Xen project Mailing List

[PATCH v3 02/12] xen: fix len type for guest copy functions

From: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>

Date: Fri, 10 Apr 2026 17:54:48 +0200

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From"

Cc: Romain Caritey <Romain.Caritey@xxxxxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Fri, 10 Apr 2026 15:55:17 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Widen the len argument of copy_to_guest_phys_flush_dcache() and the copy_to_guest_phys_cb typedef from unsigned int to unsigned long, as the function can be used to copy large blobs such as the initrd which may exceed 4GB. Update the internal copy_guest() len argument to unsigned long accordingly. Change the type for local variable size in copy_guest() to avoid compilation error because of type mismatch. raw_* wrappers above copy_guest() keep returning unsigned long to avoid type narrowing; it is not an issue for raw_*'s len argument to remain 'unsigned int' since the assignment to copy_guest()'s wider unsigned long parameter is safe and there is no raw_* users who are using a value bigger than what can fit into 'unsigned int'. Reported-by: Jan Beulich <jbeulich@xxxxxxxx> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx> --- Changes in v3: - Correct the declaration of copy_to_guest_phys_cb() instead of return 'unsigned int' to be in sync with len argument, the type of len argument is changed on 'unsigned long' as initrd could be pretty big and also its size is stroed in 'paddr_t' which is 'unsigned long'. - Update copy_guest() prototype to avoid trancation bug for len argument. - Revert prototype changes for raw_* wrappers above copy_guest() as they should keep returning unsigned long to avoid type narrowing; it is not an issue for raw_*'s len argument to remain 'unsigned int' since the assignment to copy_guest()'s wider unsigned long parameter is safe. - Change the type for local variable size in copy_guest() to avoid compilation error because of type mismatch. - Add Reported-by: Jan Beulich <jbeulich@xxxxxxxx> --- Changes in v2: - New patch. --- xen/arch/arm/guestcopy.c | 6 +++--- xen/arch/arm/include/asm/guest_access.h | 2 +- xen/include/xen/fdt-domain-build.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c index fdb06422b8e9..ca0f72a80bff 100644 --- a/xen/arch/arm/guestcopy.c +++ b/xen/arch/arm/guestcopy.c @@ -53,7 +53,7 @@ static struct page_info *translate_get_page(copy_info_t info, uint64_t addr, return page; } -static unsigned long copy_guest(void *buf, uint64_t addr, unsigned int len, +static unsigned long copy_guest(void *buf, uint64_t addr, unsigned long len, copy_info_t info, unsigned int flags) { /* XXX needs to handle faults */ @@ -65,7 +65,7 @@ static unsigned long copy_guest(void *buf, uint64_t addr, unsigned int len, while ( len ) { void *p; - unsigned int size = min(len, (unsigned int)PAGE_SIZE - offset); + unsigned long size = min_t(unsigned long, len, PAGE_SIZE - offset); struct page_info *page; page = translate_get_page(info, addr, flags & COPY_linear, @@ -136,7 +136,7 @@ unsigned long raw_copy_from_guest(void *to, const void __user *from, unsigned long copy_to_guest_phys_flush_dcache(struct domain *d, paddr_t gpa, void *buf, - unsigned int len) + unsigned long len) { return copy_guest(buf, gpa, len, GPA_INFO(d), COPY_to_guest | COPY_ipa | COPY_flush_dcache); diff --git a/xen/arch/arm/include/asm/guest_access.h b/xen/arch/arm/include/asm/guest_access.h index 18c88b70d7ec..c13cbec55b65 100644 --- a/xen/arch/arm/include/asm/guest_access.h +++ b/xen/arch/arm/include/asm/guest_access.h @@ -14,7 +14,7 @@ unsigned long raw_clear_guest(void *to, unsigned int len); unsigned long copy_to_guest_phys_flush_dcache(struct domain *d, paddr_t gpa, void *buf, - unsigned int len); + unsigned long len); int access_guest_memory_by_gpa(struct domain *d, paddr_t gpa, void *buf, uint32_t size, bool is_write); diff --git a/xen/include/xen/fdt-domain-build.h b/xen/include/xen/fdt-domain-build.h index 886a85381651..1d9e77df0eb3 100644 --- a/xen/include/xen/fdt-domain-build.h +++ b/xen/include/xen/fdt-domain-build.h @@ -47,7 +47,7 @@ static inline int get_allocation_size(paddr_t size) typedef unsigned long (*copy_to_guest_phys_cb)(struct domain *d, paddr_t gpa, void *buf, - unsigned int len); + unsigned long len); void initrd_load(struct kernel_info *kinfo, copy_to_guest_phys_cb cb); -- 2.53.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.