cross-build variables: CONTAINER: debian:12-arm64v8-cppcheck CROSS_COMPILE: /usr/bin/x86_64-linux-gnu- @@ -514,29 +514,29 @@ debian-12-arm64-gcc-cppcheck: # Build jobs not needed for tests alpine-3.24-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: alpine:3.24-x86_64 alpine-3.24-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: alpine:3.24-x86_64 archlinux-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: archlinux:current-x86_64 allow_failure: true archlinux-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: archlinux:current-x86_64 allow_failure: true debian-12-x86_64-gcc-ibt: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:12-x86_64-gcc-ibt RANDCONFIG: y @@ -544,42 +544,42 @@ debian-12-x86_64-gcc-ibt: CONFIG_XEN_IBT=y debian-12-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:12-x86_64 debian-12-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: debian:12-x86_64 debian-12-x86_32-clang-debug: - extends: .clang-x86-32-build-debug + extends: .clang-x86_32-build-debug variables: CONTAINER: debian:12-x86_32 debian-12-x86_32-gcc-debug: - extends: .gcc-x86-32-build-debug + extends: .gcc-x86_32-build-debug variables: CONTAINER: debian:12-x86_32 debian-13-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-clang-randconfig: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: debian:13-x86_64 RANDCONFIG: y @@ -587,136 +587,136 @@ debian-13-x86_64-clang-randconfig: CONFIG_COVERAGE=n # Disable coverage otherwise build times out. debian-13-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:13-x86_64 debian-13-x86_64-gcc-randconfig: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: debian:13-x86_64 RANDCONFIG: y debian-13-x86_32-clang-debug: - extends: .clang-x86-32-build-debug + extends: .clang-x86_32-build-debug variables: CONTAINER: debian:13-x86_32 debian-13-x86_32-gcc-debug: - extends: .gcc-x86-32-build-debug + extends: .gcc-x86_32-build-debug variables: CONTAINER: debian:13-x86_32 fedora-43-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: fedora:43-x86_64 fedora-43-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: fedora:43-x86_64 ubuntu-18.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:18.04-x86_64 ubuntu-18.04-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: ubuntu:18.04-x86_64 ubuntu-20.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:20.04-x86_64 ubuntu-22.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-22.04-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-22.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:22.04-x86_64 ubuntu-24.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:24.04-x86_64 ubuntu-24.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:24.04-x86_64 ubuntu-26.04-x86_64-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: ubuntu:26.04-x86_64 ubuntu-26.04-x86_64-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: ubuntu:26.04-x86_64 opensuse-leap-16.0-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-leap-16.0-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: opensuse:leap-16.0-x86_64 opensuse-tumbleweed-clang: - extends: .clang-x86-64-build + extends: .clang-x86_64-build variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-clang-debug: - extends: .clang-x86-64-build-debug + extends: .clang-x86_64-build-debug variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-gcc: - extends: .gcc-x86-64-build + extends: .gcc-x86_64-build variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true opensuse-tumbleweed-gcc-debug: - extends: .gcc-x86-64-build-debug + extends: .gcc-x86_64-build-debug variables: CONTAINER: opensuse:tumbleweed-x86_64 allow_failure: true diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index cae8dfe970..87b2018a29 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -21,7 +21,7 @@ job: microcode-x86 ref: $ARTIFACTS_BRANCH -.x86-64-test-needs: &x86-64-test-needs +.x86_64-test-needs: &x86_64-test-needs - project: $ARTIFACTS_REPO job: $LINUX_JOB_X86_64 ref: $ARTIFACTS_BRANCH @@ -58,11 +58,11 @@ tags: - arm64 -.qemu-x86-64: +.qemu-x86_64: extends: .test-jobs-common variables: CONTAINER: debian:13-x86_64 - LOGFILE: qemu-smoke-x86-64.log + LOGFILE: qemu-smoke-x86_64.log artifacts: paths: - smoke.serial @@ -71,8 +71,8 @@ tags: - x86_64 -.qemu-smoke-x86-64: - extends: .qemu-x86-64 +.qemu-smoke-x86_64: + extends: .qemu-x86_64 variables: TEST_TIMEOUT_OVERRIDE: 120 @@ -141,7 +141,7 @@ tags: - xilinx-crater-001 -.adl-x86-64: +.adl-x86_64: extends: .test-jobs-common variables: # the test controller runs on RPi4 @@ -164,9 +164,9 @@ tags: - qubes-hw2 -.kbl-x86-64: +.kbl-x86_64: # it's really similar to the ADL one - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "00:1f.6" PCIDEV_INTR: "MSI" @@ -175,9 +175,9 @@ tags: - qubes-hw3 -.zen2-x86-64: +.zen2-x86_64: # it's really similar to the above - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "01:00.0" PCIDEV_INTR: "MSI-X" @@ -186,9 +186,9 @@ tags: - qubes-hw1 -.zen3p-x86-64: +.zen3p-x86_64: # it's really similar to the above - extends: .adl-x86-64 + extends: .adl-x86_64 variables: PCIDEV: "01:00.0" PCIDEV_INTR: "MSI-X" @@ -235,7 +235,7 @@ xilinx-smoke-dom0-x86_64-gcc-debug: script: - ./automation/scripts/xilinx-smoke-dom0-x86_64.sh ping 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug xilinx-smoke-dom0-x86_64-gcc-debug-argo: @@ -254,238 +254,238 @@ xilinx-smoke-dom0-x86_64-gcc-debug-argo: job: microcode-x86 ref: master -adl-smoke-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-smoke-x86-64-dom0pvh-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-dom0pvh-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .adl-x86-64 +adl-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-suspend-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-suspend-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pci-pv-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pci-pv-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pci-hvm-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pci-hvm-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-pvshim-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-pvshim-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-tools-tests-pv-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-tools-tests-pv-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -adl-tools-tests-pvh-x86-64-gcc-debug: - extends: .adl-x86-64 +adl-tools-tests-pvh-x86_64-gcc-debug: + extends: .adl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-dom0pvh-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-dom0pvh-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .kbl-x86-64 +kbl-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-suspend-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-suspend-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pci-pv-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pci-pv-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pci-hvm-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pci-hvm-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-pvshim-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-pvshim-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-tools-tests-pv-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-tools-tests-pv-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -kbl-tools-tests-pvh-x86-64-gcc-debug: - extends: .kbl-x86-64 +kbl-tools-tests-pvh-x86_64-gcc-debug: + extends: .kbl-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen2-smoke-x86-64-gcc-debug: - extends: .zen2-x86-64 +zen2-smoke-x86_64-gcc-debug: + extends: .zen2-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen2-suspend-x86-64-gcc-debug: - extends: .zen2-x86-64 +zen2-suspend-x86_64-gcc-debug: + extends: .zen2-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh s3 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh s3 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pv 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-dom0pvh-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-dom0pvh-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-smoke-x86-64-dom0pvh-hvm-gcc-debug: - extends: .zen3p-x86-64 +zen3p-smoke-x86_64-dom0pvh-hvm-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh dom0pvh-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-pci-hvm-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-pci-hvm-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pci-hvm 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-pvshim-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-pvshim-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh pvshim 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh pvshim 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-tools-tests-pv-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-tools-tests-pv-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pv 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug -zen3p-tools-tests-pvh-x86-64-gcc-debug: - extends: .zen3p-x86-64 +zen3p-tools-tests-pvh-x86_64-gcc-debug: + extends: .zen3p-x86_64 script: - - ./automation/scripts/qubes-x86-64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qubes-x86_64.sh tools-tests-pvh 2>&1 | tee ${LOGFILE} artifacts: reports: junit: tests-junit.xml needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc-debug qemu-smoke-dom0-arm64-gcc: @@ -649,54 +649,54 @@ qemu-smoke-dom0less-arm32-gcc-debug-earlyprintk: - debian-12-arm32-gcc-debug-earlyprintk qemu-alpine-x86_64-gcc: - extends: .qemu-x86-64 + extends: .qemu-x86_64 script: - ./automation/scripts/qemu-alpine-x86_64.sh 2>&1 | tee ${LOGFILE} needs: - - *x86-64-test-needs + - *x86_64-test-needs - alpine-3.24-x86_64-gcc -qemu-smoke-x86-64-gcc: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug -qemu-smoke-x86-64-clang: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-clang: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-clang-debug -qemu-smoke-x86-64-gcc-pvh: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc-pvh: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 hvm64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 hvm64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug -qemu-smoke-x86-64-clang-pvh: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-clang-pvh: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64 hvm64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 hvm64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-clang-debug -qemu-smoke-x86-64-gcc-efi: - extends: .qemu-smoke-x86-64 +qemu-smoke-x86_64-gcc-efi: + extends: .qemu-smoke-x86_64 script: - - ./automation/scripts/qemu-xtf.sh x86-64-efi pv64 example 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64-efi pv64 example 2>&1 | tee ${LOGFILE} needs: - debian-13-x86_64-gcc-debug qemu-xtf-argo-x86_64-gcc-debug: - extends: .qemu-smoke-x86-64 + extends: .qemu-smoke-x86_64 variables: TEST_TIMEOUT_OVERRIDE: 60 script: - - ./automation/scripts/qemu-xtf.sh x86-64 pv64 argo 2>&1 | tee ${LOGFILE} + - ./automation/scripts/qemu-xtf.sh x86_64 pv64 argo 2>&1 | tee ${LOGFILE} needs: - alpine-3.24-x86_64-gcc-debug diff --git a/automation/scripts/include/configs/xtf-x86-64-config b/automation/scripts/include/configs/xtf-x86-64-config deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/automation/scripts/include/configs/xtf-x86-64-efi-config b/automation/scripts/include/configs/xtf-x86-64-efi-config deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/automation/scripts/include/configs/xtf-x86_64-config b/automation/scripts/include/configs/xtf-x86_64-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/automation/scripts/include/configs/xtf-x86_64-efi-config b/automation/scripts/include/configs/xtf-x86_64-efi-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/automation/scripts/include/xtf-x86-64 b/automation/scripts/include/xtf-x86-64 deleted file mode 100644 index 186f074bd8..0000000000 --- a/automation/scripts/include/xtf-x86-64 +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -# -# XTF test utilities (x86_64). -# - -# Arch-specific environment overrides. -function xtf_arch_prepare() -{ - export FW_PREFIX="${FW_PREFIX:-}" - export QEMU_PREFIX="${QEMU_PREFIX:-}" - export XEN_BINARY="${XEN_BINARY:-${WORKDIR}/xen}" - export XEN_CMDLINE="${XEN_CMDLINE:-loglvl=all noreboot console_timestamps=boot console=com1}" - export XTF_SRC_BRANCH="${XTF_SRC_BRANCH:-master}" - export XTF_SRC_URI="${XTF_SRC_URI:-https://xenbits.xen.org/git-http/xtf.git}" - export XTF_SRC_VARIANTS="hvm64 pv64" -} - -# Perform arch-specific XTF environment setup. -function xtf_arch_setup() -{ - export TEST_CMD="${QEMU_PREFIX}qemu-system-x86_64 \ - -no-reboot \ - -nographic \ - -monitor none \ - -serial stdio \ - -m 2048 \ - -smp 2 \ - -kernel ${XEN_BINARY} \ - -initrd ${XTF_BINARY} \ - -append \"${XEN_CMDLINE}\" \ - " -} diff --git a/automation/scripts/include/xtf-x86-64-efi b/automation/scripts/include/xtf-x86-64-efi deleted file mode 100644 index 15c6463dcd..0000000000 --- a/automation/scripts/include/xtf-x86-64-efi +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/bash -# -# XTF test utilities (x86_64, EFI). -# - -# Arch-specific environment overrides. -function xtf_arch_prepare() -{ - export FW_PREFIX="${FW_PREFIX:-/usr/share/OVMF/}" - export QEMU_PREFIX="${QEMU_PREFIX:-}" - export XEN_BINARY="${XEN_BINARY:-${WORKDIR}/xen.efi}" - export XEN_CMDLINE="${XEN_CMDLINE:-loglvl=all noreboot console_timestamps=boot console=com1}" - export XTF_SRC_BRANCH="${XTF_SRC_BRANCH:-master}" - export XTF_SRC_URI="${XTF_SRC_URI:-https://xenbits.xen.org/git-http/xtf.git}" - export XTF_SRC_VARIANTS="hvm64 pv64" -} - -# Perform arch-specific XTF environment setup. -function xtf_arch_setup() -{ - local esp_dir="${WORKDIR}/boot-esp" - local efi_dir="${esp_dir}/EFI/BOOT" - local suff= - - # Generate EFI boot environment - mkdir -p ${efi_dir} - cp ${XEN_BINARY} ${efi_dir}/BOOTX64.EFI - cp ${XTF_BINARY} ${efi_dir}/kernel - - cat > ${efi_dir}/BOOTX64.cfg < ${efi_dir}/BOOTX64.cfg < /sys/power/mem_sleep -echo mem > /sys/power/state -xl list -xl dmesg | grep 'Finishing wakeup from ACPI S3 state' || exit 1 -# check if domU is still alive -ping -c 10 192.168.0.2 || exit 1 -echo \"${passed}\" -" - ;; - - ### test: pci-pv, pci-hvm - "pci-pv"|"pci-hvm") - - if [ -z "$PCIDEV" ]; then - echo "Please set 'PCIDEV' variable with BDF of test network adapter" >&2 - echo "Optionally set also 'PCIDEV_INTR' to 'MSI' or 'MSI-X'" >&2 - exit 1 - fi - - passed="pci test passed" - - domU_type="${test_variant#pci-}" - domU_vif="" - - domU_extra_config=' -extra = "earlyprintk=xen" -pci = [ "'$PCIDEV',seize=1" ] -on_reboot = "destroy" -' - - domU_check=" -set -x -e -interface=eth0 -while ! [ -e \"/sys/class/net/\$interface\" ]; do sleep 1; done -ip link set \"\$interface\" up -timeout 30s udhcpc -i \"\$interface\" -pingip=\$(ip -o -4 r show default|cut -f 3 -d ' ') -ping -c 10 \"\$pingip\" -echo domU started -pcidevice=\$(realpath /sys/class/net/\$interface/device | - sed 's#.*pci0000:00/\\([^/]*\\).*#\\1#') -lspci -vs \$pcidevice -" - if [ -n "$PCIDEV_INTR" ]; then - domU_check="$domU_check -lspci -vs \$pcidevice | fgrep '$PCIDEV_INTR: Enable+' -" - fi - domU_check="$domU_check -echo \"${passed}\" -" - - dom0_check=" -until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do - sleep 1 -done -" - ;; - - ### tests: tools-tests-pv, tools-tests-pvh - "tools-tests-pv"|"tools-tests-pvh") - retrieve_xml=1 - passed="test passed" - domU_check="" - dom0_check=" -/root/run-tools-tests /usr/lib/xen/tests /tmp/tests-junit.xml && echo \"${passed}\" -nc -l -p 8080 < /tmp/tests-junit.xml >/dev/null & -" - if [ "${test_variant}" = "tools-tests-pvh" ]; then - extra_xen_opts="dom0=pvh" - fi - - ;; - - *) - echo "Unrecognised test_variant '${test_variant}'" >&2 - exit 1 - ;; -esac - -domU_config=" -type = '${domU_type}' -name = 'domU' -kernel = '/boot/vmlinuz-domU' -ramdisk = '/boot/initrd-domU' -cmdline = 'root=/dev/ram0 console=hvc0' -memory = 512 -vif = [ ${domU_vif} ] -disk = [ ] -${domU_extra_config} -" - -if [ -n "$domU_check" ]; then - # DomU rootfs - cp binaries/rootfs.cpio.gz binaries/domU-rootfs.cpio.gz - - # test-local configuration - mkdir -p rootfs - cd rootfs - mkdir -p etc/local.d - echo "#!/bin/sh - -echo 8 > /proc/sys/kernel/printk - -${domU_check} -" > etc/local.d/xen.start - chmod +x etc/local.d/xen.start - echo "domU Welcome to Alpine Linux -Kernel \r on an \m (\l) - -" > etc/issue - find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/domU-rootfs.cpio.gz - cd .. - rm -rf rootfs - - # Package domU kernel+rootfs in /boot for dom0 (uncompressed) - mkdir -p rootfs/boot - cd rootfs - cp ../binaries/bzImage boot/vmlinuz-domU - cp ../binaries/domU-rootfs.cpio.gz boot/initrd-domU - find . | cpio -R 0:0 -H newc -o > ../binaries/domU-in-dom0.cpio - cd .. - rm -rf rootfs - - dom0_rootfs_extra_uncomp+=(binaries/domU-in-dom0.cpio) -fi - -# Dom0 rootfs. The order of concatenation is important; ucode wants to come -# first, and all uncompressed must be ahead of compressed. -dom0_rootfs_parts=( - binaries/ucode.cpio - "${dom0_rootfs_extra_uncomp[@]}" - binaries/rootfs.cpio.gz - binaries/xen-tools.cpio.gz - "${dom0_rootfs_extra_comp[@]}" -) -cat "${dom0_rootfs_parts[@]}" > binaries/dom0-rootfs.cpio.gz - -# test-local configuration -mkdir -p rootfs -cd rootfs -mkdir -p boot etc/local.d root -cp -a ../automation/scripts/run-tools-tests root/ - -echo "#!/bin/bash - -bash /etc/init.d/xencommons start - -brctl addbr xenbr0 -brctl addif xenbr0 eth0 -ifconfig eth0 up -ifconfig xenbr0 up -ifconfig xenbr0 192.168.0.1 - -" > etc/local.d/xen.start - -if [ -n "$retrieve_xml" ]; then - echo "timeout 30s udhcpc -i xenbr0" >> etc/local.d/xen.start -fi - -if [ -n "$domU_check" ]; then - echo " -# get domU console content into test log -tail -F /var/log/xen/console/guest-domU.log 2>/dev/null | sed -e \"s/^/(domU) /\" & -tail -F /var/log/xen/qemu-dm-domU.log 2>/dev/null | sed -e \"s/^/(qemu-dm) /\" & -xl -vvv create /etc/xen/domU.cfg -" >> etc/local.d/xen.start -fi - -echo "${dom0_check}" >> etc/local.d/xen.start - -chmod +x etc/local.d/xen.start -mkdir -p etc/xen -echo "$domU_config" > etc/xen/domU.cfg - -mkdir -p etc/default -echo "XENCONSOLED_TRACE=all" >> etc/default/xencommons -echo "QEMU_XEN=/bin/false" >> etc/default/xencommons -mkdir -p var/log/xen/console -find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/dom0-rootfs.cpio.gz -cd .. - - -TFTP=/scratch/gitlab-runner/tftp -CONTROLLER=control@thor.testnet - -echo " -multiboot2 (http)/gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts -module2 (http)/gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen -module2 --nounzip (http)/gitlab-ci/initrd-dom0 -" > $TFTP/grub.cfg - -echo "#!ipxe - -kernel /gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts || reboot -module /gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen || reboot -module /gitlab-ci/initrd-dom0 || reboot -boot -" > $TFTP/boot.ipxe - -cp -f binaries/xen $TFTP/xen -cp -f binaries/bzImage $TFTP/vmlinuz -cp -f binaries/dom0-rootfs.cpio.gz $TFTP/initrd-dom0 - -# start the system pointing at gitlab-ci predefined config -ssh $CONTROLLER gitlabci poweron -trap "ssh $CONTROLLER poweroff" EXIT - -if [ -n "$wait_and_wakeup" ]; then - export SUSPEND_MSG="$wait_and_wakeup" - export WAKEUP_CMD="ssh $CONTROLLER wake" -fi - -export PASSED="${passed}" -export BOOT_MSG="Latest ChangeSet: " -export LOG_MSG="\nWelcome to Alpine Linux" -export TEST_CMD="ssh $CONTROLLER console" -export TEST_LOG="smoke.serial" -export TEST_TIMEOUT="$timeout" -./automation/scripts/console.exp |& sed 's/\r\+$//' -TEST_RESULT=$? - -if [ -n "$retrieve_xml" ]; then - nc -w 10 "$SUT_ADDR" 8080 > tests-junit.xml /sys/power/mem_sleep +echo mem > /sys/power/state +xl list +xl dmesg | grep 'Finishing wakeup from ACPI S3 state' || exit 1 +# check if domU is still alive +ping -c 10 192.168.0.2 || exit 1 +echo \"${passed}\" +" + ;; + + ### test: pci-pv, pci-hvm + "pci-pv"|"pci-hvm") + + if [ -z "$PCIDEV" ]; then + echo "Please set 'PCIDEV' variable with BDF of test network adapter" >&2 + echo "Optionally set also 'PCIDEV_INTR' to 'MSI' or 'MSI-X'" >&2 + exit 1 + fi + + passed="pci test passed" + + domU_type="${test_variant#pci-}" + domU_vif="" + + domU_extra_config=' +extra = "earlyprintk=xen" +pci = [ "'$PCIDEV',seize=1" ] +on_reboot = "destroy" +' + + domU_check=" +set -x -e +interface=eth0 +while ! [ -e \"/sys/class/net/\$interface\" ]; do sleep 1; done +ip link set \"\$interface\" up +timeout 30s udhcpc -i \"\$interface\" +pingip=\$(ip -o -4 r show default|cut -f 3 -d ' ') +ping -c 10 \"\$pingip\" +echo domU started +pcidevice=\$(realpath /sys/class/net/\$interface/device | + sed 's#.*pci0000:00/\\([^/]*\\).*#\\1#') +lspci -vs \$pcidevice +" + if [ -n "$PCIDEV_INTR" ]; then + domU_check="$domU_check +lspci -vs \$pcidevice | fgrep '$PCIDEV_INTR: Enable+' +" + fi + domU_check="$domU_check +echo \"${passed}\" +" + + dom0_check=" +until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do + sleep 1 +done +" + ;; + + ### tests: tools-tests-pv, tools-tests-pvh + "tools-tests-pv"|"tools-tests-pvh") + retrieve_xml=1 + passed="test passed" + domU_check="" + dom0_check=" +/root/run-tools-tests /usr/lib/xen/tests /tmp/tests-junit.xml && echo \"${passed}\" +nc -l -p 8080 < /tmp/tests-junit.xml >/dev/null & +" + if [ "${test_variant}" = "tools-tests-pvh" ]; then + extra_xen_opts="dom0=pvh" + fi + + ;; + + *) + echo "Unrecognised test_variant '${test_variant}'" >&2 + exit 1 + ;; +esac + +domU_config=" +type = '${domU_type}' +name = 'domU' +kernel = '/boot/vmlinuz-domU' +ramdisk = '/boot/initrd-domU' +cmdline = 'root=/dev/ram0 console=hvc0' +memory = 512 +vif = [ ${domU_vif} ] +disk = [ ] +${domU_extra_config} +" + +if [ -n "$domU_check" ]; then + # DomU rootfs + cp binaries/rootfs.cpio.gz binaries/domU-rootfs.cpio.gz + + # test-local configuration + mkdir -p rootfs + cd rootfs + mkdir -p etc/local.d + echo "#!/bin/sh + +echo 8 > /proc/sys/kernel/printk + +${domU_check} +" > etc/local.d/xen.start + chmod +x etc/local.d/xen.start + echo "domU Welcome to Alpine Linux +Kernel \r on an \m (\l) + +" > etc/issue + find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/domU-rootfs.cpio.gz + cd .. + rm -rf rootfs + + # Package domU kernel+rootfs in /boot for dom0 (uncompressed) + mkdir -p rootfs/boot + cd rootfs + cp ../binaries/bzImage boot/vmlinuz-domU + cp ../binaries/domU-rootfs.cpio.gz boot/initrd-domU + find . | cpio -R 0:0 -H newc -o > ../binaries/domU-in-dom0.cpio + cd .. + rm -rf rootfs + + dom0_rootfs_extra_uncomp+=(binaries/domU-in-dom0.cpio) +fi + +# Dom0 rootfs. The order of concatenation is important; ucode wants to come +# first, and all uncompressed must be ahead of compressed. +dom0_rootfs_parts=( + binaries/ucode.cpio + "${dom0_rootfs_extra_uncomp[@]}" + binaries/rootfs.cpio.gz + binaries/xen-tools.cpio.gz + "${dom0_rootfs_extra_comp[@]}" +) +cat "${dom0_rootfs_parts[@]}" > binaries/dom0-rootfs.cpio.gz + +# test-local configuration +mkdir -p rootfs +cd rootfs +mkdir -p boot etc/local.d root +cp -a ../automation/scripts/run-tools-tests root/ + +echo "#!/bin/bash + +bash /etc/init.d/xencommons start + +brctl addbr xenbr0 +brctl addif xenbr0 eth0 +ifconfig eth0 up +ifconfig xenbr0 up +ifconfig xenbr0 192.168.0.1 + +" > etc/local.d/xen.start + +if [ -n "$retrieve_xml" ]; then + echo "timeout 30s udhcpc -i xenbr0" >> etc/local.d/xen.start +fi + +if [ -n "$domU_check" ]; then + echo " +# get domU console content into test log +tail -F /var/log/xen/console/guest-domU.log 2>/dev/null | sed -e \"s/^/(domU) /\" & +tail -F /var/log/xen/qemu-dm-domU.log 2>/dev/null | sed -e \"s/^/(qemu-dm) /\" & +xl -vvv create /etc/xen/domU.cfg +" >> etc/local.d/xen.start +fi + +echo "${dom0_check}" >> etc/local.d/xen.start + +chmod +x etc/local.d/xen.start +mkdir -p etc/xen +echo "$domU_config" > etc/xen/domU.cfg + +mkdir -p etc/default +echo "XENCONSOLED_TRACE=all" >> etc/default/xencommons +echo "QEMU_XEN=/bin/false" >> etc/default/xencommons +mkdir -p var/log/xen/console +find . | cpio -R 0:0 -H newc -o | gzip >> ../binaries/dom0-rootfs.cpio.gz +cd .. + + +TFTP=/scratch/gitlab-runner/tftp +CONTROLLER=control@thor.testnet + +echo " +multiboot2 (http)/gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts +module2 (http)/gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen +module2 --nounzip (http)/gitlab-ci/initrd-dom0 +" > $TFTP/grub.cfg + +echo "#!ipxe + +kernel /gitlab-ci/xen $CONSOLE_OPTS loglvl=all guest_loglvl=all dom0_mem=4G console_timestamps=boot watchdog $extra_xen_opts || reboot +module /gitlab-ci/vmlinuz console=hvc0 root=/dev/ram0 earlyprintk=xen || reboot +module /gitlab-ci/initrd-dom0 || reboot +boot +" > $TFTP/boot.ipxe + +cp -f binaries/xen $TFTP/xen +cp -f binaries/bzImage $TFTP/vmlinuz +cp -f binaries/dom0-rootfs.cpio.gz $TFTP/initrd-dom0 + +# start the system pointing at gitlab-ci predefined config +ssh $CONTROLLER gitlabci poweron +trap "ssh $CONTROLLER poweroff" EXIT + +if [ -n "$wait_and_wakeup" ]; then + export SUSPEND_MSG="$wait_and_wakeup" + export WAKEUP_CMD="ssh $CONTROLLER wake" +fi + +export PASSED="${passed}" +export BOOT_MSG="Latest ChangeSet: " +export LOG_MSG="\nWelcome to Alpine Linux" +export TEST_CMD="ssh $CONTROLLER console" +export TEST_LOG="smoke.serial" +export TEST_TIMEOUT="$timeout" +./automation/scripts/console.exp |& sed 's/\r\+$//' +TEST_RESULT=$? + +if [ -n "$retrieve_xml" ]; then + nc -w 10 "$SUT_ADDR" 8080 > tests-junit.xml Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:45:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338585.1599659 (Exim 4.92) (envelope-from ) id 1wZEB7-0005Wf-44; Mon, 15 Jun 2026 20:45:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338585.1599659; Mon, 15 Jun 2026 20:45:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEB7-0005WW-1J; Mon, 15 Jun 2026 20:45:05 +0000 Received: by outflank-mailman (input) for mailman id 1338585; Mon, 15 Jun 2026 20:45:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEB5-0005WL-AV for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEB5-00BENs-1q for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEB5-00GUKe-0m for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UrhWrNAm96LzDURB3b+sEbHMQeykRBNCk4neHsArbNE=; b=CH/6RpJe0doZanI5eUJX+diEaQ AavHVRlhwjw+OqLmbjmmohMJ7ZtpPXLT2PHYqa6aVRx+LrHL1YYtQ6pzVMtESN7l3fII+TGatMw3y K1Td+OGUuZ/Mojj4sNLgKohlw5xmNITDXPuIZVD83lyYJ6asg1x822uo3iucCbWHziCw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CI: Remove x86 microcode from arm32 jobs Message-Id: Date: Mon, 15 Jun 2026 20:45:03 +0000 commit c109c7aa44ba339f0e6aeaa46b182ba9c0787eed Author: Andrew Cooper AuthorDate: Fri Jun 12 22:43:28 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 18:04:20 2026 +0100 CI: Remove x86 microcode from arm32 jobs All build containers are non-root now. Complete the todo by dropping the workaround. Signed-off-by: Andrew Cooper Reviewed-by: Denis Mukhin Release-Acked-by: Oleksii Kurochko --- automation/gitlab-ci/test.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 87b2018a29..20db71b1c9 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -14,12 +14,7 @@ ref: $ARTIFACTS_BRANCH .arm32-test-needs: &arm32-test-needs - # Bodge to ensure binaries/ is non-root. Can be any artefact which comes - # from a non-root container, and microcode-x86 is the smallest. Remove when - # all build containers have become non-root. - - project: $ARTIFACTS_REPO - job: microcode-x86 - ref: $ARTIFACTS_BRANCH + - .x86_64-test-needs: &x86_64-test-needs - project: $ARTIFACTS_REPO -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 15 20:45:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 15 Jun 2026 20:45:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1338586.1599663 (Exim 4.92) (envelope-from ) id 1wZEBH-0005Yb-5L; Mon, 15 Jun 2026 20:45:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1338586.1599663; Mon, 15 Jun 2026 20:45:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEBH-0005YU-2e; Mon, 15 Jun 2026 20:45:15 +0000 Received: by outflank-mailman (input) for mailman id 1338586; Mon, 15 Jun 2026 20:45:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZEBF-0005YM-Cu for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZEBF-00BEPv-26 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZEBF-00GUOM-17 for xen-changelog@lists.xenproject.org; Mon, 15 Jun 2026 20:45:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=16dJl6Pf7PDx1GYgahCHVv1pBGJAr9qdfB1lZfKGerE=; b=21m6+nqVhOonkjkONcHWUj+NnY WhW13Zq+HQU0JQT0RZNFsEAqC3Qvfz+rCDGXTDBg5/hEHN5LAFn0DZ+MirjShA09pkANpYxX/0LOb 6lpuSJHErKMEX2cz9pBA2fbXAGJKENnNmnTtsg53J9+lszCHyu3W9fPRH2j/zzJStYrg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Update Xen version to 4.22.0-rc2 Message-Id: Date: Mon, 15 Jun 2026 20:45:13 +0000 commit 1cfceee62d8b086a1713d04522f741a09d50cbb3 Author: Andrew Cooper AuthorDate: Mon Jun 15 20:16:58 2026 +0100 Commit: Andrew Cooper CommitDate: Mon Jun 15 20:16:58 2026 +0100 Update Xen version to 4.22.0-rc2 Signed-off-by: Andrew Cooper --- xen/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/Makefile b/xen/Makefile index 1f11610b5f..419c5eac38 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 22 -export XEN_EXTRAVERSION ?= .0-rc1$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .0-rc2$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339272.1600432 (Exim 4.92) (envelope-from ) id 1wZUFr-0008MY-Kp; Tue, 16 Jun 2026 13:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339272.1600432; Tue, 16 Jun 2026 13:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUFr-0008MQ-IH; Tue, 16 Jun 2026 13:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1339272; Tue, 16 Jun 2026 13:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUFq-0008MI-MX for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUFq-00Cfgm-2H for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUFq-006S8H-1A for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HhhMppmv4geodj5P2nBCLYsN5X06BL/KzZriWdNAvCQ=; b=A7TWAn+4MUh3toLPeqlCGDSewH uKCxrr3xKA5HnANL2H6SX47Exx+nEkARJ0JtAbAuzIORGSGeIfGTmWJmOzN6V1XcCKJ40J0Sc5dJt DZkPpmwq5Om2otIYi/i/sebUCmRC0D/rka8A6e9v5+bZIDKt2RTtygrCv4Ybt0SEpvMQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/efi: Skip FPU save/restore for idle vCPU in EFI runtime path Message-Id: Date: Tue, 16 Jun 2026 13:55:02 +0000 commit 5740b8b0f3c7fcbd3a2fa33b47e57afc9c8bcef7 Author: Bernhard Kaindl AuthorDate: Tue Jun 16 14:15:30 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:15:30 2026 +0200 x86/efi: Skip FPU save/restore for idle vCPU in EFI runtime path Anthony reported a boot-time assertion in init_xen_time() via efi_get_time() -> efi_rs_enter() in vcpu_save_fpu() on a Broadwell-D system: Assertion '!is_idle_vcpu(v)' failed at arch/x86/i387.c:195 This became fragile after the lazy-FPU removal cleanup series: In 1792bb9a99d2 ("x86: Cleanup cr0.TS flag handling"), efi_rs_enter() was changed from save_fpu_enable() to vcpu_save_fpu(curr), which unconditionally asserts !is_idle_vcpu(v) so an EFI runtime call in idle context now asserts. Likewise, in dba44e051209 ("x86: Remove fully_eager_fpu"), efi_rs_leave() was changed to call vcpu_restore_fpu(curr), which has the same assertion and can fail for the same reason. Guard both EFI runtime FPU calls with !is_idle_vcpu() to skip save/restore for idle vCPUs, which don't have an FPU context to save/restore, much like the calls are guarded in __context_switch(), where save/restore is done only for non-idle vCPUs. Fixes: 1792bb9a99d2 ("x86: Cleanup cr0.TS flag handling") Fixes: dba44e051209 ("x86: Remove fully_eager_fpu") Reported-by: Anthony PERARD Suggested-by: Jan Beulich Signed-off-by: Bernhard Kaindl Tested-by: Anthony PERARD Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/common/efi/runtime.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index a23fa75e37..596f2710fb 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -98,7 +98,8 @@ struct efi_rs_state efi_rs_enter(void) */ sync_local_execstate(); state.cr3 = read_cr3(); - vcpu_save_fpu(current); + if ( !is_idle_vcpu(current) ) + vcpu_save_fpu(current); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); asm volatile ( "ldmxcsr %0" :: "m" (mxcsr) ); @@ -159,7 +160,8 @@ void efi_rs_leave(struct efi_rs_state *state) } irq_exit(); spin_unlock(&efi_rs_lock); - vcpu_restore_fpu(curr); + if ( !is_idle_vcpu(curr) ) + vcpu_restore_fpu(curr); } unsigned long efi_get_time(void) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339273.1600436 (Exim 4.92) (envelope-from ) id 1wZUG1-0008Qn-MY; Tue, 16 Jun 2026 13:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339273.1600436; Tue, 16 Jun 2026 13:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUG1-0008Qf-Ja; Tue, 16 Jun 2026 13:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1339273; Tue, 16 Jun 2026 13:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUG0-0008QX-J3 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUG0-00Cfib-2e for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUG0-006Sba-1a for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0X9qkNSeUf56d0NB0AMJxgd/zTsI2iq/N5HNRFjiDTg=; b=baVDRMg9EArA7lbG0ypdHb3XOc 2yP+Wy/i0dqRLPI/mHkiWKpPjagPxGmN0eyqwUVcUZACvCEV+ljYxja16k8rYU65EX6w8oX8uDOij wjt6pCZnfmhutBHrwz+TzTU32DXzG2Yru37gLedluMYzrQ/T55s6iyEkQGC64HaHowgI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: move XEN_DOMCTL_irq_permission handling to x86 code Message-Id: Date: Tue, 16 Jun 2026 13:55:12 +0000 commit 345ca8b6e74769f95acd3e7853ff84f460bd0dc3 Author: Jan Beulich AuthorDate: Tue Jun 16 14:16:33 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:16:33 2026 +0200 domctl: move XEN_DOMCTL_irq_permission handling to x86 code HAS_PIRQ is selected by x86 only, and that's expected to remain that way. Avoid the #ifdef needed by moving the logic to arch_do_domctl(). Leverage "currd" being available as a local variable there while doing so. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 30 ++++++++++++++++++++++++++++++ xen/common/domctl.c | 33 +-------------------------------- 2 files changed, 31 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 0e9a253288..d1bd753481 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -258,6 +258,36 @@ long arch_do_domctl( break; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = domctl->u.irq_permission.pirq, irq; + bool allow = domctl->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= currd->nr_pirqs ) + break; + + irq = domain_pirq_to_irq(currd, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + break; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + break; + } + case XEN_DOMCTL_gsi_permission: { int irq; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6f71a68d51..23406548c1 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -473,38 +473,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - bool allow = op->u.irq_permission.allow_access; - - ret = -EINVAL; - if ( pirq >= current->domain->nr_pirqs ) - goto domctl_out_unlock_domonly; - - irq = domain_pirq_to_irq(current->domain, pirq); - - ret = -EPERM; - if ( irq ) - ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); - if ( ret ) - goto domctl_out_unlock_domonly; - - iocaps_double_lock(d, true); - - if ( !irq_access_permitted(current->domain, irq) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - goto domctl_out_unlock_domonly; - } -#endif - case XEN_DOMCTL_set_target: { struct domain *e = get_domain_by_id(op->u.set_target.target); @@ -565,6 +533,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339274.1600440 (Exim 4.92) (envelope-from ) id 1wZUGB-0008Tw-Nk; Tue, 16 Jun 2026 13:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339274.1600440; Tue, 16 Jun 2026 13:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGB-0008To-L6; Tue, 16 Jun 2026 13:55:23 +0000 Received: by outflank-mailman (input) for mailman id 1339274; Tue, 16 Jun 2026 13:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGA-0008Th-Lu for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUGA-00Cfiv-2w for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUGA-006Sz9-1w for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=37XPCAfas7vRAKMa0uI6ejDCe3pTSH+/XhJ2ve5AyuY=; b=ScAx39jHmfT8tUH6wKmvR9t29b /2B//pdX5rVrL4cHIr0A2rVJmutYsBxWloctOXZjAkN2VJh/XVnHZij1WydLsF7Bd5nhqRndV7DPr ZNUuAvw9vEPB/GaToQhDbCtHhKe7Agk2wkM9pDpaFqCXHgHoxuI5yOuzp9smpGEfD5s4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: rename a label Message-Id: Date: Tue, 16 Jun 2026 13:55:22 +0000 commit 3af7339eaef114642603ef1cd218dd256864ec79 Author: Jan Beulich AuthorDate: Tue Jun 16 14:17:04 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:04 2026 +0200 domctl: rename a label There's no real domain unlocking here, it's merely RCU which is being "unlocked". Suggested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleskii Kurochko --- xen/common/domctl.c | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 23406548c1..0c11ddc2f7 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -375,7 +375,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; } - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_get_domain_state: ret = xsm_get_domain_state(XSM_XS_PRIV, d); @@ -383,7 +383,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_iomem_permission: { @@ -393,11 +393,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); if ( ret ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; iocaps_double_lock(d, true); @@ -410,7 +410,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); iocaps_double_unlock(d, true); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_memory_mapping: @@ -425,17 +425,17 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( mfn_end < mfn || /* Wrap? */ ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); if ( ret || !paging_mode_translate(d) ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; #ifndef CONFIG_X86 /* XXX ARM!? */ ret = -E2BIG; /* Must break hypercall up as this could take a while. */ if ( nr_mfns > 64 ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; #endif iocaps_double_lock(d, false); @@ -470,7 +470,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } iocaps_double_unlock(d, false); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_set_target: @@ -479,7 +479,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -ESRCH; if ( !e ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; if ( d == e ) ret = -EINVAL; @@ -494,7 +494,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( ret ) put_domain(e); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_vm_event_op: @@ -504,12 +504,12 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = vm_event_domctl(d, &op->u.vm_event_op); if ( !ret ) copyback = true; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } if ( !d ) { ret = -ESRCH; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } /* Other sub-ops handled further down. */ break; @@ -519,17 +519,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) { ret = xsm_domctl(XSM_OTHER, d, op); - if ( ret ) - goto domctl_out_unlock_domonly; - - ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + if ( !ret ) + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_rcuonly; } break; case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: @@ -539,7 +537,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_unbind_pt_irq: case XEN_DOMCTL_getpageframeinfo3: ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; default: /* Everything else handled further down. */ @@ -548,7 +546,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; if ( !domctl_lock_acquire() ) { @@ -946,7 +944,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); - domctl_out_unlock_domonly: + domctl_out_unlock_rcuonly: if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339275.1600444 (Exim 4.92) (envelope-from ) id 1wZUGL-00006V-P2; Tue, 16 Jun 2026 13:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339275.1600444; Tue, 16 Jun 2026 13:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGL-00006N-MS; Tue, 16 Jun 2026 13:55:33 +0000 Received: by outflank-mailman (input) for mailman id 1339275; Tue, 16 Jun 2026 13:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGK-00006H-OE for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUGK-00Cfiz-3C for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUGK-006TIE-2D for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=K4PWRMGboo7vTygLnZZ3+poLSrkq5DemfXFtyD3d/v4=; b=1c1dljSi0NKqFhE/9K7i5t0xvp RC8ykmgGlz/uluWOMCrfZtCjleOSFxKwVwBexTbqtULy0+x165KzraFl7kfVdvb8V3hDT8Rr4gvPv 0PlVrppb+KBcRRHo7VXb7C5+C9jeLxbMq7otxK4EK4VgR3AUYo5FpsqFJA9bWNVSqugI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: error code adjustment for unpriv callers Message-Id: Date: Tue, 16 Jun 2026 13:55:32 +0000 commit a89ca78901656c81003e61d88bc8327a57c7ce9c Author: Jan Beulich AuthorDate: Tue Jun 16 14:17:30 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:30 2026 +0200 domctl: error code adjustment for unpriv callers Unprivileged callers better wouldn't be in the position of figuring out domain existence from error codes. Adjust the respective path sitting ahead of XSM checks to produce -EPERM in such cases, just like the subsequent XSM check would yield. Suggested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0c11ddc2f7..61149d740e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -358,7 +358,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) - return -ESRCH; + return is_control_domain(current->domain) ? -ESRCH : -EPERM; break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339276.1600448 (Exim 4.92) (envelope-from ) id 1wZUGV-00008d-Qe; Tue, 16 Jun 2026 13:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339276.1600448; Tue, 16 Jun 2026 13:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGV-00008T-Nt; Tue, 16 Jun 2026 13:55:43 +0000 Received: by outflank-mailman (input) for mailman id 1339276; Tue, 16 Jun 2026 13:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGU-00008N-Sg for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUGV-00CfjR-0R for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUGU-006TcD-2T for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7Rr8dH8LfCIAUY0Srn9OLaDsIzgPh4ODTFnUkypLDkg=; b=Ji9rlJCNYm6XRzLikh+7+GN7zR Xc0lKhoaP7VejE1nej6kRVp5xdWl2aPFNlQmMsE18kQOrV9d/ABGzQugpJboRHot4/JPcYR2Kkl51 HzffqORhQDptA1/K48a2GZE50nmphfEqFsvbIp/QBjHVLy1juuat+YAEi4bxdMEifKLE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Revert "xen/cpufreq: fix usages of align_timer() in the on-demand governor" Message-Id: Date: Tue, 16 Jun 2026 13:55:42 +0000 commit e301cd36de9e81879b4cd70cd5272cc81392b7f9 Author: Jason Andryuk AuthorDate: Tue Jun 16 14:17:58 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:58 2026 +0200 Revert "xen/cpufreq: fix usages of align_timer() in the on-demand governor" The original commit showed a ~6% regression in a benchmark. The call to align_timer(firsttick, period) rounds firsttick up to the next mutiple of the period, if firsttick % period != 0: align_timer(0, period) -> 0 align_timer(1, period) -> period align_timer(period, period) -> period align_timer(period + 1, period) -> 2 * period So adding the period (sampling_rate) before calling align_timer() will in most cases incease the expiration to 2 * period (sampling_rate) (the exception being firsttick % period == 0). This longer timer slows the reaction time of the algorithm. This reverts commit a0ed5bcfbeee81c91c574ad484faa057054eaf09, just without re-introducing the style issues that were there. Fixes: a0ed5bcfbeee ("xen/cpufreq: fix usages of align_timer() in the on-demand governor") Signed-off-by: Jason Andryuk Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/drivers/cpufreq/cpufreq_ondemand.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/xen/drivers/cpufreq/cpufreq_ondemand.c b/xen/drivers/cpufreq/cpufreq_ondemand.c index 0d94c0e464..0a5d609b02 100644 --- a/xen/drivers/cpufreq/cpufreq_ondemand.c +++ b/xen/drivers/cpufreq/cpufreq_ondemand.c @@ -185,8 +185,7 @@ static void cf_check do_dbs_timer(void *dbs) dbs_check_cpu(dbs_info); set_timer(&per_cpu(dbs_timer, dbs_info->cpu), - align_timer(NOW() + dbs_tuners_ins.sampling_rate, - dbs_tuners_ins.sampling_rate)); + align_timer(NOW(), dbs_tuners_ins.sampling_rate)); } static void dbs_timer_init(struct cpu_dbs_info_s *dbs_info) @@ -401,6 +400,6 @@ void cpufreq_dbs_timer_resume(void) (void)cmpxchg(stoppable, -1, 1); } else - set_timer(t, align_timer(t->expires, dbs_tuners_ins.sampling_rate)); + set_timer(t, align_timer(now, dbs_tuners_ins.sampling_rate)); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 13:55:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 13:55:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339277.1600452 (Exim 4.92) (envelope-from ) id 1wZUGg-0000Bx-Rn; Tue, 16 Jun 2026 13:55:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339277.1600452; Tue, 16 Jun 2026 13:55:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGg-0000Bq-PB; Tue, 16 Jun 2026 13:55:54 +0000 Received: by outflank-mailman (input) for mailman id 1339277; Tue, 16 Jun 2026 13:55:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZUGf-0000Bh-0v for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZUGf-00CfjX-0t for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZUGe-006TqE-2x for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 13:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=E3q9IpTXUUaAGT9v1TSRzhRYr2WjKN11Y3UGxIXUtBU=; b=DILrO2eEgzum2zgQx9a67EJLEF VdFAdQv+7pJLW6MmJ7wGH1xAhJmj7beHzn6YpPgv1GLCrOesPEt143QGu8Eoc6uTWG8lsjVM7svUN C8+t3okgma2vqTseuYzNoOogWEjOujdYMOGtKhje1Cup4Yw8GV8ZgvuUzibwIuntltQ0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] gnttab: drop dead local variable from gnttab_map_frame_begin() Message-Id: Date: Tue, 16 Jun 2026 13:55:52 +0000 commit 9ddb2a2132d01f21ebe7ade826eed58671c51b17 Author: Jan Beulich AuthorDate: Tue Jun 16 14:18:39 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:18:39 2026 +0200 gnttab: drop dead local variable from gnttab_map_frame_begin() As Michal had indicated in review, status is now a variable that is set but never read. I made the resulting change locally, but then committed a stale version of the patch (also omitting Michal's R-b). Amends: eff88c4d3543 ("gnttab: simplify (really: drop) gnttab_set_frame_gfn()") Reported-by: Michal Orzel Signed-off-by: Jan Beulich Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/common/grant_table.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index ac9fed6001..17e1af9fcf 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -4255,7 +4255,6 @@ int gnttab_map_frame_begin( { int rc = 0; struct grant_table *gt = d->grant_table; - bool status = false; if ( gfn_eq(gfn, INVALID_GFN) ) { @@ -4268,8 +4267,6 @@ int gnttab_map_frame_begin( if ( evaluate_nospec(gt->gt_version == 2) && (idx & XENMAPIDX_grant_table_status) ) { idx &= ~XENMAPIDX_grant_table_status; - status = true; - rc = gnttab_get_status_frame_mfn(d, idx, mfn); } else -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339389.1600581 (Exim 4.92) (envelope-from ) id 1wZVRQ-0007Jb-4X; Tue, 16 Jun 2026 15:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339389.1600581; Tue, 16 Jun 2026 15:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRQ-0007JT-1q; Tue, 16 Jun 2026 15:11:04 +0000 Received: by outflank-mailman (input) for mailman id 1339389; Tue, 16 Jun 2026 15:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRO-0007JN-MV for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVRO-00Ch8y-2L for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVRO-009CIG-1G for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fqnGCyxRS65biu+vZvhv9XOSc/NGbveyVLn4ewMQgY4=; b=haENwcwHPVHhx5RLBtw6wB89WY +SqZJsvbEDEG0E+JF0v6d+LkkmMaBojgGqggFwQq5V9lfOozBGk9VKTEaLhobY44+AdESNcYinmgm sVtLB7/qrfJAsxA9lEnOE0JBXhNt16X3sr3Pvoi4KLiZwkXbhyVQS+AJb43Xrym3zndI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/efi: Skip FPU save/restore for idle vCPU in EFI runtime path Message-Id: Date: Tue, 16 Jun 2026 15:11:02 +0000 commit 5740b8b0f3c7fcbd3a2fa33b47e57afc9c8bcef7 Author: Bernhard Kaindl AuthorDate: Tue Jun 16 14:15:30 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:15:30 2026 +0200 x86/efi: Skip FPU save/restore for idle vCPU in EFI runtime path Anthony reported a boot-time assertion in init_xen_time() via efi_get_time() -> efi_rs_enter() in vcpu_save_fpu() on a Broadwell-D system: Assertion '!is_idle_vcpu(v)' failed at arch/x86/i387.c:195 This became fragile after the lazy-FPU removal cleanup series: In 1792bb9a99d2 ("x86: Cleanup cr0.TS flag handling"), efi_rs_enter() was changed from save_fpu_enable() to vcpu_save_fpu(curr), which unconditionally asserts !is_idle_vcpu(v) so an EFI runtime call in idle context now asserts. Likewise, in dba44e051209 ("x86: Remove fully_eager_fpu"), efi_rs_leave() was changed to call vcpu_restore_fpu(curr), which has the same assertion and can fail for the same reason. Guard both EFI runtime FPU calls with !is_idle_vcpu() to skip save/restore for idle vCPUs, which don't have an FPU context to save/restore, much like the calls are guarded in __context_switch(), where save/restore is done only for non-idle vCPUs. Fixes: 1792bb9a99d2 ("x86: Cleanup cr0.TS flag handling") Fixes: dba44e051209 ("x86: Remove fully_eager_fpu") Reported-by: Anthony PERARD Suggested-by: Jan Beulich Signed-off-by: Bernhard Kaindl Tested-by: Anthony PERARD Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/common/efi/runtime.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index a23fa75e37..596f2710fb 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -98,7 +98,8 @@ struct efi_rs_state efi_rs_enter(void) */ sync_local_execstate(); state.cr3 = read_cr3(); - vcpu_save_fpu(current); + if ( !is_idle_vcpu(current) ) + vcpu_save_fpu(current); asm volatile ( "fnclex; fldcw %0" :: "m" (fcw) ); asm volatile ( "ldmxcsr %0" :: "m" (mxcsr) ); @@ -159,7 +160,8 @@ void efi_rs_leave(struct efi_rs_state *state) } irq_exit(); spin_unlock(&efi_rs_lock); - vcpu_restore_fpu(curr); + if ( !is_idle_vcpu(curr) ) + vcpu_restore_fpu(curr); } unsigned long efi_get_time(void) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339390.1600586 (Exim 4.92) (envelope-from ) id 1wZVRa-0007Nh-7J; Tue, 16 Jun 2026 15:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339390.1600586; Tue, 16 Jun 2026 15:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRa-0007NZ-4f; Tue, 16 Jun 2026 15:11:14 +0000 Received: by outflank-mailman (input) for mailman id 1339390; Tue, 16 Jun 2026 15:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRY-0007NJ-Iv for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVRY-00Ch92-2h for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVRY-009CSn-1d for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sr4uEK4MED1WAJsJUkM58Ek7aGb/1Y1Y9TvxwuU8FsE=; b=RTBuxJqqsXpK29VWjeUeubaz8n lfP1fnCfTaz7mbWTmxIIKkz/E2YrRMMZHohSlTv8u2yjaP6pUrb+npQ6nA3WXOGGEFFUpWLAAp1uf nOPfskXrba32yJR0m56cX6hC3XWFTaTHEckE/riKqVBB8BSCnBwDA8Jbfbh2oxRgqs68=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: move XEN_DOMCTL_irq_permission handling to x86 code Message-Id: Date: Tue, 16 Jun 2026 15:11:12 +0000 commit 345ca8b6e74769f95acd3e7853ff84f460bd0dc3 Author: Jan Beulich AuthorDate: Tue Jun 16 14:16:33 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:16:33 2026 +0200 domctl: move XEN_DOMCTL_irq_permission handling to x86 code HAS_PIRQ is selected by x86 only, and that's expected to remain that way. Avoid the #ifdef needed by moving the logic to arch_do_domctl(). Leverage "currd" being available as a local variable there while doing so. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 30 ++++++++++++++++++++++++++++++ xen/common/domctl.c | 33 +-------------------------------- 2 files changed, 31 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 0e9a253288..d1bd753481 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -258,6 +258,36 @@ long arch_do_domctl( break; } + case XEN_DOMCTL_irq_permission: + { + unsigned int pirq = domctl->u.irq_permission.pirq, irq; + bool allow = domctl->u.irq_permission.allow_access; + + ret = -EINVAL; + if ( pirq >= currd->nr_pirqs ) + break; + + irq = domain_pirq_to_irq(currd, pirq); + + ret = -EPERM; + if ( irq ) + ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); + if ( ret ) + break; + + iocaps_double_lock(d, true); + + if ( !irq_access_permitted(currd, irq) ) + ret = -EPERM; + else if ( allow ) + ret = irq_permit_access(d, irq); + else + ret = irq_deny_access(d, irq); + + iocaps_double_unlock(d, true); + break; + } + case XEN_DOMCTL_gsi_permission: { int irq; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 6f71a68d51..23406548c1 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -473,38 +473,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_domonly; } -#ifdef CONFIG_HAS_PIRQ - case XEN_DOMCTL_irq_permission: - { - unsigned int pirq = op->u.irq_permission.pirq, irq; - bool allow = op->u.irq_permission.allow_access; - - ret = -EINVAL; - if ( pirq >= current->domain->nr_pirqs ) - goto domctl_out_unlock_domonly; - - irq = domain_pirq_to_irq(current->domain, pirq); - - ret = -EPERM; - if ( irq ) - ret = xsm_irq_permission(XSM_PRIV, d, irq, allow); - if ( ret ) - goto domctl_out_unlock_domonly; - - iocaps_double_lock(d, true); - - if ( !irq_access_permitted(current->domain, irq) ) - ret = -EPERM; - else if ( allow ) - ret = irq_permit_access(d, irq); - else - ret = irq_deny_access(d, irq); - - iocaps_double_unlock(d, true); - goto domctl_out_unlock_domonly; - } -#endif - case XEN_DOMCTL_set_target: { struct domain *e = get_domain_by_id(op->u.set_target.target); @@ -565,6 +533,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: + case XEN_DOMCTL_irq_permission: case XEN_DOMCTL_gsi_permission: case XEN_DOMCTL_bind_pt_irq: case XEN_DOMCTL_unbind_pt_irq: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339391.1600590 (Exim 4.92) (envelope-from ) id 1wZVRk-0007QE-8u; Tue, 16 Jun 2026 15:11:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339391.1600590; Tue, 16 Jun 2026 15:11:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRk-0007Q6-5y; Tue, 16 Jun 2026 15:11:24 +0000 Received: by outflank-mailman (input) for mailman id 1339391; Tue, 16 Jun 2026 15:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRi-0007Pu-No for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVRi-00Ch9A-2z for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVRi-009Cik-1y for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5VBHK2jI04KJkyjFdUE/23iZkELTkkaLWJ9hmX38uOw=; b=ub1qiT9cD1EY4nzq9cstqdZqbr rrMLXlcvTwh0qEZGBr7gD3VpQ0gc5RDHirVpxeiw0v8K/qcK4ONE5g03JdhHDlNZsCBnP6U8jXZfe oRA9DplMIxs7nGPv5VxYnHfdV3/oe3f/iHgfRU1OyPZYzloU3NBSXcRZL8a9aJa8eEUg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: rename a label Message-Id: Date: Tue, 16 Jun 2026 15:11:22 +0000 commit 3af7339eaef114642603ef1cd218dd256864ec79 Author: Jan Beulich AuthorDate: Tue Jun 16 14:17:04 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:04 2026 +0200 domctl: rename a label There's no real domain unlocking here, it's merely RCU which is being "unlocked". Suggested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleskii Kurochko --- xen/common/domctl.c | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 23406548c1..0c11ddc2f7 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -375,7 +375,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) copyback = true; } - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_get_domain_state: ret = xsm_get_domain_state(XSM_XS_PRIV, d); @@ -383,7 +383,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = get_domain_state(&op->u.get_domain_state, d, &op->domain); if ( !ret ) copyback = true; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_iomem_permission: { @@ -393,11 +393,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -EINVAL; if ( (mfn + nr_mfns - 1) < mfn ) /* Wrap? */ - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; ret = xsm_iomem_permission(XSM_PRIV, d, mfn, mfn + nr_mfns - 1, allow); if ( ret ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; iocaps_double_lock(d, true); @@ -410,7 +410,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); iocaps_double_unlock(d, true); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_memory_mapping: @@ -425,17 +425,17 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( mfn_end < mfn || /* Wrap? */ ((mfn | mfn_end) >> (paddr_bits - PAGE_SHIFT)) || (gfn + nr_mfns - 1) < gfn ) /* Wrap? */ - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; ret = xsm_iomem_mapping(XSM_DM_PRIV, d, mfn, mfn_end, add); if ( ret || !paging_mode_translate(d) ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; #ifndef CONFIG_X86 /* XXX ARM!? */ ret = -E2BIG; /* Must break hypercall up as this could take a while. */ if ( nr_mfns > 64 ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; #endif iocaps_double_lock(d, false); @@ -470,7 +470,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } iocaps_double_unlock(d, false); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_set_target: @@ -479,7 +479,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = -ESRCH; if ( !e ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; if ( d == e ) ret = -EINVAL; @@ -494,7 +494,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( ret ) put_domain(e); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } case XEN_DOMCTL_vm_event_op: @@ -504,12 +504,12 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = vm_event_domctl(d, &op->u.vm_event_op); if ( !ret ) copyback = true; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } if ( !d ) { ret = -ESRCH; - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; } /* Other sub-ops handled further down. */ break; @@ -519,17 +519,15 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) { ret = xsm_domctl(XSM_OTHER, d, op); - if ( ret ) - goto domctl_out_unlock_domonly; - - ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + if ( !ret ) + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_rcuonly; } break; case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; case XEN_DOMCTL_ioport_permission: case XEN_DOMCTL_ioport_mapping: @@ -539,7 +537,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_unbind_pt_irq: case XEN_DOMCTL_getpageframeinfo3: ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; default: /* Everything else handled further down. */ @@ -548,7 +546,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = xsm_domctl(XSM_OTHER, d, op); if ( ret ) - goto domctl_out_unlock_domonly; + goto domctl_out_unlock_rcuonly; if ( !domctl_lock_acquire() ) { @@ -946,7 +944,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) domctl_lock_release(); - domctl_out_unlock_domonly: + domctl_out_unlock_rcuonly: if ( d && !is_system_domain(d) ) rcu_unlock_domain(d); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339392.1600594 (Exim 4.92) (envelope-from ) id 1wZVRu-0007Tm-A8; Tue, 16 Jun 2026 15:11:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339392.1600594; Tue, 16 Jun 2026 15:11:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRu-0007Te-7T; Tue, 16 Jun 2026 15:11:34 +0000 Received: by outflank-mailman (input) for mailman id 1339392; Tue, 16 Jun 2026 15:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVRs-0007TP-PV for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVRt-00Ch9E-05 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVRs-009Cwz-2H for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uJkx1aioSe9gWol5lnqH5G2WyaHalXuu0cseVIFi750=; b=hCPN+ER3zKLn8FMcjiuh619jN5 3QkxPv08XQ/4e46VxxNixTrp7XCFkF/DxUjD/PA6LhdYBX/a7GXJq+lqnKBzN1dWzACukhuGnw4Rx SKFHk+6+JG7r3H5x44d4cTbHMTIXIwISzcpz0AdEB0Va228qQQn/bK7E3TAqcDQEwQhE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: error code adjustment for unpriv callers Message-Id: Date: Tue, 16 Jun 2026 15:11:32 +0000 commit a89ca78901656c81003e61d88bc8327a57c7ce9c Author: Jan Beulich AuthorDate: Tue Jun 16 14:17:30 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:30 2026 +0200 domctl: error code adjustment for unpriv callers Unprivileged callers better wouldn't be in the position of figuring out domain existence from error codes. Adjust the respective path sitting ahead of XSM checks to produce -EPERM in such cases, just like the subsequent XSM check would yield. Suggested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 0c11ddc2f7..61149d740e 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -358,7 +358,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) default: d = rcu_lock_domain_by_id(op->domain); if ( !d ) - return -ESRCH; + return is_control_domain(current->domain) ? -ESRCH : -EPERM; break; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339393.1600598 (Exim 4.92) (envelope-from ) id 1wZVS4-0007XP-BZ; Tue, 16 Jun 2026 15:11:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339393.1600598; Tue, 16 Jun 2026 15:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVS4-0007XH-8t; Tue, 16 Jun 2026 15:11:44 +0000 Received: by outflank-mailman (input) for mailman id 1339393; Tue, 16 Jun 2026 15:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVS2-0007W5-SS for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVS3-00Ch9b-0M for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVS2-009DFD-2a for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uiZM2sELuzLzPBl6TncpFdcwNUkg3MU86BZmV6Fhfcs=; b=2xrJs8/JOIREQ0n70vqm0JNkCP 3Msby9lqya/zA43laDBaC2l2QdZF+1kIcMQofqE69J3tPJ6D7dTCgjTZ7XYbo4fbsZbKyYuZuKjEC 8UzQyfWNKfBcf5U4rYIJ4SOGhreZpCLzJy6vJ6GN/3DTbHrr6M7cz1garItTAQFJxrDk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Revert "xen/cpufreq: fix usages of align_timer() in the on-demand governor" Message-Id: Date: Tue, 16 Jun 2026 15:11:42 +0000 commit e301cd36de9e81879b4cd70cd5272cc81392b7f9 Author: Jason Andryuk AuthorDate: Tue Jun 16 14:17:58 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:17:58 2026 +0200 Revert "xen/cpufreq: fix usages of align_timer() in the on-demand governor" The original commit showed a ~6% regression in a benchmark. The call to align_timer(firsttick, period) rounds firsttick up to the next mutiple of the period, if firsttick % period != 0: align_timer(0, period) -> 0 align_timer(1, period) -> period align_timer(period, period) -> period align_timer(period + 1, period) -> 2 * period So adding the period (sampling_rate) before calling align_timer() will in most cases incease the expiration to 2 * period (sampling_rate) (the exception being firsttick % period == 0). This longer timer slows the reaction time of the algorithm. This reverts commit a0ed5bcfbeee81c91c574ad484faa057054eaf09, just without re-introducing the style issues that were there. Fixes: a0ed5bcfbeee ("xen/cpufreq: fix usages of align_timer() in the on-demand governor") Signed-off-by: Jason Andryuk Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/drivers/cpufreq/cpufreq_ondemand.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/xen/drivers/cpufreq/cpufreq_ondemand.c b/xen/drivers/cpufreq/cpufreq_ondemand.c index 0d94c0e464..0a5d609b02 100644 --- a/xen/drivers/cpufreq/cpufreq_ondemand.c +++ b/xen/drivers/cpufreq/cpufreq_ondemand.c @@ -185,8 +185,7 @@ static void cf_check do_dbs_timer(void *dbs) dbs_check_cpu(dbs_info); set_timer(&per_cpu(dbs_timer, dbs_info->cpu), - align_timer(NOW() + dbs_tuners_ins.sampling_rate, - dbs_tuners_ins.sampling_rate)); + align_timer(NOW(), dbs_tuners_ins.sampling_rate)); } static void dbs_timer_init(struct cpu_dbs_info_s *dbs_info) @@ -401,6 +400,6 @@ void cpufreq_dbs_timer_resume(void) (void)cmpxchg(stoppable, -1, 1); } else - set_timer(t, align_timer(t->expires, dbs_tuners_ins.sampling_rate)); + set_timer(t, align_timer(now, dbs_tuners_ins.sampling_rate)); } } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 15:11:54 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 15:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339394.1600602 (Exim 4.92) (envelope-from ) id 1wZVSE-0007aa-Cr; Tue, 16 Jun 2026 15:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339394.1600602; Tue, 16 Jun 2026 15:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVSE-0007aT-AH; Tue, 16 Jun 2026 15:11:54 +0000 Received: by outflank-mailman (input) for mailman id 1339394; Tue, 16 Jun 2026 15:11:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZVSC-0007aG-Ux for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZVSD-00Ch9g-0f for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZVSC-009Dky-2s for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 15:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BF4zHTRHqsRuGqNClOY+aancscHvDS4dE/4Kmx/KBjg=; b=dxdhs77IKGUe/L2zk4QROS2cGc JYeRquqSg55shk2xU65Q4agHEHWGC45SBEm20j3QqxoDaaw5RINijk1jAu7VtNdTyHogz2sVMzCFq M7lqq2nU6ySDQkmojS6sPcsXWv5WTjR/hdzj/NYL5w+1jDpwiXppf5P/Po47EpfwA0OE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] gnttab: drop dead local variable from gnttab_map_frame_begin() Message-Id: Date: Tue, 16 Jun 2026 15:11:52 +0000 commit 9ddb2a2132d01f21ebe7ade826eed58671c51b17 Author: Jan Beulich AuthorDate: Tue Jun 16 14:18:39 2026 +0200 Commit: Jan Beulich CommitDate: Tue Jun 16 14:18:39 2026 +0200 gnttab: drop dead local variable from gnttab_map_frame_begin() As Michal had indicated in review, status is now a variable that is set but never read. I made the resulting change locally, but then committed a stale version of the patch (also omitting Michal's R-b). Amends: eff88c4d3543 ("gnttab: simplify (really: drop) gnttab_set_frame_gfn()") Reported-by: Michal Orzel Signed-off-by: Jan Beulich Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/common/grant_table.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index ac9fed6001..17e1af9fcf 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -4255,7 +4255,6 @@ int gnttab_map_frame_begin( { int rc = 0; struct grant_table *gt = d->grant_table; - bool status = false; if ( gfn_eq(gfn, INVALID_GFN) ) { @@ -4268,8 +4267,6 @@ int gnttab_map_frame_begin( if ( evaluate_nospec(gt->gt_version == 2) && (idx & XENMAPIDX_grant_table_status) ) { idx &= ~XENMAPIDX_grant_table_status; - status = true; - rc = gnttab_get_status_frame_mfn(d, idx, mfn); } else -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339498.1600687 (Exim 4.92) (envelope-from ) id 1wZXUA-0003d9-TI; Tue, 16 Jun 2026 17:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339498.1600687; Tue, 16 Jun 2026 17:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUA-0003d0-Qa; Tue, 16 Jun 2026 17:22:02 +0000 Received: by outflank-mailman (input) for mailman id 1339498; Tue, 16 Jun 2026 17:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUA-0003cu-4U for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUA-00Cjv0-0x for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXU9-00DNkY-36 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sXm9MtuHqhODndcB03uustZTrQyrj/ng0zqyQPhHONk=; b=wFbAD88BPA75gXoKB8AtY1+1Or RFdWBcMTLfbR7GhAOP4lzYZ5eK9RCmmA49KgSbJw2hy1Db/oDipKvNOSQpRc9ehKXEKnTZuHRv7PC 6OrU/02efe7R5UgW5mYws1V+dUMhZA8QfD2HZmxCu28O0+rdh8hGt9WBaYXtZj07lXWg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 16 Jun 2026 17:22:01 +0000 commit 6082b3764b848981c1aecdd3ae53b1b05bc25396 Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:15:22 2026 +0100 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper (cherry picked from commit c3cf7c41214ac180902ca7dc826047774d3c5fb1) --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339499.1600691 (Exim 4.92) (envelope-from ) id 1wZXUL-0003gK-Ux; Tue, 16 Jun 2026 17:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339499.1600691; Tue, 16 Jun 2026 17:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUL-0003gC-Rt; Tue, 16 Jun 2026 17:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1339499; Tue, 16 Jun 2026 17:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUK-0003fz-Ad for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUK-00Cjv4-1h for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXUK-00DNnr-0E for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WtnxLNz8ViK9CaZkMIbTJQ+PjauUvPCMKqM6i1saVz0=; b=plxRwE4nFdaZg2drDif6hQgRV8 d859cQRiFo6oIZVKtL2AQKRkde/23fgd7hIVxaMxPX6xpRSNFI5h8FedWgo4ldLuGsDLD3gjoQxLN /nr0cJfGa+lc1Gj8QT8y7Mb0SAe8Tv8k4KwRzzaRvomCK9MQx4x/VcbLJ0RdSsLgJh+s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.21] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 17:22:12 +0000 commit adfd3d303312b9d4f833ef724f552f2ac859c0b6 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:15:22 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 8d8f62c8d0..a3f661d380 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -118,7 +118,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:24 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339501.1600695 (Exim 4.92) (envelope-from ) id 1wZXUW-0003j6-1M; Tue, 16 Jun 2026 17:22:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339501.1600695; Tue, 16 Jun 2026 17:22:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUV-0003iy-Uu; Tue, 16 Jun 2026 17:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1339501; Tue, 16 Jun 2026 17:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUU-0003ir-OJ for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUV-00Cjv8-00 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXUU-00DNvN-22 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aT/AY8J+F2MEMhYHUw+OZOWjBIl7hPY7DV2qagPfsEE=; b=4ZL4Jk606o13bf0GWC9LczInoL xZLqlfhD6iaOME6Pi4auiLkntB7n73ZZs7+JAGwnoz+sOfGYWJ7xurt4mbUNX14EF6awEqRkv81v9 kGi2Foy+ZLRvX4VDedxK5LQfRK5+IdjmjU54f+Zxbqk6zPOjlJmkOaR+PXBoBJv0v2sk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 16 Jun 2026 17:22:22 +0000 commit a3628d10a56351e6df03df40814e191c493900ba Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:16:38 2026 +0100 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper (cherry picked from commit c3cf7c41214ac180902ca7dc826047774d3c5fb1) --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:34 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339502.1600699 (Exim 4.92) (envelope-from ) id 1wZXUg-0003l6-2a; Tue, 16 Jun 2026 17:22:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339502.1600699; Tue, 16 Jun 2026 17:22:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUf-0003ky-WE; Tue, 16 Jun 2026 17:22:34 +0000 Received: by outflank-mailman (input) for mailman id 1339502; Tue, 16 Jun 2026 17:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUe-0003kq-TF for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUf-00CjvF-0V for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXUe-00DO0H-2V for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RrvtH0I7ZStEAza0GHx1iCEuqQT+uc6Ujez2KknM3s8=; b=cIQUpQ6RK5IuKBH/Zzxx6/zoNL 9/N6z4bNhvMsLqudv8udL2AdZLAon4simpTmlJ4SWaaBHey/TVVd0mZtyp0pMfDBhCnuMPRGOLPg5 Kf1Z4rPgzFBPupGALceQOfTFoPT8YS+XfIrX7w+re3/sgh3CMAI0oKNwq7NS3rrFCfa4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.20] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 17:22:32 +0000 commit babf4f0b36503d472b36c612d64e985a1e8bc2ef Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:16:38 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 5ce445b78f..0a2b80956b 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -118,7 +118,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:44 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339503.1600703 (Exim 4.92) (envelope-from ) id 1wZXUq-0003pk-3v; Tue, 16 Jun 2026 17:22:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339503.1600703; Tue, 16 Jun 2026 17:22:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUq-0003pc-1H; Tue, 16 Jun 2026 17:22:44 +0000 Received: by outflank-mailman (input) for mailman id 1339503; Tue, 16 Jun 2026 17:22:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUp-0003pW-6K for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUp-00CjvZ-1Q for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXUp-00DO5C-0K for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=R5lOlcII2jG3+pYSD2heldezKT8lTHDhfKgWIduycAk=; b=wllpMvMcqZoof2nJq3xce/eFei KsT8ObgsjGSE67N6YSa1nViPqPIA23d9paOXm1YXM0T7Ijx/25/SqZSGtA48ulH3Ns668dVG8XhkS Cd6+jQqtTS0tG8NLOq+jVR4xYKwVfh1oJZyCtXZnRKD/2HI0NbSbe7L/s6rZwow9toVQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.19] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 17:22:43 +0000 commit ecf0e89c29cb497d8b44c1ffb4d962160e0cdaa0 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:17:45 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 649e80c4dd..8d85e293db 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -115,7 +115,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -136,7 +136,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:22:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:22:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339504.1600707 (Exim 4.92) (envelope-from ) id 1wZXV1-0003tu-5F; Tue, 16 Jun 2026 17:22:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339504.1600707; Tue, 16 Jun 2026 17:22:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXV1-0003tn-2a; Tue, 16 Jun 2026 17:22:55 +0000 Received: by outflank-mailman (input) for mailman id 1339504; Tue, 16 Jun 2026 17:22:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXUz-0003tg-ID for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXUz-00Cjvf-2c for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXUz-00DOBp-1F for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:22:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lREcdfMKRHw1HUaoVQJt2touXjqK/8RTMmqUwuX51MQ=; b=ajOfcRP2d55SMEdhuCoMu4aSQG fRybnb6lE2im3S6fnPUp5fTbv2yjVB/ZcVE2/jg0uEjqVLL+YBf4+OFsX9aqxCvnIGDQ+2CXqFTpm /zjOXBqna5jIWVa10kJPl4QeLX6+tE0p5SkohBEib2H9z/UuWvJiC1/K5/r/PyUzeiH8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 17:22:53 +0000 commit a055d7290ce31cdb2ba49e5eb05b3dd14f0f3682 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:19:26 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 4d190777e1..aaa2e2b9a4 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -94,7 +94,7 @@ variables: - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 17:44:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 17:44:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339557.1600774 (Exim 4.92) (envelope-from ) id 1wZXpT-0003ZB-CO; Tue, 16 Jun 2026 17:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339557.1600774; Tue, 16 Jun 2026 17:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXpT-0003Z3-9t; Tue, 16 Jun 2026 17:44:03 +0000 Received: by outflank-mailman (input) for mailman id 1339557; Tue, 16 Jun 2026 17:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZXpR-0003Yt-Va for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZXpS-00CkGi-0T for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZXpR-00Dm0u-2g for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 17:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hUARAVpsIUoX38F6VZeI9viM12gcRl2QFTqz1RnEfYg=; b=66B/ZjFaLfaWwQxPxKfH0VC+PK wxirqD6Oz4A/3OKWkBQz2koCjA5btOrOddRAYJjij/4MEPlxjeKepkbzPVN/jkRUnpkATGgKq1qJ0 3pz3RrbSvB7nK2LQlCrnfALAFsvvEplSbO+G+ccleL5aLj0s85uR5qPebfLA5sJ6CF6E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/ucode: Exclude Zen6 from entrysign digest checking Message-Id: Date: Tue, 16 Jun 2026 17:44:01 +0000 commit 6ba5e9c7b887d85c7e7f385892d7edbf2573a279 Author: Andrew Cooper AuthorDate: Tue Jun 16 11:37:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:33:39 2026 +0100 x86/ucode: Exclude Zen6 from entrysign digest checking There is a 3rd path which should have gained an is_zen6_uarch() check to exclude Zen6 from entrysign mitigations. Fixes: bd15fdedafb3 ("x86/ucode: Exclude Zen6 from entrysign mitigations") Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/cpu/microcode/amd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index 2ba1fa825f..2d49110228 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -128,7 +128,8 @@ static bool check_digest(const struct container_microcode *mc) * the digest of the patch against a list of known provenance. */ if ( boot_cpu_data.family < 0x17 || boot_cpu_data.family > 0x1a || - entrysign_mitigated_in_firmware || !opt_digest_check ) + is_zen6_uarch() || entrysign_mitigated_in_firmware || + !opt_digest_check ) return true; pd = bsearch(&patch->patch_id, patch_digests, ARRAY_SIZE(patch_digests), -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 18:22:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 18:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339605.1600795 (Exim 4.92) (envelope-from ) id 1wZYQF-0004gL-AW; Tue, 16 Jun 2026 18:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339605.1600795; Tue, 16 Jun 2026 18:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYQF-0004gD-7a; Tue, 16 Jun 2026 18:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1339605; Tue, 16 Jun 2026 18:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYQE-0004g3-Bs for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZYQE-00CkzM-14 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZYQE-00EaN8-04 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yMzP6gmewrRtcd10PIaT1SPBN5tKIol2oqUsCrvSU5c=; b=5y+MdZJt5BXi5gGUzx/IlTDTju PKbHV3+GGQKphCHv6PQAEb9EzIi9y6go6rdwo7CAUD0UmK0YcDXmVhBlpQZptPUQ5eNIjreU/UKHd s/BvA9uQrI/iejnE1ks6B8VJx0IKJ9R/j6PThJ8lpNB8/pz9kVDWRO9kxLY8AEmXqSZA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 16 Jun 2026 18:22:02 +0000 commit 6082b3764b848981c1aecdd3ae53b1b05bc25396 Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:15:22 2026 +0100 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper (cherry picked from commit c3cf7c41214ac180902ca7dc826047774d3c5fb1) --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 18:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 18:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339606.1600800 (Exim 4.92) (envelope-from ) id 1wZYQP-0004ie-CA; Tue, 16 Jun 2026 18:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339606.1600800; Tue, 16 Jun 2026 18:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYQP-0004iU-8z; Tue, 16 Jun 2026 18:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1339606; Tue, 16 Jun 2026 18:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYQO-0004iI-8F for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZYQO-00CkzR-1R for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZYQO-00EaYH-0M for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kFuhlIPUp4ZrtD4omoPfwmvZkyNoRssYga0eIiMlSAg=; b=aOTvRuHRLfF5t91eWgW0/NNfdV zHBMOLTUHy3TzHA9u7z3/hykJtT+65xqdjfs9vFWjmQfYS3qP4I4HyBkcOP9c/kc7GwGgcNTLP4dG gr+w/t7ohZje8TYJZIik/tEVcvzADe4hdt0pxfdhCh0hhcmvcETVhqUThxlQhRACpgS8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.21] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 18:22:12 +0000 commit adfd3d303312b9d4f833ef724f552f2ac859c0b6 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:15:22 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 8d8f62c8d0..a3f661d380 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -118,7 +118,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.21 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 18:55:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 18:55:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339610.1600802 (Exim 4.92) (envelope-from ) id 1wZYwB-0002Sy-HU; Tue, 16 Jun 2026 18:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339610.1600802; Tue, 16 Jun 2026 18:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYwB-0002Sq-Eg; Tue, 16 Jun 2026 18:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1339610; Tue, 16 Jun 2026 18:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYwA-0002Sh-Ha for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZYwA-00ClVl-1Z for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZYwA-00F7N3-0D for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YzvvNhuFqAo8kwpNM/yPeLYT4nxdU0/MwD9ZzBOHOa0=; b=q7tN4Lv6lIEtSZSnhGzmmUp+rl U2ClAGTFgBaN4GkxwuUQ1mn5HkSmbZPNxsKRLdRGp+acMgi8xL+T3cKOPZlbCW/zZ1HHvxeHwfbQb gzauEquvoVe+mcZOq6Zx5gGgm0pmXbPGbiHYLkLM9C/vXSmO5K/+guK5hVvUXeccv+Mk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] tools/ocaml: silence ocaml_deprecated_auto_include alert Message-Id: Date: Tue, 16 Jun 2026 18:55:02 +0000 commit a3628d10a56351e6df03df40814e191c493900ba Author: Guillaume Thouvenin AuthorDate: Tue Jun 9 09:36:35 2026 +0200 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:16:38 2026 +0100 tools/ocaml: silence ocaml_deprecated_auto_include alert Ocaml's lib directory layout changed in 5.0: the unix and dynlink libraries have been moved out of the standard library directory into subdirectories. The compiler still locates them automatically but emits an ocaml_deprecated_auto_include alert when doing so. This patch sets the paths explicitly with -I +unix and -I +dynlink to silence the alert. Signed-off-by: Guillaume Thouvenin Reviewed-by: Andrii Sultanov Tested-by: Andrii Sultanov Acked-by: Andrew Cooper (cherry picked from commit c3cf7c41214ac180902ca7dc826047774d3c5fb1) --- tools/ocaml/common.make | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ocaml/common.make b/tools/ocaml/common.make index c7eefceeb4..0e6714e25a 100644 --- a/tools/ocaml/common.make +++ b/tools/ocaml/common.make @@ -11,6 +11,7 @@ OCAMLFIND ?= ocamlfind CFLAGS += -fPIC -I$(shell ocamlc -where) +OCAMLINCLUDE += -I +unix -I +dynlink OCAMLOPTFLAGS = -g -ccopt "$(LDFLAGS)" -dtypes $(OCAMLINCLUDE) -w F -warn-error F OCAMLCFLAGS += -g $(OCAMLINCLUDE) -w F -warn-error F -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 18:55:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 18:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339612.1600806 (Exim 4.92) (envelope-from ) id 1wZYwL-0002V5-Ir; Tue, 16 Jun 2026 18:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339612.1600806; Tue, 16 Jun 2026 18:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYwL-0002Uy-G2; Tue, 16 Jun 2026 18:55:13 +0000 Received: by outflank-mailman (input) for mailman id 1339612; Tue, 16 Jun 2026 18:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZYwK-0002Uq-B0 for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZYwK-00ClWq-1r for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZYwK-00F7QU-0r for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 18:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=z73NJC47RBSkTn0MzB9K6KW1zNVPxssdtsiXxVE/lNs=; b=gwFLQx2C3X+4I96SUNl2jrKaFh +tNF6gCVBEKUzJdIBqx4AptJLIC4k/r9wtkx0kRk8Sn7G9RDjwOvcfAjgnqZkHQN/ibkwg/Z4hft+ GGXBM3n56eoeinll8SwhXxgGiOnTb16hqImjgZJwLW2wLibqmKzMfVjeNOJJ7lSd5Dpk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.20] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 18:55:12 +0000 commit babf4f0b36503d472b36c612d64e985a1e8bc2ef Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:16:38 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 5ce445b78f..0a2b80956b 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -118,7 +118,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -139,7 +139,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 19:55:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 19:55:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339623.1600819 (Exim 4.92) (envelope-from ) id 1wZZsF-0005fI-OK; Tue, 16 Jun 2026 19:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339623.1600819; Tue, 16 Jun 2026 19:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZZsF-0005fA-La; Tue, 16 Jun 2026 19:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1339623; Tue, 16 Jun 2026 19:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZZsE-0005ex-DM for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 19:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZZsE-00CmWT-0p for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 19:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZZsD-00FbZn-2z for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 19:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ElTXB6UN+rJxqw90kCgs9VS63Vep+Mir62z+vUe83dQ=; b=ZyBk7fS9F8q5aAAVaMvUiCQ6rW aW+U1L3yvy0Adp/XWWcjCv9UuXURDNcykRH2N4EWZEbAzPxiVJJB7JMw7vWllsVyct4dUakYovpYE Khz6Y1vEVqYCKTnI/Zljapw/2lDzMLX5UBHqDmI8eGhM/l3BhLSzugfMbPkNT69o4IVg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 19:55:01 +0000 commit a055d7290ce31cdb2ba49e5eb05b3dd14f0f3682 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:19:26 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 4d190777e1..aaa2e2b9a4 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -94,7 +94,7 @@ variables: - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 20:11:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 20:11:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339637.1600841 (Exim 4.92) (envelope-from ) id 1wZa7j-0001IK-7N; Tue, 16 Jun 2026 20:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339637.1600841; Tue, 16 Jun 2026 20:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZa7j-0001IC-4a; Tue, 16 Jun 2026 20:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1339637; Tue, 16 Jun 2026 20:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZa7i-0001I6-Jf for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 20:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZa7i-00Cmtt-1l for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 20:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZa7i-00FjdI-0h for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 20:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OBxf4sNXzcmAhzP5D+UY8/UfI9lHOySaGOSuAUbwoy8=; b=vRzgQRJQr6FdItKEihUny8dqKp YYuE/u1MVJyCaYHn5H+I8nd2dToGZ9S5CQW4q906DmDnkuvX2HYBXOa5UMEVrB8fsJgOJiPLtJ9NO gMFXG7CpfdBUL3BzMy1Erh5KR0yvWRXNhYimCPg9sIJoFBDoUI4QD7Jb4+4e8iLLD33E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.19] CI: Use more specific Xilinx runner tags Message-Id: Date: Tue, 16 Jun 2026 20:11:02 +0000 commit ecf0e89c29cb497d8b44c1ffb4d962160e0cdaa0 Author: Andrew Cooper AuthorDate: Fri Jun 12 18:24:57 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:17:45 2026 +0100 CI: Use more specific Xilinx runner tags In order to avoid serialising the testing on both boards, the runner configuration is being adjusted. Have the .xilinx-arm64 and .xilinx-x86_64 templates choose the board directly using a more specific tag. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Victor Lira (cherry picked from commit efcb4c5e2f2734cd4cac38a9f01e03c5e54c8eb8) --- automation/gitlab-ci/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index 649e80c4dd..8d85e293db 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -115,7 +115,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-zynq-423 .xilinx-x86_64: extends: .test-jobs-common @@ -136,7 +136,7 @@ when: never - if: $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" tags: - - xilinx + - xilinx-crater-001 .adl-x86-64: extends: .test-jobs-common -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19 From xen-changelog-bounces@lists.xenproject.org Tue Jun 16 21:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Jun 2026 21:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339646.1600845 (Exim 4.92) (envelope-from ) id 1wZb3n-0007Lw-6L; Tue, 16 Jun 2026 21:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339646.1600845; Tue, 16 Jun 2026 21:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZb3n-0007Lo-3b; Tue, 16 Jun 2026 21:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1339646; Tue, 16 Jun 2026 21:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZb3m-0007Li-7y for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 21:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZb3m-00Cnvj-0U for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 21:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZb3l-00GDlK-2T for xen-changelog@lists.xenproject.org; Tue, 16 Jun 2026 21:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kgkf17YymPhaHzL08djWFQm9wTGtzgBx/mY7x4LA8IQ=; b=u475u91W3vj0ffw39h1/vPdPUD VC/qSXIvEpoVgjXwWLEKN96pehM3T61LvRW2RcjnKNqS3vcEZxa/6tYXOq/rcNN9CIXBh0x8bvh2Y 0CLI/I0eNEhoigX5Df9NdsH59UvujE8eOa0e159Ao1cVSmfmjXT3EYtyu1BD6agoLTAU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/ucode: Exclude Zen6 from entrysign digest checking Message-Id: Date: Tue, 16 Jun 2026 21:11:01 +0000 commit 6ba5e9c7b887d85c7e7f385892d7edbf2573a279 Author: Andrew Cooper AuthorDate: Tue Jun 16 11:37:44 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 16 18:33:39 2026 +0100 x86/ucode: Exclude Zen6 from entrysign digest checking There is a 3rd path which should have gained an is_zen6_uarch() check to exclude Zen6 from entrysign mitigations. Fixes: bd15fdedafb3 ("x86/ucode: Exclude Zen6 from entrysign mitigations") Signed-off-by: Andrew Cooper Reviewed-by: Teddy Astie Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/cpu/microcode/amd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index 2ba1fa825f..2d49110228 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -128,7 +128,8 @@ static bool check_digest(const struct container_microcode *mc) * the digest of the patch against a list of known provenance. */ if ( boot_cpu_data.family < 0x17 || boot_cpu_data.family > 0x1a || - entrysign_mitigated_in_firmware || !opt_digest_check ) + is_zen6_uarch() || entrysign_mitigated_in_firmware || + !opt_digest_check ) return true; pd = bsearch(&patch->patch_id, patch_digests, ARRAY_SIZE(patch_digests), -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 08:55:11 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 08:55:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339890.1600935 (Exim 4.92) (envelope-from ) id 1wZm37-0000Y9-3M; Wed, 17 Jun 2026 08:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339890.1600935; Wed, 17 Jun 2026 08:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZm37-0000Y0-0m; Wed, 17 Jun 2026 08:55:05 +0000 Received: by outflank-mailman (input) for mailman id 1339890; Wed, 17 Jun 2026 08:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZm35-0000Xu-HG for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZm35-00E8sY-0u for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZm34-00AwIG-35 for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SQb/zGNGlTP38+eR3HXnLftGt2jiFxo9j9W/+LDNWpk=; b=Q6fd7+QPuctcWscXW7cJb/i5Vi dPyqb380q0bLpDT6rOjED+VowUIolEdzYNAXdiUqIJ4E2spN/tYSUoJanYouqN+gc7AgO92eATPKf /Y//lUYMm+T4F+CDRsm/J4lKvMm0J3kR6BpWJxC+4tzvlbJxIsv3UnMqASCacV0CPDlA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] libfdt: fix UBSAN null pointer in fdt_property() Message-Id: Date: Wed, 17 Jun 2026 08:55:02 +0000 commit be18ad502e5d4f9248e1f020d3e0d55a7b9ea986 Author: Oleksii Kurochko AuthorDate: Wed Jun 17 09:20:51 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 09:20:51 2026 +0200 libfdt: fix UBSAN null pointer in fdt_property() fdt_property() unconditionally calls memcpy(ptr, val, len) even when len is zero and val is NULL. This is a legitimate calling convention for adding empty FDT properties such as "interrupt-controller", which carry no payload. However, compilers that treat memcpy as nonnull on its pointer arguments will fire UBSAN before observing that len is zero. Guard the memcpy() with a check on len so it is skipped entirely when there is no payload to copy, bringing the code in line with the nonnull contract. Signed-off-by: Oleksii Kurochko Signed-off-by: David Gibson Origin: git://git.kernel.org/pub/scm/utils/dtc/dtc.git f57e7df35df4 Fixes: f0ea06558068 ("libfdt: add version 1.3.0") Signed-off-by: Oleksii Kurochko Reviewed-by: Baptiste Le Duc Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/common/libfdt/fdt_sw.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/common/libfdt/fdt_sw.c b/xen/common/libfdt/fdt_sw.c index 4c569ee7eb..96d4cf5713 100644 --- a/xen/common/libfdt/fdt_sw.c +++ b/xen/common/libfdt/fdt_sw.c @@ -330,7 +330,8 @@ int fdt_property(void *fdt, const char *name, const void *val, int len) ret = fdt_property_placeholder(fdt, name, len, &ptr); if (ret) return ret; - memcpy(ptr, val, len); + if (len) + memcpy(ptr, val, len); return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 08:55:15 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 08:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1339891.1600938 (Exim 4.92) (envelope-from ) id 1wZm3H-0000Zj-5S; Wed, 17 Jun 2026 08:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1339891.1600938; Wed, 17 Jun 2026 08:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZm3H-0000Za-27; Wed, 17 Jun 2026 08:55:15 +0000 Received: by outflank-mailman (input) for mailman id 1339891; Wed, 17 Jun 2026 08:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZm3F-0000ZI-8H for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZm3F-00E8ub-1c for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZm3F-00AwnS-0F for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 08:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5yo+eXEsUnohW3iHC0TOFOr6hxO5NlddwqmIBUvJEf4=; b=l6yhzwfyT3V8/JhwEd5br29OYl a4NMCSHTY5SlYu0Pt1hRsT1zgudQAup2tnt/osHqsSf/kmJx2xMhzxtg10OLVS3mN4oZFwb2h/jaN 4+BgbOjxB+Iy6+GnDl9bn0u9udFF5WpkZCmHE2I0L48qLh++aUAVwrA58Mlab8tGb/lo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl/XSM: avoid XSM_OTHER with xsm_domctl() Message-Id: Date: Wed, 17 Jun 2026 08:55:13 +0000 commit 88845240803ef3b601207ea368c98403c92f3fdc Author: Jan Beulich AuthorDate: Wed Jun 17 09:21:38 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 09:21:38 2026 +0200 domctl/XSM: avoid XSM_OTHER with xsm_domctl() Make explicit at the call sites what (default) permission is required. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 2 +- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 ++-- xen/include/xsm/dummy.h | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index d1bd753481..07f712a0a4 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -331,7 +331,7 @@ long arch_do_domctl( /* Games to allow this code block to handle a compat guest. */ void __user *guest_handle = domctl->u.getpageframeinfo3.array.p; - ret = xsm_domctl(XSM_OTHER, d, domctl); + ret = xsm_domctl(XSM_PRIV, d, domctl); if ( ret ) break; diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index bfb5b423a0..14ab7defd8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -743,7 +743,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, &op); + ret = xsm_domctl(XSM_PRIV, d, &op); if ( !ret ) { bool lock = !(op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 61149d740e..32ef5b2e38 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -518,7 +518,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) { - ret = xsm_domctl(XSM_OTHER, d, op); + ret = xsm_domctl(XSM_PRIV, d, op); if ( !ret ) ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_rcuonly; @@ -544,7 +544,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op); + ret = xsm_domctl(XSM_PRIV, d, op); if ( ret ) goto domctl_out_unlock_rcuonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 36369da963..74b1c0ed39 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -157,7 +157,7 @@ static XSM_INLINE int cf_check xsm_set_target( static XSM_INLINE int cf_check xsm_domctl( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { - XSM_ASSERT_ACTION(XSM_OTHER); + XSM_ASSERT_ACTION(XSM_PRIV); switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: @@ -176,7 +176,7 @@ static XSM_INLINE int cf_check xsm_domctl( return -EILSEQ; default: - return xsm_default_action(XSM_PRIV, current->domain, d); + return xsm_default_action(action, current->domain, d); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 10:44:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 10:44:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340042.1601041 (Exim 4.92) (envelope-from ) id 1wZnkZ-00038y-UO; Wed, 17 Jun 2026 10:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340042.1601041; Wed, 17 Jun 2026 10:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZnkZ-00038q-Rq; Wed, 17 Jun 2026 10:44:03 +0000 Received: by outflank-mailman (input) for mailman id 1340042; Wed, 17 Jun 2026 10:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZnkY-00038i-2O for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZnkY-00EAqv-0X for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZnkX-00CWgt-2k for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tYAtDLMfCVbeBX71PFIsLeigMBVWY+LDGV74APM/XA4=; b=rziGheu7Lx0mYnnVqDRry8mgcX FbHajSIUWSnzT9xzak0cHe1lML31QHJWgE/pBlBNzw5Lwq7vXJUfCasstQ1c4NIoadK/oWGt8nDIC 21kgG6FWJGBCL7764TmY1MfzCNc9zLNtvuGP4FpMlTxYlA/f2pVuRebghGKTC5X34CP0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] libfdt: fix UBSAN null pointer in fdt_property() Message-Id: Date: Wed, 17 Jun 2026 10:44:01 +0000 commit be18ad502e5d4f9248e1f020d3e0d55a7b9ea986 Author: Oleksii Kurochko AuthorDate: Wed Jun 17 09:20:51 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 09:20:51 2026 +0200 libfdt: fix UBSAN null pointer in fdt_property() fdt_property() unconditionally calls memcpy(ptr, val, len) even when len is zero and val is NULL. This is a legitimate calling convention for adding empty FDT properties such as "interrupt-controller", which carry no payload. However, compilers that treat memcpy as nonnull on its pointer arguments will fire UBSAN before observing that len is zero. Guard the memcpy() with a check on len so it is skipped entirely when there is no payload to copy, bringing the code in line with the nonnull contract. Signed-off-by: Oleksii Kurochko Signed-off-by: David Gibson Origin: git://git.kernel.org/pub/scm/utils/dtc/dtc.git f57e7df35df4 Fixes: f0ea06558068 ("libfdt: add version 1.3.0") Signed-off-by: Oleksii Kurochko Reviewed-by: Baptiste Le Duc Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/common/libfdt/fdt_sw.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/common/libfdt/fdt_sw.c b/xen/common/libfdt/fdt_sw.c index 4c569ee7eb..96d4cf5713 100644 --- a/xen/common/libfdt/fdt_sw.c +++ b/xen/common/libfdt/fdt_sw.c @@ -330,7 +330,8 @@ int fdt_property(void *fdt, const char *name, const void *val, int len) ret = fdt_property_placeholder(fdt, name, len, &ptr); if (ret) return ret; - memcpy(ptr, val, len); + if (len) + memcpy(ptr, val, len); return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 10:44:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 10:44:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340043.1601046 (Exim 4.92) (envelope-from ) id 1wZnkj-0003Ap-Vs; Wed, 17 Jun 2026 10:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340043.1601046; Wed, 17 Jun 2026 10:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZnkj-0003Ah-TI; Wed, 17 Jun 2026 10:44:13 +0000 Received: by outflank-mailman (input) for mailman id 1340043; Wed, 17 Jun 2026 10:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZnki-0003AX-2j for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZnki-00EAr0-0t for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZnkh-00CWoc-33 for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 10:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=noa+Jh8u8x4QhGvmcNUYn9Hh5S1o52ZEFalCwSZmetU=; b=IQt/r237XKLKDWTusnEntXhQaG MnXpVx9/OLb3sHd1m6OmHXjNqOfzwO6ey0EzGpGHbUfv164XcZwXEfHk8so1KgZ/B1qBjBc01F1bw N9UTmNUkBJZy9oRkUI4fFefwkPdr9cbWixVYUxW07ur+pqeZ+sd7ddnd7WjJE3p06pTk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl/XSM: avoid XSM_OTHER with xsm_domctl() Message-Id: Date: Wed, 17 Jun 2026 10:44:11 +0000 commit 88845240803ef3b601207ea368c98403c92f3fdc Author: Jan Beulich AuthorDate: Wed Jun 17 09:21:38 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 09:21:38 2026 +0200 domctl/XSM: avoid XSM_OTHER with xsm_domctl() Make explicit at the call sites what (default) permission is required. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/domctl.c | 2 +- xen/arch/x86/mm/paging.c | 2 +- xen/common/domctl.c | 4 ++-- xen/include/xsm/dummy.h | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index d1bd753481..07f712a0a4 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -331,7 +331,7 @@ long arch_do_domctl( /* Games to allow this code block to handle a compat guest. */ void __user *guest_handle = domctl->u.getpageframeinfo3.array.p; - ret = xsm_domctl(XSM_OTHER, d, domctl); + ret = xsm_domctl(XSM_PRIV, d, domctl); if ( ret ) break; diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index bfb5b423a0..14ab7defd8 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -743,7 +743,7 @@ long do_paging_domctl_cont( if ( d == NULL ) return -ESRCH; - ret = xsm_domctl(XSM_OTHER, d, &op); + ret = xsm_domctl(XSM_PRIV, d, &op); if ( !ret ) { bool lock = !(op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 61149d740e..32ef5b2e38 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -518,7 +518,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) { - ret = xsm_domctl(XSM_OTHER, d, op); + ret = xsm_domctl(XSM_PRIV, d, op); if ( !ret ) ret = arch_do_domctl(op, d, u_domctl); goto domctl_out_unlock_rcuonly; @@ -544,7 +544,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - ret = xsm_domctl(XSM_OTHER, d, op); + ret = xsm_domctl(XSM_PRIV, d, op); if ( ret ) goto domctl_out_unlock_rcuonly; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 36369da963..74b1c0ed39 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -157,7 +157,7 @@ static XSM_INLINE int cf_check xsm_set_target( static XSM_INLINE int cf_check xsm_domctl( XSM_DEFAULT_ARG struct domain *d, struct xen_domctl *op) { - XSM_ASSERT_ACTION(XSM_OTHER); + XSM_ASSERT_ACTION(XSM_PRIV); switch ( op->cmd ) { case XEN_DOMCTL_bind_pt_irq: @@ -176,7 +176,7 @@ static XSM_INLINE int cf_check xsm_domctl( return -EILSEQ; default: - return xsm_default_action(XSM_PRIV, current->domain, d); + return xsm_default_action(action, current->domain, d); } } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 12:11:07 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 12:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340398.1601445 (Exim 4.92) (envelope-from ) id 1wZp6m-0005yF-CY; Wed, 17 Jun 2026 12:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340398.1601445; Wed, 17 Jun 2026 12:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZp6m-0005y7-9s; Wed, 17 Jun 2026 12:11:04 +0000 Received: by outflank-mailman (input) for mailman id 1340398; Wed, 17 Jun 2026 12:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZp6k-0005xy-JR for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZp6k-00ECPs-1L for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZp6k-00EHb8-09 for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NDFI4WZgUTiDNv/lMKW3cgM9KiLj45VFg4MiRe5oI7A=; b=tRAjII/33QXcuGMhb0sDhz98o/ /a7d9tPT4aDGN/0EPf6o25o3mkritnp4YFcKtRWcV69EPSMT5C5tmTHFVvaceEpAle8ievFXAnRuI N2ZBQ2PgBTuUcThh5WyQha08Vg2nD1ztRBTgYMKXOXTH76CAUIjk1R6jPoWhR43146Z4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] sched: introduce specialization of "running only" vcpu_runstate_get() Message-Id: Date: Wed, 17 Jun 2026 12:11:02 +0000 commit 519bf1f8f3bb78ae1d826f22d593a486cd302266 Author: Jan Beulich AuthorDate: Wed Jun 17 12:39:36 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 12:39:36 2026 +0200 sched: introduce specialization of "running only" vcpu_runstate_get() About half the callers of vcpu_runstate_get() are solely after the "running" time of a vCPU. Introduce a specialization with a smaller read critical section and thus reduced risk of a need for retries. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 11 +++-------- xen/common/sched/core.c | 30 +++++++++++++++++++++++++----- xen/include/xen/sched.h | 1 + 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 32ef5b2e38..e98fddf515 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -56,7 +56,6 @@ void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info) struct vcpu *v; u64 cpu_time = 0; int flags = XEN_DOMINF_blocked; - struct vcpu_runstate_info runstate; memset(info, 0, sizeof(*info)); @@ -69,8 +68,7 @@ void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info) */ for_each_vcpu ( d, v ) { - vcpu_runstate_get(v, &runstate); - cpu_time += runstate.time[RUNSTATE_running]; + cpu_time += vcpu_runstate_get_running(v); info->max_vcpu_id = v->vcpu_id; if ( !(v->pause_flags & VPF_down) ) { @@ -796,8 +794,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_getvcpuinfo: { - struct vcpu *v; - struct vcpu_runstate_info runstate; + const struct vcpu *v; ret = -EINVAL; if ( op->u.getvcpuinfo.vcpu >= d->max_vcpus ) @@ -807,12 +804,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (v = d->vcpu[op->u.getvcpuinfo.vcpu]) == NULL ) break; - vcpu_runstate_get(v, &runstate); - op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); op->u.getvcpuinfo.running = v->is_running; - op->u.getvcpuinfo.cpu_time = runstate.time[RUNSTATE_running]; + op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); op->u.getvcpuinfo.cpu = v->processor; ret = 0; copyback = 1; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index cf7c4e7a8a..c59c1dc872 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -325,15 +325,35 @@ void vcpu_runstate_get(const struct vcpu *v, } } -uint64_t get_cpu_idle_time(unsigned int cpu) +uint64_t vcpu_runstate_get_running(const struct vcpu *v) { - struct vcpu_runstate_info state = { 0 }; - const struct vcpu *v = idle_vcpu[cpu]; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = v == current ? &seq : &v->runstate_seq; + unsigned int count; + uint64_t running; + s_time_t delta; + + do { + count = read_seqcount_begin(s); + + running = v->runstate.time[RUNSTATE_running]; + delta = v->runstate.state == RUNSTATE_running + ? NOW() - v->runstate.state_entry_time + : 0; + } while ( read_seqcount_retry(s, count) ); + + if ( delta > 0 ) + running += delta; + return running; +} + +uint64_t get_cpu_idle_time(unsigned int cpu) +{ if ( cpu_online(cpu) && get_sched_res(cpu) ) - vcpu_runstate_get(v, &state); + return vcpu_runstate_get_running(idle_vcpu[cpu]); - return state.time[RUNSTATE_running]; + return 0; } /* diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 11ffebbea4..91f6db7a32 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -1121,6 +1121,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate); +uint64_t vcpu_runstate_get_running(const struct vcpu *v); uint64_t get_cpu_idle_time(unsigned int cpu); void sched_guest_idle(void (*idle) (void), unsigned int cpu); void scheduler_enable(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 12:11:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 12:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340399.1601450 (Exim 4.92) (envelope-from ) id 1wZp6v-00061V-Di; Wed, 17 Jun 2026 12:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340399.1601450; Wed, 17 Jun 2026 12:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZp6v-00061N-B7; Wed, 17 Jun 2026 12:11:13 +0000 Received: by outflank-mailman (input) for mailman id 1340399; Wed, 17 Jun 2026 12:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZp6u-000606-8y for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZp6u-00ECPx-1g for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZp6u-00EHoo-0c for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 12:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=orW0lzKjr9XdTf/3fUF2j1ATf4aZjik2vvlG8HQUmEY=; b=AifMNCoPOcpka7JI6oXf2iL6pQ Rjx9FntvI7tQ33Te56YRRlyfmaEBWhMIXupY7QbSln/3x1Pndd0oQdJN+W6xh+tXeRDXpeYeWFsrA 33w7i9WrrW71SdSwLRbPGiP1eo8jy9Ac9MkQqiPDsNNwBMZ7AJhy+Tyadhu5f8Zo2/JY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: handle XEN_DOMCTL_getvcpuinfo without acquiring domctl lock Message-Id: Date: Wed, 17 Jun 2026 12:11:12 +0000 commit 0fbf40089a6fc7c3b8ec1da5def155b23b536c83 Author: Jan Beulich AuthorDate: Wed Jun 17 12:40:00 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 12:40:00 2026 +0200 domctl: handle XEN_DOMCTL_getvcpuinfo without acquiring domctl lock Like for XEN_DOMCTL_getdomaininfo there's no need to hold the domctl lock for XEN_DOMCTL_getvcpuinfo. While moving the code also switch to using domain_vcpu(). Signed-off-by: Jan Beulich Tentatively-acked-by: Andrew Cooper Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 49 +++++++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e98fddf515..07793a9d0b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -546,6 +546,33 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( ret ) goto domctl_out_unlock_rcuonly; + switch ( op->cmd ) + { + case XEN_DOMCTL_getvcpuinfo: + { + const struct vcpu *v = domain_vcpu(d, op->u.getvcpuinfo.vcpu); + + if ( !v ) + { + ret = -ENOENT; + goto domctl_out_unlock_rcuonly; + } + + op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); + op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); + op->u.getvcpuinfo.running = v->is_running; + op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); + op->u.getvcpuinfo.cpu = v->processor; + + copyback = true; + goto domctl_out_unlock_rcuonly; + } + + default: + /* Everything else handled further up or further down. */ + break; + } + if ( !domctl_lock_acquire() ) { if ( d && d != dom_io ) @@ -792,28 +819,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_getvcpuinfo: - { - const struct vcpu *v; - - ret = -EINVAL; - if ( op->u.getvcpuinfo.vcpu >= d->max_vcpus ) - break; - - ret = -ESRCH; - if ( (v = d->vcpu[op->u.getvcpuinfo.vcpu]) == NULL ) - break; - - op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); - op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); - op->u.getvcpuinfo.running = v->is_running; - op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); - op->u.getvcpuinfo.cpu = v->processor; - ret = 0; - copyback = 1; - break; - } - case XEN_DOMCTL_max_mem: { uint64_t new_max = op->u.max_mem.max_memkb >> (PAGE_SHIFT - 10); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 13:33:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 13:33:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340449.1601472 (Exim 4.92) (envelope-from ) id 1wZqO7-0000Vp-Hi; Wed, 17 Jun 2026 13:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340449.1601472; Wed, 17 Jun 2026 13:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZqO7-0000Vh-Et; Wed, 17 Jun 2026 13:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1340449; Wed, 17 Jun 2026 13:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZqO6-0000Vb-1p for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZqO6-00EDnj-03 for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZqO5-00FbQh-1x for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ryCX6aAz9CkEr889PdqQHzACzYngcI8ojeHtB6wAXZA=; b=DE8cqylLMyOH/GDGPUReIkhzZX rIygmAsHr1fWuSLvivAllFCr7S1smn009EjfsaWz9fUk/wChkEaxcP8lnVyKAnfTUpOpNmqQS6FId 0eGCBv/7730kcoUXNT5SVHJtd0ghfAZ5ibaAXsK1Xs3rmoQIHZjXCnwzOV4IS5/mdzw4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] sched: introduce specialization of "running only" vcpu_runstate_get() Message-Id: Date: Wed, 17 Jun 2026 13:33:01 +0000 commit 519bf1f8f3bb78ae1d826f22d593a486cd302266 Author: Jan Beulich AuthorDate: Wed Jun 17 12:39:36 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 12:39:36 2026 +0200 sched: introduce specialization of "running only" vcpu_runstate_get() About half the callers of vcpu_runstate_get() are solely after the "running" time of a vCPU. Introduce a specialization with a smaller read critical section and thus reduced risk of a need for retries. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 11 +++-------- xen/common/sched/core.c | 30 +++++++++++++++++++++++++----- xen/include/xen/sched.h | 1 + 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 32ef5b2e38..e98fddf515 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -56,7 +56,6 @@ void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info) struct vcpu *v; u64 cpu_time = 0; int flags = XEN_DOMINF_blocked; - struct vcpu_runstate_info runstate; memset(info, 0, sizeof(*info)); @@ -69,8 +68,7 @@ void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info) */ for_each_vcpu ( d, v ) { - vcpu_runstate_get(v, &runstate); - cpu_time += runstate.time[RUNSTATE_running]; + cpu_time += vcpu_runstate_get_running(v); info->max_vcpu_id = v->vcpu_id; if ( !(v->pause_flags & VPF_down) ) { @@ -796,8 +794,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) case XEN_DOMCTL_getvcpuinfo: { - struct vcpu *v; - struct vcpu_runstate_info runstate; + const struct vcpu *v; ret = -EINVAL; if ( op->u.getvcpuinfo.vcpu >= d->max_vcpus ) @@ -807,12 +804,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( (v = d->vcpu[op->u.getvcpuinfo.vcpu]) == NULL ) break; - vcpu_runstate_get(v, &runstate); - op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); op->u.getvcpuinfo.running = v->is_running; - op->u.getvcpuinfo.cpu_time = runstate.time[RUNSTATE_running]; + op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); op->u.getvcpuinfo.cpu = v->processor; ret = 0; copyback = 1; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index cf7c4e7a8a..c59c1dc872 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -325,15 +325,35 @@ void vcpu_runstate_get(const struct vcpu *v, } } -uint64_t get_cpu_idle_time(unsigned int cpu) +uint64_t vcpu_runstate_get_running(const struct vcpu *v) { - struct vcpu_runstate_info state = { 0 }; - const struct vcpu *v = idle_vcpu[cpu]; + struct seqcount seq = SEQCNT_ZERO(); + const struct seqcount *s = v == current ? &seq : &v->runstate_seq; + unsigned int count; + uint64_t running; + s_time_t delta; + + do { + count = read_seqcount_begin(s); + + running = v->runstate.time[RUNSTATE_running]; + delta = v->runstate.state == RUNSTATE_running + ? NOW() - v->runstate.state_entry_time + : 0; + } while ( read_seqcount_retry(s, count) ); + + if ( delta > 0 ) + running += delta; + return running; +} + +uint64_t get_cpu_idle_time(unsigned int cpu) +{ if ( cpu_online(cpu) && get_sched_res(cpu) ) - vcpu_runstate_get(v, &state); + return vcpu_runstate_get_running(idle_vcpu[cpu]); - return state.time[RUNSTATE_running]; + return 0; } /* diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 11ffebbea4..91f6db7a32 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -1121,6 +1121,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, void vcpu_runstate_get(const struct vcpu *v, struct vcpu_runstate_info *runstate); +uint64_t vcpu_runstate_get_running(const struct vcpu *v); uint64_t get_cpu_idle_time(unsigned int cpu); void sched_guest_idle(void (*idle) (void), unsigned int cpu); void scheduler_enable(void); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 17 13:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 17 Jun 2026 13:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340450.1601476 (Exim 4.92) (envelope-from ) id 1wZqOH-0000Xk-J2; Wed, 17 Jun 2026 13:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340450.1601476; Wed, 17 Jun 2026 13:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZqOH-0000Xc-GD; Wed, 17 Jun 2026 13:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1340450; Wed, 17 Jun 2026 13:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZqOG-0000XM-0a for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wZqOG-00EDno-0h for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wZqOF-00FbaH-2Z for xen-changelog@lists.xenproject.org; Wed, 17 Jun 2026 13:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6xLHyyMJ1uucVtKsVwRVWY+Mc2Vis5tzUor8450+QfY=; b=Vq4latY5XQZgP/KgSZleXHuw8+ dP0swhlbW83m3ZwhNQLJ4ogh/AACRyAcbu8IvQoAt1wIpIIbAhXWDN14vrPlgNQP6Bf/hWpm7d19z nvViiYBLPqZZ3KWlPzYAd3YDMPe2uQ0J0Nk11AdGW7ndAbQaPRu8ZzQnOp5Nn/ijCik4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: handle XEN_DOMCTL_getvcpuinfo without acquiring domctl lock Message-Id: Date: Wed, 17 Jun 2026 13:33:11 +0000 commit 0fbf40089a6fc7c3b8ec1da5def155b23b536c83 Author: Jan Beulich AuthorDate: Wed Jun 17 12:40:00 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 17 12:40:00 2026 +0200 domctl: handle XEN_DOMCTL_getvcpuinfo without acquiring domctl lock Like for XEN_DOMCTL_getdomaininfo there's no need to hold the domctl lock for XEN_DOMCTL_getvcpuinfo. While moving the code also switch to using domain_vcpu(). Signed-off-by: Jan Beulich Tentatively-acked-by: Andrew Cooper Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 49 +++++++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e98fddf515..07793a9d0b 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -546,6 +546,33 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) if ( ret ) goto domctl_out_unlock_rcuonly; + switch ( op->cmd ) + { + case XEN_DOMCTL_getvcpuinfo: + { + const struct vcpu *v = domain_vcpu(d, op->u.getvcpuinfo.vcpu); + + if ( !v ) + { + ret = -ENOENT; + goto domctl_out_unlock_rcuonly; + } + + op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); + op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); + op->u.getvcpuinfo.running = v->is_running; + op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); + op->u.getvcpuinfo.cpu = v->processor; + + copyback = true; + goto domctl_out_unlock_rcuonly; + } + + default: + /* Everything else handled further up or further down. */ + break; + } + if ( !domctl_lock_acquire() ) { if ( d && d != dom_io ) @@ -792,28 +819,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } - case XEN_DOMCTL_getvcpuinfo: - { - const struct vcpu *v; - - ret = -EINVAL; - if ( op->u.getvcpuinfo.vcpu >= d->max_vcpus ) - break; - - ret = -ESRCH; - if ( (v = d->vcpu[op->u.getvcpuinfo.vcpu]) == NULL ) - break; - - op->u.getvcpuinfo.online = !(v->pause_flags & VPF_down); - op->u.getvcpuinfo.blocked = !!(v->pause_flags & VPF_blocked); - op->u.getvcpuinfo.running = v->is_running; - op->u.getvcpuinfo.cpu_time = vcpu_runstate_get_running(v); - op->u.getvcpuinfo.cpu = v->processor; - ret = 0; - copyback = 1; - break; - } - case XEN_DOMCTL_max_mem: { uint64_t new_max = op->u.max_mem.max_memkb >> (PAGE_SHIFT - 10); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 09:22:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 09:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340874.1601552 (Exim 4.92) (envelope-from ) id 1wa8wl-00072a-Fq; Thu, 18 Jun 2026 09:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340874.1601552; Thu, 18 Jun 2026 09:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8wl-00072R-Cu; Thu, 18 Jun 2026 09:22:03 +0000 Received: by outflank-mailman (input) for mailman id 1340874; Thu, 18 Jun 2026 09:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8wk-00072L-IE for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wa8wk-00FiWB-1D for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wa8wk-004Dbr-0B for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pd5Xod729oqsY4VLgnyGC0oZoU2jK2tOllNz4IIr3XM=; b=2iqKculdIHK+2mbM71+N4rZEyJ lEIAeL0ntOqZBawBAei7+vS6n+QpueHZFvBh1KN5u9+XeRYHP6vgPxA9f5cfnFmtr6UE7jdR0VWww RVJog0vuzzg/0PVJWk88pDn0qx9JRI203+T1LGrsq2T5fOfG9b11CTPyvDkt5knNE6zA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: move early special casing of XEN_DOMCTL_shadow_op Message-Id: Date: Thu, 18 Jun 2026 09:22:02 +0000 commit 77e03ac856b3a948ace816e27bb652f872ffbd02 Author: Jan Beulich AuthorDate: Thu Jun 18 10:01:30 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:01:30 2026 +0200 domctl: move early special casing of XEN_DOMCTL_shadow_op This wants xsm_domctl() invoked, but the domctl lock not taken. Move the handling to the respective switch(), thus eliminating the need for a separate xsm_domctl() invocation. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 07793a9d0b..b3f3c99c41 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -512,17 +512,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; - case XEN_DOMCTL_shadow_op: - if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || - op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) - { - ret = xsm_domctl(XSM_PRIV, d, op); - if ( !ret ) - ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_rcuonly; - } - break; - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); goto domctl_out_unlock_rcuonly; @@ -568,6 +557,16 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_rcuonly; } + case XEN_DOMCTL_shadow_op: + if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) + { + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_rcuonly; + } + /* Other sub-ops handled by arch_do_domctl() further down. */ + break; + default: /* Everything else handled further up or further down. */ break; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 09:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 09:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340875.1601557 (Exim 4.92) (envelope-from ) id 1wa8wv-000741-HV; Thu, 18 Jun 2026 09:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340875.1601557; Thu, 18 Jun 2026 09:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8wv-00073u-EH; Thu, 18 Jun 2026 09:22:13 +0000 Received: by outflank-mailman (input) for mailman id 1340875; Thu, 18 Jun 2026 09:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8wu-00073d-96 for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wa8wu-00FiWF-1X for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wa8wu-004Dcn-0U for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=n+we4iS4HAsE4wyNZXaZnJnTEG4ONBtGYqdIHpdTXmM=; b=BdQ27LPG5/PlyqFESJC30gVXmt 7qWxV6JU+RIM9BVXHX/7ILaKwvUnJFXQbPuGXNKmddmV2lLTsrYlkEFV+OeEE/oiEp4pG922Z8M1Y hG06JOyF8151amTx0jQcnztlojrQcwftN27dkQSzrWJBIRoHixiyqD6xTv4vw62qoHaY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: restrict permission check for XEN_DOMCTL_memory_mapping's remove form Message-Id: Date: Thu, 18 Jun 2026 09:22:12 +0000 commit 6df6f24251dbc13c02c25ac71d463cdaf60795e0 Author: Jan Beulich AuthorDate: Thu Jun 18 10:01:55 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:01:55 2026 +0200 domctl: restrict permission check for XEN_DOMCTL_memory_mapping's remove form Be less strict with permissions checks when removing a mapping and only request the caller domain to have access to the region. Keep the same permission checks for addition operations. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index b3f3c99c41..e30b38a337 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,25 +436,16 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_rcuonly; #endif + /* + * NB: The double lock isn't really needed when !add, but is used anyway + * to keep things simple. + */ iocaps_double_lock(d, false); ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ) /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", - d, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d, gfn, mfn, nr_mfns, ret); - } - else + else if ( !add ) { printk(XENLOG_G_DEBUG "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", @@ -466,6 +457,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing %pd access to [%lx,%lx]\n", ret, d, mfn, mfn_end); } + else if ( iomem_access_permitted(d, mfn, mfn_end) ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } iocaps_double_unlock(d, false); goto domctl_out_unlock_rcuonly; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 09:22:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 09:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340876.1601560 (Exim 4.92) (envelope-from ) id 1wa8x5-00076n-L8; Thu, 18 Jun 2026 09:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340876.1601560; Thu, 18 Jun 2026 09:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8x5-00076e-IN; Thu, 18 Jun 2026 09:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1340876; Thu, 18 Jun 2026 09:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wa8x4-00076Y-DI for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wa8x4-00FiWe-22 for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wa8x4-004DeQ-0p for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 09:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6OF2bi0f6YNLy+z9X8qN1d///bzTMPReTNvD2EwB1GY=; b=sGpoVHdcDtsR8xb9vxEqRORF9y hXkoht4oct8+w9MHDBYboE1wrCQAO/039rr9zOUmC20Ovwxf+qw5g49uZ0J9fEotcztR+YS0wlYOe kVV8WbWfJmOM36IoPZa3IRf/n7uYMz5beRpbR4pcJcy4L3jbK/x1mnGi4xurTOsGQBQM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] domctl: correct return value of XEN_DOMCTL_[gs]etvcpuaffinity Message-Id: Date: Thu, 18 Jun 2026 09:22:22 +0000 commit 6a21252a742ec021a814e124b88d273da37065db Author: Jan Beulich AuthorDate: Thu Jun 18 10:02:34 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:02:34 2026 +0200 domctl: correct return value of XEN_DOMCTL_[gs]etvcpuaffinity cpumask_to_xenctl_bitmap() may return errors. Clearing the error indicator of an earlier such call by a (successful) later call is misleading the caller. For "set", keep setting soft affinity if the hard affinity copy- back fails; only accumulate respective errors. While fiddling with return values, also drop a redundant clearing of "ret". This eliminates a Misra C:2012 rule 2.2 ("There shall be no dead code") violation. Fixes: 6e4ecc6d5884 ("sched: DOMCTL_*vcpuaffinity works with hard and soft affinity") Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/sched/core.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c59c1dc872..3609721426 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -1708,7 +1708,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, { struct vcpu *v; const struct sched_unit *unit; - int ret = 0; + int ret = 0, hret = 0; if ( vcpuaff->vcpu >= d->max_vcpus ) return -EINVAL; @@ -1746,19 +1746,17 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, if ( vcpuaff->flags & XEN_VCPUAFFINITY_FORCE ) vcpu_temporary_affinity(v, NR_CPUS, VCPU_AFFINITY_OVERRIDE); - ret = 0; - /* * We both set a new affinity and report back to the caller what * the scheduler will be effectively using. */ if ( vcpuaff->flags & XEN_VCPUAFFINITY_HARD ) { - ret = xenctl_bitmap_to_bitmap(cpumask_bits(new_affinity), - &vcpuaff->cpumap_hard, nr_cpu_ids); - if ( !ret ) - ret = vcpu_set_hard_affinity(v, new_affinity); - if ( ret ) + hret = xenctl_bitmap_to_bitmap(cpumask_bits(new_affinity), + &vcpuaff->cpumap_hard, nr_cpu_ids); + if ( !hret ) + hret = vcpu_set_hard_affinity(v, new_affinity); + if ( hret ) goto setvcpuaffinity_out; /* @@ -1766,7 +1764,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, * cpupool's online mask and the new hard affinity. */ cpumask_and(new_affinity, online, unit->cpu_hard_affinity); - ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, new_affinity); + hret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, new_affinity); } if ( vcpuaff->flags & XEN_VCPUAFFINITY_SOFT ) { @@ -1804,14 +1802,14 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, else { if ( vcpuaff->flags & XEN_VCPUAFFINITY_HARD ) - ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, - unit->cpu_hard_affinity); + hret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, + unit->cpu_hard_affinity); if ( vcpuaff->flags & XEN_VCPUAFFINITY_SOFT ) ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_soft, unit->cpu_soft_affinity); } - return ret; + return hret ?: ret; } bool alloc_affinity_masks(struct affinity_masks *affinity) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 10:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 10:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340922.1601577 (Exim 4.92) (envelope-from ) id 1waA3c-0000Z3-Pi; Thu, 18 Jun 2026 10:33:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340922.1601577; Thu, 18 Jun 2026 10:33:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3c-0000Yv-N4; Thu, 18 Jun 2026 10:33:12 +0000 Received: by outflank-mailman (input) for mailman id 1340922; Thu, 18 Jun 2026 10:33:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3b-0000Yl-K7 for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1waA3b-00FjpE-2n for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1waA3b-004IiF-1i for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jaxZD+Ue1tAlzGUw+dAT8CBE0sY2dMz3D2ueO9md6NQ=; b=wgWdTWA0rx9hiGytJGcBq8lqE1 3ge+GrX+xHuax+0SwkexkRGHTAtMepM8XSPZPklweqX/SBs5rUhkqlvAmlYy2qZpJrOvsYPChvVFJ HP1mM5xniG0RHe2KbFOI9p2RFdPqMAyFWKrPZgg6FLEAAikukzLJCEPEmP8+atml5+KU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: restrict permission check for XEN_DOMCTL_memory_mapping's remove form Message-Id: Date: Thu, 18 Jun 2026 10:33:11 +0000 commit 6df6f24251dbc13c02c25ac71d463cdaf60795e0 Author: Jan Beulich AuthorDate: Thu Jun 18 10:01:55 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:01:55 2026 +0200 domctl: restrict permission check for XEN_DOMCTL_memory_mapping's remove form Be less strict with permissions checks when removing a mapping and only request the caller domain to have access to the region. Keep the same permission checks for addition operations. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index b3f3c99c41..e30b38a337 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -436,25 +436,16 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_rcuonly; #endif + /* + * NB: The double lock isn't really needed when !add, but is used anyway + * to keep things simple. + */ iocaps_double_lock(d, false); ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ) /* Nothing. */; - else if ( add ) - { - printk(XENLOG_G_DEBUG - "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", - d, gfn, mfn, nr_mfns); - - ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); - if ( ret < 0 ) - printk(XENLOG_G_WARNING - "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d, gfn, mfn, nr_mfns, ret); - } - else + else if ( !add ) { printk(XENLOG_G_DEBUG "memory_map:remove: %pd gfn=%lx mfn=%lx nr=%lx\n", @@ -466,6 +457,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing %pd access to [%lx,%lx]\n", ret, d, mfn, mfn_end); } + else if ( iomem_access_permitted(d, mfn, mfn_end) ) + { + printk(XENLOG_G_DEBUG + "memory_map:add: %pd gfn=%lx mfn=%lx nr=%lx\n", + d, gfn, mfn, nr_mfns); + + ret = map_mmio_regions(d, _gfn(gfn), nr_mfns, _mfn(mfn)); + if ( ret < 0 ) + printk(XENLOG_G_WARNING + "memory_map:fail: %pd gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d, gfn, mfn, nr_mfns, ret); + } iocaps_double_unlock(d, false); goto domctl_out_unlock_rcuonly; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 10:33:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 10:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340920.1601573 (Exim 4.92) (envelope-from ) id 1waA3T-0000Xa-O4; Thu, 18 Jun 2026 10:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340920.1601573; Thu, 18 Jun 2026 10:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3T-0000XT-LW; Thu, 18 Jun 2026 10:33:03 +0000 Received: by outflank-mailman (input) for mailman id 1340920; Thu, 18 Jun 2026 10:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3R-0000XN-RE for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1waA3R-00Fjow-2Q for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1waA3R-004Ih6-1H for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EG+uuKKGILri4HyhiYW3QFJWN2Ng+BEbyurwsOTm6Sk=; b=F2rGtocGQsJknzRpdEy4cpOjmb ogqLKjw1VVJlvPT7lDHq6KWE1/ku8zKRp/fA3gaiL4FokZtgsZ4wJet9JYit6eKzWZ4LomQC/S8tT 4bgo/mZnaaBpMXJUNWhOrak2vzuYnPAfqV1gAd+vlZmqjT2+ariH8qCW726Rrf3hznCE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: move early special casing of XEN_DOMCTL_shadow_op Message-Id: Date: Thu, 18 Jun 2026 10:33:01 +0000 commit 77e03ac856b3a948ace816e27bb652f872ffbd02 Author: Jan Beulich AuthorDate: Thu Jun 18 10:01:30 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:01:30 2026 +0200 domctl: move early special casing of XEN_DOMCTL_shadow_op This wants xsm_domctl() invoked, but the domctl lock not taken. Move the handling to the respective switch(), thus eliminating the need for a separate xsm_domctl() invocation. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/domctl.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 07793a9d0b..b3f3c99c41 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -512,17 +512,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) /* Other sub-ops handled further down. */ break; - case XEN_DOMCTL_shadow_op: - if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || - op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) - { - ret = xsm_domctl(XSM_PRIV, d, op); - if ( !ret ) - ret = arch_do_domctl(op, d, u_domctl); - goto domctl_out_unlock_rcuonly; - } - break; - case XEN_DOMCTL_get_device_group: ret = iommu_do_domctl(op, d, u_domctl); goto domctl_out_unlock_rcuonly; @@ -568,6 +557,16 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) goto domctl_out_unlock_rcuonly; } + case XEN_DOMCTL_shadow_op: + if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN || + op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK ) + { + ret = arch_do_domctl(op, d, u_domctl); + goto domctl_out_unlock_rcuonly; + } + /* Other sub-ops handled by arch_do_domctl() further down. */ + break; + default: /* Everything else handled further up or further down. */ break; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 18 10:33:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Jun 2026 10:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340923.1601581 (Exim 4.92) (envelope-from ) id 1waA3n-0000bU-RG; Thu, 18 Jun 2026 10:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340923.1601581; Thu, 18 Jun 2026 10:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3n-0000bM-OR; Thu, 18 Jun 2026 10:33:23 +0000 Received: by outflank-mailman (input) for mailman id 1340923; Thu, 18 Jun 2026 10:33:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1waA3l-0000bE-Nf for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1waA3l-00Fjpc-39 for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1waA3l-004Iib-25 for xen-changelog@lists.xenproject.org; Thu, 18 Jun 2026 10:33:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qcmAjK66aP83wwiHNPq1oh26kWVjbLikSIZ/6r56sxc=; b=3qe8EnSSNOT6tx0/kckSjkZRG5 8bWRJG9rWggIt96j5UwgbC/NkhvhuuSkAaDNLlPsg1emn0t4Z9vQFlI3HyJTRHbVp7RiLuGtT8Hn2 n96lQDIQowuLKW3obReZaILPEKj8noeHvO/85I65Dp1sSPvMxLIofsYWYOPn/8F9fw9Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] domctl: correct return value of XEN_DOMCTL_[gs]etvcpuaffinity Message-Id: Date: Thu, 18 Jun 2026 10:33:21 +0000 commit 6a21252a742ec021a814e124b88d273da37065db Author: Jan Beulich AuthorDate: Thu Jun 18 10:02:34 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 18 10:02:34 2026 +0200 domctl: correct return value of XEN_DOMCTL_[gs]etvcpuaffinity cpumask_to_xenctl_bitmap() may return errors. Clearing the error indicator of an earlier such call by a (successful) later call is misleading the caller. For "set", keep setting soft affinity if the hard affinity copy- back fails; only accumulate respective errors. While fiddling with return values, also drop a redundant clearing of "ret". This eliminates a Misra C:2012 rule 2.2 ("There shall be no dead code") violation. Fixes: 6e4ecc6d5884 ("sched: DOMCTL_*vcpuaffinity works with hard and soft affinity") Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Reviewed-by: Roger Pau Monné Release-Acked-by: Oleksii Kurochko --- xen/common/sched/core.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c59c1dc872..3609721426 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -1708,7 +1708,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, { struct vcpu *v; const struct sched_unit *unit; - int ret = 0; + int ret = 0, hret = 0; if ( vcpuaff->vcpu >= d->max_vcpus ) return -EINVAL; @@ -1746,19 +1746,17 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, if ( vcpuaff->flags & XEN_VCPUAFFINITY_FORCE ) vcpu_temporary_affinity(v, NR_CPUS, VCPU_AFFINITY_OVERRIDE); - ret = 0; - /* * We both set a new affinity and report back to the caller what * the scheduler will be effectively using. */ if ( vcpuaff->flags & XEN_VCPUAFFINITY_HARD ) { - ret = xenctl_bitmap_to_bitmap(cpumask_bits(new_affinity), - &vcpuaff->cpumap_hard, nr_cpu_ids); - if ( !ret ) - ret = vcpu_set_hard_affinity(v, new_affinity); - if ( ret ) + hret = xenctl_bitmap_to_bitmap(cpumask_bits(new_affinity), + &vcpuaff->cpumap_hard, nr_cpu_ids); + if ( !hret ) + hret = vcpu_set_hard_affinity(v, new_affinity); + if ( hret ) goto setvcpuaffinity_out; /* @@ -1766,7 +1764,7 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, * cpupool's online mask and the new hard affinity. */ cpumask_and(new_affinity, online, unit->cpu_hard_affinity); - ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, new_affinity); + hret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, new_affinity); } if ( vcpuaff->flags & XEN_VCPUAFFINITY_SOFT ) { @@ -1804,14 +1802,14 @@ int vcpu_affinity_domctl(struct domain *d, uint32_t cmd, else { if ( vcpuaff->flags & XEN_VCPUAFFINITY_HARD ) - ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, - unit->cpu_hard_affinity); + hret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_hard, + unit->cpu_hard_affinity); if ( vcpuaff->flags & XEN_VCPUAFFINITY_SOFT ) ret = cpumask_to_xenctl_bitmap(&vcpuaff->cpumap_soft, unit->cpu_soft_affinity); } - return ret; + return hret ?: ret; } bool alloc_affinity_masks(struct affinity_masks *affinity) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 19 20:55:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 19 Jun 2026 20:55:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1342658.1602692 (Exim 4.92) (envelope-from ) id 1wagEy-0004ym-8a; Fri, 19 Jun 2026 20:55:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1342658.1602692; Fri, 19 Jun 2026 20:55:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wagEy-0004ye-5q; Fri, 19 Jun 2026 20:55:04 +0000 Received: by outflank-mailman (input) for mailman id 1342658; Fri, 19 Jun 2026 20:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wagEw-0004yB-3G for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 20:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wagEw-00HV8G-0H for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 20:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wagEv-00AcKs-2T for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 20:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mLBHtytkKvyU6Nk+qHnHVjqEYKMGAl+FieMqkf5hiIg=; b=OeRDhy5j6ORxkDL3IU5vobp9Yj BJbCTROSey1SYNmhniYV4klS/nbf4kIWUvJdypObIIkZpX3TRaInGfUjJVoKsZOWOXN13Ao6wpr4p yh28X7kVCFp2/Ul7nnDqLy1uapdpD3Hhqs9C1mlmjH/+9po2RgIkwNQsWSLmTilgIm2s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/process: document AI-assisted patch tags Message-Id: Date: Fri, 19 Jun 2026 20:55:01 +0000 commit b13f2f3fb1915d68dfd98ba134fd92e5442a9f7c Author: Cody Zuschlag AuthorDate: Wed May 27 19:45:28 2026 +0200 Commit: Andrew Cooper CommitDate: Fri Jun 19 17:23:46 2026 +0100 docs/process: document AI-assisted patch tags Add documentation for the Assisted-by tag to clarify how AI-assisted tooling may be disclosed in Xen patches. The guidance follows the Linux kernel documentation. Signed-off-by: Cody Zuschlag Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné Acked-by: Anthony PERARD --- docs/process/sending-patches.pandoc | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/process/sending-patches.pandoc b/docs/process/sending-patches.pandoc index 798ecceb39..b924fa2b87 100644 --- a/docs/process/sending-patches.pandoc +++ b/docs/process/sending-patches.pandoc @@ -195,6 +195,28 @@ E.g.: Requested-by: Jane Doe +### Assisted-by: + +When AI tools contribute to Xen development, proper attribution +helps track the evolving role of AI in the development process. +Contributions should include an `Assisted-by:` tag in the +following format: + + Assisted-by: AGENT_NAME:MODEL_VERSION [, ...] + +Where: + +* `AGENT_NAME` is the name of the AI tool or framework +* `MODEL_VERSION` is the specific model version used + +Basic development tools (git, gcc, make, editors) should not be listed. +Specialised but deterministic tools may optionally be listed, but their use +should be clear from other context in the commit message. + +Example: + + Assisted-by: Claude:claude-3-opus + ### Signed-off-by: This mandatory tag specifies the author(s) of a patch (for each author a @@ -209,6 +231,15 @@ E.g.: The author must be a natural person (not a team or just a company) and the `Signed-off-by:` tag must include the real name of the author (no pseudonym). +AI agents MUST NOT add `Signed-off-by:` tags. Only humans can legally +certify the Developer Certificate of Origin (DCO). The human submitter +is responsible for: + +* Reviewing all AI-generated code +* Ensuring compliance with licensing requirements +* Adding their own `Signed-off-by:` tag to certify the DCO +* Taking full responsibility for the contribution + By signing the patch with her/his name the author explicitly confirms to have made the contribution conforming to the `Developer's Certificate of Origin`: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 19 21:44:09 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 19 Jun 2026 21:44:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1342681.1602714 (Exim 4.92) (envelope-from ) id 1wah0M-0005pO-TT; Fri, 19 Jun 2026 21:44:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1342681.1602714; Fri, 19 Jun 2026 21:44:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wah0M-0005pE-Qr; Fri, 19 Jun 2026 21:44:02 +0000 Received: by outflank-mailman (input) for mailman id 1342681; Fri, 19 Jun 2026 21:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wah0L-0005p4-Ue for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 21:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wah0M-00HW1c-0H for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 21:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wah0L-00C8Ox-2T for xen-changelog@lists.xenproject.org; Fri, 19 Jun 2026 21:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=usrHblVxIgygDERIUqmHKwnX5/1ULBECGiuDKfSEb7w=; b=YC/1uSJMio20V0EA9SSUVTGGCd 6VbnkD31bOvXc9mb4zz63qry4HfdnorZBwEBNgiRmhcK0To45msT3mV4ED9rcgA60sbZdrw9XzM0b I+XhEXcoxjvhn2Xn3IIL9OVTAcPiiOyFAD1fP6n8dR2oNse05Fn50ztvbvIYFCxOXRvk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/process: document AI-assisted patch tags Message-Id: Date: Fri, 19 Jun 2026 21:44:01 +0000 commit b13f2f3fb1915d68dfd98ba134fd92e5442a9f7c Author: Cody Zuschlag AuthorDate: Wed May 27 19:45:28 2026 +0200 Commit: Andrew Cooper CommitDate: Fri Jun 19 17:23:46 2026 +0100 docs/process: document AI-assisted patch tags Add documentation for the Assisted-by tag to clarify how AI-assisted tooling may be disclosed in Xen patches. The guidance follows the Linux kernel documentation. Signed-off-by: Cody Zuschlag Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné Acked-by: Anthony PERARD --- docs/process/sending-patches.pandoc | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/process/sending-patches.pandoc b/docs/process/sending-patches.pandoc index 798ecceb39..b924fa2b87 100644 --- a/docs/process/sending-patches.pandoc +++ b/docs/process/sending-patches.pandoc @@ -195,6 +195,28 @@ E.g.: Requested-by: Jane Doe +### Assisted-by: + +When AI tools contribute to Xen development, proper attribution +helps track the evolving role of AI in the development process. +Contributions should include an `Assisted-by:` tag in the +following format: + + Assisted-by: AGENT_NAME:MODEL_VERSION [, ...] + +Where: + +* `AGENT_NAME` is the name of the AI tool or framework +* `MODEL_VERSION` is the specific model version used + +Basic development tools (git, gcc, make, editors) should not be listed. +Specialised but deterministic tools may optionally be listed, but their use +should be clear from other context in the commit message. + +Example: + + Assisted-by: Claude:claude-3-opus + ### Signed-off-by: This mandatory tag specifies the author(s) of a patch (for each author a @@ -209,6 +231,15 @@ E.g.: The author must be a natural person (not a team or just a company) and the `Signed-off-by:` tag must include the real name of the author (no pseudonym). +AI agents MUST NOT add `Signed-off-by:` tags. Only humans can legally +certify the Developer Certificate of Origin (DCO). The human submitter +is responsible for: + +* Reviewing all AI-generated code +* Ensuring compliance with licensing requirements +* Adding their own `Signed-off-by:` tag to certify the DCO +* Taking full responsibility for the contribution + By signing the patch with her/his name the author explicitly confirms to have made the contribution conforming to the `Developer's Certificate of Origin`: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Jun 22 13:44:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 22 Jun 2026 13:44:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1343768.1602988 (Exim 4.92) (envelope-from ) id 1wbewU-0003fz-Tu; Mon, 22 Jun 2026 13:44:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1343768.1602988; Mon, 22 Jun 2026 13:44:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wbewU-0003fq-R1; Mon, 22 Jun 2026 13:44:02 +0000 Received: by outflank-mailman (input) for mailman id 1343768; Mon, 22 Jun 2026 13:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wbewT-0003fk-TC for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 13:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wbewT-004XcH-2w for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 13:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wbewT-0004oz-1n for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 13:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RbCM5xJbSylfbiBflMFmj0f6PHTmpvOt8sXMPiaXhT4=; b=MN8u2Xg6TL1Zx4Zlob5m+myu8+ yYWPy6gHFdogSCJo1CSIx2+1+Rio1B39kRRgAKtNHzPRHRcjLGTmGYZAieUTk58niL/OYsnYsa3Wf 1V6kkHCSxe44mm9GTA3/q9OSV/JfCT6WtFlBIEFJRN+oCHJW3bZDEao+rzj82H+EUURQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] XSM: guard .sysctl() and .readconsole() hooks Message-Id: Date: Mon, 22 Jun 2026 13:44:01 +0000 commit 3270f9602d394d17f9adf4adce54b5f2a06c9c5f Author: Jan Beulich AuthorDate: Mon Jun 22 10:05:57 2026 +0200 Commit: Jan Beulich CommitDate: Mon Jun 22 10:05:57 2026 +0200 XSM: guard .sysctl() and .readconsole() hooks Leaving the hook pointers in struct xsm_ops when !SYSCTL would lead to the BUG_ON() in xsm_fixup_ops() triggering for respectively configured hypervisors. While moving the #ifdef for the corresponding xsm_*() wrappers, also move those for xsm_page_offline() (where the hook pointer field already is suitably guarded). Fixes: c9eabaa03a68 ("xen/xsm: wrap around xsm_sysctl with CONFIG_SYSCTL") Fixes: bddd9af6049f ("xen/sysctl: wrap around XEN_SYSCTL_readconsole") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Acked-by: Daniel P. Smith Release-Acked-by: Oleskii Kurochko --- xen/include/xsm/xsm.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fb622c62ce..89823abbf8 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,8 +61,10 @@ struct xsm_ops { #endif int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); +#ifdef CONFIG_SYSCTL int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); +#endif int (*evtchn_unbound)(struct domain *d, struct evtchn *chn, domid_t id2); int (*evtchn_interdomain)(struct domain *d1, struct evtchn *chn1, @@ -248,23 +250,17 @@ static inline int xsm_domctl(xsm_default_t def, struct domain *d, return alternative_call(xsm_ops.domctl, d, op); } +#ifdef CONFIG_SYSCTL static inline int xsm_sysctl(xsm_default_t def, int cmd) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.sysctl, cmd); -#else - return -EOPNOTSUPP; -#endif } static inline int xsm_readconsole(xsm_default_t def, uint32_t clear) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.readconsole, clear); -#else - return -EOPNOTSUPP; -#endif } +#endif static inline int xsm_evtchn_unbound( xsm_default_t def, struct domain *d1, struct evtchn *chn, domid_t id2) @@ -558,14 +554,12 @@ static inline int xsm_resource_setup_misc(xsm_default_t def) return alternative_call(xsm_ops.resource_setup_misc); } +#ifdef CONFIG_SYSCTL static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.page_offline, cmd); -#else - return -EOPNOTSUPP; -#endif } +#endif static inline int xsm_hypfs_op(xsm_default_t def) { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Jun 22 14:33:08 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 22 Jun 2026 14:33:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1343811.1603027 (Exim 4.92) (envelope-from ) id 1wbfhv-0003hZ-1x; Mon, 22 Jun 2026 14:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1343811.1603027; Mon, 22 Jun 2026 14:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wbfhu-0003hQ-VX; Mon, 22 Jun 2026 14:33:02 +0000 Received: by outflank-mailman (input) for mailman id 1343811; Mon, 22 Jun 2026 14:33:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wbfht-0003hK-Pv for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 14:33:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wbfht-004YX8-2i for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 14:33:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wbfht-000O31-1W for xen-changelog@lists.xenproject.org; Mon, 22 Jun 2026 14:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nlqf3N398y4wX+NOfC/dmRzSeLp5LxwkTR2WNbqcyUc=; b=suD2VRIgdYvweCw48QK/i1VK/m FQkCPfB/UIxG74+xFXH0JrJ/CgcjCKM4C8cUC7epNOf/li9pxQl2j9UHr3LuCii6yXqH6Uat42Efq vjrG5lInzyy8jEIl+8VFsc3GbBOpaq6bT3hLulcTpwsB8EmmwUsLLZFgEeK4ACPRpnpo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] XSM: guard .sysctl() and .readconsole() hooks Message-Id: Date: Mon, 22 Jun 2026 14:33:01 +0000 commit 3270f9602d394d17f9adf4adce54b5f2a06c9c5f Author: Jan Beulich AuthorDate: Mon Jun 22 10:05:57 2026 +0200 Commit: Jan Beulich CommitDate: Mon Jun 22 10:05:57 2026 +0200 XSM: guard .sysctl() and .readconsole() hooks Leaving the hook pointers in struct xsm_ops when !SYSCTL would lead to the BUG_ON() in xsm_fixup_ops() triggering for respectively configured hypervisors. While moving the #ifdef for the corresponding xsm_*() wrappers, also move those for xsm_page_offline() (where the hook pointer field already is suitably guarded). Fixes: c9eabaa03a68 ("xen/xsm: wrap around xsm_sysctl with CONFIG_SYSCTL") Fixes: bddd9af6049f ("xen/sysctl: wrap around XEN_SYSCTL_readconsole") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Acked-by: Daniel P. Smith Release-Acked-by: Oleskii Kurochko --- xen/include/xsm/xsm.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fb622c62ce..89823abbf8 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -61,8 +61,10 @@ struct xsm_ops { #endif int (*set_target)(struct domain *d, struct domain *e); int (*domctl)(struct domain *d, struct xen_domctl *op); +#ifdef CONFIG_SYSCTL int (*sysctl)(int cmd); int (*readconsole)(uint32_t clear); +#endif int (*evtchn_unbound)(struct domain *d, struct evtchn *chn, domid_t id2); int (*evtchn_interdomain)(struct domain *d1, struct evtchn *chn1, @@ -248,23 +250,17 @@ static inline int xsm_domctl(xsm_default_t def, struct domain *d, return alternative_call(xsm_ops.domctl, d, op); } +#ifdef CONFIG_SYSCTL static inline int xsm_sysctl(xsm_default_t def, int cmd) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.sysctl, cmd); -#else - return -EOPNOTSUPP; -#endif } static inline int xsm_readconsole(xsm_default_t def, uint32_t clear) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.readconsole, clear); -#else - return -EOPNOTSUPP; -#endif } +#endif static inline int xsm_evtchn_unbound( xsm_default_t def, struct domain *d1, struct evtchn *chn, domid_t id2) @@ -558,14 +554,12 @@ static inline int xsm_resource_setup_misc(xsm_default_t def) return alternative_call(xsm_ops.resource_setup_misc); } +#ifdef CONFIG_SYSCTL static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd) { -#ifdef CONFIG_SYSCTL return alternative_call(xsm_ops.page_offline, cmd); -#else - return -EOPNOTSUPP; -#endif } +#endif static inline int xsm_hypfs_op(xsm_default_t def) { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Jun 23 21:44:11 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Jun 2026 21:44:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344524.1603557 (Exim 4.92) (envelope-from ) id 1wc8uZ-0006V0-FA; Tue, 23 Jun 2026 21:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344524.1603557; Tue, 23 Jun 2026 21:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8uZ-0006Ur-CX; Tue, 23 Jun 2026 21:44:03 +0000 Received: by outflank-mailman (input) for mailman id 1344524; Tue, 23 Jun 2026 21:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8uX-0006Ul-Ve for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wc8uY-006HKb-0Q for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wc8uX-00FW6u-2Z for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1KdyUj6RHAMeG/tV3tWFhrkk228oF7tKjKhXIRV3Kuo=; b=vBy7ON2oDkBQch5UP/6+LkbS9l AQ4uJ+S6oIaCyF9bXm7J8relyf4VbZrW2lH9LntXvDjL0uy/2CnVoQuHfDzte+RrjYpR/HsTeJNIx owf1PlICU2V4cPrt7b8j3xjSIxoCnLu4yjW3KhhKLPQQLGskIOTL8lRrIqDJJP+deEgk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/kexec: Stop hooking NMIs with trap_nop() Message-Id: Date: Tue, 23 Jun 2026 21:44:01 +0000 commit ad9c7d86c9235891bd27e6e126ac9d1d2fc868c9 Author: Andrew Cooper AuthorDate: Wed Mar 18 11:49:46 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Stop hooking NMIs with trap_nop() When FRED is active, it is not possible to hook NMIs like this. NMI hooking in the crash path has undergone several revisions since its introduction. Notably since commit e7f147bf4ac7 ("x86/crash: Drop manual hooking of exception_table[]") we use the regular nmi_callback() infrastructure. Instead of asserting that we don't enter do_nmi_crash() on the crashing CPU, tolerate it and return early. It's a marginally longer codepath but behaves the same and is compatible with FRED. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/crash.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c index 1e4b0eeff2..04fd04393b 100644 --- a/xen/arch/x86/crash.c +++ b/xen/arch/x86/crash.c @@ -37,14 +37,18 @@ static cpumask_t waiting_to_crash; static unsigned int crashing_cpu; static DEFINE_PER_CPU_READ_MOSTLY(bool, crash_save_done); -/* This becomes the NMI handler for non-crashing CPUs, when Xen is crashing. */ -static int noreturn cf_check do_nmi_crash( +/* This becomes the NMI handler for all CPUs when Xen is crashing. */ +static int cf_check do_nmi_crash( const struct cpu_user_regs *regs, int cpu) { stac(); - /* nmi_shootdown_cpus() should ensure that this assertion is correct. */ - ASSERT(cpu != crashing_cpu); + /* + * If we are the crashing CPU, do nothing. We need to get back to the + * interrupted codepath to contine with the kexec transition. + */ + if ( cpu == crashing_cpu ) + return 1; /* Save crash information and shut down CPU. Attempt only once. */ if ( !this_cpu(crash_save_done) ) @@ -114,6 +118,8 @@ static int noreturn cf_check do_nmi_crash( for ( ; ; ) halt(); + + unreachable(); } static void nmi_shootdown_cpus(void) @@ -130,11 +136,7 @@ static void nmi_shootdown_cpus(void) cpumask_andnot(&waiting_to_crash, &cpu_online_map, cpumask_of(cpu)); - /* - * Disable IST for MCEs to avoid stack corruption race conditions, and - * change the NMI handler to a nop to avoid deviation from this codepath. - */ - _set_gate_lower(&idt[X86_EXC_NMI], SYS_DESC_irq_gate, 0, &trap_nop); + /* Disable IST for MCEs to avoid stack corruption race conditions */ set_ist(&idt[X86_EXC_MC], IST_NONE); set_nmi_callback(do_nmi_crash); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 23 21:44:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Jun 2026 21:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344525.1603561 (Exim 4.92) (envelope-from ) id 1wc8uj-0006Ww-GU; Tue, 23 Jun 2026 21:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344525.1603561; Tue, 23 Jun 2026 21:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8uj-0006Wq-Dq; Tue, 23 Jun 2026 21:44:13 +0000 Received: by outflank-mailman (input) for mailman id 1344525; Tue, 23 Jun 2026 21:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8uh-0006Wa-WB for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wc8ui-006HL0-0k for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wc8uh-00FWG3-2w for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IHMp13j0sQoOVfskbdnrSm/SfLHOhah7ma0Rfo/LjGQ=; b=4VwV9uKSaXupL4vM5Dd2HlZ6WH G4/YZgcAXnhbf1ZvmSPcw60S0PLocLjqIZCu73pHc7rX97Y/JQVpJgk1uVPS38oouXP2KxGTipNI4 MfLuYzmrdlr/203se65eLtupz/WfDGk/YUJij/55JV3NqywtOCcYqKJ8bn3jf2dNLmGc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/kexec: Fix and expand comments for kexec_reloc() Message-Id: Date: Tue, 23 Jun 2026 21:44:11 +0000 commit 5cdae3c505f3c0e9c261e19a5b3733161e696603 Author: Andrew Cooper AuthorDate: Tue Mar 17 19:44:56 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Fix and expand comments for kexec_reloc() The order of shutdown is delicate. Explain things a little better. Fix two comments about leaving Long Mode. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/kexec_reloc.S | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index b52d31a654..d0951ea1e1 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -27,6 +27,14 @@ .section .text.kexec, "ax", @progbits .code64 + /* + * kexec_reloc() is entered in it's natural position within Xen. + * + * A copy of .text.kexec is identity mapped at %rdi within the + * pagetables in %rsi. Xen's .text is mapped into %rsi at it's high + * alias allowing to pivot, but most other things including the stacks + * are not mapped. + */ FUNC(kexec_reloc, PAGE_SIZE) /* %rdi - code page maddr */ /* %rsi - page table maddr */ @@ -36,10 +44,17 @@ FUNC(kexec_reloc, PAGE_SIZE) movq %rcx, %rbp - /* Setup stack. */ + /* + * Move to the identity mapped stack. + * + * Note this mapping doesn't exist until the pagetable switch. + */ leaq (.Lreloc_stack_base - kexec_reloc)(%rdi), %rsp - /* Load reloc page table. */ + /* + * Move to the relocation pagetables. Xen's .text is mapped allowing + * the pivot, but very little else is. + */ movq %rsi, %cr3 /* Jump to identity mapped code. */ @@ -153,12 +168,12 @@ FUNC_LOCAL(compatibility_mode) movl %eax, %gs movl %eax, %ss - /* Disable paging and therefore leave 64 bit mode. */ + /* Disable paging and therefore leave long mode. */ movl %cr0, %eax andl $~X86_CR0_PG, %eax movl %eax, %cr0 - /* Disable long mode */ + /* Clear EFER.LME */ movl $MSR_EFER, %ecx rdmsr andl $~EFER_LME, %eax -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 23 21:44:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Jun 2026 21:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344526.1603565 (Exim 4.92) (envelope-from ) id 1wc8ut-0006Z8-Hi; Tue, 23 Jun 2026 21:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344526.1603565; Tue, 23 Jun 2026 21:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8ut-0006Z0-FB; Tue, 23 Jun 2026 21:44:23 +0000 Received: by outflank-mailman (input) for mailman id 1344526; Tue, 23 Jun 2026 21:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8us-0006Ys-2y for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wc8us-006HL4-14 for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wc8us-00FWKe-02 for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WpvDsUEdjRLR6RYNSbtSxpud6Foh44P+vfx5HXzyYhc=; b=BqqvAw0CPlsagp6Ip7D24sgfg+ jO/n8k4MteoY/kbUeagSdNiMGvHw5mgQsDwGwo2ItQ9PeLITjyTpNltCkpXc4uiRQuuzRckhKfZk/ zsj6T3PKoUkusiqGdk5TMJw6m9sxJrBKcWVzR46o8YWcfhnSm8mEfniNukuY0dPZstaw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/kexec: Invalidate the IDT earlier in kexec_reloc() Message-Id: Date: Tue, 23 Jun 2026 21:44:22 +0000 commit c3974cbf207716d87c66ee01b5f69b11fa461edb Author: Andrew Cooper AuthorDate: Mon Mar 16 14:26:09 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Invalidate the IDT earlier in kexec_reloc() After switching stack, it is not safe to run any exception handlers, because attempts to access the cpu_info block are out-of-bounds and will generate wild accesses. Invalidating the IDT in the common path means there's no need to do so again in the 32bit path, so drop compat_mode_idt entirely. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/kexec_reloc.S | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index d0951ea1e1..7a6dd2cbe7 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -44,6 +44,16 @@ FUNC(kexec_reloc, PAGE_SIZE) movq %rcx, %rbp + /* + * Invalidate the IDT. After switching off Xen's stacks, the + * exception handlers are unsafe to use, because there's no way to + * perform arithmetic on the stack pointer to find the cpu_info block. + */ + push $0 + pushw $0 + lidt (%rsp) + add $10, %rsp + /* * Move to the identity mapped stack. * @@ -94,8 +104,6 @@ FUNC(kexec_reloc, PAGE_SIZE) jmp *%rbp .L_call_32_bit: - /* Setup IDT. */ - lidt compat_mode_idt(%rip) /* Load compat GDT. */ leaq compat_mode_gdt(%rip), %rax @@ -202,11 +210,6 @@ DATA_LOCAL(compat_mode_gdt, 8) .Lcompat_mode_gdt_end: END(compat_mode_gdt) -DATA_LOCAL(compat_mode_idt) - .word 0 /* limit */ - .long 0 /* base */ -END(compat_mode_idt) - /* * 16 words of stack are more than enough. */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 23 21:44:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Jun 2026 21:44:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344527.1603570 (Exim 4.92) (envelope-from ) id 1wc8v3-0006b4-JH; Tue, 23 Jun 2026 21:44:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344527.1603570; Tue, 23 Jun 2026 21:44:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8v3-0006aw-GW; Tue, 23 Jun 2026 21:44:33 +0000 Received: by outflank-mailman (input) for mailman id 1344527; Tue, 23 Jun 2026 21:44:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8v2-0006ap-6c for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wc8v2-006HL8-1S for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wc8v2-00FWUj-0N for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=U9Dt3RMlVfh8BR+THCljfv8EMRSwoVG+enLt3ChskW8=; b=BQf52lclBNvDGCKctpE6rlNjH3 acoYjCLZeXnFH0IqlrUwxAnEidCmwx/J9L1khsTEE7LweuQlHnFwNQunIrk+c105PFbitdnXP9v1P FH8jlWRT4rIvjpDTZW2mCBYe+wk+CZ7+sC+g7Ep6mzRMCXOoVfiRJRYTmJGRFyHeYxvc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/kexec: Disable FRED earlier in kexec_reloc() Message-Id: Date: Tue, 23 Jun 2026 21:44:32 +0000 commit 4665d1796736cd999a3a8d291d4fbb4da637f440 Author: Andrew Cooper AuthorDate: Tue Mar 17 19:33:09 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Disable FRED earlier in kexec_reloc() With FRED just as with IDT, it's unsafe to run the exception handlers after switching stack. To remove this unsafe window, %cr4 needs clearing earlier. In turn, we may need to switch to PCID 0 earlier too in order to be able to clear CR4.PCIDE. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- CC: Jan Beulich CC: Roger Pau Monné --- xen/arch/x86/x86_64/kexec_reloc.S | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index 7a6dd2cbe7..81da81a827 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -54,6 +54,21 @@ FUNC(kexec_reloc, PAGE_SIZE) lidt (%rsp) add $10, %rsp + /* Move to PCID 0 if necessary, as a prerequisite to clearing CR4.PCIDE */ + mov %cr3, %rax + test $0xfff, %eax + jz 1f + and $~0xfff, %rax + mov %rax, %cr3 +1: + + /* + * Set CR4 to PAE only. This may disable FRED, which must happen + * before switching off Xen's stack. + */ + mov $X86_CR4_PAE, %eax + mov %rax, %cr4 + /* * Move to the identity mapped stack. * @@ -86,13 +101,6 @@ FUNC(kexec_reloc, PAGE_SIZE) orl $(X86_CR0_PG | X86_CR0_PE), %eax movq %rax, %cr0 - /* - * Set cr4 to a known state: - * - physical address extension enabled - */ - movl $X86_CR4_PAE, %eax - movq %rax, %cr4 - movq %rdx, %rdi call relocate_pages -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Jun 23 21:44:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Jun 2026 21:44:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344528.1603572 (Exim 4.92) (envelope-from ) id 1wc8vD-0006cx-KI; Tue, 23 Jun 2026 21:44:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344528.1603572; Tue, 23 Jun 2026 21:44:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8vD-0006cp-Hp; Tue, 23 Jun 2026 21:44:43 +0000 Received: by outflank-mailman (input) for mailman id 1344528; Tue, 23 Jun 2026 21:44:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wc8vC-0006ci-9m for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wc8vC-006HLE-1l for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wc8vC-00FWdd-0k for xen-changelog@lists.xenproject.org; Tue, 23 Jun 2026 21:44:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=l8rpxQrd7UTqc63nh6B1L4scZIjMZVNdcOOTW4ghswc=; b=oclrKyflkX7OVmep+JA4KZdOrA vp0bQGT/0FiIAi7C9XiNWPirsNgaXxhQeH3P2o9IkzjF68J3b5dHPzZM6R6p+bK7oZnUBsEFd3Wm9 H16vUu2VpD1y/4WTa49f7snwCFS0XzM28YVLeYLrGTyJiyU8F4Twro73O+XBBotSQwxg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/kexec: Check for a good per-cpu area before accessing IDTs Message-Id: Date: Tue, 23 Jun 2026 21:44:42 +0000 commit 2c9829a2611e4ac1d9200af6f159605fc8849bf2 Author: Andrew Cooper AuthorDate: Mon Jun 22 17:51:10 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Check for a good per-cpu area before accessing IDTs Prior to commit 9c20d3c5915d ("x86/IDT: Make idt_tables[] be per_cpu(idt)"), the global idt_tables[] was always safe to use for CPUs in any state. However, not-yet-onlined CPUs (e.g. MADT with more entries than exist in practice) or offlined CPUs (e.g. xen-hptool) have their per-cpu pointer poisoned to detect incorrect uses. machine_kexec() trips over the posion when clobbering #MC entry paths. Update the comment to discuss parked CPUs, and to remove discussion which isn't particularly relevant to the actions at hand. This fixes a fatal #GP (non-canonical memory reference) when trying to enter the crash kernel. Fixes: 9c20d3c5915d ("x86/IDT: Make idt_tables[] be per_cpu(idt)") Reported-by: Lin Liu Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/machine_kexec.c | 19 ++++++++++--------- xen/common/percpu.c | 1 - xen/include/xen/percpu.h | 1 + 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/machine_kexec.c b/xen/arch/x86/machine_kexec.c index f921eec5aa..038670922d 100644 --- a/xen/arch/x86/machine_kexec.c +++ b/xen/arch/x86/machine_kexec.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -159,19 +160,19 @@ void machine_kexec(struct kexec_image *image) */ local_irq_disable(); - /* Now regular interrupts are disabled, we need to reduce the impact - * of interrupts not disabled by 'cli'. - * - * The NMI handlers have already been set up nmi_shootdown_cpus(). All - * pcpus other than us have the nmi_crash handler, while we have the nop - * handler. - * + /* * The MCE handlers touch extensive areas of Xen code and data. At this - * point, there is nothing we can usefully do, so set the nop handler. + * point, there is nothing we can usefully do, so set the NOP handler even + * for parked CPUs. */ for ( i = 0; i < nr_cpu_ids; i++ ) { - idt_entry_t *idt = per_cpu(idt, i); + idt_entry_t *idt; + + if ( __per_cpu_offset[i] == INVALID_PERCPU_AREA ) + continue; + + idt = per_cpu(idt, i); if ( !idt ) continue; diff --git a/xen/common/percpu.c b/xen/common/percpu.c index cdd70acbea..f180f37253 100644 --- a/xen/common/percpu.c +++ b/xen/common/percpu.c @@ -13,7 +13,6 @@ #define PERCPU_ORDER get_order_from_bytes(__per_cpu_data_end - __per_cpu_start) -extern char __per_cpu_start[]; extern const char __per_cpu_data_end[]; unsigned long __read_mostly __per_cpu_offset[NR_CPUS]; diff --git a/xen/include/xen/percpu.h b/xen/include/xen/percpu.h index fcf2095bd5..30609f49f0 100644 --- a/xen/include/xen/percpu.h +++ b/xen/include/xen/percpu.h @@ -43,6 +43,7 @@ #endif extern unsigned long __per_cpu_offset[]; +extern char __per_cpu_start[]; #define per_cpu(var, cpu) \ (*RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu])) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344548.1603585 (Exim 4.92) (envelope-from ) id 1wcGzs-0003gF-7A; Wed, 24 Jun 2026 06:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344548.1603585; Wed, 24 Jun 2026 06:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcGzs-0003g7-4Z; Wed, 24 Jun 2026 06:22:04 +0000 Received: by outflank-mailman (input) for mailman id 1344548; Wed, 24 Jun 2026 06:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcGzq-0003g1-E5 for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcGzq-007Ylb-1X for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcGzq-004H6s-0T for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2TopYYdmw8IOp6B0CDMIBnZNK5QrZbHjzAW5ULRe+Fg=; b=c0+FlhaO0umpZQ8L1Z+r1S/NXt ed78OobGMig7FZgfOoQvtBu0l9VHSTIyIp4J0QM5NiCV9fvg94bh7tXlDFL5wRNJI8t6sADMBk6XN svTQxE9ZG8j/ewI4NeMCC0LwLSQGoQmq9zkDs/avwlxgSQ2pIlH2t+//9j7HJH+RsIoY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/kexec: Stop hooking NMIs with trap_nop() Message-Id: Date: Wed, 24 Jun 2026 06:22:02 +0000 commit ad9c7d86c9235891bd27e6e126ac9d1d2fc868c9 Author: Andrew Cooper AuthorDate: Wed Mar 18 11:49:46 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Stop hooking NMIs with trap_nop() When FRED is active, it is not possible to hook NMIs like this. NMI hooking in the crash path has undergone several revisions since its introduction. Notably since commit e7f147bf4ac7 ("x86/crash: Drop manual hooking of exception_table[]") we use the regular nmi_callback() infrastructure. Instead of asserting that we don't enter do_nmi_crash() on the crashing CPU, tolerate it and return early. It's a marginally longer codepath but behaves the same and is compatible with FRED. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/crash.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c index 1e4b0eeff2..04fd04393b 100644 --- a/xen/arch/x86/crash.c +++ b/xen/arch/x86/crash.c @@ -37,14 +37,18 @@ static cpumask_t waiting_to_crash; static unsigned int crashing_cpu; static DEFINE_PER_CPU_READ_MOSTLY(bool, crash_save_done); -/* This becomes the NMI handler for non-crashing CPUs, when Xen is crashing. */ -static int noreturn cf_check do_nmi_crash( +/* This becomes the NMI handler for all CPUs when Xen is crashing. */ +static int cf_check do_nmi_crash( const struct cpu_user_regs *regs, int cpu) { stac(); - /* nmi_shootdown_cpus() should ensure that this assertion is correct. */ - ASSERT(cpu != crashing_cpu); + /* + * If we are the crashing CPU, do nothing. We need to get back to the + * interrupted codepath to contine with the kexec transition. + */ + if ( cpu == crashing_cpu ) + return 1; /* Save crash information and shut down CPU. Attempt only once. */ if ( !this_cpu(crash_save_done) ) @@ -114,6 +118,8 @@ static int noreturn cf_check do_nmi_crash( for ( ; ; ) halt(); + + unreachable(); } static void nmi_shootdown_cpus(void) @@ -130,11 +136,7 @@ static void nmi_shootdown_cpus(void) cpumask_andnot(&waiting_to_crash, &cpu_online_map, cpumask_of(cpu)); - /* - * Disable IST for MCEs to avoid stack corruption race conditions, and - * change the NMI handler to a nop to avoid deviation from this codepath. - */ - _set_gate_lower(&idt[X86_EXC_NMI], SYS_DESC_irq_gate, 0, &trap_nop); + /* Disable IST for MCEs to avoid stack corruption race conditions */ set_ist(&idt[X86_EXC_MC], IST_NONE); set_nmi_callback(do_nmi_crash); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:22:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344549.1603590 (Exim 4.92) (envelope-from ) id 1wcH02-0003hy-8l; Wed, 24 Jun 2026 06:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344549.1603590; Wed, 24 Jun 2026 06:22:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH02-0003ho-5r; Wed, 24 Jun 2026 06:22:14 +0000 Received: by outflank-mailman (input) for mailman id 1344549; Wed, 24 Jun 2026 06:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH00-0003hC-BR for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcH00-007Ylj-1v for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcH00-004HAB-0p for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WRuvy1BTuQDKqWeqpH8or6jogXLrw6cBkrNIzrYWLp8=; b=b20ZtYavnAs4SBWg+qEavlEeJ0 V19qY2Ha65BI6PIpl86s9unj9MVx10rQPJvuxa2ltRRLjqRk2GSsH89FK182uru+BuNnmPRxGuNz1 Qgm93wuMJrKKaL+MJYvBAenLV4RnYayLgbSaHHHTtxcT5xqRQ874Yjsg5kdXcOym+BTo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/kexec: Fix and expand comments for kexec_reloc() Message-Id: Date: Wed, 24 Jun 2026 06:22:12 +0000 commit 5cdae3c505f3c0e9c261e19a5b3733161e696603 Author: Andrew Cooper AuthorDate: Tue Mar 17 19:44:56 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Fix and expand comments for kexec_reloc() The order of shutdown is delicate. Explain things a little better. Fix two comments about leaving Long Mode. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/kexec_reloc.S | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index b52d31a654..d0951ea1e1 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -27,6 +27,14 @@ .section .text.kexec, "ax", @progbits .code64 + /* + * kexec_reloc() is entered in it's natural position within Xen. + * + * A copy of .text.kexec is identity mapped at %rdi within the + * pagetables in %rsi. Xen's .text is mapped into %rsi at it's high + * alias allowing to pivot, but most other things including the stacks + * are not mapped. + */ FUNC(kexec_reloc, PAGE_SIZE) /* %rdi - code page maddr */ /* %rsi - page table maddr */ @@ -36,10 +44,17 @@ FUNC(kexec_reloc, PAGE_SIZE) movq %rcx, %rbp - /* Setup stack. */ + /* + * Move to the identity mapped stack. + * + * Note this mapping doesn't exist until the pagetable switch. + */ leaq (.Lreloc_stack_base - kexec_reloc)(%rdi), %rsp - /* Load reloc page table. */ + /* + * Move to the relocation pagetables. Xen's .text is mapped allowing + * the pivot, but very little else is. + */ movq %rsi, %cr3 /* Jump to identity mapped code. */ @@ -153,12 +168,12 @@ FUNC_LOCAL(compatibility_mode) movl %eax, %gs movl %eax, %ss - /* Disable paging and therefore leave 64 bit mode. */ + /* Disable paging and therefore leave long mode. */ movl %cr0, %eax andl $~X86_CR0_PG, %eax movl %eax, %cr0 - /* Disable long mode */ + /* Clear EFER.LME */ movl $MSR_EFER, %ecx rdmsr andl $~EFER_LME, %eax -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:22:23 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344550.1603595 (Exim 4.92) (envelope-from ) id 1wcH0B-0003kq-Bh; Wed, 24 Jun 2026 06:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344550.1603595; Wed, 24 Jun 2026 06:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0B-0003ki-8u; Wed, 24 Jun 2026 06:22:23 +0000 Received: by outflank-mailman (input) for mailman id 1344550; Wed, 24 Jun 2026 06:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0A-0003kZ-GV for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcH0A-007Ym6-2G for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcH0A-004HDg-1D for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Vk9RlU0jUYopgtNBcADHdiF7924+8zehV3J40/zOJw4=; b=eDhFmO7jGlfKKIoJ7DGVXOy8HK TMxAWA08ePRporXcn3du8F5HdN7KELLUrNw7kyfsZ85g9SfHi2xeHyJdrKgbKjQRbSmTg3aQ/mw9e zKlh7I7GoLMmXu/xaZgfcMzhFg/Ux/BzcgEGz/A8d8lgCCxRqwztACWlu6sWPlAFbIIM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/kexec: Invalidate the IDT earlier in kexec_reloc() Message-Id: Date: Wed, 24 Jun 2026 06:22:22 +0000 commit c3974cbf207716d87c66ee01b5f69b11fa461edb Author: Andrew Cooper AuthorDate: Mon Mar 16 14:26:09 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Invalidate the IDT earlier in kexec_reloc() After switching stack, it is not safe to run any exception handlers, because attempts to access the cpu_info block are out-of-bounds and will generate wild accesses. Invalidating the IDT in the common path means there's no need to do so again in the 32bit path, so drop compat_mode_idt entirely. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/kexec_reloc.S | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index d0951ea1e1..7a6dd2cbe7 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -44,6 +44,16 @@ FUNC(kexec_reloc, PAGE_SIZE) movq %rcx, %rbp + /* + * Invalidate the IDT. After switching off Xen's stacks, the + * exception handlers are unsafe to use, because there's no way to + * perform arithmetic on the stack pointer to find the cpu_info block. + */ + push $0 + pushw $0 + lidt (%rsp) + add $10, %rsp + /* * Move to the identity mapped stack. * @@ -94,8 +104,6 @@ FUNC(kexec_reloc, PAGE_SIZE) jmp *%rbp .L_call_32_bit: - /* Setup IDT. */ - lidt compat_mode_idt(%rip) /* Load compat GDT. */ leaq compat_mode_gdt(%rip), %rax @@ -202,11 +210,6 @@ DATA_LOCAL(compat_mode_gdt, 8) .Lcompat_mode_gdt_end: END(compat_mode_gdt) -DATA_LOCAL(compat_mode_idt) - .word 0 /* limit */ - .long 0 /* base */ -END(compat_mode_idt) - /* * 16 words of stack are more than enough. */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:22:33 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:22:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344551.1603598 (Exim 4.92) (envelope-from ) id 1wcH0L-0003mi-D7; Wed, 24 Jun 2026 06:22:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344551.1603598; Wed, 24 Jun 2026 06:22:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0L-0003mZ-AZ; Wed, 24 Jun 2026 06:22:33 +0000 Received: by outflank-mailman (input) for mailman id 1344551; Wed, 24 Jun 2026 06:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0K-0003mQ-HV for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcH0K-007YmD-2X for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcH0K-004HHY-1X for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=96K9AHStl7725O702G4RlWWR6JEfzD7J3ctD1iTUYy0=; b=wvmgVdhehKJmtNeA8AP5PUJcVA eehXaUqt6m+8AnoEJCc9AjzsInQRZ0Kz7x7FFTUX+gbq+ps5XMjNF3sgVYw9WyU4PI1AEHxyXr70n 1j2cX4velJZnJNtigwfT4RUwjDyKZRLcH44ftjgScl9I+Lo7C/BX/+95bX8SPGZTdSLU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/kexec: Disable FRED earlier in kexec_reloc() Message-Id: Date: Wed, 24 Jun 2026 06:22:32 +0000 commit 4665d1796736cd999a3a8d291d4fbb4da637f440 Author: Andrew Cooper AuthorDate: Tue Mar 17 19:33:09 2026 +0000 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Disable FRED earlier in kexec_reloc() With FRED just as with IDT, it's unsafe to run the exception handlers after switching stack. To remove this unsafe window, %cr4 needs clearing earlier. In turn, we may need to switch to PCID 0 earlier too in order to be able to clear CR4.PCIDE. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- CC: Jan Beulich CC: Roger Pau Monné --- xen/arch/x86/x86_64/kexec_reloc.S | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/x86_64/kexec_reloc.S b/xen/arch/x86/x86_64/kexec_reloc.S index 7a6dd2cbe7..81da81a827 100644 --- a/xen/arch/x86/x86_64/kexec_reloc.S +++ b/xen/arch/x86/x86_64/kexec_reloc.S @@ -54,6 +54,21 @@ FUNC(kexec_reloc, PAGE_SIZE) lidt (%rsp) add $10, %rsp + /* Move to PCID 0 if necessary, as a prerequisite to clearing CR4.PCIDE */ + mov %cr3, %rax + test $0xfff, %eax + jz 1f + and $~0xfff, %rax + mov %rax, %cr3 +1: + + /* + * Set CR4 to PAE only. This may disable FRED, which must happen + * before switching off Xen's stack. + */ + mov $X86_CR4_PAE, %eax + mov %rax, %cr4 + /* * Move to the identity mapped stack. * @@ -86,13 +101,6 @@ FUNC(kexec_reloc, PAGE_SIZE) orl $(X86_CR0_PG | X86_CR0_PE), %eax movq %rax, %cr0 - /* - * Set cr4 to a known state: - * - physical address extension enabled - */ - movl $X86_CR4_PAE, %eax - movq %rax, %cr4 - movq %rdx, %rdi call relocate_pages -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:22:43 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:22:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344552.1603602 (Exim 4.92) (envelope-from ) id 1wcH0V-0003qE-Ec; Wed, 24 Jun 2026 06:22:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344552.1603602; Wed, 24 Jun 2026 06:22:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0V-0003q6-Bz; Wed, 24 Jun 2026 06:22:43 +0000 Received: by outflank-mailman (input) for mailman id 1344552; Wed, 24 Jun 2026 06:22:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcH0U-0003q0-KD for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcH0U-007YmH-2o for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcH0U-004HL8-1p for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:22:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=c7WEu0g2ZbFh/dRFQizBI6OosayI/0dIAoJ66zL1cf4=; b=2a6+ptPsmaS+WRb3Kw51BM2nBK iFUOaXGPqoaAWiGEVitehEIfLmbPyOK6pXzHp91S2Hgofhs+JKPYevZ8reZeWwh3la+oKzw3+PQwg pBlveTLlpHQ25mlgv+EEpXw0Z7WbEIHi0nYQ5DE491jMeCCZNaeiqEznjoOVImqw7lFc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/kexec: Check for a good per-cpu area before accessing IDTs Message-Id: Date: Wed, 24 Jun 2026 06:22:42 +0000 commit 2c9829a2611e4ac1d9200af6f159605fc8849bf2 Author: Andrew Cooper AuthorDate: Mon Jun 22 17:51:10 2026 +0100 Commit: Andrew Cooper CommitDate: Tue Jun 23 19:15:51 2026 +0100 x86/kexec: Check for a good per-cpu area before accessing IDTs Prior to commit 9c20d3c5915d ("x86/IDT: Make idt_tables[] be per_cpu(idt)"), the global idt_tables[] was always safe to use for CPUs in any state. However, not-yet-onlined CPUs (e.g. MADT with more entries than exist in practice) or offlined CPUs (e.g. xen-hptool) have their per-cpu pointer poisoned to detect incorrect uses. machine_kexec() trips over the posion when clobbering #MC entry paths. Update the comment to discuss parked CPUs, and to remove discussion which isn't particularly relevant to the actions at hand. This fixes a fatal #GP (non-canonical memory reference) when trying to enter the crash kernel. Fixes: 9c20d3c5915d ("x86/IDT: Make idt_tables[] be per_cpu(idt)") Reported-by: Lin Liu Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/machine_kexec.c | 19 ++++++++++--------- xen/common/percpu.c | 1 - xen/include/xen/percpu.h | 1 + 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/machine_kexec.c b/xen/arch/x86/machine_kexec.c index f921eec5aa..038670922d 100644 --- a/xen/arch/x86/machine_kexec.c +++ b/xen/arch/x86/machine_kexec.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -159,19 +160,19 @@ void machine_kexec(struct kexec_image *image) */ local_irq_disable(); - /* Now regular interrupts are disabled, we need to reduce the impact - * of interrupts not disabled by 'cli'. - * - * The NMI handlers have already been set up nmi_shootdown_cpus(). All - * pcpus other than us have the nmi_crash handler, while we have the nop - * handler. - * + /* * The MCE handlers touch extensive areas of Xen code and data. At this - * point, there is nothing we can usefully do, so set the nop handler. + * point, there is nothing we can usefully do, so set the NOP handler even + * for parked CPUs. */ for ( i = 0; i < nr_cpu_ids; i++ ) { - idt_entry_t *idt = per_cpu(idt, i); + idt_entry_t *idt; + + if ( __per_cpu_offset[i] == INVALID_PERCPU_AREA ) + continue; + + idt = per_cpu(idt, i); if ( !idt ) continue; diff --git a/xen/common/percpu.c b/xen/common/percpu.c index cdd70acbea..f180f37253 100644 --- a/xen/common/percpu.c +++ b/xen/common/percpu.c @@ -13,7 +13,6 @@ #define PERCPU_ORDER get_order_from_bytes(__per_cpu_data_end - __per_cpu_start) -extern char __per_cpu_start[]; extern const char __per_cpu_data_end[]; unsigned long __read_mostly __per_cpu_offset[NR_CPUS]; diff --git a/xen/include/xen/percpu.h b/xen/include/xen/percpu.h index fcf2095bd5..30609f49f0 100644 --- a/xen/include/xen/percpu.h +++ b/xen/include/xen/percpu.h @@ -43,6 +43,7 @@ #endif extern unsigned long __per_cpu_offset[]; +extern char __per_cpu_start[]; #define per_cpu(var, cpu) \ (*RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu])) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 06:55:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 06:55:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1344573.1603629 (Exim 4.92) (envelope-from ) id 1wcHVn-0008Id-BH; Wed, 24 Jun 2026 06:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1344573.1603629; Wed, 24 Jun 2026 06:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcHVn-0008Hd-7Y; Wed, 24 Jun 2026 06:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1344573; Wed, 24 Jun 2026 06:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcHVm-0008Fa-AL for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcHVm-007ZJW-1V for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcHVm-004YYD-0P for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 06:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F5bIw9hD6MLy6hrEnzpVE7qM7m1r7Wm9slEsNaaZGqE=; b=5lbeh3gEKq87Wxn2vFSBu0trU/ +rYJz5QKv1Yve4bVARSsH+zs3+JrCxWLvfINoJ+K3v2BUwvCMt92Ql8/IVUSj3ZjdLD0i85Wrav/T ijx3BceyRhMbKm2iMlu5Q+cxObG9OPzUe7oI6Hlw5OVA9QZRH1AogR5v3eadpRoT3+UQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: update Jens Wiklander's email address Message-Id: Date: Wed, 24 Jun 2026 06:55:02 +0000 commit d42ace60290a4b4184ee2133b245b134fdf96fed Author: Jens Wiklander AuthorDate: Mon Jun 22 16:10:28 2026 +0200 Commit: Michal Orzel CommitDate: Wed Jun 24 08:48:11 2026 +0200 MAINTAINERS: update Jens Wiklander's email address Update Jens Wiklander's email address to @kernel.org. Signed-off-by: Jens Wiklander Acked-by: Michal Orzel --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 195d6cb0e2..81bd0dfeec 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -544,7 +544,7 @@ F: stubdom/ TEE MEDIATORS M: Volodymyr Babchuk M: Bertrand Marquis -R: Jens Wiklander +R: Jens Wiklander S: Supported F: xen/arch/arm/include/asm/tee/ F: xen/arch/arm/tee/ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 14:55:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 14:55:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345077.1604074 (Exim 4.92) (envelope-from ) id 1wcP0J-0007nb-5V; Wed, 24 Jun 2026 14:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345077.1604074; Wed, 24 Jun 2026 14:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcP0J-0007nT-2t; Wed, 24 Jun 2026 14:55:03 +0000 Received: by outflank-mailman (input) for mailman id 1345077; Wed, 24 Jun 2026 14:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcP0I-0007nN-3T for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 14:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcP0I-007iTT-0I for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 14:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcP0H-0099BU-2V for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 14:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DOzVPZ97Siuemc3y/MscflaNpDQ8+/3B/zfJd1ucjyA=; b=GmrmxwayWStmDUJXW7fXzNVOts U3apnn8ASLKbIgJ6yWo/C/b4ETkaXC9VZ8Tc1S/kkzY+oVgva9qZ0RwcPkOpxUUOpWTV5hjl1KGmU hI0hiCr8XWA73HJivJXKO6UmzeXNqxxFKqV/aRV0H7IewgB3JLHXeFCcGG6AmU1xl3qs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/EFI: arrange for non-discardable .reloc in xen.efi Message-Id: Date: Wed, 24 Jun 2026 14:55:01 +0000 commit 00a659a26c8b92cc47622fc75b9acb8fdf34fa5e Author: Jan Beulich AuthorDate: Wed Jun 24 15:56:20 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 24 15:56:20 2026 +0200 x86/EFI: arrange for non-discardable .reloc in xen.efi Loaders respecting IMAGE_SCN_MEM_DISCARDABLE would not load such sections, yet we need to access it ourselves when switching out of "physical mode". Leverage behavior new to GNU ld 2.46: Any contribution to .reloc which doesn't have the discardable flag set (which cannot even be expressed in ELF) will yield the output section also non-discardable. Since for intermediate binaries we don't care about section attributes, link in the new object only on the final linking pass. Reported-by: Yann Sionneau Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/Makefile | 7 ++++--- xen/arch/x86/efi/Makefile | 2 +- xen/arch/x86/efi/relocs-empty.S | 8 ++++++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index 47dd6c50fe..c4c38516a7 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -196,7 +196,8 @@ note_file_option ?= $(note_file) extra-$(XEN_BUILD_PE) += efi.lds ifeq ($(XEN_BUILD_PE),y) -$(TARGET).efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds $(obj)/efi/relocs-dummy.o $(obj)/efi/mkreloc +$(TARGET).efi: $(obj)/efi/relocs-dummy.o $(obj)/efi/relocs-empty.o $(obj)/efi/mkreloc +$(TARGET).efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds ifeq ($(CONFIG_DEBUG_INFO),y) $(if $(filter --strip-debug,$(EFI_LDFLAGS)),echo,:) "Will strip debug info from $(@F)" endif @@ -227,7 +228,7 @@ endif $(MAKE) $(build)=$(@D) .$(@F).2r.o .$(@F).2s.o $(call compare-symbol-tables, $(dot-target).1r.o, $(dot-target).2r.o) $(call compare-symbol-tables, $(dot-target).1s.o, $(dot-target).2s.o) - $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ + $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< $(obj)/efi/relocs-empty.o \ $(dot-target).2r.o $(dot-target).2s.o $(orphan-handling-y) \ $(note_file_option) -o $@ $(NM) -pa --format=sysv $@ \ @@ -247,7 +248,7 @@ $(TARGET).efi: FORCE endif # These should already have been rebuilt when building the prerequisite of "prelink.o" -$(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o: ; +$(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o $(obj)/efi/relocs-empty.o: ; .PHONY: include include: $(objtree)/arch/x86/include/asm/asm-macros.h diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile index 3e88f552d2..ad6cb6100e 100644 --- a/xen/arch/x86/efi/Makefile +++ b/xen/arch/x86/efi/Makefile @@ -17,5 +17,5 @@ obj-y := common-stub.o stub.o obj-$(XEN_BUILD_EFI) := $(filter-out %.init.o,$(EFIOBJ-y)) obj-bin-$(XEN_BUILD_EFI) := $(filter %.init.o,$(EFIOBJ-y)) obj-bin-y += mbi2.init.o -extra-$(XEN_BUILD_EFI) += buildid.o relocs-dummy.o +extra-$(XEN_BUILD_EFI) += buildid.o relocs-dummy.o relocs-empty.o nocov-$(XEN_BUILD_EFI) += stub.o diff --git a/xen/arch/x86/efi/relocs-empty.S b/xen/arch/x86/efi/relocs-empty.S new file mode 100644 index 0000000000..991bf2ca93 --- /dev/null +++ b/xen/arch/x86/efi/relocs-empty.S @@ -0,0 +1,8 @@ +/* + * Empty .reloc section, simply to indicate to GNU ld that the output .reloc + * section in xen.efi should not be marked IMAGE_SCN_MEM_DISCARDABLE. This + * requires GNU ld 2.46 or newer to actually be understood in the intended way. + */ + + .section .reloc, "a", @progbits + .balign 4 -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 16:22:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 16:22:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345156.1604132 (Exim 4.92) (envelope-from ) id 1wcQMU-0004zF-B2; Wed, 24 Jun 2026 16:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345156.1604132; Wed, 24 Jun 2026 16:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcQMU-0004z7-8R; Wed, 24 Jun 2026 16:22:02 +0000 Received: by outflank-mailman (input) for mailman id 1345156; Wed, 24 Jun 2026 16:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcQMT-0004z1-OG for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcQMT-007kTD-2J for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcQMT-00B8bD-1I for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4+R01xMzVzYIBBUk0ys5nDhgJSdyZTThYigEugx53rQ=; b=Ib4KlXukVooArLaerzkD6j/NDm IDmOvF6kmbUYEWOV4VBBn8rkepiC06ohlmAPgT+0DHaZN8GVdrEGlAszZMfjhoHNSj2JHWqm02ipP Lk81SmAx3ArmZe8w0DLY7aUVW/z7uyYBtmn56/+IbznG6eipaZk+NXjEBx2iewRORi6M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: update Jens Wiklander's email address Message-Id: Date: Wed, 24 Jun 2026 16:22:01 +0000 commit d42ace60290a4b4184ee2133b245b134fdf96fed Author: Jens Wiklander AuthorDate: Mon Jun 22 16:10:28 2026 +0200 Commit: Michal Orzel CommitDate: Wed Jun 24 08:48:11 2026 +0200 MAINTAINERS: update Jens Wiklander's email address Update Jens Wiklander's email address to @kernel.org. Signed-off-by: Jens Wiklander Acked-by: Michal Orzel --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 195d6cb0e2..81bd0dfeec 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -544,7 +544,7 @@ F: stubdom/ TEE MEDIATORS M: Volodymyr Babchuk M: Bertrand Marquis -R: Jens Wiklander +R: Jens Wiklander S: Supported F: xen/arch/arm/include/asm/tee/ F: xen/arch/arm/tee/ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Jun 24 16:22:12 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 24 Jun 2026 16:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345157.1604136 (Exim 4.92) (envelope-from ) id 1wcQMe-000511-CR; Wed, 24 Jun 2026 16:22:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345157.1604136; Wed, 24 Jun 2026 16:22:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcQMe-00050t-9n; Wed, 24 Jun 2026 16:22:12 +0000 Received: by outflank-mailman (input) for mailman id 1345157; Wed, 24 Jun 2026 16:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcQMd-00050j-Io for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcQMd-007kTH-2e for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcQMd-00B8nT-1a for xen-changelog@lists.xenproject.org; Wed, 24 Jun 2026 16:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nZODKgersl46WkpbgmV+ebo/boBu4gYa9cLjclIeBFk=; b=wjelfcTmHkgQnMXro4zgd6i+ht B8K5hVbJp4ez9sruosEsTZDvPGHWBY8/H28M8CaI8TSPjaJqHmLFzoRw+vo+JED5Nr8+BvAFsn8p0 GLMZGkTQlxJoi+p+L19W6J3kOeSedcL1UenJvaEEyFamBFv/BgIQiXyznTINb93jkfPc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/EFI: arrange for non-discardable .reloc in xen.efi Message-Id: Date: Wed, 24 Jun 2026 16:22:11 +0000 commit 00a659a26c8b92cc47622fc75b9acb8fdf34fa5e Author: Jan Beulich AuthorDate: Wed Jun 24 15:56:20 2026 +0200 Commit: Jan Beulich CommitDate: Wed Jun 24 15:56:20 2026 +0200 x86/EFI: arrange for non-discardable .reloc in xen.efi Loaders respecting IMAGE_SCN_MEM_DISCARDABLE would not load such sections, yet we need to access it ourselves when switching out of "physical mode". Leverage behavior new to GNU ld 2.46: Any contribution to .reloc which doesn't have the discardable flag set (which cannot even be expressed in ELF) will yield the output section also non-discardable. Since for intermediate binaries we don't care about section attributes, link in the new object only on the final linking pass. Reported-by: Yann Sionneau Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné Acked-by: Marek Marczykowski-Górecki Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/Makefile | 7 ++++--- xen/arch/x86/efi/Makefile | 2 +- xen/arch/x86/efi/relocs-empty.S | 8 ++++++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index 47dd6c50fe..c4c38516a7 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -196,7 +196,8 @@ note_file_option ?= $(note_file) extra-$(XEN_BUILD_PE) += efi.lds ifeq ($(XEN_BUILD_PE),y) -$(TARGET).efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds $(obj)/efi/relocs-dummy.o $(obj)/efi/mkreloc +$(TARGET).efi: $(obj)/efi/relocs-dummy.o $(obj)/efi/relocs-empty.o $(obj)/efi/mkreloc +$(TARGET).efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds ifeq ($(CONFIG_DEBUG_INFO),y) $(if $(filter --strip-debug,$(EFI_LDFLAGS)),echo,:) "Will strip debug info from $(@F)" endif @@ -227,7 +228,7 @@ endif $(MAKE) $(build)=$(@D) .$(@F).2r.o .$(@F).2s.o $(call compare-symbol-tables, $(dot-target).1r.o, $(dot-target).2r.o) $(call compare-symbol-tables, $(dot-target).1s.o, $(dot-target).2s.o) - $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ + $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< $(obj)/efi/relocs-empty.o \ $(dot-target).2r.o $(dot-target).2s.o $(orphan-handling-y) \ $(note_file_option) -o $@ $(NM) -pa --format=sysv $@ \ @@ -247,7 +248,7 @@ $(TARGET).efi: FORCE endif # These should already have been rebuilt when building the prerequisite of "prelink.o" -$(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o: ; +$(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o $(obj)/efi/relocs-empty.o: ; .PHONY: include include: $(objtree)/arch/x86/include/asm/asm-macros.h diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile index 3e88f552d2..ad6cb6100e 100644 --- a/xen/arch/x86/efi/Makefile +++ b/xen/arch/x86/efi/Makefile @@ -17,5 +17,5 @@ obj-y := common-stub.o stub.o obj-$(XEN_BUILD_EFI) := $(filter-out %.init.o,$(EFIOBJ-y)) obj-bin-$(XEN_BUILD_EFI) := $(filter %.init.o,$(EFIOBJ-y)) obj-bin-y += mbi2.init.o -extra-$(XEN_BUILD_EFI) += buildid.o relocs-dummy.o +extra-$(XEN_BUILD_EFI) += buildid.o relocs-dummy.o relocs-empty.o nocov-$(XEN_BUILD_EFI) += stub.o diff --git a/xen/arch/x86/efi/relocs-empty.S b/xen/arch/x86/efi/relocs-empty.S new file mode 100644 index 0000000000..991bf2ca93 --- /dev/null +++ b/xen/arch/x86/efi/relocs-empty.S @@ -0,0 +1,8 @@ +/* + * Empty .reloc section, simply to indicate to GNU ld that the output .reloc + * section in xen.efi should not be marked IMAGE_SCN_MEM_DISCARDABLE. This + * requires GNU ld 2.46 or newer to actually be understood in the intended way. + */ + + .section .reloc, "a", @progbits + .balign 4 -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 10:11:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 10:11:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345429.1604291 (Exim 4.92) (envelope-from ) id 1wch31-000430-Hl; Thu, 25 Jun 2026 10:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345429.1604291; Thu, 25 Jun 2026 10:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wch31-00042s-Er; Thu, 25 Jun 2026 10:11:03 +0000 Received: by outflank-mailman (input) for mailman id 1345429; Thu, 25 Jun 2026 10:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wch30-00042m-CY for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 10:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wch30-009C3r-12 for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 10:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wch2z-00BUec-3A for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 10:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=myRw+/puRNd1uzOSVTAzbOf60d1mSI+/7xKU//XfwcI=; b=aHUcmre4YsZ1Fftgc2hsBCwK4e jWnEeE6Age/8G5gjVObBctsibcZlj6U0Ye68zF0VIMW5VmnafJQgLJqwTwDpFG9bPdVC1Z3m+gQYV ZWzOHwG3AhBKmUYFH376xaGg8+NWB1FEdC7DSbMCNibWTVO+1+PG5Tg8fnaDZJim88ds=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/fred: Send an EVENT_CHECK IPI on exit from NMI Message-Id: Date: Thu, 25 Jun 2026 10:11:01 +0000 commit 76fc7763924121abf515ef0a26b332ff39f1720e Author: Andrew Cooper AuthorDate: Wed Jun 24 14:57:43 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 25 11:08:02 2026 +0100 x86/fred: Send an EVENT_CHECK IPI on exit from NMI Returning from an NMI which hits guest context needs special casing in FRED mode just like it does in IDT mode. Break nmi_exit_to_guest() out of handle_ist_exception(), and use it in entry_FRED_R3() also. Expand the comment a little, and invert the conditional jump to compat_restore_all_guest() to avoid needing an #else clause for CONFIG_PV32. Fixes: 87cfcbe9f0b5 ("x86/pv: Guest exception handling in FRED mode") Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Relase-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/entry-fred.S | 6 +++++ xen/arch/x86/x86_64/entry.S | 49 ++++++++++++++++++++++++---------------- 2 files changed, 36 insertions(+), 19 deletions(-) diff --git a/xen/arch/x86/x86_64/entry-fred.S b/xen/arch/x86/x86_64/entry-fred.S index e9c84423da..1ad9694a04 100644 --- a/xen/arch/x86/x86_64/entry-fred.S +++ b/xen/arch/x86/x86_64/entry-fred.S @@ -20,6 +20,12 @@ FUNC(entry_FRED_R3, 4096) GET_STACK_END(14) movq STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx + /* NMIs need special handling on return to guest. */ + movzbl UREGS_ss + 6(%rsp), %eax + and $0xf, %eax + cmp $X86_ET_NMI, %al + je nmi_exit_to_guest + jmp test_all_events #else BUG /* Not Reached */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 17ca6a4939..de5d854f55 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -146,6 +146,35 @@ process_trap: jmp test_all_events END(switch_to_kernel) +/* + * When returning to guest from an NMI, we must execute an IRET/ERETU to + * re-enable NMIs, and must not process softirqs which can e.g. schedule + * rather than returning to guest context. + * + * If a softirq is pending, send ourselves an EVENT_CHECK IPI to compensate. + * This will cause softirq processing to occur upon leaving NMI context. + * + * %rbx: struct vcpu, %r14 stack_end + */ +FUNC(nmi_exit_to_guest) + mov STACK_CPUINFO_FIELD(processor_id)(%r14), %eax + shl $IRQSTAT_shift, %eax + lea irq_stat + IRQSTAT_softirq_pending(%rip), %rcx + cmpl $0, (%rcx, %rax, 1) + je 1f + mov $EVENT_CHECK_VECTOR, %edi + call send_IPI_self +1: + /* For restore_all_guest. */ + mov STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx +#ifdef CONFIG_PV32 + mov VCPU_domain(%rbx), %rax + cmpb $0, DOMAIN_is_32bit_pv(%rax) + jne compat_restore_all_guest +#endif + jmp restore_all_guest +END(nmi_exit_to_guest) + .section .text.entry, "ax", @progbits /* %rbx: struct vcpu, interrupts disabled */ @@ -1209,25 +1238,7 @@ FUNC(handle_ist_exception) #ifdef CONFIG_PV testb $3,UREGS_cs(%rsp) jz restore_all_xen - /* Send an IPI to ourselves to cover for the lack of event checking. */ - mov STACK_CPUINFO_FIELD(processor_id)(%r14), %eax - shll $IRQSTAT_shift,%eax - leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx - cmpl $0,(%rcx,%rax,1) - je 1f - movl $EVENT_CHECK_VECTOR,%edi - call send_IPI_self -1: - /* For restore_all_guest. */ - mov STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx -#ifdef CONFIG_PV32 - movq VCPU_domain(%rbx),%rax - cmpb $0,DOMAIN_is_32bit_pv(%rax) - je restore_all_guest - jmp compat_restore_all_guest -#else - jmp restore_all_guest -#endif + jmp nmi_exit_to_guest #else ASSERT_CONTEXT_IS_XEN jmp restore_all_xen -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 11:00:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 11:00:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345462.1604313 (Exim 4.92) (envelope-from ) id 1wchoR-0004n6-7T; Thu, 25 Jun 2026 11:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345462.1604313; Thu, 25 Jun 2026 11:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wchoR-0004mj-4a; Thu, 25 Jun 2026 11:00:03 +0000 Received: by outflank-mailman (input) for mailman id 1345462; Thu, 25 Jun 2026 11:00:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wchoQ-0004UW-00 for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 11:00:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wchoP-009Crc-2v for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 11:00:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wchoP-00CUFL-1r for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 11:00:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7skdjlbPI8EMDg7WrhNkOV7OOiwuZNTb1MoEyVi0aIc=; b=L4WgLVyzPQH6g3xWsX/McGOjFY AMslFtBl2luYB1MgGfaBbFS0xqrLL9FqMNFx1A0lqJ3p2e9yQczZYXmhGHDD6czMbYaRoxx3EXCDg /n2eEFo8HxhI2AxNnC98Ra4XJ/dPFdO2vEv/jY5spQcPh6yJyWhgV1nfP8J9rNC163EE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/fred: Send an EVENT_CHECK IPI on exit from NMI Message-Id: Date: Thu, 25 Jun 2026 11:00:01 +0000 commit 76fc7763924121abf515ef0a26b332ff39f1720e Author: Andrew Cooper AuthorDate: Wed Jun 24 14:57:43 2026 +0100 Commit: Andrew Cooper CommitDate: Thu Jun 25 11:08:02 2026 +0100 x86/fred: Send an EVENT_CHECK IPI on exit from NMI Returning from an NMI which hits guest context needs special casing in FRED mode just like it does in IDT mode. Break nmi_exit_to_guest() out of handle_ist_exception(), and use it in entry_FRED_R3() also. Expand the comment a little, and invert the conditional jump to compat_restore_all_guest() to avoid needing an #else clause for CONFIG_PV32. Fixes: 87cfcbe9f0b5 ("x86/pv: Guest exception handling in FRED mode") Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Relase-Acked-by: Oleksii Kurochko --- xen/arch/x86/x86_64/entry-fred.S | 6 +++++ xen/arch/x86/x86_64/entry.S | 49 ++++++++++++++++++++++++---------------- 2 files changed, 36 insertions(+), 19 deletions(-) diff --git a/xen/arch/x86/x86_64/entry-fred.S b/xen/arch/x86/x86_64/entry-fred.S index e9c84423da..1ad9694a04 100644 --- a/xen/arch/x86/x86_64/entry-fred.S +++ b/xen/arch/x86/x86_64/entry-fred.S @@ -20,6 +20,12 @@ FUNC(entry_FRED_R3, 4096) GET_STACK_END(14) movq STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx + /* NMIs need special handling on return to guest. */ + movzbl UREGS_ss + 6(%rsp), %eax + and $0xf, %eax + cmp $X86_ET_NMI, %al + je nmi_exit_to_guest + jmp test_all_events #else BUG /* Not Reached */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 17ca6a4939..de5d854f55 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -146,6 +146,35 @@ process_trap: jmp test_all_events END(switch_to_kernel) +/* + * When returning to guest from an NMI, we must execute an IRET/ERETU to + * re-enable NMIs, and must not process softirqs which can e.g. schedule + * rather than returning to guest context. + * + * If a softirq is pending, send ourselves an EVENT_CHECK IPI to compensate. + * This will cause softirq processing to occur upon leaving NMI context. + * + * %rbx: struct vcpu, %r14 stack_end + */ +FUNC(nmi_exit_to_guest) + mov STACK_CPUINFO_FIELD(processor_id)(%r14), %eax + shl $IRQSTAT_shift, %eax + lea irq_stat + IRQSTAT_softirq_pending(%rip), %rcx + cmpl $0, (%rcx, %rax, 1) + je 1f + mov $EVENT_CHECK_VECTOR, %edi + call send_IPI_self +1: + /* For restore_all_guest. */ + mov STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx +#ifdef CONFIG_PV32 + mov VCPU_domain(%rbx), %rax + cmpb $0, DOMAIN_is_32bit_pv(%rax) + jne compat_restore_all_guest +#endif + jmp restore_all_guest +END(nmi_exit_to_guest) + .section .text.entry, "ax", @progbits /* %rbx: struct vcpu, interrupts disabled */ @@ -1209,25 +1238,7 @@ FUNC(handle_ist_exception) #ifdef CONFIG_PV testb $3,UREGS_cs(%rsp) jz restore_all_xen - /* Send an IPI to ourselves to cover for the lack of event checking. */ - mov STACK_CPUINFO_FIELD(processor_id)(%r14), %eax - shll $IRQSTAT_shift,%eax - leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx - cmpl $0,(%rcx,%rax,1) - je 1f - movl $EVENT_CHECK_VECTOR,%edi - call send_IPI_self -1: - /* For restore_all_guest. */ - mov STACK_CPUINFO_FIELD(current_vcpu)(%r14), %rbx -#ifdef CONFIG_PV32 - movq VCPU_domain(%rbx),%rax - cmpb $0,DOMAIN_is_32bit_pv(%rax) - je restore_all_guest - jmp compat_restore_all_guest -#else - jmp restore_all_guest -#endif + jmp nmi_exit_to_guest #else ASSERT_CONTEXT_IS_XEN jmp restore_all_xen -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 13:11:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 13:11:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345624.1604434 (Exim 4.92) (envelope-from ) id 1wcjrC-00014g-Rn; Thu, 25 Jun 2026 13:11:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345624.1604434; Thu, 25 Jun 2026 13:11:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcjrC-00014Y-PG; Thu, 25 Jun 2026 13:11:02 +0000 Received: by outflank-mailman (input) for mailman id 1345624; Thu, 25 Jun 2026 13:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcjrB-00014R-W8 for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcjrC-009F8L-0G for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcjrB-00FYaa-2P for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=R6zR+L7bQWGnaP3x7pX3ES/0DA/IcW0oxv7UzR/7JGg=; b=PhTz0FYv3JGWBpZQGdl6WncKqC koBG94BsBn48nTf5vPllB1jtxoQs6AXEMLfufzChXr7JWWlEhEknnYqEnQUFYrhGT0qzfKTPg1ne1 JUIbkevMzs+F96P64uDmyrdxEmjNrfudUyRFNU94xqp8t8m25hCFHTftcj/LAC3E0PFs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] sched/rtds: refill cur_budget when extratime is toggled on a depleted vCPU Message-Id: Date: Thu, 25 Jun 2026 13:11:01 +0000 commit 37b49cb48ed96c0f5a90391b2c93cac1f33e3bc4 Author: Oleksii Moisieiev AuthorDate: Thu Jun 25 13:36:43 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 25 13:36:43 2026 +0200 sched/rtds: refill cur_budget when extratime is toggled on a depleted vCPU XEN_DOMCTL_SCHEDOP_putvcpuinfo can flip the RTDS_extratime bit on a vCPU that is currently depleted (cur_budget == 0, possibly sitting on the depleted queue). rt_dom_cntl() touches only svc->flags; cur_budget is left unchanged. As a result the next code path that calls runq_insert() on this vCPU - rt_unit_wake() after a domain_unpause(), rt_context_saved() following a delayed runq add, or repl_timer_handler() after a replenishment - places the vCPU on the run queue, because has_extratime(svc) is now true and runq_insert() admits extratime units regardless of cur_budget: /* add svc to runq if svc still has budget or its extratime is set */ if ( svc->cur_budget > 0 || has_extratime(svc) ) deadline_runq_insert(svc, &svc->q_elem, runq); else list_add(&svc->q_elem, &prv->depletedq); The very next rt_schedule() iterates the run queue from runq_pick() and trips the ASSERT(iter_svc->cur_budget > 0) at the bottom of the loop, panicking the host. Observed trace: Assertion 'iter_svc->cur_budget > 0' failed at common/sched/rt.c:1035 ----[ Xen-4.22-unstable arm64 debug=y ubsan=y Not tainted ]---- [<...>] rt.c#rt_schedule+0x1558/0x33e0 (PC) [<...>] core.c#do_schedule+0x2e4/0x15b4 [<...>] core.c#schedule+0xb14/0xe50 [<...>] softirq.c#__do_softirq+0x20c/0x3d4 [<...>] do_softirq+0x14/0x1c [<...>] domain.c#idle_loop+0x194/0x558 Minimal reproducer: pin a single-vCPU domU to a pCPU, program RTDS with extratime off and a low utilisation (e.g. budget = 10ms / period = 100ms) so the vCPU spends most of its time in the depleted queue, pause the domain, issue a putvcpuinfo that sets XEN_DOMCTL_SCHEDRT_extra, then unpause. As soon as the schedule softirq fires on the pCPU, the BUG hits. The same sequence is reachable without an explicit pause: any window in which rt_dom_cntl() runs between burn_budget()'s budget exhaustion and rt_context_saved()'s runq_insert() also closes onto the same broken state, because the per-scheduler lock is dropped between those two points. The semantics for "extratime gets exhausted budget refilled" already live in burn_budget(): if ( has_extratime(svc) ) { svc->priority_level++; svc->cur_budget = svc->budget; } Apply the same priority-demotion-and-refill in rt_dom_cntl() when the flag transitions from off to on while the vCPU is depleted, clear RTDS_depleted to match, and - if the vCPU is currently on the depleted queue - move it to the run queue using the same q_remove() + runq_insert() pattern already used by repl_timer_handler(). The vCPU remains on the replenishment queue throughout, so its normal replenishment cadence is preserved. The complementary transition (on -> off) is already safe: clearing the flag only narrows the runq_insert() admission condition, so subsequent depleted insertions correctly route to the depleted queue. No other call sites need changes: with cur_budget restored before the flag is observable to runq_insert(), runq_pick()'s long-standing invariant (every run-queue entry has cur_budget > 0) is preserved. Fixes: 463b95831778 ("xen:rtds: towards work conserving RTDS") Signed-off-by: Oleksii Moisieiev Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/sched/rt.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c index b9a3e7720e..0fe045e591 100644 --- a/xen/common/sched/rt.c +++ b/xen/common/sched/rt.c @@ -1480,7 +1480,41 @@ rt_dom_cntl( svc->period = period; svc->budget = budget; if ( local_sched.u.rtds.flags & XEN_DOMCTL_SCHEDRT_extra ) + { + /* + * Turning extratime on while the vCPU is depleted + * (cur_budget <= 0) leaves cur_budget unchanged. The + * next runq_insert() on this vCPU - from + * rt_unit_wake() after a domain unpause, + * rt_context_saved() following a delayed runq add, or + * repl_timer_handler() - then places it on the run + * queue because has_extratime() is now true, even + * though cur_budget is 0. The very next rt_schedule() + * iterates the run queue from runq_pick() and trips + * the ASSERT(iter_svc->cur_budget > 0). + * + * Apply the same priority-demotion-and-refill that + * burn_budget() would have performed if the flag had + * been set when the budget ran out, clear the + * depleted state, and - if the vCPU is currently on + * the depleted queue - move it to the run queue so + * the new extratime allocation is picked up + * immediately instead of waiting for the next + * replenishment. + */ + if ( !has_extratime(svc) && svc->cur_budget <= 0 ) + { + svc->priority_level++; + svc->cur_budget = svc->budget; + __clear_bit(__RTDS_depleted, &svc->flags); + if ( unit_on_q(svc) ) + { + q_remove(svc); + runq_insert(ops, svc); + } + } __set_bit(__RTDS_extratime, &svc->flags); + } else __clear_bit(__RTDS_extratime, &svc->flags); spin_unlock_irqrestore(&prv->lock, flags); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 13:11:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 13:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345625.1604439 (Exim 4.92) (envelope-from ) id 1wcjrM-00017Z-TA; Thu, 25 Jun 2026 13:11:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345625.1604439; Thu, 25 Jun 2026 13:11:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcjrM-00017R-QZ; Thu, 25 Jun 2026 13:11:12 +0000 Received: by outflank-mailman (input) for mailman id 1345625; Thu, 25 Jun 2026 13:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wcjrL-00016E-W8 for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wcjrM-009F8P-0j for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wcjrL-00FYoR-2l for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 13:11:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nSHhHv7a7NvyApGfJBPk90Jj5iK3K2dgSvq1q55y7kE=; b=3i/DJdeB2LpfbN3FmCL2FKuW5A CVnpEs4nHoNjbUYv+emR65TeDym0G9cP+NieepLzC1ptd3cfhE0sp0gDuQtZ1hWcHmBrkpTYPXh+T 2YAfhLGDYG1MHQHnADgVgKaLp72h3AaPUghCzTiQMk/mErWmCwHrgGDXIP/BGqV4skLw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/boot: don't blindly mark VGA in graphics mode on MB2 path Message-Id: Date: Thu, 25 Jun 2026 13:11:11 +0000 commit c7b742985499a5e99456456bac47a13b2987e550 Author: Jan Beulich AuthorDate: Thu Jun 25 13:37:33 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 25 13:37:33 2026 +0200 x86/boot: don't blindly mark VGA in graphics mode on MB2 path Setting ->orig_video_isVGA to the specific marker should be done only when the VBE tag is present and the FRAMEBUFFER is either absent or indicates RGB type. Since the "video" variable now starts out non-NULL, this property was broken when in particular neither of the tags are present. To move back to at least close to original behavior, add a 2nd check to said conditional. Fixes: d5a73cdc6b90 ("x86/boot: Use boot_vid_info variable directly from C code") Reported-by: Marek Marczykowski-Górecki Signed-off-by: Jan Beulich Tested-by: Marek Marczykowski-Górecki Acked-by: Andrew Cooper Reviewed-by: Teddy Astie Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/boot/reloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/boot/reloc.c b/xen/arch/x86/boot/reloc.c index 7a375ad41c..2aa6ebb16b 100644 --- a/xen/arch/x86/boot/reloc.c +++ b/xen/arch/x86/boot/reloc.c @@ -339,7 +339,7 @@ static multiboot_info_t *mbi2_reloc(uint32_t mbi_in, memctx *ctx) end: #ifdef CONFIG_VIDEO - if ( video ) + if ( video && video->lfb_size ) video->orig_video_isVGA = 0x23; #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 14:00:06 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 14:00:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345664.1604460 (Exim 4.92) (envelope-from ) id 1wckce-0001FR-FR; Thu, 25 Jun 2026 14:00:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345664.1604460; Thu, 25 Jun 2026 14:00:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wckce-0001F4-Cq; Thu, 25 Jun 2026 14:00:04 +0000 Received: by outflank-mailman (input) for mailman id 1345664; Thu, 25 Jun 2026 14:00:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wckcc-0000tw-KY for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wckcc-009FzW-2R for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wckcc-00HCbz-1H for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=x0c7j0QnImIYUZigIU2olh23Vej+nohgKhM5gr+xmXQ=; b=10OqclVsNSsDNTrXuNCLTllixU dgX0Taqs+vk65DvVk1L5vrpb1+hxQrDug/PDcDoHVOWD5ENxgGHOv85G9iNxYw6br3Iroxf1r8B3c x2GGuVM1xewGSvFR+Y0ONta/tD94qcEIbHSEwEMZ8lo9tzVUR3m2FbGxxnB/grcYR5Dw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] sched/rtds: refill cur_budget when extratime is toggled on a depleted vCPU Message-Id: Date: Thu, 25 Jun 2026 14:00:02 +0000 commit 37b49cb48ed96c0f5a90391b2c93cac1f33e3bc4 Author: Oleksii Moisieiev AuthorDate: Thu Jun 25 13:36:43 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 25 13:36:43 2026 +0200 sched/rtds: refill cur_budget when extratime is toggled on a depleted vCPU XEN_DOMCTL_SCHEDOP_putvcpuinfo can flip the RTDS_extratime bit on a vCPU that is currently depleted (cur_budget == 0, possibly sitting on the depleted queue). rt_dom_cntl() touches only svc->flags; cur_budget is left unchanged. As a result the next code path that calls runq_insert() on this vCPU - rt_unit_wake() after a domain_unpause(), rt_context_saved() following a delayed runq add, or repl_timer_handler() after a replenishment - places the vCPU on the run queue, because has_extratime(svc) is now true and runq_insert() admits extratime units regardless of cur_budget: /* add svc to runq if svc still has budget or its extratime is set */ if ( svc->cur_budget > 0 || has_extratime(svc) ) deadline_runq_insert(svc, &svc->q_elem, runq); else list_add(&svc->q_elem, &prv->depletedq); The very next rt_schedule() iterates the run queue from runq_pick() and trips the ASSERT(iter_svc->cur_budget > 0) at the bottom of the loop, panicking the host. Observed trace: Assertion 'iter_svc->cur_budget > 0' failed at common/sched/rt.c:1035 ----[ Xen-4.22-unstable arm64 debug=y ubsan=y Not tainted ]---- [<...>] rt.c#rt_schedule+0x1558/0x33e0 (PC) [<...>] core.c#do_schedule+0x2e4/0x15b4 [<...>] core.c#schedule+0xb14/0xe50 [<...>] softirq.c#__do_softirq+0x20c/0x3d4 [<...>] do_softirq+0x14/0x1c [<...>] domain.c#idle_loop+0x194/0x558 Minimal reproducer: pin a single-vCPU domU to a pCPU, program RTDS with extratime off and a low utilisation (e.g. budget = 10ms / period = 100ms) so the vCPU spends most of its time in the depleted queue, pause the domain, issue a putvcpuinfo that sets XEN_DOMCTL_SCHEDRT_extra, then unpause. As soon as the schedule softirq fires on the pCPU, the BUG hits. The same sequence is reachable without an explicit pause: any window in which rt_dom_cntl() runs between burn_budget()'s budget exhaustion and rt_context_saved()'s runq_insert() also closes onto the same broken state, because the per-scheduler lock is dropped between those two points. The semantics for "extratime gets exhausted budget refilled" already live in burn_budget(): if ( has_extratime(svc) ) { svc->priority_level++; svc->cur_budget = svc->budget; } Apply the same priority-demotion-and-refill in rt_dom_cntl() when the flag transitions from off to on while the vCPU is depleted, clear RTDS_depleted to match, and - if the vCPU is currently on the depleted queue - move it to the run queue using the same q_remove() + runq_insert() pattern already used by repl_timer_handler(). The vCPU remains on the replenishment queue throughout, so its normal replenishment cadence is preserved. The complementary transition (on -> off) is already safe: clearing the flag only narrows the runq_insert() admission condition, so subsequent depleted insertions correctly route to the depleted queue. No other call sites need changes: with cur_budget restored before the flag is observable to runq_insert(), runq_pick()'s long-standing invariant (every run-queue entry has cur_budget > 0) is preserved. Fixes: 463b95831778 ("xen:rtds: towards work conserving RTDS") Signed-off-by: Oleksii Moisieiev Reviewed-by: Juergen Gross Release-Acked-by: Oleksii Kurochko --- xen/common/sched/rt.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c index b9a3e7720e..0fe045e591 100644 --- a/xen/common/sched/rt.c +++ b/xen/common/sched/rt.c @@ -1480,7 +1480,41 @@ rt_dom_cntl( svc->period = period; svc->budget = budget; if ( local_sched.u.rtds.flags & XEN_DOMCTL_SCHEDRT_extra ) + { + /* + * Turning extratime on while the vCPU is depleted + * (cur_budget <= 0) leaves cur_budget unchanged. The + * next runq_insert() on this vCPU - from + * rt_unit_wake() after a domain unpause, + * rt_context_saved() following a delayed runq add, or + * repl_timer_handler() - then places it on the run + * queue because has_extratime() is now true, even + * though cur_budget is 0. The very next rt_schedule() + * iterates the run queue from runq_pick() and trips + * the ASSERT(iter_svc->cur_budget > 0). + * + * Apply the same priority-demotion-and-refill that + * burn_budget() would have performed if the flag had + * been set when the budget ran out, clear the + * depleted state, and - if the vCPU is currently on + * the depleted queue - move it to the run queue so + * the new extratime allocation is picked up + * immediately instead of waiting for the next + * replenishment. + */ + if ( !has_extratime(svc) && svc->cur_budget <= 0 ) + { + svc->priority_level++; + svc->cur_budget = svc->budget; + __clear_bit(__RTDS_depleted, &svc->flags); + if ( unit_on_q(svc) ) + { + q_remove(svc); + runq_insert(ops, svc); + } + } __set_bit(__RTDS_extratime, &svc->flags); + } else __clear_bit(__RTDS_extratime, &svc->flags); spin_unlock_irqrestore(&prv->lock, flags); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Jun 25 14:00:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 25 Jun 2026 14:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345665.1604464 (Exim 4.92) (envelope-from ) id 1wckcn-0001ci-Gw; Thu, 25 Jun 2026 14:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345665.1604464; Thu, 25 Jun 2026 14:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wckcn-0001cZ-E5; Thu, 25 Jun 2026 14:00:13 +0000 Received: by outflank-mailman (input) for mailman id 1345665; Thu, 25 Jun 2026 14:00:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wckcm-0001cQ-Kd for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wckcm-009G1L-2p for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wckcm-00HDAb-1m for xen-changelog@lists.xenproject.org; Thu, 25 Jun 2026 14:00:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+AARlnDCw18f3MkTvtL+GyKQFh4bawC2ND6FvZTY3wk=; b=Sg+vNruNK7tvhbJj9IWYj4FpJ3 MuahQckbvtWI8OiY3BzZDWkCHaCrv5XUeYaMy20RDZIuuqlhFwmLnbMKZoZ3pGHkZJSEx2VYYnrNs CXyhIAEYRm3WqopCvID1Fpwwzhe065n8qA/xzMv1HRFbaL7upZGnnkFyRh0zKTYAWT3Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/boot: don't blindly mark VGA in graphics mode on MB2 path Message-Id: Date: Thu, 25 Jun 2026 14:00:12 +0000 commit c7b742985499a5e99456456bac47a13b2987e550 Author: Jan Beulich AuthorDate: Thu Jun 25 13:37:33 2026 +0200 Commit: Jan Beulich CommitDate: Thu Jun 25 13:37:33 2026 +0200 x86/boot: don't blindly mark VGA in graphics mode on MB2 path Setting ->orig_video_isVGA to the specific marker should be done only when the VBE tag is present and the FRAMEBUFFER is either absent or indicates RGB type. Since the "video" variable now starts out non-NULL, this property was broken when in particular neither of the tags are present. To move back to at least close to original behavior, add a 2nd check to said conditional. Fixes: d5a73cdc6b90 ("x86/boot: Use boot_vid_info variable directly from C code") Reported-by: Marek Marczykowski-Górecki Signed-off-by: Jan Beulich Tested-by: Marek Marczykowski-Górecki Acked-by: Andrew Cooper Reviewed-by: Teddy Astie Release-Acked-by: Oleksii Kurochko --- xen/arch/x86/boot/reloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/boot/reloc.c b/xen/arch/x86/boot/reloc.c index 7a375ad41c..2aa6ebb16b 100644 --- a/xen/arch/x86/boot/reloc.c +++ b/xen/arch/x86/boot/reloc.c @@ -339,7 +339,7 @@ static multiboot_info_t *mbi2_reloc(uint32_t mbi_in, memctx *ctx) end: #ifdef CONFIG_VIDEO - if ( video ) + if ( video && video->lfb_size ) video->orig_video_isVGA = 0x23; #endif -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 26 09:33:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 26 Jun 2026 09:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345989.1604561 (Exim 4.92) (envelope-from ) id 1wd2vx-0007MM-Hl; Fri, 26 Jun 2026 09:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345989.1604561; Fri, 26 Jun 2026 09:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd2vx-0007ME-FC; Fri, 26 Jun 2026 09:33:13 +0000 Received: by outflank-mailman (input) for mailman id 1345989; Fri, 26 Jun 2026 09:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd2vw-0007M2-A6 for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wd2vw-00AkU9-1k for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wd2vw-002AlP-0V for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TEtvGu8Nk8CyzsEyVCYxQqpPPLsdV6rYQ4y2hSvE1sk=; b=EenMgnOAu0yuYI57vHPfZREdGR B1NZrd+nfkPifOA8VccpLKhFqXHS6pPwWj+yFnnrpSF8+QlK382ftbTIzbO6zCkpim/0nHjdUxXaU A0wcoLS85t3E9mVZi8uegg8HpHb368oBZecDdVb/p+2aWaQ1UHu1XG0UMXir2CB+TUk0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] bootfdt: Fix infinite loop in device_tree_for_each_node() Message-Id: Date: Fri, 26 Jun 2026 09:33:12 +0000 commit 3b717f57dca508f546303dd34067b7b906ba459e Author: Dmytro Prokopchuk1 AuthorDate: Fri Jun 26 07:57:33 2026 +0000 Commit: Michal Orzel CommitDate: Fri Jun 26 10:08:15 2026 +0200 bootfdt: Fix infinite loop in device_tree_for_each_node() When a node's depth exceeds DEVICE_TREE_MAX_DEPTH inside the device_tree_for_each_node() loop, the code prints a warning and executes 'continue;' statement, which jumps to condition check, bypassing the iterator update step: node = fdt_next_node(fdt, node, &depth). The node and depth are not updated, the loop repeatedly evaluates the same too-deep node, causing a hang. Fix this by wrapping the node processing logic in an 'else' block. This ensures the loop update step is executed on every iteration, safely skipping deeply nested nodes and doing the traversal. Fixes: 40f2ea3df2e2 ("xen/arm: pass node to device_tree_for_each_node") Signed-off-by: Dmytro Prokopchuk Reviewed-by: Michal Orzel Release-Acked-by: Oleskii Kurochko --- xen/common/device-tree/bootfdt.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/xen/common/device-tree/bootfdt.c b/xen/common/device-tree/bootfdt.c index 7c790b9a4d..8e9b45d1a7 100644 --- a/xen/common/device-tree/bootfdt.c +++ b/xen/common/device-tree/bootfdt.c @@ -90,23 +90,28 @@ int __init device_tree_for_each_node(const void *fdt, int node, { printk("Warning: device tree node `%s' is nested too deep\n", name); - continue; } - - as = depth > 0 ? address_cells[depth-1] : DT_ROOT_NODE_ADDR_CELLS_DEFAULT; - ss = depth > 0 ? size_cells[depth-1] : DT_ROOT_NODE_SIZE_CELLS_DEFAULT; - - address_cells[depth] = device_tree_get_u32(fdt, node, - "#address-cells", as); - size_cells[depth] = device_tree_get_u32(fdt, node, - "#size-cells", ss); - - /* skip the first node */ - if ( node != first_node ) + else { - ret = func(fdt, node, name, depth, as, ss, data); - if ( ret != 0 ) - return ret; + as = depth > 0 ? + address_cells[depth - 1] : + DT_ROOT_NODE_ADDR_CELLS_DEFAULT; + ss = depth > 0 ? + size_cells[depth - 1] : + DT_ROOT_NODE_SIZE_CELLS_DEFAULT; + + address_cells[depth] = device_tree_get_u32(fdt, node, + "#address-cells", as); + size_cells[depth] = device_tree_get_u32(fdt, node, + "#size-cells", ss); + + /* skip the first node */ + if ( node != first_node ) + { + ret = func(fdt, node, name, depth, as, ss, data); + if ( ret != 0 ) + return ret; + } } node = fdt_next_node(fdt, node, &depth); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 26 09:33:14 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 26 Jun 2026 09:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1345988.1604560 (Exim 4.92) (envelope-from ) id 1wd2vo-0007Jb-H0; Fri, 26 Jun 2026 09:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1345988.1604560; Fri, 26 Jun 2026 09:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd2vo-0007JS-Cj; Fri, 26 Jun 2026 09:33:04 +0000 Received: by outflank-mailman (input) for mailman id 1345988; Fri, 26 Jun 2026 09:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd2vm-0007JM-Dh for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wd2vm-00AkU5-1C for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wd2vm-002AFQ-06 for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 09:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ur5NLabelppaJKEDS4sm2NpuIh5qzoSeir8jRxmvyJQ=; b=RCFrar5VbX8ciaQNk555Hyp1ZS HJo8SeT+fd1m4J/EcBjPnxsIoQWigj5sQoZALb4yLTccfV10Iihdhz4a6icmX11eA5dmLPPIBnOV6 LuBiigHfl6+htLYc4Fbp2EFM9q3oAt5ypd6T12xCiSWQ04IEjxAc+lRj6K6Z6IWRJE4Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: gic: defer host LPI allocation until after ITS init Message-Id: Date: Fri, 26 Jun 2026 09:33:02 +0000 commit 9b3a73a0282559fff77eba576cfe275b83ddf0bb Author: Mykola Kvach AuthorDate: Fri Jun 19 08:45:52 2026 +0300 Commit: Michal Orzel CommitDate: Fri Jun 26 10:06:08 2026 +0200 xen/arm: gic: defer host LPI allocation until after ITS init gicv3_lpi_init_host_lpis() initializes Xen-side host LPI bookkeeping, registers the CPU notifier, and allocates the boot CPU pending table. The pending table allocation uses gicv3_its_get_memflags(). ITS quirks are discovered by gicv3_its_init(), so allocating the boot CPU pending table from gicv3_dist_init() can happen before the memory restrictions required by the ITS are known. On affected systems this can leave the pending table allocated using the default memory policy. Move host LPI initialization after gicv3_its_init(), and only run it when a host ITS was found. The old call ignored the return value. Now that the call is made from gicv3_init(), check it and panic on failure because Redistributor LPI initialization relies on that state being available. Although this reorders host LPI bookkeeping with respect to ITS initialization, it does not change the hardware-visible LPI setup sequence. gicv3_lpi_init_host_lpis() does not program the Redistributor or submit any ITS commands. gicv3_cpu_init() still programs GICR_PENDBASER/GICR_PROPBASER via gicv3_lpi_init_rdist(), sets GICR_CTLR.EnableLPIs, and only then calls gicv3_its_setup_collection(), which submits the first MAPC/SYNC commands. Therefore, the ordering introduced by 95604873cc remains unchanged. This also narrows the condition for host LPI initialization from "GICD advertises LPIs" to "a host ITS was discovered". This is intentional: Xen currently has no supported LPI path without a host ITS, and gicv3_lpi_init_rdist() already rejects that case with -ENODEV. Therefore, on systems where GICD_TYPE_LPIS is set but no host ITS is present, skipping gicv3_lpi_init_host_lpis() only avoids allocating host LPI state that cannot be used by a supported Xen LPI path. Fixes: dcb6cb263689 ("ARM: GICv3 ITS: introduce host LPI array") Fixes: 751ec850ec1d ("ARM: ITS: implement quirks and add support for Renesas Gen4 ITS") Signed-off-by: Mykola Kvach Reviewed-by: Oleksandr Tyshchenko Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/arch/arm/gic-v3.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/xen/arch/arm/gic-v3.c b/xen/arch/arm/gic-v3.c index 17ff85ef5d..acdac22953 100644 --- a/xen/arch/arm/gic-v3.c +++ b/xen/arch/arm/gic-v3.c @@ -764,9 +764,6 @@ static void __init gicv3_dist_init(void) type = readl_relaxed(GICD + GICD_TYPER); nr_lines = 32 * ((type & GICD_TYPE_LINES) + 1); - if ( type & GICD_TYPE_LPIS ) - gicv3_lpi_init_host_lpis(GICD_TYPE_ID_BITS(type)); - /* Only 1020 interrupts are supported */ nr_lines = min(1020U, nr_lines); gicv3_info.nr_lines = nr_lines; @@ -1990,6 +1987,17 @@ static int __init gicv3_init(void) res = gicv3_its_init(); if ( res ) panic("GICv3: ITS: initialization failed: %d\n", res); + + /* + * Host LPI allocation uses ITS-derived memory attributes, so defer it + * until after gicv3_its_init() has discovered ITS workarounds. + */ + if ( gicv3_its_host_has_its() ) + { + res = gicv3_lpi_init_host_lpis(intid_bits); + if ( res ) + panic("GICv3: LPI initialization failed: %d\n", res); + } } res = gicv3_cpu_init(); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Jun 26 10:22:05 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 26 Jun 2026 10:22:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1346012.1604575 (Exim 4.92) (envelope-from ) id 1wd3hD-0005r0-0H; Fri, 26 Jun 2026 10:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1346012.1604575; Fri, 26 Jun 2026 10:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd3hC-0005qs-Tq; Fri, 26 Jun 2026 10:22:02 +0000 Received: by outflank-mailman (input) for mailman id 1346012; Fri, 26 Jun 2026 10:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd3hC-0005qm-BJ for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wd3hC-00AlP5-19 for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wd3hC-003t3Z-08 for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DAbmHjWLvGyWGemRaeWFq+I36mBNoPC2HkK4lDseijY=; b=Vp5NdkMKfPXW/qNYTJLvsUotPp fUvq3bx91O+xzA745WkeIqseWelBdO8NBRiEqrwgmX+LuhGncqKW0/rJO+RNPnPCOsXF3Py5K/qLL YpxlxYzMrJIlrYlwEMgCMHa5m/8eB3UuNpx7fRL1bqwR0COZCmXWMxLc5fgqCU7FmKO4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: gic: defer host LPI allocation until after ITS init Message-Id: Date: Fri, 26 Jun 2026 10:22:02 +0000 commit 9b3a73a0282559fff77eba576cfe275b83ddf0bb Author: Mykola Kvach AuthorDate: Fri Jun 19 08:45:52 2026 +0300 Commit: Michal Orzel CommitDate: Fri Jun 26 10:06:08 2026 +0200 xen/arm: gic: defer host LPI allocation until after ITS init gicv3_lpi_init_host_lpis() initializes Xen-side host LPI bookkeeping, registers the CPU notifier, and allocates the boot CPU pending table. The pending table allocation uses gicv3_its_get_memflags(). ITS quirks are discovered by gicv3_its_init(), so allocating the boot CPU pending table from gicv3_dist_init() can happen before the memory restrictions required by the ITS are known. On affected systems this can leave the pending table allocated using the default memory policy. Move host LPI initialization after gicv3_its_init(), and only run it when a host ITS was found. The old call ignored the return value. Now that the call is made from gicv3_init(), check it and panic on failure because Redistributor LPI initialization relies on that state being available. Although this reorders host LPI bookkeeping with respect to ITS initialization, it does not change the hardware-visible LPI setup sequence. gicv3_lpi_init_host_lpis() does not program the Redistributor or submit any ITS commands. gicv3_cpu_init() still programs GICR_PENDBASER/GICR_PROPBASER via gicv3_lpi_init_rdist(), sets GICR_CTLR.EnableLPIs, and only then calls gicv3_its_setup_collection(), which submits the first MAPC/SYNC commands. Therefore, the ordering introduced by 95604873cc remains unchanged. This also narrows the condition for host LPI initialization from "GICD advertises LPIs" to "a host ITS was discovered". This is intentional: Xen currently has no supported LPI path without a host ITS, and gicv3_lpi_init_rdist() already rejects that case with -ENODEV. Therefore, on systems where GICD_TYPE_LPIS is set but no host ITS is present, skipping gicv3_lpi_init_host_lpis() only avoids allocating host LPI state that cannot be used by a supported Xen LPI path. Fixes: dcb6cb263689 ("ARM: GICv3 ITS: introduce host LPI array") Fixes: 751ec850ec1d ("ARM: ITS: implement quirks and add support for Renesas Gen4 ITS") Signed-off-by: Mykola Kvach Reviewed-by: Oleksandr Tyshchenko Reviewed-by: Michal Orzel Release-Acked-by: Oleksii Kurochko --- xen/arch/arm/gic-v3.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/xen/arch/arm/gic-v3.c b/xen/arch/arm/gic-v3.c index 17ff85ef5d..acdac22953 100644 --- a/xen/arch/arm/gic-v3.c +++ b/xen/arch/arm/gic-v3.c @@ -764,9 +764,6 @@ static void __init gicv3_dist_init(void) type = readl_relaxed(GICD + GICD_TYPER); nr_lines = 32 * ((type & GICD_TYPE_LINES) + 1); - if ( type & GICD_TYPE_LPIS ) - gicv3_lpi_init_host_lpis(GICD_TYPE_ID_BITS(type)); - /* Only 1020 interrupts are supported */ nr_lines = min(1020U, nr_lines); gicv3_info.nr_lines = nr_lines; @@ -1990,6 +1987,17 @@ static int __init gicv3_init(void) res = gicv3_its_init(); if ( res ) panic("GICv3: ITS: initialization failed: %d\n", res); + + /* + * Host LPI allocation uses ITS-derived memory attributes, so defer it + * until after gicv3_its_init() has discovered ITS workarounds. + */ + if ( gicv3_its_host_has_its() ) + { + res = gicv3_lpi_init_host_lpis(intid_bits); + if ( res ) + panic("GICv3: LPI initialization failed: %d\n", res); + } } res = gicv3_cpu_init(); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Jun 26 10:22:13 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 26 Jun 2026 10:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1346013.1604579 (Exim 4.92) (envelope-from ) id 1wd3hN-0005sy-1a; Fri, 26 Jun 2026 10:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1346013.1604579; Fri, 26 Jun 2026 10:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd3hM-0005sq-VE; Fri, 26 Jun 2026 10:22:12 +0000 Received: by outflank-mailman (input) for mailman id 1346013; Fri, 26 Jun 2026 10:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wd3hM-0005sj-6w for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wd3hM-00AlP9-1S for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wd3hM-003tZp-0R for xen-changelog@lists.xenproject.org; Fri, 26 Jun 2026 10:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xenproject.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NgqUyRHtIcLQsRVcy3wsNLrNHTwxAg+egsY8HJXN1qI=; b=MU+wS9aJgiEAnMHEjzJFuoR+xL +OV8xVHH8yAZp+bqWNHAlt8SgeVtvV+brwSdGx0beJRHhcoTsc5Ef/mhHrghBcZYQr6kcMDCdY7Y+ 9h97QWzrWSrDyx0UK2y19o4SHTkip02Mi5jqv2LI9FI66WX8r/c5R0KntWNt9SZ3z2sk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] bootfdt: Fix infinite loop in device_tree_for_each_node() Message-Id: Date: Fri, 26 Jun 2026 10:22:12 +0000 commit 3b717f57dca508f546303dd34067b7b906ba459e Author: Dmytro Prokopchuk1 AuthorDate: Fri Jun 26 07:57:33 2026 +0000 Commit: Michal Orzel CommitDate: Fri Jun 26 10:08:15 2026 +0200 bootfdt: Fix infinite loop in device_tree_for_each_node() When a node's depth exceeds DEVICE_TREE_MAX_DEPTH inside the device_tree_for_each_node() loop, the code prints a warning and executes 'continue;' statement, which jumps to condition check, bypassing the iterator update step: node = fdt_next_node(fdt, node, &depth). The node and depth are not updated, the loop repeatedly evaluates the same too-deep node, causing a hang. Fix this by wrapping the node processing logic in an 'else' block. This ensures the loop update step is executed on every iteration, safely skipping deeply nested nodes and doing the traversal. Fixes: 40f2ea3df2e2 ("xen/arm: pass node to device_tree_for_each_node") Signed-off-by: Dmytro Prokopchuk Reviewed-by: Michal Orzel Release-Acked-by: Oleskii Kurochko --- xen/common/device-tree/bootfdt.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/xen/common/device-tree/bootfdt.c b/xen/common/device-tree/bootfdt.c index 7c790b9a4d..8e9b45d1a7 100644 --- a/xen/common/device-tree/bootfdt.c +++ b/xen/common/device-tree/bootfdt.c @@ -90,23 +90,28 @@ int __init device_tree_for_each_node(const void *fdt, int node, { printk("Warning: device tree node `%s' is nested too deep\n", name); - continue; } - - as = depth > 0 ? address_cells[depth-1] : DT_ROOT_NODE_ADDR_CELLS_DEFAULT; - ss = depth > 0 ? size_cells[depth-1] : DT_ROOT_NODE_SIZE_CELLS_DEFAULT; - - address_cells[depth] = device_tree_get_u32(fdt, node, - "#address-cells", as); - size_cells[depth] = device_tree_get_u32(fdt, node, - "#size-cells", ss); - - /* skip the first node */ - if ( node != first_node ) + else { - ret = func(fdt, node, name, depth, as, ss, data); - if ( ret != 0 ) - return ret; + as = depth > 0 ? + address_cells[depth - 1] : + DT_ROOT_NODE_ADDR_CELLS_DEFAULT; + ss = depth > 0 ? + size_cells[depth - 1] : + DT_ROOT_NODE_SIZE_CELLS_DEFAULT; + + address_cells[depth] = device_tree_get_u32(fdt, node, + "#address-cells", as); + size_cells[depth] = device_tree_get_u32(fdt, node, + "#size-cells", ss); + + /* skip the first node */ + if ( node != first_node ) + { + ret = func(fdt, node, name, depth, as, ss, data); + if ( ret != 0 ) + return ret; + } } node = fdt_next_node(fdt, node, &depth); -- generated by git-patchbot for /home/xen/git/xen.git#master