Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 9 Mar 2023 15:08:12 GMT
From:      =?utf-8?Q?Roger=20Pau=20Monn=C3=A9?= <royger@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 3688ce5f8484 - main - {emulators,sysutils}/xen-{kernel,tools}: update to 4.17
Message-ID:  <202303091508.329F8CFV083005@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by royger:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3688ce5f8484c0184c5374dc7be04d53a22b9623

commit 3688ce5f8484c0184c5374dc7be04d53a22b9623
Author:     Roger Pau Monné <royger@FreeBSD.org>
AuthorDate: 2023-03-09 14:58:44 +0000
Commit:     Roger Pau Monné <royger@FreeBSD.org>
CommitDate: 2023-03-09 15:06:49 +0000

    {emulators,sysutils}/xen-{kernel,tools}: update to 4.17
    
    While there also update SeaBIOS to 1.16.1.
    
    Sponsored by: Citrix Systems R&D
    Approved by: bapt (implicit)
---
 emulators/xen-kernel/Makefile                      |  22 ++--
 emulators/xen-kernel/distinfo                      |   6 +-
 ...m-introduce-hypercall-to-get-initial-vide.patch |  84 +++++++++++++
 ...ne-split-retpoline-compiler-support-into-.patch |  66 -----------
 ...-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch |  65 ----------
 ...Work-around-Clang-IAS-macro-expansion-bug.patch | 107 +++++++++++++++++
 ...1-xen-x86-Remove-the-use-of-K-R-functions.patch |  78 ++++++++++++
 .../0002-x86-clang-add-retpoline-support.patch     |  56 ---------
 ...-ctrl-Introduce-new-has_spec_ctrl-boolean.patch |  97 ---------------
 emulators/xen-kernel/files/xsa395.patch            |  42 -------
 ...spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch | 118 ------------------
 emulators/xen-kernel/files/xsa425.patch            | 132 +++++++++++++++++++++
 emulators/xen-kernel/files/xsa426.patch            | 107 +++++++++++++++++
 misc/seabios/Makefile                              |   2 +-
 misc/seabios/distinfo                              |   6 +-
 sysutils/xen-tools/Makefile                        |   8 +-
 sysutils/xen-tools/distinfo                        |   6 +-
 ...001-tools-Remove-the-use-of-K-R-functions.patch |  41 +++++++
 ...1-xen-x86-Remove-the-use-of-K-R-functions.patch |  78 ++++++++++++
 sysutils/xen-tools/pkg-plist                       |  39 +++---
 20 files changed, 675 insertions(+), 485 deletions(-)

diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index dbfc3c40ca96..4844d8675227 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	xen
-PORTVERSION=	4.16.0
+PORTVERSION=	4.17.0
 PORTREVISION=	0
 CATEGORIES=	emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
@@ -26,17 +26,15 @@ PLIST_FILES=	/boot/xen \
 		lib/debug/boot/xen.debug \
 		lib/debug/boot/xen-debug.debug
 
-# XSA-395
-EXTRA_PATCHES+=	${PATCHDIR}/xsa395.patch:-p1
-
-# XSA-398
-EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch:-p1 \
-		${PATCHDIR}/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch:-p1 \
-		${PATCHDIR}/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch:-p1
-
-# Add retpoline support for clang builds
-EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch:-p1 \
-		${PATCHDIR}/0002-x86-clang-add-retpoline-support.patch:-p1
+# XSAs
+EXTRA_PATCHES+=	${PATCHDIR}/xsa425.patch:-p1 \
+		${PATCHDIR}/xsa426.patch:-p1 \
+		${PATCHDIR}/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch:-p1
+# Backports
+# clang build fixes
+EXTRA_PATCHES+=	${PATCHDIR}/0001-xen-x86-Remove-the-use-of-K-R-functions.patch:-p1
+# Support for fetching video mode from PVH dom0
+EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch:-p1
 
 .include <bsd.port.options.mk>
 
diff --git a/emulators/xen-kernel/distinfo b/emulators/xen-kernel/distinfo
index d197e536add4..843b42797c93 100644
--- a/emulators/xen-kernel/distinfo
+++ b/emulators/xen-kernel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1648563575
-SHA256 (xen-4.16.0.tar.gz) = adc87a90e614d090a2014b9aebae8d815a7348bf329d169b3cb655256d0ee995
-SIZE (xen-4.16.0.tar.gz) = 44982322
+TIMESTAMP = 1678353105
+SHA256 (xen-4.17.0.tar.gz) = 119fc44fa3f9b581f1929c2ed8e0f97fac59a1828bc5ec5c244df096e7343ef9
+SIZE (xen-4.17.0.tar.gz) = 46484553
diff --git a/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch b/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch
new file mode 100644
index 000000000000..747d6167fc59
--- /dev/null
+++ b/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch
@@ -0,0 +1,84 @@
+From 4dd160583c798d3a5a451ea74633836891d15354 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 6 Dec 2022 13:53:43 +0100
+Subject: [PATCH] x86/platform: introduce hypercall to get initial video
+ console settings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is required so PVH dom0 can get the initial video console state
+as handled by Xen.  PV dom0 will get this as part of the start_info,
+but it doesn't seem necessary to place such information in the
+HVM start info.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/platform_hypercall.c | 11 +++++++++++
+ xen/drivers/video/vga.c           |  2 +-
+ xen/include/public/platform.h     |  6 ++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
+index a7341dc3d7..3f0d0389af 100644
+--- a/xen/arch/x86/platform_hypercall.c
++++ b/xen/arch/x86/platform_hypercall.c
+@@ -839,6 +839,17 @@ ret_t do_platform_op(
+     }
+     break;
+ 
++    case XENPF_get_dom0_console:
++        if ( !fill_console_start_info(&op->u.dom0_console) )
++        {
++            ret = -ENODEV;
++            break;
++        }
++
++        if ( copy_field_to_guest(u_xenpf_op, op, u.dom0_console) )
++            ret = -EFAULT;
++        break;
++
+     default:
+         ret = -ENOSYS;
+         break;
+diff --git a/xen/drivers/video/vga.c b/xen/drivers/video/vga.c
+index 29a88e8241..0a03508bee 100644
+--- a/xen/drivers/video/vga.c
++++ b/xen/drivers/video/vga.c
+@@ -205,7 +205,7 @@ static void cf_check vga_text_puts(const char *s, size_t nr)
+     }
+ }
+ 
+-int __init fill_console_start_info(struct dom0_vga_console_info *ci)
++int fill_console_start_info(struct dom0_vga_console_info *ci)
+ {
+     memcpy(ci, &vga_console_info, sizeof(*ci));
+     return 1;
+diff --git a/xen/include/public/platform.h b/xen/include/public/platform.h
+index 5e1494fe9a..14784dfa77 100644
+--- a/xen/include/public/platform.h
++++ b/xen/include/public/platform.h
+@@ -605,6 +605,11 @@ struct xenpf_symdata {
+ typedef struct xenpf_symdata xenpf_symdata_t;
+ DEFINE_XEN_GUEST_HANDLE(xenpf_symdata_t);
+ 
++/* Fetch the video console information and mode setup by Xen. */
++#define XENPF_get_dom0_console 64
++typedef struct dom0_vga_console_info xenpf_dom0_console_t;
++DEFINE_XEN_GUEST_HANDLE(xenpf_dom0_console_t);
++
+ /*
+  * ` enum neg_errnoval
+  * ` HYPERVISOR_platform_op(const struct xen_platform_op*);
+@@ -635,6 +640,7 @@ struct xen_platform_op {
+         xenpf_core_parking_t          core_parking;
+         xenpf_resource_op_t           resource_op;
+         xenpf_symdata_t               symdata;
++        xenpf_dom0_console_t          dom0_console;
+         uint8_t                       pad[128];
+     } u;
+ };
+-- 
+2.39.0
+
diff --git a/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch b/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch
deleted file mode 100644
index bee5db0ab16c..000000000000
--- a/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From e245bc154300b5d0367b64e8b937c9d1da508ad3 Mon Sep 17 00:00:00 2001
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Fri, 18 Feb 2022 15:34:14 +0100
-Subject: [PATCH 1/2] x86/retpoline: split retpoline compiler support into
- separate option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Keep the previous option as a way to signal generic retpoline support
-regardless of the underlying compiler, while introducing a new
-CC_HAS_INDIRECT_THUNK that signals whether the underlying compiler
-supports retpoline.
-
-No functional change intended.
-
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/Kconfig |  6 +++++-
- xen/arch/x86/arch.mk | 10 ++++++----
- 2 files changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
-index b4abfca46f..fe89fa7274 100644
---- a/xen/arch/x86/Kconfig
-+++ b/xen/arch/x86/Kconfig
-@@ -32,9 +32,13 @@ config ARCH_DEFCONFIG
- 	string
- 	default "arch/x86/configs/x86_64_defconfig"
- 
--config INDIRECT_THUNK
-+config CC_HAS_INDIRECT_THUNK
- 	def_bool $(cc-option,-mindirect-branch-register)
- 
-+config INDIRECT_THUNK
-+	def_bool y
-+	depends on CC_HAS_INDIRECT_THUNK
-+
- config HAS_AS_CET_SS
- 	# binutils >= 2.29 or LLVM >= 6
- 	def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
-diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
-index bfd5eaa35f..15d0cbe487 100644
---- a/xen/arch/x86/arch.mk
-+++ b/xen/arch/x86/arch.mk
-@@ -42,10 +42,12 @@ CFLAGS += -mno-red-zone -fpic
- # SSE setup for variadic function calls.
- CFLAGS += -mno-sse $(call cc-option,$(CC),-mskip-rax-setup)
- 
--# Compile with thunk-extern, indirect-branch-register if avaiable.
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
-+ifeq ($(CONFIG_INDIRECT_THUNK),y)
-+# Compile with gcc thunk-extern, indirect-branch-register if available.
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables
-+endif
- 
- # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
- # this to be overridden elsewhere.
--- 
-2.35.1
-
diff --git a/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch b/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch
deleted file mode 100644
index 42bde92c5de5..000000000000
--- a/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 7f34b6a895d10744bab32fc843246c45da444d8b Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 25 Jan 2022 16:09:59 +0000
-Subject: [PATCH 1/2] x86/spec-ctrl: Drop use_spec_ctrl boolean
-
-Several bugfixes have reduced the utility of this variable from it's original
-purpose, and now all it does is aid in the setup of SCF_ist_wrmsr.
-
-Simplify the logic by drop the variable, and doubling up the setting of
-SCF_ist_wrmsr for the PV and HVM blocks, which will make the AMD SPEC_CTRL
-support easier to follow.  Leave a comment explaining why SCF_ist_wrmsr is
-still necessary for the VMExit case.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit ec083bf552c35e10347449e21809f4780f8155d2)
----
- xen/arch/x86/spec_ctrl.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index c18cc8aa49..8a550d0a09 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps)
- void __init init_speculation_mitigations(void)
- {
-     enum ind_thunk thunk = THUNK_DEFAULT;
--    bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled;
-+    bool ibrs = false, hw_smt_enabled;
-     bool cpu_has_bug_taa;
-     uint64_t caps = 0;
- 
-@@ -1016,19 +1016,21 @@ void __init init_speculation_mitigations(void)
-     {
-         if ( opt_msr_sc_pv )
-         {
--            use_spec_ctrl = true;
-+            default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV);
-         }
- 
-         if ( opt_msr_sc_hvm )
-         {
--            use_spec_ctrl = true;
-+            /*
-+             * While the guest MSR_SPEC_CTRL value is loaded/saved atomically,
-+             * Xen's value is not restored atomically.  An early NMI hitting
-+             * the VMExit path needs to restore Xen's value for safety.
-+             */
-+            default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
-         }
- 
--        if ( use_spec_ctrl )
--            default_spec_ctrl_flags |= SCF_ist_wrmsr;
--
-         if ( ibrs )
-             default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-     }
--- 
-2.35.1
-
diff --git a/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
new file mode 100644
index 000000000000..62f912f089e7
--- /dev/null
+++ b/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
@@ -0,0 +1,107 @@
+From a2adacff0b91cc7b977abb209dc419a2ef15963f Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 17 Feb 2023 00:12:24 +0000
+Subject: [PATCH] xen: Work around Clang-IAS macro \@ expansion bug
+
+https://github.com/llvm/llvm-project/issues/60792
+
+It turns out that Clang-IAS does not expand \@ uniquely in a translaition
+unit, and the XSA-426 change tickles this bug:
+
+  <instantiation>:4:1: error: invalid symbol redefinition
+  .L1_fill_rsb_loop:
+  ^
+  make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1
+
+Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in
+too, which Clang does seem to expand properly.
+
+Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/include/asm/spec_ctrl.h     |  4 ++--
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++-------
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
+index 3cf8a7d304..f718f94088 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl.h
++++ b/xen/arch/x86/include/asm/spec_ctrl.h
+@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void)
+     wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
+ 
+     /* (ab)use alternative_input() to specify clobbers. */
+-    alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
++    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET,
+                       : "rax", "rcx");
+ }
+ 
+@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
+      *
+      * (ab)use alternative_input() to specify clobbers.
+      */
+-    alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
++    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE,
+                       : "rax", "rcx");
+ }
+ 
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index fab27ff553..f23bb105c5 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -117,11 +117,16 @@
+ .L\@_done:
+ .endm
+ 
+-.macro DO_OVERWRITE_RSB tmp=rax
++.macro DO_OVERWRITE_RSB tmp=rax xu
+ /*
+  * Requires nothing
+  * Clobbers \tmp (%rax by default), %rcx
+  *
++ * xu is an optional parameter to add eXtra Uniqueness.  It is intended for
++ * passing %= in from an asm() block, in order to work around
++ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't
++ * expand \@ uniquely.
++ *
+  * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net
+  * change. Based on Google's performance numbers, the loop is unrolled to 16
+  * iterations and two calls per iteration.
+@@ -136,27 +141,27 @@
+     mov $16, %ecx                   /* 16 iterations, two calls per loop */
+     mov %rsp, %\tmp                 /* Store the current %rsp */
+ 
+-.L\@_fill_rsb_loop:
++.L\@_fill_rsb_loop\xu:
+ 
+     .irp n, 1, 2                    /* Unrolled twice. */
+-    call .L\@_insert_rsb_entry_\n   /* Create an RSB entry. */
++    call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */
+     int3                            /* Halt rogue speculation. */
+ 
+-.L\@_insert_rsb_entry_\n:
++.L\@_insert_rsb_entry\xu\n:
+     .endr
+ 
+     sub $1, %ecx
+-    jnz .L\@_fill_rsb_loop
++    jnz .L\@_fill_rsb_loop\xu
+     mov %\tmp, %rsp                 /* Restore old %rsp */
+ 
+ #ifdef CONFIG_XEN_SHSTK
+     mov $1, %ecx
+     rdsspd %ecx
+     cmp $1, %ecx
+-    je .L\@_shstk_done
++    je .L\@_shstk_done\xu
+     mov $64, %ecx                   /* 64 * 4 bytes, given incsspd */
+     incsspd %ecx                    /* Restore old SSP */
+-.L\@_shstk_done:
++.L\@_shstk_done\xu:
+ #endif
+ .endm
+ 
+-- 
+2.39.0
+
diff --git a/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch b/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch
new file mode 100644
index 000000000000..cab6f0e93b9f
--- /dev/null
+++ b/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch
@@ -0,0 +1,78 @@
+From 22b2fa4766728c3057757c00e79da5f7803fff33 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 16 Feb 2023 22:14:12 +0000
+Subject: [PATCH] xen/x86: Remove the use of K&R functions
+
+Clang-15 (as seen in the FreeBSD 14 tests) complains:
+
+  arch/x86/time.c:1364:20: error: a function declaration without a
+  prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+  s_time_t get_s_time()
+                     ^
+                      void
+
+The error message is a bit confusing but appears to new as part of
+-Wdeprecated-non-prototype which is part of supporting C2x which formally
+removes K&R syntax.
+
+Either way, fix the identified functions.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/hvm/vmx/vmcs.c     | 2 +-
+ xen/arch/x86/time.c             | 2 +-
+ xen/drivers/passthrough/iommu.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index 09edbd23b3..e1c268789e 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -781,7 +781,7 @@ static int _vmx_cpu_up(bool bsp)
+     return 0;
+ }
+ 
+-int cf_check vmx_cpu_up()
++int cf_check vmx_cpu_up(void)
+ {
+     return _vmx_cpu_up(false);
+ }
+diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
+index 782b11c8a9..4e44a43cc5 100644
+--- a/xen/arch/x86/time.c
++++ b/xen/arch/x86/time.c
+@@ -1361,7 +1361,7 @@ s_time_t get_s_time_fixed(u64 at_tsc)
+     return t->stamp.local_stime + scale_delta(delta, &t->tsc_scale);
+ }
+ 
+-s_time_t get_s_time()
++s_time_t get_s_time(void)
+ {
+     return get_s_time_fixed(0);
+ }
+diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
+index 921b71e819..0e187f6ae3 100644
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -606,7 +606,7 @@ int __init iommu_setup(void)
+     return rc;
+ }
+ 
+-int iommu_suspend()
++int iommu_suspend(void)
+ {
+     if ( iommu_enabled )
+         return iommu_call(iommu_get_ops(), suspend);
+@@ -614,7 +614,7 @@ int iommu_suspend()
+     return 0;
+ }
+ 
+-void iommu_resume()
++void iommu_resume(void)
+ {
+     if ( iommu_enabled )
+         iommu_vcall(iommu_get_ops(), resume);
+-- 
+2.39.0
+
diff --git a/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch b/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch
deleted file mode 100644
index e650a71b59ab..000000000000
--- a/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 9412486707f8f1ca2eb31c2ef330c5e39c0a2f30 Mon Sep 17 00:00:00 2001
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Fri, 18 Feb 2022 15:34:15 +0100
-Subject: [PATCH 2/2] x86/clang: add retpoline support
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Detect whether the compiler supports clang retpoline option and enable
-by default if available, just like it's done for gcc.
-
-Note clang already disables jump tables when retpoline is enabled, so
-there's no need to also pass the fno-jump-tables parameter. Also clang
-already passes the return address in a register always on amd64, so
-there's no need for any equivalent mindirect-branch-register
-parameter.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/Kconfig | 3 ++-
- xen/arch/x86/arch.mk | 3 +++
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
-index fe89fa7274..1465874097 100644
---- a/xen/arch/x86/Kconfig
-+++ b/xen/arch/x86/Kconfig
-@@ -33,7 +33,8 @@ config ARCH_DEFCONFIG
- 	default "arch/x86/configs/x86_64_defconfig"
- 
- config CC_HAS_INDIRECT_THUNK
--	def_bool $(cc-option,-mindirect-branch-register)
-+	def_bool $(cc-option,-mindirect-branch-register) || \
-+	         $(cc-option,-mretpoline-external-thunk)
- 
- config INDIRECT_THUNK
- 	def_bool y
-diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
-index 15d0cbe487..edfc043dbb 100644
---- a/xen/arch/x86/arch.mk
-+++ b/xen/arch/x86/arch.mk
-@@ -47,6 +47,9 @@ ifeq ($(CONFIG_INDIRECT_THUNK),y)
- CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern
- CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register
- CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables
-+
-+# Enable clang retpoline support if available.
-+CFLAGS-$(CONFIG_CC_IS_CLANG) += -mretpoline-external-thunk
- endif
- 
- # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
--- 
-2.35.1
-
diff --git a/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch b/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch
deleted file mode 100644
index 7b6b1e062721..000000000000
--- a/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 08fc03c855c071e9b1aaaa96403f2a90433336a7 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 25 Jan 2022 17:14:48 +0000
-Subject: [PATCH 2/2] x86/spec-ctrl: Introduce new has_spec_ctrl boolean
-
-Most MSR_SPEC_CTRL setup will be common between Intel and AMD.  Instead of
-opencoding an OR of two features everywhere, introduce has_spec_ctrl instead.
-
-Reword the comment above the Intel specific alternatives block to highlight
-that it is Intel specific, and pull the setting of default_xen_spec_ctrl.IBRS
-out because it will want to be common.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit 5d9eff3a312763d889cfbf3c8468b6dfb3ab490c)
----
- xen/arch/x86/spec_ctrl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index 8a550d0a09..2072daf662 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps)
- void __init init_speculation_mitigations(void)
- {
-     enum ind_thunk thunk = THUNK_DEFAULT;
--    bool ibrs = false, hw_smt_enabled;
-+    bool has_spec_ctrl, ibrs = false, hw_smt_enabled;
-     bool cpu_has_bug_taa;
-     uint64_t caps = 0;
- 
-@@ -936,6 +936,8 @@ void __init init_speculation_mitigations(void)
- 
-     hw_smt_enabled = check_smt_enabled();
- 
-+    has_spec_ctrl = boot_cpu_has(X86_FEATURE_IBRSB);
-+
-     /*
-      * First, disable the use of retpolines if Xen is using shadow stacks, as
-      * they are incompatible.
-@@ -973,11 +975,11 @@ void __init init_speculation_mitigations(void)
-              */
-             else if ( retpoline_safe(caps) )
-                 thunk = THUNK_RETPOLINE;
--            else if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+            else if ( has_spec_ctrl )
-                 ibrs = true;
-         }
-         /* Without compiler thunk support, use IBRS if available. */
--        else if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+        else if ( has_spec_ctrl )
-             ibrs = true;
-     }
- 
-@@ -1008,10 +1010,7 @@ void __init init_speculation_mitigations(void)
-     else if ( thunk == THUNK_JMP )
-         setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP);
- 
--    /*
--     * If we are on hardware supporting MSR_SPEC_CTRL, see about setting up
--     * the alternatives blocks so we can virtualise support for guests.
--     */
-+    /* Intel hardware: MSR_SPEC_CTRL alternatives setup. */
-     if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-     {
-         if ( opt_msr_sc_pv )
-@@ -1030,11 +1029,12 @@ void __init init_speculation_mitigations(void)
-             default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
-         }
--
--        if ( ibrs )
--            default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-     }
- 
-+    /* If we have IBRS available, see whether we should use it. */
-+    if ( has_spec_ctrl && ibrs )
-+        default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-+
-     /* If we have SSBD available, see whether we should use it. */
-     if ( boot_cpu_has(X86_FEATURE_SSBD) && opt_ssbd )
-         default_xen_spec_ctrl |= SPEC_CTRL_SSBD;
-@@ -1268,7 +1268,7 @@ void __init init_speculation_mitigations(void)
-      * boot won't have any other code running in a position to mount an
-      * attack.
-      */
--    if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+    if ( has_spec_ctrl )
-     {
-         bsp_delay_spec_ctrl = !cpu_has_hypervisor && default_xen_spec_ctrl;
- 
--- 
-2.35.1
-
diff --git a/emulators/xen-kernel/files/xsa395.patch b/emulators/xen-kernel/files/xsa395.patch
deleted file mode 100644
index 13b731102d41..000000000000
--- a/emulators/xen-kernel/files/xsa395.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 4cc924c3e3a0d53306d08b04720c427d1c298ba8 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Wed, 5 Jan 2022 18:09:20 +0000
-Subject: [PATCH] passthrough/x86: stop pirq iteration immediately in case of
- error
-
-pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer
-loop will bail out if 'rc' is non-zero but the inner loop will continue.
-
-This means 'rc' will get clobbered and we may miss any errors (such as
--ERESTART in the case of the callback pci_clean_dpci_irq()).
-
-This is CVE-2022-23035 / XSA-395.
-
-Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree")
-Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
----
- xen/drivers/passthrough/x86/hvm.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c
-index 351daafdc9bf..0b37cd145b60 100644
---- a/xen/drivers/passthrough/x86/hvm.c
-+++ b/xen/drivers/passthrough/x86/hvm.c
-@@ -732,7 +732,11 @@ int pt_pirq_iterate(struct domain *d,
- 
-             pirq = pirqs[i]->pirq;
-             if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) )
-+            {
-                 rc = cb(d, pirq_dpci, arg);
-+                if ( rc )
-+                    break;
-+            }
-         }
-     } while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) );
- 
--- 
-2.32.0
-
diff --git a/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch b/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch
deleted file mode 100644
index 7c28ac096ad0..000000000000
--- a/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From c374a8c5cc74535e16410b7a0d9e92bf5de54f79 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 7 Mar 2022 16:35:52 +0000
-Subject: x86/spec-ctrl: Cease using thunk=lfence on AMD
-
-AMD have updated their Spectre v2 guidance, and lfence/jmp is no longer
-considered safe.  AMD are recommending using retpoline everywhere.
-
-Retpoline is incompatible with CET.  All CET-capable hardware has efficient
-IBRS (specifically, not something retrofitted in microcode), so use IBRS (and
-STIBP for consistency sake).
-
-This is a logical change on AMD, but not on Intel as the default calculations
-would end up with these settings anyway.  Leave behind a message if IBRS is
-found to be missing.
-
-Also update the default heuristics to never select THUNK_LFENCE.  This causes
-AMD CPUs to change their default to retpoline.
-
-Also update the printed message to include the AMD MSR_SPEC_CTRL settings, and
-STIBP now that we set it for consistency sake.
-
-This is part of XSA-398 / CVE-2021-26401.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit 8d03080d2a339840d3a59e0932a94f804e45110d)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 995197f4b23e..f606dc0e14c1 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -2269,9 +2269,9 @@ to use.
- 
- If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
- select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
--locations.  The default thunk is `retpoline` (generally preferred for Intel
--hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal
--overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD).
-+locations.  The default thunk is `retpoline` (generally preferred), with the
-+alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and
-+`lfence` (an `lfence; jmp *%reg` gadget).
- 
- On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
- `ibrs=` option can be used to force or prevent Xen using the feature itself.
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index cbeeb199037e..ae076bec3ab0 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -367,14 +367,19 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
-                "\n");
- 
-     /* Settings for Xen's protection, irrespective of guests. */
--    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n",
-+    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n",
-            thunk == THUNK_NONE      ? "N/A" :
-            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
-            thunk == THUNK_LFENCE    ? "LFENCE" :
-            thunk == THUNK_JMP       ? "JMP" : "?",
--           !boot_cpu_has(X86_FEATURE_IBRSB)          ? "No" :
-+           (!boot_cpu_has(X86_FEATURE_IBRSB) &&
-+            !boot_cpu_has(X86_FEATURE_IBRS))         ? "No" :
-            (default_xen_spec_ctrl & SPEC_CTRL_IBRS)  ? "IBRS+" :  "IBRS-",
--           !boot_cpu_has(X86_FEATURE_SSBD)           ? "" :
-+           (!boot_cpu_has(X86_FEATURE_STIBP) &&
-+            !boot_cpu_has(X86_FEATURE_AMD_STIBP))    ? "" :
-+           (default_xen_spec_ctrl & SPEC_CTRL_STIBP) ? " STIBP+" : " STIBP-",
-+           (!boot_cpu_has(X86_FEATURE_SSBD) &&
-+            !boot_cpu_has(X86_FEATURE_AMD_SSBD))     ? "" :
-            (default_xen_spec_ctrl & SPEC_CTRL_SSBD)  ? " SSBD+" : " SSBD-",
-            !(caps & ARCH_CAPS_TSX_CTRL)              ? "" :
-            (opt_tsx & 1)                             ? " TSX+" : " TSX-",
-@@ -945,10 +950,23 @@ void __init init_speculation_mitigations(void)
-     /*
-      * First, disable the use of retpolines if Xen is using shadow stacks, as
-      * they are incompatible.
-+     *
-+     * In the absence of retpolines, IBRS needs to be used for speculative
-+     * safety.  All CET-capable hardware has efficient IBRS.
-      */
--    if ( cpu_has_xen_shstk &&
--         (opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) )
--        thunk = THUNK_JMP;
-+    if ( cpu_has_xen_shstk )
-+    {
-+        if ( !has_spec_ctrl )
-+            printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n");
-+        else if ( opt_ibrs == -1 )
-+        {
-+            opt_ibrs = ibrs = true;
-+            default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP;
-+        }
-+
-+        if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE )
-+            thunk = THUNK_JMP;
-+    }
- 
-     /*
-      * Has the user specified any custom BTI mitigations?  If so, follow their
-@@ -968,16 +986,10 @@ void __init init_speculation_mitigations(void)
-         if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) )
-         {
-             /*
--             * AMD's recommended mitigation is to set lfence as being dispatch
--             * serialising, and to use IND_THUNK_LFENCE.
--             */
--            if ( cpu_has_lfence_dispatch )
--                thunk = THUNK_LFENCE;
--            /*
--             * On Intel hardware, we'd like to use retpoline in preference to
-+             * On all hardware, we'd like to use retpoline in preference to
-              * IBRS, but only if it is safe on this hardware.
-              */
--            else if ( retpoline_safe(caps) )
-+            if ( retpoline_safe(caps) )
-                 thunk = THUNK_RETPOLINE;
-             else if ( has_spec_ctrl )
-                 ibrs = true;
diff --git a/emulators/xen-kernel/files/xsa425.patch b/emulators/xen-kernel/files/xsa425.patch
new file mode 100644
index 000000000000..b36732025e83
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa425.patch
@@ -0,0 +1,132 @@
+From: Jason Andryuk <jandryuk@gmail.com>
+Subject: Revert "tools/xenstore: simplify loop handling connection I/O"
+
+I'm observing guest kexec trigger xenstored to abort on a double free.
+
+gdb output:
+Program received signal SIGABRT, Aborted.
+__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44
+44    ./nptl/pthread_kill.c: No such file or directory.
+(gdb) bt
+    at ./nptl/pthread_kill.c:44
+    at ./nptl/pthread_kill.c:78
+    at ./nptl/pthread_kill.c:89
+    at ../sysdeps/posix/raise.c:26
+    at talloc.c:119
+    ptr=ptr@entry=0x559fae724290) at talloc.c:232
+    at xenstored_core.c:2945
+(gdb) frame 5
+    at talloc.c:119
+119            TALLOC_ABORT("Bad talloc magic value - double free");
+(gdb) frame 7
+    at xenstored_core.c:2945
+2945                talloc_increase_ref_count(conn);
+(gdb) p conn
+$1 = (struct connection *) 0x559fae724290
+
+Looking at a xenstore trace, we have:
+IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom
+id )
+wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    0      0  msec      10000 credit     1000000 reserve          0 disc
+ard
+wrl: dom    3      0  msec      10000 credit     1000000 reserve          0 disc
+ard
+OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT )
+wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 )
+DESTROY watch 0x559fae73f630
+DESTROY watch 0x559fae75ddf0
+DESTROY watch 0x559fae75ec30
+DESTROY watch 0x559fae75ea60
+DESTROY watch 0x559fae732c00
+DESTROY watch 0x559fae72cea0
+DESTROY watch 0x559fae728fc0
+DESTROY watch 0x559fae729570
+DESTROY connection 0x559fae724290
+orphaned node /local/domain/3/device/suspend/event-channel deleted
+orphaned node /local/domain/3/device/vbd/51712 deleted
+orphaned node /local/domain/3/device/vkbd/0 deleted
+orphaned node /local/domain/3/device/vif/0 deleted
+orphaned node /local/domain/3/control/shutdown deleted
+orphaned node /local/domain/3/control/feature-poweroff deleted
+orphaned node /local/domain/3/control/feature-reboot deleted
+orphaned node /local/domain/3/control/feature-suspend deleted
+orphaned node /local/domain/3/control/feature-s3 deleted
+orphaned node /local/domain/3/control/feature-s4 deleted
+orphaned node /local/domain/3/control/sysrq deleted
+orphaned node /local/domain/3/data deleted
+orphaned node /local/domain/3/drivers deleted
+orphaned node /local/domain/3/feature deleted
+orphaned node /local/domain/3/attr deleted
+orphaned node /local/domain/3/error deleted
+orphaned node /local/domain/3/console/backend-id deleted
+
+and no further output.
+
+The trace shows that DESTROY was called for connection 0x559fae724290,
+but that is the same pointer (conn) main() was looping through from
+connections.  So it wasn't actually removed from the connections list?
+
+Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling
+connection I/O" fixes the abort/double free.  I think the use of
+list_for_each_entry_safe is incorrect.  list_for_each_entry_safe makes
+traversal safe for deleting the current iterator, but RELEASE/do_release
+will delete some other entry in the connections list.  I think the
+observed abort is because list_for_each_entry has next pointing to the
+deleted connection, and it is used in the subsequent iteration.
+
+Add a comment explaining the unsuitability of list_for_each_entry_safe.
+Also notice that the old code takes a reference on next which would
+prevents a use-after-free.
+
+This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d.
+
+This is XSA-425/CVE-2022-42330.
+
+Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O")
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+---
+ tools/xenstore/xenstored_core.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
+index 78a3edaa4e..029e3852fc 100644
+--- a/tools/xenstore/xenstored_core.c
++++ b/tools/xenstore/xenstored_core.c
+@@ -2941,8 +2941,23 @@ int main(int argc, char *argv[])
+ 			}
+ 		}
+ 
+-		list_for_each_entry_safe(conn, next, &connections, list) {
+-			talloc_increase_ref_count(conn);
++		/*
++		 * list_for_each_entry_safe is not suitable here because
++		 * handle_input may delete entries besides the current one, but
++		 * those may be in the temporary next which would trigger a
++		 * use-after-free.  list_for_each_entry_safe is only safe for
++		 * deleting the current entry.
++		 */
++		next = list_entry(connections.next, typeof(*conn), list);
++		if (&next->list != &connections)
++			talloc_increase_ref_count(next);
++		while (&next->list != &connections) {
++			conn = next;
++
++			next = list_entry(conn->list.next,
++					  typeof(*conn), list);
++			if (&next->list != &connections)
*** 475 LINES SKIPPED ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202303091508.329F8CFV083005>