[xen staging] tools/oxenstored: Reset quota when resetting permissions

[patchbot@xxxxxxx]

commit af9e77f5ff774a252a89039c281744de64db44bc
Author:     Andrii Sultanov <andriy.sultanov@xxxxxxxxxx>
AuthorDate: Tue Apr 28 13:41:16 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Apr 28 13:41:32 2026 +0100

    tools/oxenstored: Reset quota when resetting permissions
    
    The quota object contains both limits and the current node usage counts.
    
    When a domain is torn down, the node data itself is cleaned up but the node
    usage counts are not.  A later domain reusing the same domid can create 
fewer
    nodes before being deemed to be over quota.
    
    Reset the count when the node permissions are cleaned up.
    
    This is XSA-483 / CVE-2026-23556.
    
    Signed-off-by: Andrii Sultanov <andriy.sultanov@xxxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 tools/ocaml/xenstored/store.ml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml
index 9b8dd2812d..aa9204ead3 100644
--- a/tools/ocaml/xenstored/store.ml
+++ b/tools/ocaml/xenstored/store.ml
@@ -465,7 +465,8 @@ let reset_permissions store domid =
         if perms <> node.perms then
           Logging.debug "store|node" "Changed permissions for node %s" 
(Node.get_name node);
         Some { node with Node.perms }
-    ) store.root
+    ) store.root;
+  store.quota <- Quota.del store.quota domid
 
 type ops = {
   store: t;
--
generated by git-patchbot for /home/xen/git/xen.git#staging