summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTomáš Mózes <hydrapolic@gmail.com>2024-04-05 08:59:40 +0200
committerTomáš Mózes <hydrapolic@gmail.com>2024-04-05 08:59:40 +0200
commitd0ce95087288b30e5e211bac8e9a0817f2effcf5 (patch)
treece2e128cfdf8d491a494d6583979bc5330db21e2
parentXen 4.17.4-pre-patchset-0 (diff)
downloadxen-upstream-patches-4.17.4-pre-patchset-1.tar.gz
xen-upstream-patches-4.17.4-pre-patchset-1.tar.bz2
xen-upstream-patches-4.17.4-pre-patchset-1.zip
Xen 4.17.4-pre-patchset-14.17.4-pre-patchset-14.17
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
-rw-r--r--0001-update-Xen-version-to-4.17.4-pre.patch4
-rw-r--r--0002-pci-fail-device-assignment-if-phantom-functions-cann.patch4
-rw-r--r--0003-VT-d-Fix-else-vs-endif-misplacement.patch4
-rw-r--r--0004-x86-amd-Extend-CPU-erratum-1474-fix-to-more-affected.patch4
-rw-r--r--0005-CirrusCI-drop-FreeBSD-12.patch4
-rw-r--r--0006-x86-intel-ensure-Global-Performance-Counter-Control-.patch4
-rw-r--r--0007-x86-vmx-Fix-IRQ-handling-for-EXIT_REASON_INIT.patch4
-rw-r--r--0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch4
-rw-r--r--0009-lib-fdt-elf-move-lib-fdt-elf-temp.o-and-their-deps-t.patch4
-rw-r--r--0010-x86-p2m-pt-fix-off-by-one-in-entry-check-assert.patch4
-rw-r--r--0011-tools-xentop-fix-sorting-bug-for-some-columns.patch67
-rw-r--r--0012-amd-vi-fix-IVMD-memory-type-checks.patch53
-rw-r--r--0013-x86-hvm-Fix-fast-singlestep-state-persistence.patch86
-rw-r--r--0014-x86-HVM-tidy-state-on-hvmemul_map_linear_addr-s-erro.patch63
-rw-r--r--0015-build-Replace-which-with-command-v.patch57
-rw-r--r--0016-libxl-Disable-relocating-memory-for-qemu-xen-in-stub.patch50
-rw-r--r--0017-build-make-sure-build-fails-when-running-kconfig-fai.patch58
-rw-r--r--0018-x86emul-add-missing-EVEX.R-checks.patch50
-rw-r--r--0019-xen-livepatch-fix-norevert-test-hook-setup-typo.patch36
-rw-r--r--0020-xen-cmdline-fix-printf-format-specifier-in-no_config.patch38
-rw-r--r--0021-x86-altcall-use-a-union-as-register-type-for-functio.patch141
-rw-r--r--0022-x86-spec-fix-BRANCH_HARDEN-option-to-only-be-set-whe.patch57
-rw-r--r--0023-x86-account-for-shadow-stack-in-exception-from-stub-.patch212
-rw-r--r--0024-xen-arm-Fix-UBSAN-failure-in-start_xen.patch52
-rw-r--r--0025-x86-HVM-hide-SVM-VMX-when-their-enabling-is-prohibit.patch67
-rw-r--r--0026-xen-sched-Fix-UB-shift-in-compat_set_timer_op.patch86
-rw-r--r--0027-x86-spec-print-the-built-in-SPECULATIVE_HARDEN_-opti.patch54
-rw-r--r--0028-x86-spec-fix-INDIRECT_THUNK-option-to-only-be-set-wh.patch67
-rw-r--r--0029-x86-spec-do-not-print-thunk-option-selection-if-not-.patch50
-rw-r--r--0030-xen-livepatch-register-livepatch-regions-when-loaded.patch159
-rw-r--r--0031-xen-livepatch-search-for-symbols-in-all-loaded-paylo.patch149
-rw-r--r--0032-xen-livepatch-fix-norevert-test-attempt-to-open-code.patch186
-rw-r--r--0033-xen-livepatch-properly-build-the-noapply-and-norever.patch43
-rw-r--r--0034-libxl-Fix-segfault-in-device_model_spawn_outcome.patch39
-rw-r--r--0035-x86-altcall-always-use-a-temporary-parameter-stashin.patch197
-rw-r--r--0036-x86-cpu-policy-Allow-for-levelling-of-VERW-side-effe.patch102
-rw-r--r--0037-hvmloader-PCI-skip-huge-BARs-in-certain-calculations.patch99
-rw-r--r--0038-x86-mm-fix-detection-of-last-L1-entry-in-modify_xen_.patch41
-rw-r--r--0039-x86-entry-Introduce-EFRAME_-constants.patch314
-rw-r--r--0040-x86-Resync-intel-family.h-from-Linux.patch98
-rw-r--r--0041-x86-vmx-Perform-VERW-flushing-later-in-the-VMExit-pa.patch146
-rw-r--r--0042-x86-spec-ctrl-Perform-VERW-flushing-later-in-exit-pa.patch209
-rw-r--r--0043-x86-spec-ctrl-Rename-VERW-related-options.patch248
-rw-r--r--0044-x86-spec-ctrl-VERW-handling-adjustments.patch171
-rw-r--r--0045-x86-spec-ctrl-Mitigation-Register-File-Data-Sampling.patch320
-rw-r--r--0046-x86-paging-Delete-update_cr3-s-do_locking-parameter.patch161
-rw-r--r--0047-xen-Swap-order-of-actions-in-the-FREE-macros.patch58
-rw-r--r--0048-x86-spinlock-introduce-support-for-blocking-speculat.patch331
-rw-r--r--0049-rwlock-introduce-support-for-blocking-speculation-in.patch125
-rw-r--r--0050-percpu-rwlock-introduce-support-for-blocking-specula.patch87
-rw-r--r--0051-locking-attempt-to-ensure-lock-wrappers-are-always-i.patch405
-rw-r--r--0052-x86-mm-add-speculation-barriers-to-open-coded-locks.patch73
-rw-r--r--0053-x86-protect-conditional-lock-taking-from-speculative.patch216
-rw-r--r--0054-tools-ipxe-update-for-fixing-build-with-GCC12.patch33
-rw-r--r--0055-x86-mm-use-block_lock_speculation-in-_mm_write_lock.patch35
-rw-r--r--0056-x86-boot-Fix-setup_apic_nmi_watchdog-to-fail-more-cl.patch120
-rw-r--r--0057-x86-PoD-tie-together-P2M-update-and-increment-of-ent.patch61
-rw-r--r--0058-tools-oxenstored-Use-Map-instead-of-Hashtbl-for-quot.patch143
-rw-r--r--0059-tools-oxenstored-Make-Quota.t-pure.patch121
-rw-r--r--0060-x86-cpu-policy-Hide-x2APIC-from-PV-guests.patch90
-rw-r--r--0061-x86-cpu-policy-Fix-visibility-of-HTT-CMP_LEGACY-in-m.patch85
-rw-r--r--0062-xen-virtual-region-Rename-the-start-end-fields.patch140
-rw-r--r--0063-xen-virtual-region-Include-rodata-pointers.patch71
-rw-r--r--0064-x86-livepatch-Relax-permissions-on-rodata-too.patch85
-rw-r--r--0065-x86-boot-Improve-the-boot-watchdog-determination-of-.patch106
-rw-r--r--0066-x86-boot-Support-the-watchdog-on-newer-AMD-systems.patch48
-rw-r--r--0067-tests-resource-Fix-HVM-guest-in-SHADOW-builds.patch110
-rw-r--r--info.txt4
68 files changed, 6591 insertions, 22 deletions
diff --git a/0001-update-Xen-version-to-4.17.4-pre.patch b/0001-update-Xen-version-to-4.17.4-pre.patch
index b532743..e1070c9 100644
--- a/0001-update-Xen-version-to-4.17.4-pre.patch
+++ b/0001-update-Xen-version-to-4.17.4-pre.patch
@@ -1,7 +1,7 @@
From 4f6e9d4327eb5252f1e8cac97a095d8b8485dadb Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 30 Jan 2024 14:36:44 +0100
-Subject: [PATCH 01/10] update Xen version to 4.17.4-pre
+Subject: [PATCH 01/67] update Xen version to 4.17.4-pre
---
xen/Makefile | 2 +-
@@ -21,5 +21,5 @@ index a46e6330db..dd0b004e1c 100644
-include xen-version
--
-2.43.0
+2.44.0
diff --git a/0002-pci-fail-device-assignment-if-phantom-functions-cann.patch b/0002-pci-fail-device-assignment-if-phantom-functions-cann.patch
index d91802f..bafad55 100644
--- a/0002-pci-fail-device-assignment-if-phantom-functions-cann.patch
+++ b/0002-pci-fail-device-assignment-if-phantom-functions-cann.patch
@@ -1,7 +1,7 @@
From f9e1ed51bdba31017ea17e1819eb2ade6b5c8615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Tue, 30 Jan 2024 14:37:39 +0100
-Subject: [PATCH 02/10] pci: fail device assignment if phantom functions cannot
+Subject: [PATCH 02/67] pci: fail device assignment if phantom functions cannot
be assigned
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -87,5 +87,5 @@ index 07d1986d33..8c62b14d19 100644
else if ( d == dom_io )
pdev->quarantine = true;
--
-2.43.0
+2.44.0
diff --git a/0003-VT-d-Fix-else-vs-endif-misplacement.patch b/0003-VT-d-Fix-else-vs-endif-misplacement.patch
index 2e7f78d..622fa18 100644
--- a/0003-VT-d-Fix-else-vs-endif-misplacement.patch
+++ b/0003-VT-d-Fix-else-vs-endif-misplacement.patch
@@ -1,7 +1,7 @@
From 6b1864afc14d484cdbc9754ce3172ac3dc189846 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 30 Jan 2024 14:38:38 +0100
-Subject: [PATCH 03/10] VT-d: Fix "else" vs "#endif" misplacement
+Subject: [PATCH 03/67] VT-d: Fix "else" vs "#endif" misplacement
In domain_pgd_maddr() the "#endif" is misplaced with respect to "else". This
generates incorrect logic when CONFIG_HVM is compiled out, as the "else" body
@@ -66,5 +66,5 @@ index b4c11a6b48..908b3ba6ee 100644
if ( !hd->arch.vtd.pgd_maddr )
{
--
-2.43.0
+2.44.0
diff --git a/0004-x86-amd-Extend-CPU-erratum-1474-fix-to-more-affected.patch b/0004-x86-amd-Extend-CPU-erratum-1474-fix-to-more-affected.patch
index f1289aa..fa90a46 100644
--- a/0004-x86-amd-Extend-CPU-erratum-1474-fix-to-more-affected.patch
+++ b/0004-x86-amd-Extend-CPU-erratum-1474-fix-to-more-affected.patch
@@ -1,7 +1,7 @@
From abcc32f0634627fe21117a48bd10e792bfbdd6dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Fri, 2 Feb 2024 08:01:09 +0100
-Subject: [PATCH 04/10] x86/amd: Extend CPU erratum #1474 fix to more affected
+Subject: [PATCH 04/67] x86/amd: Extend CPU erratum #1474 fix to more affected
models
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -119,5 +119,5 @@ index 29ae97e7c0..3d85e9797d 100644
-presmp_initcall(zen2_c6_errata_check);
+presmp_initcall(amd_check_erratum_1474);
--
-2.43.0
+2.44.0
diff --git a/0005-CirrusCI-drop-FreeBSD-12.patch b/0005-CirrusCI-drop-FreeBSD-12.patch
index cca7bb0..dac712b 100644
--- a/0005-CirrusCI-drop-FreeBSD-12.patch
+++ b/0005-CirrusCI-drop-FreeBSD-12.patch
@@ -1,7 +1,7 @@
From 0ef1fb43ddd61b3c4c953e833e012ac21ad5ca0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Fri, 2 Feb 2024 08:01:50 +0100
-Subject: [PATCH 05/10] CirrusCI: drop FreeBSD 12
+Subject: [PATCH 05/67] CirrusCI: drop FreeBSD 12
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -35,5 +35,5 @@ index 7e0beb200d..63f3afb104 100644
name: 'FreeBSD 13'
freebsd_instance:
--
-2.43.0
+2.44.0
diff --git a/0006-x86-intel-ensure-Global-Performance-Counter-Control-.patch b/0006-x86-intel-ensure-Global-Performance-Counter-Control-.patch
index dc64ad6..ce07803 100644
--- a/0006-x86-intel-ensure-Global-Performance-Counter-Control-.patch
+++ b/0006-x86-intel-ensure-Global-Performance-Counter-Control-.patch
@@ -1,7 +1,7 @@
From d0ad2cc5eac1b5d3cfd14204d377ce2384f52607 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Fri, 2 Feb 2024 08:02:20 +0100
-Subject: [PATCH 06/10] x86/intel: ensure Global Performance Counter Control is
+Subject: [PATCH 06/67] x86/intel: ensure Global Performance Counter Control is
setup correctly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -70,5 +70,5 @@ index b40ac696e6..96723b5d44 100644
if ( !cpu_has(c, X86_FEATURE_XTOPOLOGY) )
--
-2.43.0
+2.44.0
diff --git a/0007-x86-vmx-Fix-IRQ-handling-for-EXIT_REASON_INIT.patch b/0007-x86-vmx-Fix-IRQ-handling-for-EXIT_REASON_INIT.patch
index a1937a7..2100acc 100644
--- a/0007-x86-vmx-Fix-IRQ-handling-for-EXIT_REASON_INIT.patch
+++ b/0007-x86-vmx-Fix-IRQ-handling-for-EXIT_REASON_INIT.patch
@@ -1,7 +1,7 @@
From eca5416f9b0e179de9553900de8de660ab09199d Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Fri, 2 Feb 2024 08:02:51 +0100
-Subject: [PATCH 07/10] x86/vmx: Fix IRQ handling for EXIT_REASON_INIT
+Subject: [PATCH 07/67] x86/vmx: Fix IRQ handling for EXIT_REASON_INIT
When receiving an INIT, a prior bugfix tried to ignore the INIT and continue
onwards.
@@ -61,5 +61,5 @@ index 072288a5ef..31f4a861c6 100644
break;
case EXIT_REASON_TRIPLE_FAULT:
--
-2.43.0
+2.44.0
diff --git a/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch b/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch
index 12c2d59..3af45e8 100644
--- a/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch
+++ b/0008-x86-vmx-Disallow-the-use-of-inactivity-states.patch
@@ -1,7 +1,7 @@
From 7bd612727df792671e44152a8205f0cf821ad984 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Fri, 2 Feb 2024 08:03:26 +0100
-Subject: [PATCH 08/10] x86/vmx: Disallow the use of inactivity states
+Subject: [PATCH 08/67] x86/vmx: Disallow the use of inactivity states
Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and
enter the vCPU. Luckily for us, nested-virt is explicitly unsupported for
@@ -122,5 +122,5 @@ index 78404e42b3..0af021d5f5 100644
#define VMX_MISC_CR3_TARGET 0x01ff0000
#define VMX_MISC_VMWRITE_ALL 0x20000000
--
-2.43.0
+2.44.0
diff --git a/0009-lib-fdt-elf-move-lib-fdt-elf-temp.o-and-their-deps-t.patch b/0009-lib-fdt-elf-move-lib-fdt-elf-temp.o-and-their-deps-t.patch
index 9ee7104..f33d27d 100644
--- a/0009-lib-fdt-elf-move-lib-fdt-elf-temp.o-and-their-deps-t.patch
+++ b/0009-lib-fdt-elf-move-lib-fdt-elf-temp.o-and-their-deps-t.patch
@@ -1,7 +1,7 @@
From afb85cf1e8f165abf88de9d8a6df625692a753b1 Mon Sep 17 00:00:00 2001
From: Michal Orzel <michal.orzel@amd.com>
Date: Fri, 2 Feb 2024 08:04:07 +0100
-Subject: [PATCH 09/10] lib{fdt,elf}: move lib{fdt,elf}-temp.o and their deps
+Subject: [PATCH 09/67] lib{fdt,elf}: move lib{fdt,elf}-temp.o and their deps
to $(targets)
At the moment, trying to run xencov read/reset (calling SYSCTL_coverage_op
@@ -66,5 +66,5 @@ index 75aaefa2e3..4d14fd61ba 100644
-extra-y += libfdt-temp.o $(LIBFDT_OBJS)
+targets += libfdt-temp.o $(LIBFDT_OBJS)
--
-2.43.0
+2.44.0
diff --git a/0010-x86-p2m-pt-fix-off-by-one-in-entry-check-assert.patch b/0010-x86-p2m-pt-fix-off-by-one-in-entry-check-assert.patch
index ba99063..9b3b9a0 100644
--- a/0010-x86-p2m-pt-fix-off-by-one-in-entry-check-assert.patch
+++ b/0010-x86-p2m-pt-fix-off-by-one-in-entry-check-assert.patch
@@ -1,7 +1,7 @@
From 091466ba55d1e2e75738f751818ace2e3ed08ccf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Fri, 2 Feb 2024 08:04:33 +0100
-Subject: [PATCH 10/10] x86/p2m-pt: fix off by one in entry check assert
+Subject: [PATCH 10/67] x86/p2m-pt: fix off by one in entry check assert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -32,5 +32,5 @@ index eaba2b0fb4..f02ebae372 100644
new == p2m_mmio_dm )
ASSERT(mfn_valid(mfn) || mfn_eq(mfn, INVALID_MFN));
--
-2.43.0
+2.44.0
diff --git a/0011-tools-xentop-fix-sorting-bug-for-some-columns.patch b/0011-tools-xentop-fix-sorting-bug-for-some-columns.patch
new file mode 100644
index 0000000..6bf11d9
--- /dev/null
+++ b/0011-tools-xentop-fix-sorting-bug-for-some-columns.patch
@@ -0,0 +1,67 @@
+From 61da71968ea44964fd1dd2e449b053c77eb83139 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cyril=20R=C3=A9bert=20=28zithro=29?= <slack@rabbit.lu>
+Date: Tue, 27 Feb 2024 14:06:53 +0100
+Subject: [PATCH 11/67] tools/xentop: fix sorting bug for some columns
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sort doesn't work on columns VBD_OO, VBD_RD, VBD_WR and VBD_RSECT.
+Fix by adjusting variables names in compare functions.
+Bug fix only. No functional change.
+
+Fixes: 91c3e3dc91d6 ("tools/xentop: Display '-' when stats are not available.")
+Signed-off-by: Cyril Rébert (zithro) <slack@rabbit.lu>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: 29f17d837421f13c0e0010802de1b2d51d2ded4a
+master date: 2024-02-05 17:58:23 +0000
+---
+ tools/xentop/xentop.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/xentop/xentop.c b/tools/xentop/xentop.c
+index 950e8935c4..545bd5e96d 100644
+--- a/tools/xentop/xentop.c
++++ b/tools/xentop/xentop.c
+@@ -684,7 +684,7 @@ static int compare_vbd_oo(xenstat_domain *domain1, xenstat_domain *domain2)
+ unsigned long long dom1_vbd_oo = 0, dom2_vbd_oo = 0;
+
+ tot_vbd_reqs(domain1, FIELD_VBD_OO, &dom1_vbd_oo);
+- tot_vbd_reqs(domain1, FIELD_VBD_OO, &dom2_vbd_oo);
++ tot_vbd_reqs(domain2, FIELD_VBD_OO, &dom2_vbd_oo);
+
+ return -compare(dom1_vbd_oo, dom2_vbd_oo);
+ }
+@@ -711,9 +711,9 @@ static int compare_vbd_rd(xenstat_domain *domain1, xenstat_domain *domain2)
+ unsigned long long dom1_vbd_rd = 0, dom2_vbd_rd = 0;
+
+ tot_vbd_reqs(domain1, FIELD_VBD_RD, &dom1_vbd_rd);
+- tot_vbd_reqs(domain1, FIELD_VBD_RD, &dom2_vbd_rd);
++ tot_vbd_reqs(domain2, FIELD_VBD_RD, &dom2_vbd_rd);
+
+- return -compare(dom1_vbd_rd, dom1_vbd_rd);
++ return -compare(dom1_vbd_rd, dom2_vbd_rd);
+ }
+
+ /* Prints number of total VBD READ requests statistic */
+@@ -738,7 +738,7 @@ static int compare_vbd_wr(xenstat_domain *domain1, xenstat_domain *domain2)
+ unsigned long long dom1_vbd_wr = 0, dom2_vbd_wr = 0;
+
+ tot_vbd_reqs(domain1, FIELD_VBD_WR, &dom1_vbd_wr);
+- tot_vbd_reqs(domain1, FIELD_VBD_WR, &dom2_vbd_wr);
++ tot_vbd_reqs(domain2, FIELD_VBD_WR, &dom2_vbd_wr);
+
+ return -compare(dom1_vbd_wr, dom2_vbd_wr);
+ }
+@@ -765,7 +765,7 @@ static int compare_vbd_rsect(xenstat_domain *domain1, xenstat_domain *domain2)
+ unsigned long long dom1_vbd_rsect = 0, dom2_vbd_rsect = 0;
+
+ tot_vbd_reqs(domain1, FIELD_VBD_RSECT, &dom1_vbd_rsect);
+- tot_vbd_reqs(domain1, FIELD_VBD_RSECT, &dom2_vbd_rsect);
++ tot_vbd_reqs(domain2, FIELD_VBD_RSECT, &dom2_vbd_rsect);
+
+ return -compare(dom1_vbd_rsect, dom2_vbd_rsect);
+ }
+--
+2.44.0
+
diff --git a/0012-amd-vi-fix-IVMD-memory-type-checks.patch b/0012-amd-vi-fix-IVMD-memory-type-checks.patch
new file mode 100644
index 0000000..f38e39e
--- /dev/null
+++ b/0012-amd-vi-fix-IVMD-memory-type-checks.patch
@@ -0,0 +1,53 @@
+From 463aaf3fbf62d24e898ae0c2ba53d85ca0f94d3f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 27 Feb 2024 14:07:12 +0100
+Subject: [PATCH 12/67] amd-vi: fix IVMD memory type checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current code that parses the IVMD blocks is relaxed with regard to the
+restriction that such unity regions should always fall into memory ranges
+marked as reserved in the memory map.
+
+However the type checks for the IVMD addresses are inverted, and as a result
+IVMD ranges falling into RAM areas are accepted. Note that having such ranges
+in the first place is a firmware bug, as IVMD should always fall into reserved
+ranges.
+
+Fixes: ed6c77ebf0c1 ('AMD/IOMMU: check / convert IVMD ranges for being / to be reserved')
+Reported-by: Ox <oxjo@proton.me>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Tested-by: oxjo <oxjo@proton.me>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 83afa313583019d9f159c122cecf867735d27ec5
+master date: 2024-02-06 11:56:13 +0100
+---
+ xen/drivers/passthrough/amd/iommu_acpi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/xen/drivers/passthrough/amd/iommu_acpi.c b/xen/drivers/passthrough/amd/iommu_acpi.c
+index 3b577c9b39..3a7045c39b 100644
+--- a/xen/drivers/passthrough/amd/iommu_acpi.c
++++ b/xen/drivers/passthrough/amd/iommu_acpi.c
+@@ -426,9 +426,14 @@ static int __init parse_ivmd_block(const struct acpi_ivrs_memory *ivmd_block)
+ return -EIO;
+ }
+
+- /* Types which won't be handed out are considered good enough. */
+- if ( !(type & (RAM_TYPE_RESERVED | RAM_TYPE_ACPI |
+- RAM_TYPE_UNUSABLE)) )
++ /*
++ * Types which aren't RAM are considered good enough.
++ * Note that a page being partially RESERVED, ACPI or UNUSABLE will
++ * force Xen into assuming the whole page as having that type in
++ * practice.
++ */
++ if ( type & (RAM_TYPE_RESERVED | RAM_TYPE_ACPI |
++ RAM_TYPE_UNUSABLE) )
+ continue;
+
+ AMD_IOMMU_ERROR("IVMD: page at %lx can't be converted\n", addr);
+--
+2.44.0
+
diff --git a/0013-x86-hvm-Fix-fast-singlestep-state-persistence.patch b/0013-x86-hvm-Fix-fast-singlestep-state-persistence.patch
new file mode 100644
index 0000000..2a14354
--- /dev/null
+++ b/0013-x86-hvm-Fix-fast-singlestep-state-persistence.patch
@@ -0,0 +1,86 @@
+From 415f770d23f9fcbc02436560fa6583dcd8e1343f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Bene=C5=A1?= <w1benny@gmail.com>
+Date: Tue, 27 Feb 2024 14:07:45 +0100
+Subject: [PATCH 13/67] x86/hvm: Fix fast singlestep state persistence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch addresses an issue where the fast singlestep setting would persist
+despite xc_domain_debug_control being called with XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_OFF.
+Specifically, if fast singlestep was enabled in a VMI session and that session
+stopped before the MTF trap occurred, the fast singlestep setting remained
+active even though MTF itself was disabled. This led to a situation where, upon
+starting a new VMI session, the first event to trigger an EPT violation would
+cause the corresponding EPT event callback to be skipped due to the lingering
+fast singlestep setting.
+
+The fix ensures that the fast singlestep setting is properly reset when
+disabling single step debugging operations.
+
+Signed-off-by: Petr Beneš <w1benny@gmail.com>
+Reviewed-by: Tamas K Lengyel <tamas@tklengyel.com>
+master commit: 897def94b56175ce569673a05909d2f223e1e749
+master date: 2024-02-12 09:37:58 +0100
+---
+ xen/arch/x86/hvm/hvm.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
+index d6c6ab8897..558dc3eddc 100644
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -5153,26 +5153,40 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
+
+ int hvm_debug_op(struct vcpu *v, int32_t op)
+ {
+- int rc;
++ int rc = 0;
+
+ switch ( op )
+ {
+ case XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_ON:
+ case XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_OFF:
+- rc = -EOPNOTSUPP;
+ if ( !cpu_has_monitor_trap_flag )
+- break;
+- rc = 0;
+- vcpu_pause(v);
+- v->arch.hvm.single_step =
+- (op == XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_ON);
+- vcpu_unpause(v); /* guest will latch new state */
++ return -EOPNOTSUPP;
+ break;
+ default:
+- rc = -ENOSYS;
+- break;
++ return -ENOSYS;
++ }
++
++ vcpu_pause(v);
++
++ switch ( op )
++ {
++ case XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_ON:
++ v->arch.hvm.single_step = true;
++ break;
++
++ case XEN_DOMCTL_DEBUG_OP_SINGLE_STEP_OFF:
++ v->arch.hvm.single_step = false;
++ v->arch.hvm.fast_single_step.enabled = false;
++ v->arch.hvm.fast_single_step.p2midx = 0;
++ break;
++
++ default: /* Excluded above */
++ ASSERT_UNREACHABLE();
++ return -ENOSYS;
+ }
+
++ vcpu_unpause(v); /* guest will latch new state */
++
+ return rc;
+ }
+
+--
+2.44.0
+
diff --git a/0014-x86-HVM-tidy-state-on-hvmemul_map_linear_addr-s-erro.patch b/0014-x86-HVM-tidy-state-on-hvmemul_map_linear_addr-s-erro.patch
new file mode 100644
index 0000000..6536674
--- /dev/null
+++ b/0014-x86-HVM-tidy-state-on-hvmemul_map_linear_addr-s-erro.patch
@@ -0,0 +1,63 @@
+From b3ae0e6201495216b12157bd8b2382b28fdd7dae Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 27 Feb 2024 14:08:20 +0100
+Subject: [PATCH 14/67] x86/HVM: tidy state on hvmemul_map_linear_addr()'s
+ error path
+
+While in the vast majority of cases failure of the function will not
+be followed by re-invocation with the same emulation context, a few
+very specific insns - involving multiple independent writes, e.g. ENTER
+and PUSHA - exist where this can happen. Since failure of the function
+only signals to the caller that it ought to try an MMIO write instead,
+such failure also cannot be assumed to result in wholesale failure of
+emulation of the current insn. Instead we have to maintain internal
+state such that another invocation of the function with the same
+emulation context remains possible. To achieve that we need to reset MFN
+slots after putting page references on the error path.
+
+Note that all of this affects debugging code only, in causing an
+assertion to trigger (higher up in the function). There's otherwise no
+misbehavior - such a "leftover" slot would simply be overwritten by new
+contents in a release build.
+
+Also extend the related unmap() assertion, to further check for MFN 0.
+
+Fixes: 8cbd4fb0b7ea ("x86/hvm: implement hvmemul_write() using real mappings")
+Reported-by: Manuel Andreas <manuel.andreas@tum.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Paul Durrant <paul@xen.org>
+master commit: e72f951df407bc3be82faac64d8733a270036ba1
+master date: 2024-02-13 09:36:14 +0100
+---
+ xen/arch/x86/hvm/emulate.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
+index 275451dd36..27928dc3f3 100644
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -697,7 +697,12 @@ static void *hvmemul_map_linear_addr(
+ out:
+ /* Drop all held references. */
+ while ( mfn-- > hvmemul_ctxt->mfn )
++ {
+ put_page(mfn_to_page(*mfn));
++#ifndef NDEBUG /* Clean slot for a subsequent map()'s error checking. */
++ *mfn = _mfn(0);
++#endif
++ }
+
+ return err;
+ }
+@@ -719,7 +724,7 @@ static void hvmemul_unmap_linear_addr(
+
+ for ( i = 0; i < nr_frames; i++ )
+ {
+- ASSERT(mfn_valid(*mfn));
++ ASSERT(mfn_x(*mfn) && mfn_valid(*mfn));
+ paging_mark_dirty(currd, *mfn);
+ put_page(mfn_to_page(*mfn));
+
+--
+2.44.0
+
diff --git a/0015-build-Replace-which-with-command-v.patch b/0015-build-Replace-which-with-command-v.patch
new file mode 100644
index 0000000..57f21d4
--- /dev/null
+++ b/0015-build-Replace-which-with-command-v.patch
@@ -0,0 +1,57 @@
+From 1330a5fe44ca91f98857b53fe8bbe06522d9db27 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Tue, 27 Feb 2024 14:08:50 +0100
+Subject: [PATCH 15/67] build: Replace `which` with `command -v`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `which` command is not standard, may not exist on the build host,
+or may not behave as expected by the build system. It is recommended
+to use `command -v` to find out if a command exist and have its path,
+and it's part of a POSIX shell standard (at least, it seems to be
+mandatory since IEEE Std 1003.1-2008, but was optional before).
+
+Fixes: c8a8645f1efe ("xen/build: Automatically locate a suitable python interpreter")
+Fixes: 3b47bcdb6d38 ("xen/build: Use a distro version of figlet")
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: f93629b18b528a5ab1b1092949c5420069c7226c
+master date: 2024-02-19 12:45:48 +0100
+---
+ xen/Makefile | 4 ++--
+ xen/build.mk | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index dd0b004e1c..7ea13a6791 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -25,8 +25,8 @@ export XEN_BUILD_HOST := $(shell hostname)
+ endif
+
+ # Best effort attempt to find a python interpreter, defaulting to Python 3 if
+-# available. Fall back to just `python` if `which` is nowhere to be found.
+-PYTHON_INTERPRETER := $(word 1,$(shell which python3 python python2 2>/dev/null) python)
++# available. Fall back to just `python`.
++PYTHON_INTERPRETER := $(word 1,$(shell command -v python3 || command -v python || command -v python2) python)
+ export PYTHON ?= $(PYTHON_INTERPRETER)
+
+ export CHECKPOLICY ?= checkpolicy
+diff --git a/xen/build.mk b/xen/build.mk
+index 9ecb104f1e..b489f77b7c 100644
+--- a/xen/build.mk
++++ b/xen/build.mk
+@@ -1,6 +1,6 @@
+ quiet_cmd_banner = BANNER $@
+ define cmd_banner
+- if which figlet >/dev/null 2>&1 ; then \
++ if command -v figlet >/dev/null 2>&1 ; then \
+ echo " Xen $(XEN_FULLVERSION)" | figlet -f $< > $@.tmp; \
+ else \
+ echo " Xen $(XEN_FULLVERSION)" > $@.tmp; \
+--
+2.44.0
+
diff --git a/0016-libxl-Disable-relocating-memory-for-qemu-xen-in-stub.patch b/0016-libxl-Disable-relocating-memory-for-qemu-xen-in-stub.patch
new file mode 100644
index 0000000..f75e07c
--- /dev/null
+++ b/0016-libxl-Disable-relocating-memory-for-qemu-xen-in-stub.patch
@@ -0,0 +1,50 @@
+From b9745280736ee526374873aa3c4142596e2ba10b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Tue, 27 Feb 2024 14:09:19 +0100
+Subject: [PATCH 16/67] libxl: Disable relocating memory for qemu-xen in
+ stubdomain too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to comments (and experiments) qemu-xen cannot handle memory
+reolcation done by hvmloader. The code was already disabled when running
+qemu-xen in dom0 (see libxl__spawn_local_dm()), but it was missed when
+adding qemu-xen support to stubdomain. Adjust libxl__spawn_stub_dm() to
+be consistent in this regard.
+
+Reported-by: Neowutran <xen@neowutran.ovh>
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: 97883aa269f6745a6ded232be3a855abb1297e0d
+master date: 2024-02-22 11:48:22 +0100
+---
+ tools/libs/light/libxl_dm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
+index 14b593110f..ed620a9d8e 100644
+--- a/tools/libs/light/libxl_dm.c
++++ b/tools/libs/light/libxl_dm.c
+@@ -2432,6 +2432,16 @@ void libxl__spawn_stub_dm(libxl__egc *egc, libxl__stub_dm_spawn_state *sdss)
+ "%s",
+ libxl_bios_type_to_string(guest_config->b_info.u.hvm.bios));
+ }
++ /* Disable relocating memory to make the MMIO hole larger
++ * unless we're running qemu-traditional and vNUMA is not
++ * configured. */
++ libxl__xs_printf(gc, XBT_NULL,
++ libxl__sprintf(gc, "%s/hvmloader/allow-memory-relocate",
++ libxl__xs_get_dompath(gc, guest_domid)),
++ "%d",
++ guest_config->b_info.device_model_version
++ == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN_TRADITIONAL &&
++ !libxl__vnuma_configured(&guest_config->b_info));
+ ret = xc_domain_set_target(ctx->xch, dm_domid, guest_domid);
+ if (ret<0) {
+ LOGED(ERROR, guest_domid, "setting target domain %d -> %d",
+--
+2.44.0
+
diff --git a/0017-build-make-sure-build-fails-when-running-kconfig-fai.patch b/0017-build-make-sure-build-fails-when-running-kconfig-fai.patch
new file mode 100644
index 0000000..1bb3aa8
--- /dev/null
+++ b/0017-build-make-sure-build-fails-when-running-kconfig-fai.patch
@@ -0,0 +1,58 @@
+From ea869977271f93945451908be9b6117ffd1fb02d Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 27 Feb 2024 14:09:37 +0100
+Subject: [PATCH 17/67] build: make sure build fails when running kconfig fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Because of using "-include", failure to (re)build auto.conf (with
+auto.conf.cmd produced as a secondary target) won't stop make from
+continuing the build. Arrange for it being possible to drop the - from
+Rules.mk, requiring that the include be skipped for tools-only targets.
+Note that relying on the inclusion in those cases wouldn't be correct
+anyway, as it might be a stale file (yet to be rebuilt) which would be
+included, while during initial build, the file would be absent
+altogether.
+
+Fixes: 8d4c17a90b0a ("xen/build: silence make warnings about missing auto.conf*")
+Reported-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: d34e5fa2e8db19f23081f46a3e710bb122130691
+master date: 2024-02-22 11:52:47 +0100
+---
+ xen/Makefile | 1 +
+ xen/Rules.mk | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index 7ea13a6791..bac3684a36 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -374,6 +374,7 @@ $(KCONFIG_CONFIG): tools_fixdep
+ # This exploits the 'multi-target pattern rule' trick.
+ # The syncconfig should be executed only once to make all the targets.
+ include/config/%.conf include/config/%.conf.cmd: $(KCONFIG_CONFIG)
++ $(Q)rm -f include/config/auto.conf
+ $(Q)$(MAKE) $(build)=tools/kconfig syncconfig
+
+ ifeq ($(CONFIG_DEBUG),y)
+diff --git a/xen/Rules.mk b/xen/Rules.mk
+index 8af3dd7277..d759cccee3 100644
+--- a/xen/Rules.mk
++++ b/xen/Rules.mk
+@@ -15,7 +15,9 @@ srcdir := $(srctree)/$(src)
+ PHONY := __build
+ __build:
+
+--include $(objtree)/include/config/auto.conf
++ifneq ($(firstword $(subst /, ,$(obj))),tools)
++include $(objtree)/include/config/auto.conf
++endif
+
+ include $(XEN_ROOT)/Config.mk
+ include $(srctree)/scripts/Kbuild.include
+--
+2.44.0
+
diff --git a/0018-x86emul-add-missing-EVEX.R-checks.patch b/0018-x86emul-add-missing-EVEX.R-checks.patch
new file mode 100644
index 0000000..12e7702
--- /dev/null
+++ b/0018-x86emul-add-missing-EVEX.R-checks.patch
@@ -0,0 +1,50 @@
+From 16f2e47eb1207d866f95cf694a60a7ceb8f96a36 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 27 Feb 2024 14:09:55 +0100
+Subject: [PATCH 18/67] x86emul: add missing EVEX.R' checks
+
+EVEX.R' is not ignored in 64-bit code when encoding a GPR or mask
+register. While for mask registers suitable checks are in place (there
+also covering EVEX.R), they were missing for the few cases where in
+EVEX-encoded instructions ModR/M.reg encodes a GPR. While for VPEXTRW
+the bit is replaced before an emulation stub is invoked, for
+VCVT{,T}{S,D,H}2{,U}SI this actually would have led to #UD from inside
+an emulation stub, in turn raising #UD to the guest, but accompanied by
+log messages indicating something's wrong in Xen nevertheless.
+
+Fixes: 001bd91ad864 ("x86emul: support AVX512{F,BW,DQ} extract insns")
+Fixes: baf4a376f550 ("x86emul: support AVX512F legacy-equivalent scalar int/FP conversion insns")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: cb319824bfa8d3c9ea0410cc71daaedc3e11aa2a
+master date: 2024-02-22 11:54:07 +0100
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c0336f737..995670cbc8 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -6829,7 +6829,8 @@ x86_emulate(
+ CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x2d): /* vcvts{s,d}2si xmm/mem,reg */
+ CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x78): /* vcvtts{s,d}2usi xmm/mem,reg */
+ CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x79): /* vcvts{s,d}2usi xmm/mem,reg */
+- generate_exception_if((evex.reg != 0xf || !evex.RX || evex.opmsk ||
++ generate_exception_if((evex.reg != 0xf || !evex.RX || !evex.R ||
++ evex.opmsk ||
+ (ea.type != OP_REG && evex.brs)),
+ EXC_UD);
+ host_and_vcpu_must_have(avx512f);
+@@ -10705,7 +10706,7 @@ x86_emulate(
+ goto pextr;
+
+ case X86EMUL_OPC_EVEX_66(0x0f, 0xc5): /* vpextrw $imm8,xmm,reg */
+- generate_exception_if(ea.type != OP_REG, EXC_UD);
++ generate_exception_if(ea.type != OP_REG || !evex.R, EXC_UD);
+ /* Convert to alternative encoding: We want to use a memory operand. */
+ evex.opcx = ext_0f3a;
+ b = 0x15;
+--
+2.44.0
+
diff --git a/0019-xen-livepatch-fix-norevert-test-hook-setup-typo.patch b/0019-xen-livepatch-fix-norevert-test-hook-setup-typo.patch
new file mode 100644
index 0000000..1676f7a
--- /dev/null
+++ b/0019-xen-livepatch-fix-norevert-test-hook-setup-typo.patch
@@ -0,0 +1,36 @@
+From f6b12792542e372f36a71ea4c2563e6dd6e4fa57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 27 Feb 2024 14:10:24 +0100
+Subject: [PATCH 19/67] xen/livepatch: fix norevert test hook setup typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The test code has a typo in using LIVEPATCH_APPLY_HOOK() instead of
+LIVEPATCH_REVERT_HOOK().
+
+Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: f0622dd4fd6ae6ddb523a45d89ed9b8f3a9a8f36
+master date: 2024-02-26 10:13:46 +0100
+---
+ xen/test/livepatch/xen_action_hooks_norevert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c
+index 3e21ade6ab..c173855192 100644
+--- a/xen/test/livepatch/xen_action_hooks_norevert.c
++++ b/xen/test/livepatch/xen_action_hooks_norevert.c
+@@ -120,7 +120,7 @@ static void post_revert_hook(livepatch_payload_t *payload)
+ printk(KERN_DEBUG "%s: Hook done.\n", __func__);
+ }
+
+-LIVEPATCH_APPLY_HOOK(revert_hook);
++LIVEPATCH_REVERT_HOOK(revert_hook);
+
+ LIVEPATCH_PREAPPLY_HOOK(pre_apply_hook);
+ LIVEPATCH_POSTAPPLY_HOOK(post_apply_hook);
+--
+2.44.0
+
diff --git a/0020-xen-cmdline-fix-printf-format-specifier-in-no_config.patch b/0020-xen-cmdline-fix-printf-format-specifier-in-no_config.patch
new file mode 100644
index 0000000..b47d9ee
--- /dev/null
+++ b/0020-xen-cmdline-fix-printf-format-specifier-in-no_config.patch
@@ -0,0 +1,38 @@
+From 229e8a72ee4cde5698aaf42cc59ae57446dce60f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 27 Feb 2024 14:10:39 +0100
+Subject: [PATCH 20/67] xen/cmdline: fix printf format specifier in
+ no_config_param()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'*' sets the width field, which is the minimum number of characters to output,
+but what we want in no_config_param() is the precision instead, which is '.*'
+as it imposes a maximum limit on the output.
+
+Fixes: 68d757df8dd2 ('x86/pv: Options to disable and/or compile out 32bit PV support')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: ef101f525173cf51dc70f4c77862f6f10a8ddccf
+master date: 2024-02-26 10:17:40 +0100
+---
+ xen/include/xen/param.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h
+index 93c3fe7cb7..e02e49635c 100644
+--- a/xen/include/xen/param.h
++++ b/xen/include/xen/param.h
+@@ -191,7 +191,7 @@ static inline void no_config_param(const char *cfg, const char *param,
+ {
+ int len = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
+
+- printk(XENLOG_INFO "CONFIG_%s disabled - ignoring '%s=%*s' setting\n",
++ printk(XENLOG_INFO "CONFIG_%s disabled - ignoring '%s=%.*s' setting\n",
+ cfg, param, len, s);
+ }
+
+--
+2.44.0
+
diff --git a/0021-x86-altcall-use-a-union-as-register-type-for-functio.patch b/0021-x86-altcall-use-a-union-as-register-type-for-functio.patch
new file mode 100644
index 0000000..ab050dd
--- /dev/null
+++ b/0021-x86-altcall-use-a-union-as-register-type-for-functio.patch
@@ -0,0 +1,141 @@
+From 1aafe054e7d1efbf8e8482a9cdd4be5753b79e2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 27 Feb 2024 14:11:04 +0100
+Subject: [PATCH 21/67] x86/altcall: use a union as register type for function
+ parameters on clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current code for alternative calls uses the caller parameter types as the
+types for the register variables that serve as function parameters:
+
+uint8_t foo;
+[...]
+alternative_call(myfunc, foo);
+
+Would expand roughly into:
+
+register unint8_t a1_ asm("rdi") = foo;
+register unsigned long a2_ asm("rsi");
+[...]
+asm volatile ("call *%c[addr](%%rip)"...);
+
+However with -O2 clang will generate incorrect code, given the following
+example:
+
+unsigned int func(uint8_t t)
+{
+ return t;
+}
+
+static void bar(uint8_t b)
+{
+ int ret_;
+ register uint8_t di asm("rdi") = b;
+ register unsigned long si asm("rsi");
+ register unsigned long dx asm("rdx");
+ register unsigned long cx asm("rcx");
+ register unsigned long r8 asm("r8");
+ register unsigned long r9 asm("r9");
+ register unsigned long r10 asm("r10");
+ register unsigned long r11 asm("r11");
+
+ asm volatile ( "call %c[addr]"
+ : "+r" (di), "=r" (si), "=r" (dx),
+ "=r" (cx), "=r" (r8), "=r" (r9),
+ "=r" (r10), "=r" (r11), "=a" (ret_)
+ : [addr] "i" (&(func)), "g" (func)
+ : "memory" );
+}
+
+void foo(unsigned int a)
+{
+ bar(a);
+}
+
+Clang generates the following assembly code:
+
+func: # @func
+ movl %edi, %eax
+ retq
+foo: # @foo
+ callq func
+ retq
+
+Note the truncation of the unsigned int parameter 'a' of foo() to uint8_t when
+passed into bar() is lost. clang doesn't zero extend the parameters in the
+callee when required, as the psABI mandates.
+
+The above can be worked around by using a union when defining the register
+variables, so that `di` becomes:
+
+register union {
+ uint8_t e;
+ unsigned long r;
+} di asm("rdi") = { .e = b };
+
+Which results in following code generated for `foo()`:
+
+foo: # @foo
+ movzbl %dil, %edi
+ callq func
+ retq
+
+So the truncation is not longer lost. Apply such workaround only when built
+with clang.
+
+Reported-by: Matthew Grooms <mgrooms@shrew.net>
+Link: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277200
+Link: https://github.com/llvm/llvm-project/issues/12579
+Link: https://github.com/llvm/llvm-project/issues/82598
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+master commit: 2ce562b2a413cbdb2e1128989ed1722290a27c4e
+master date: 2024-02-26 10:18:01 +0100
+---
+ xen/arch/x86/include/asm/alternative.h | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h
+index a7a82c2c03..bcb1dc94f4 100644
+--- a/xen/arch/x86/include/asm/alternative.h
++++ b/xen/arch/x86/include/asm/alternative.h
+@@ -167,9 +167,34 @@ extern void alternative_branches(void);
+ #define ALT_CALL_arg5 "r8"
+ #define ALT_CALL_arg6 "r9"
+
++#ifdef CONFIG_CC_IS_CLANG
++/*
++ * Use a union with an unsigned long in order to prevent clang from
++ * skipping a possible truncation of the value. By using the union any
++ * truncation is carried before the call instruction, in turn covering
++ * for ABI-non-compliance in that the necessary clipping / extension of
++ * the value is supposed to be carried out in the callee.
++ *
++ * Note this behavior is not mandated by the standard, and hence could
++ * stop being a viable workaround, or worse, could cause a different set
++ * of code-generation issues in future clang versions.
++ *
++ * This has been reported upstream:
++ * https://github.com/llvm/llvm-project/issues/12579
++ * https://github.com/llvm/llvm-project/issues/82598
++ */
++#define ALT_CALL_ARG(arg, n) \
++ register union { \
++ typeof(arg) e; \
++ unsigned long r; \
++ } a ## n ## _ asm ( ALT_CALL_arg ## n ) = { \
++ .e = ({ BUILD_BUG_ON(sizeof(arg) > sizeof(void *)); (arg); }) \
++ }
++#else
+ #define ALT_CALL_ARG(arg, n) \
+ register typeof(arg) a ## n ## _ asm ( ALT_CALL_arg ## n ) = \
+ ({ BUILD_BUG_ON(sizeof(arg) > sizeof(void *)); (arg); })
++#endif
+ #define ALT_CALL_NO_ARG(n) \
+ register unsigned long a ## n ## _ asm ( ALT_CALL_arg ## n )
+
+--
+2.44.0
+
diff --git a/0022-x86-spec-fix-BRANCH_HARDEN-option-to-only-be-set-whe.patch b/0022-x86-spec-fix-BRANCH_HARDEN-option-to-only-be-set-whe.patch
new file mode 100644
index 0000000..ce01c1a
--- /dev/null
+++ b/0022-x86-spec-fix-BRANCH_HARDEN-option-to-only-be-set-whe.patch
@@ -0,0 +1,57 @@
+From 91650010815f3da0834bc9781c4359350d1162a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 27 Feb 2024 14:11:40 +0100
+Subject: [PATCH 22/67] x86/spec: fix BRANCH_HARDEN option to only be set when
+ build-enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current logic to handle the BRANCH_HARDEN option will report it as enabled
+even when build-time disabled. Fix this by only allowing the option to be set
+when support for it is built into Xen.
+
+Fixes: 2d6f36daa086 ('x86/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 60e00f77a5cc671d30c5ef3318f5b8e9b74e4aa3
+master date: 2024-02-26 16:06:42 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 56e07d7536..661716d695 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -62,7 +62,8 @@ int8_t __initdata opt_psfd = -1;
+ int8_t __ro_after_init opt_ibpb_ctxt_switch = -1;
+ int8_t __read_mostly opt_eager_fpu = -1;
+ int8_t __read_mostly opt_l1d_flush = -1;
+-static bool __initdata opt_branch_harden = true;
++static bool __initdata opt_branch_harden =
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH);
+
+ bool __initdata bsp_delay_spec_ctrl;
+ uint8_t __read_mostly default_xen_spec_ctrl;
+@@ -280,7 +281,16 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+ opt_l1d_flush = val;
+ else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 )
+- opt_branch_harden = val;
++ {
++ if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) )
++ opt_branch_harden = val;
++ else
++ {
++ no_config_param("SPECULATIVE_HARDEN_BRANCH", "spec-ctrl", s,
++ ss);
++ rc = -EINVAL;
++ }
++ }
+ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
+ opt_srb_lock = val;
+ else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 )
+--
+2.44.0
+
diff --git a/0023-x86-account-for-shadow-stack-in-exception-from-stub-.patch b/0023-x86-account-for-shadow-stack-in-exception-from-stub-.patch
new file mode 100644
index 0000000..e23a764
--- /dev/null
+++ b/0023-x86-account-for-shadow-stack-in-exception-from-stub-.patch
@@ -0,0 +1,212 @@
+From 49f77602373b58b7bbdb40cea2b49d2f88d4003d Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 27 Feb 2024 14:12:11 +0100
+Subject: [PATCH 23/67] x86: account for shadow stack in exception-from-stub
+ recovery
+
+Dealing with exceptions raised from within emulation stubs involves
+discarding return address (replaced by exception related information).
+Such discarding of course also requires removing the corresponding entry
+from the shadow stack.
+
+Also amend the comment in fixup_exception_return(), to further clarify
+why use of ptr[1] can't be an out-of-bounds access.
+
+This is CVE-2023-46841 / XSA-451.
+
+Fixes: 209fb9919b50 ("x86/extable: Adjust extable handling to be shadow stack compatible")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: 91f5f7a9154919a765c3933521760acffeddbf28
+master date: 2024-02-27 13:49:22 +0100
+---
+ xen/arch/x86/extable.c | 20 ++++++----
+ xen/arch/x86/include/asm/uaccess.h | 3 +-
+ xen/arch/x86/traps.c | 63 +++++++++++++++++++++++++++---
+ 3 files changed, 71 insertions(+), 15 deletions(-)
+
+diff --git a/xen/arch/x86/extable.c b/xen/arch/x86/extable.c
+index 6758ba1dca..dd9583f2a5 100644
+--- a/xen/arch/x86/extable.c
++++ b/xen/arch/x86/extable.c
+@@ -86,26 +86,29 @@ search_one_extable(const struct exception_table_entry *first,
+ }
+
+ unsigned long
+-search_exception_table(const struct cpu_user_regs *regs)
++search_exception_table(const struct cpu_user_regs *regs, unsigned long *stub_ra)
+ {
+ const struct virtual_region *region = find_text_region(regs->rip);
+ unsigned long stub = this_cpu(stubs.addr);
+
+ if ( region && region->ex )
++ {
++ *stub_ra = 0;
+ return search_one_extable(region->ex, region->ex_end, regs->rip);
++ }
+
+ if ( regs->rip >= stub + STUB_BUF_SIZE / 2 &&
+ regs->rip < stub + STUB_BUF_SIZE &&
+ regs->rsp > (unsigned long)regs &&
+ regs->rsp < (unsigned long)get_cpu_info() )
+ {
+- unsigned long retptr = *(unsigned long *)regs->rsp;
++ unsigned long retaddr = *(unsigned long *)regs->rsp, fixup;
+
+- region = find_text_region(retptr);
+- retptr = region && region->ex
+- ? search_one_extable(region->ex, region->ex_end, retptr)
+- : 0;
+- if ( retptr )
++ region = find_text_region(retaddr);
++ fixup = region && region->ex
++ ? search_one_extable(region->ex, region->ex_end, retaddr)
++ : 0;
++ if ( fixup )
+ {
+ /*
+ * Put trap number and error code on the stack (in place of the
+@@ -117,7 +120,8 @@ search_exception_table(const struct cpu_user_regs *regs)
+ };
+
+ *(unsigned long *)regs->rsp = token.raw;
+- return retptr;
++ *stub_ra = retaddr;
++ return fixup;
+ }
+ }
+
+diff --git a/xen/arch/x86/include/asm/uaccess.h b/xen/arch/x86/include/asm/uaccess.h
+index 684fccd95c..74bb222c03 100644
+--- a/xen/arch/x86/include/asm/uaccess.h
++++ b/xen/arch/x86/include/asm/uaccess.h
+@@ -421,7 +421,8 @@ union stub_exception_token {
+ unsigned long raw;
+ };
+
+-extern unsigned long search_exception_table(const struct cpu_user_regs *regs);
++extern unsigned long search_exception_table(const struct cpu_user_regs *regs,
++ unsigned long *stub_ra);
+ extern void sort_exception_tables(void);
+ extern void sort_exception_table(struct exception_table_entry *start,
+ const struct exception_table_entry *stop);
+diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
+index 06c4f3868b..7599bee361 100644
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -856,7 +856,7 @@ void do_unhandled_trap(struct cpu_user_regs *regs)
+ }
+
+ static void fixup_exception_return(struct cpu_user_regs *regs,
+- unsigned long fixup)
++ unsigned long fixup, unsigned long stub_ra)
+ {
+ if ( IS_ENABLED(CONFIG_XEN_SHSTK) )
+ {
+@@ -873,7 +873,8 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
+ /*
+ * Search for %rip. The shstk currently looks like this:
+ *
+- * ... [Likely pointed to by SSP]
++ * tok [Supervisor token, == &tok | BUSY, only with FRED inactive]
++ * ... [Pointed to by SSP for most exceptions, empty in IST cases]
+ * %cs [== regs->cs]
+ * %rip [== regs->rip]
+ * SSP [Likely points to 3 slots higher, above %cs]
+@@ -891,7 +892,56 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
+ */
+ if ( ptr[0] == regs->rip && ptr[1] == regs->cs )
+ {
++ unsigned long primary_shstk =
++ (ssp & ~(STACK_SIZE - 1)) +
++ (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8;
++
+ wrss(fixup, ptr);
++
++ if ( !stub_ra )
++ goto shstk_done;
++
++ /*
++ * Stub recovery ought to happen only when the outer context
++ * was on the main shadow stack. We need to also "pop" the
++ * stub's return address from the interrupted context's shadow
++ * stack. That is,
++ * - if we're still on the main stack, we need to move the
++ * entire stack (up to and including the exception frame)
++ * up by one slot, incrementing the original SSP in the
++ * exception frame,
++ * - if we're on an IST stack, we need to increment the
++ * original SSP.
++ */
++ BUG_ON((ptr[-1] ^ primary_shstk) >> PAGE_SHIFT);
++
++ if ( (ssp ^ primary_shstk) >> PAGE_SHIFT )
++ {
++ /*
++ * We're on an IST stack. First make sure the two return
++ * addresses actually match. Then increment the interrupted
++ * context's SSP.
++ */
++ BUG_ON(stub_ra != *(unsigned long*)ptr[-1]);
++ wrss(ptr[-1] + 8, &ptr[-1]);
++ goto shstk_done;
++ }
++
++ /* Make sure the two return addresses actually match. */
++ BUG_ON(stub_ra != ptr[2]);
++
++ /* Move exception frame, updating SSP there. */
++ wrss(ptr[1], &ptr[2]); /* %cs */
++ wrss(ptr[0], &ptr[1]); /* %rip */
++ wrss(ptr[-1] + 8, &ptr[0]); /* SSP */
++
++ /* Move all newer entries. */
++ while ( --ptr != _p(ssp) )
++ wrss(ptr[-1], &ptr[0]);
++
++ /* Finally account for our own stack having shifted up. */
++ asm volatile ( "incsspd %0" :: "r" (2) );
++
+ goto shstk_done;
+ }
+ }
+@@ -912,7 +962,8 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
+
+ static bool extable_fixup(struct cpu_user_regs *regs, bool print)
+ {
+- unsigned long fixup = search_exception_table(regs);
++ unsigned long stub_ra = 0;
++ unsigned long fixup = search_exception_table(regs, &stub_ra);
+
+ if ( unlikely(fixup == 0) )
+ return false;
+@@ -926,7 +977,7 @@ static bool extable_fixup(struct cpu_user_regs *regs, bool print)
+ vector_name(regs->entry_vector), regs->error_code,
+ _p(regs->rip), _p(regs->rip), _p(fixup));
+
+- fixup_exception_return(regs, fixup);
++ fixup_exception_return(regs, fixup, stub_ra);
+ this_cpu(last_extable_addr) = regs->rip;
+
+ return true;
+@@ -1214,7 +1265,7 @@ void do_invalid_op(struct cpu_user_regs *regs)
+ void (*fn)(struct cpu_user_regs *) = bug_ptr(bug);
+
+ fn(regs);
+- fixup_exception_return(regs, (unsigned long)eip);
++ fixup_exception_return(regs, (unsigned long)eip, 0);
+ return;
+ }
+
+@@ -1235,7 +1286,7 @@ void do_invalid_op(struct cpu_user_regs *regs)
+ case BUGFRAME_warn:
+ printk("Xen WARN at %s%s:%d\n", prefix, filename, lineno);
+ show_execution_state(regs);
+- fixup_exception_return(regs, (unsigned long)eip);
++ fixup_exception_return(regs, (unsigned long)eip, 0);
+ return;
+
+ case BUGFRAME_bug:
+--
+2.44.0
+
diff --git a/0024-xen-arm-Fix-UBSAN-failure-in-start_xen.patch b/0024-xen-arm-Fix-UBSAN-failure-in-start_xen.patch
new file mode 100644
index 0000000..7bdd651
--- /dev/null
+++ b/0024-xen-arm-Fix-UBSAN-failure-in-start_xen.patch
@@ -0,0 +1,52 @@
+From 6cbccc4071ef49a8c591ecaddfdcb1cc26d28411 Mon Sep 17 00:00:00 2001
+From: Michal Orzel <michal.orzel@amd.com>
+Date: Thu, 8 Feb 2024 11:43:39 +0100
+Subject: [PATCH 24/67] xen/arm: Fix UBSAN failure in start_xen()
+
+When running Xen on arm32, in scenario where Xen is loaded at an address
+such as boot_phys_offset >= 2GB, UBSAN reports the following:
+
+(XEN) UBSAN: Undefined behaviour in arch/arm/setup.c:739:58
+(XEN) pointer operation underflowed 00200000 to 86800000
+(XEN) Xen WARN at common/ubsan/ubsan.c:172
+(XEN) ----[ Xen-4.19-unstable arm32 debug=y ubsan=y Not tainted ]----
+...
+(XEN) Xen call trace:
+(XEN) [<0031b4c0>] ubsan.c#ubsan_epilogue+0x18/0xf0 (PC)
+(XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4 (LR)
+(XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4
+(XEN) [<004d15a8>] start_xen+0xe0/0xbe0
+(XEN) [<0020007c>] head.o#primary_switched+0x4/0x30
+
+The failure is reported for the following line:
+(paddr_t)(uintptr_t)(_start + boot_phys_offset)
+
+This occurs because the compiler treats (ptr + size) with size bigger than
+PTRDIFF_MAX as undefined behavior. To address this, switch to macro
+virt_to_maddr(), given the future plans to eliminate boot_phys_offset.
+
+Signed-off-by: Michal Orzel <michal.orzel@amd.com>
+Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
+Tested-by: Luca Fancellu <luca.fancellu@arm.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+(cherry picked from commit e11f5766503c0ff074b4e0f888bbfc931518a169)
+---
+ xen/arch/arm/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
+index 4395640019..9ee19c2bc1 100644
+--- a/xen/arch/arm/setup.c
++++ b/xen/arch/arm/setup.c
+@@ -1025,7 +1025,7 @@ void __init start_xen(unsigned long boot_phys_offset,
+
+ /* Register Xen's load address as a boot module. */
+ xen_bootmodule = add_boot_module(BOOTMOD_XEN,
+- (paddr_t)(uintptr_t)(_start + boot_phys_offset),
++ virt_to_maddr(_start),
+ (paddr_t)(uintptr_t)(_end - _start), false);
+ BUG_ON(!xen_bootmodule);
+
+--
+2.44.0
+
diff --git a/0025-x86-HVM-hide-SVM-VMX-when-their-enabling-is-prohibit.patch b/0025-x86-HVM-hide-SVM-VMX-when-their-enabling-is-prohibit.patch
new file mode 100644
index 0000000..28e489b
--- /dev/null
+++ b/0025-x86-HVM-hide-SVM-VMX-when-their-enabling-is-prohibit.patch
@@ -0,0 +1,67 @@
+From 9c0d518eb8dc69430e6a8d767bd101dad19b846a Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 5 Mar 2024 11:56:31 +0100
+Subject: [PATCH 25/67] x86/HVM: hide SVM/VMX when their enabling is prohibited
+ by firmware
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... or we fail to enable the functionality on the BSP for other reasons.
+The only place where hardware announcing the feature is recorded is the
+raw CPU policy/featureset.
+
+Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c
+master date: 2024-01-09 14:06:34 +0100
+---
+ xen/arch/x86/hvm/svm/svm.c | 1 +
+ xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
+index fd32600ae3..3c17464550 100644
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -1669,6 +1669,7 @@ const struct hvm_function_table * __init start_svm(void)
+
+ if ( _svm_cpu_up(true) )
+ {
++ setup_clear_cpu_cap(X86_FEATURE_SVM);
+ printk("SVM: failed to initialise.\n");
+ return NULL;
+ }
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index bcbecc6945..b5ecc51b43 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -2163,6 +2163,23 @@ int __init vmx_vmcs_init(void)
+
+ if ( !ret )
+ register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1);
++ else
++ {
++ setup_clear_cpu_cap(X86_FEATURE_VMX);
++
++ /*
++ * _vmx_vcpu_up() may have made it past feature identification.
++ * Make sure all dependent features are off as well.
++ */
++ vmx_basic_msr = 0;
++ vmx_pin_based_exec_control = 0;
++ vmx_cpu_based_exec_control = 0;
++ vmx_secondary_exec_control = 0;
++ vmx_vmexit_control = 0;
++ vmx_vmentry_control = 0;
++ vmx_ept_vpid_cap = 0;
++ vmx_vmfunc = 0;
++ }
+
+ return ret;
+ }
+--
+2.44.0
+
diff --git a/0026-xen-sched-Fix-UB-shift-in-compat_set_timer_op.patch b/0026-xen-sched-Fix-UB-shift-in-compat_set_timer_op.patch
new file mode 100644
index 0000000..4b051ea
--- /dev/null
+++ b/0026-xen-sched-Fix-UB-shift-in-compat_set_timer_op.patch
@@ -0,0 +1,86 @@
+From b75bee183210318150e678e14b35224d7c73edb6 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 5 Mar 2024 11:57:02 +0100
+Subject: [PATCH 26/67] xen/sched: Fix UB shift in compat_set_timer_op()
+
+Tamas reported this UBSAN failure from fuzzing:
+
+ (XEN) ================================================================================
+ (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37
+ (XEN) left shift of negative value -2147425536
+ (XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]----
+ ...
+ (XEN) Xen call trace:
+ (XEN) [<ffff82d040307c1c>] R ubsan.c#ubsan_epilogue+0xa/0xd9
+ (XEN) [<ffff82d040308afb>] F __ubsan_handle_shift_out_of_bounds+0x11a/0x1c5
+ (XEN) [<ffff82d040307758>] F compat_set_timer_op+0x41/0x43
+ (XEN) [<ffff82d04040e4cc>] F hvm_do_multicall_call+0x77f/0xa75
+ (XEN) [<ffff82d040519462>] F arch_do_multicall_call+0xec/0xf1
+ (XEN) [<ffff82d040261567>] F do_multicall+0x1dc/0xde3
+ (XEN) [<ffff82d04040d2b3>] F hvm_hypercall+0xa00/0x149a
+ (XEN) [<ffff82d0403cd072>] F vmx_vmexit_handler+0x1596/0x279c
+ (XEN) [<ffff82d0403d909b>] F vmx_asm_vmexit_handler+0xdb/0x200
+
+Left-shifting any negative value is strictly undefined behaviour in C, and
+the two parameters here come straight from the guest.
+
+The fuzzer happened to choose lo 0xf, hi 0x8000e300.
+
+Switch everything to be unsigned values, making the shift well defined.
+
+As GCC documents:
+
+ As an extension to the C language, GCC does not use the latitude given in
+ C99 and C11 only to treat certain aspects of signed '<<' as undefined.
+ However, -fsanitize=shift (and -fsanitize=undefined) will diagnose such
+ cases.
+
+this was deemed not to need an XSA.
+
+Note: The unsigned -> signed conversion for do_set_timer_op()'s s_time_t
+parameter is also well defined. C makes it implementation defined, and GCC
+defines it as reduction modulo 2^N to be within range of the new type.
+
+Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sched_op and HYPERVISOR_set_timer_op.")
+Reported-by: Tamas K Lengyel <tamas@tklengyel.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: ae6d4fd876765e6d623eec67d14f5d0464be09cb
+master date: 2024-02-01 19:52:44 +0000
+---
+ xen/common/sched/compat.c | 4 ++--
+ xen/include/hypercall-defs.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c
+index 040b4caca2..b827fdecb8 100644
+--- a/xen/common/sched/compat.c
++++ b/xen/common/sched/compat.c
+@@ -39,9 +39,9 @@ static int compat_poll(struct compat_sched_poll *compat)
+
+ #include "core.c"
+
+-int compat_set_timer_op(u32 lo, s32 hi)
++int compat_set_timer_op(uint32_t lo, uint32_t hi)
+ {
+- return do_set_timer_op(((s64)hi << 32) | lo);
++ return do_set_timer_op(((uint64_t)hi << 32) | lo);
+ }
+
+ /*
+diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c
+index 1896121074..c442dee284 100644
+--- a/xen/include/hypercall-defs.c
++++ b/xen/include/hypercall-defs.c
+@@ -127,7 +127,7 @@ xenoprof_op(int op, void *arg)
+
+ #ifdef CONFIG_COMPAT
+ prefix: compat
+-set_timer_op(uint32_t lo, int32_t hi)
++set_timer_op(uint32_t lo, uint32_t hi)
+ multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls)
+ memory_op(unsigned int cmd, void *arg)
+ #ifdef CONFIG_IOREQ_SERVER
+--
+2.44.0
+
diff --git a/0027-x86-spec-print-the-built-in-SPECULATIVE_HARDEN_-opti.patch b/0027-x86-spec-print-the-built-in-SPECULATIVE_HARDEN_-opti.patch
new file mode 100644
index 0000000..845247a
--- /dev/null
+++ b/0027-x86-spec-print-the-built-in-SPECULATIVE_HARDEN_-opti.patch
@@ -0,0 +1,54 @@
+From 76ea2aab3652cc34e474de0905f0a9cd4df7d087 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:57:41 +0100
+Subject: [PATCH 27/67] x86/spec: print the built-in SPECULATIVE_HARDEN_*
+ options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Just like it's done for INDIRECT_THUNK and SHADOW_PAGING.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 6e9507f7d51fe49df8bc70f83e49ce06c92e4e54
+master date: 2024-02-27 14:57:52 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 661716d695..93f1cf3bb5 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -488,13 +488,25 @@ static void __init print_details(enum ind_thunk thunk)
+ (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : "");
+
+ /* Compiled-in support which pertains to mitigations. */
+- if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
++ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ||
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) ||
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) ||
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) )
+ printk(" Compiled-in support:"
+ #ifdef CONFIG_INDIRECT_THUNK
+ " INDIRECT_THUNK"
+ #endif
+ #ifdef CONFIG_SHADOW_PAGING
+ " SHADOW_PAGING"
++#endif
++#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY
++ " HARDEN_ARRAY"
++#endif
++#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
++ " HARDEN_BRANCH"
++#endif
++#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS
++ " HARDEN_GUEST_ACCESS"
+ #endif
+ "\n");
+
+--
+2.44.0
+
diff --git a/0028-x86-spec-fix-INDIRECT_THUNK-option-to-only-be-set-wh.patch b/0028-x86-spec-fix-INDIRECT_THUNK-option-to-only-be-set-wh.patch
new file mode 100644
index 0000000..dfbf516
--- /dev/null
+++ b/0028-x86-spec-fix-INDIRECT_THUNK-option-to-only-be-set-wh.patch
@@ -0,0 +1,67 @@
+From 693455c3c370e535eb6cd065800ff91e147815fa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:58:04 +0100
+Subject: [PATCH 28/67] x86/spec: fix INDIRECT_THUNK option to only be set when
+ build-enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Attempt to provide a more helpful error message when the user attempts to set
+spec-ctrl=bti-thunk option but the support is build-time disabled.
+
+While there also adjust the command line documentation to mention
+CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 8441fa806a3b778867867cd0159fa1722e90397e
+master date: 2024-02-27 14:58:20 +0100
+---
+ docs/misc/xen-command-line.pandoc | 10 +++++-----
+ xen/arch/x86/spec_ctrl.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 05f613c71c..2006697226 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2378,11 +2378,11 @@ guests to use.
+ performance reasons dom0 is unprotected by default. If it is necessary to
+ protect dom0 too, boot with `spec-ctrl=ibpb-entry`.
+
+-If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
+-select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
+-locations. The default thunk is `retpoline` (generally preferred), with the
+-alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and
+-`lfence` (an `lfence; jmp *%reg` gadget).
++If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be
++used to select which of the thunks gets patched into the
++`__x86_indirect_thunk_%reg` locations. The default thunk is `retpoline`
++(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget,
++minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget).
+
+ On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
+ `ibrs=` option can be used to force or prevent Xen using the feature itself.
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 93f1cf3bb5..098fa3184d 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -253,7 +253,12 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ {
+ s += 10;
+
+- if ( !cmdline_strcmp(s, "retpoline") )
++ if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
++ {
++ no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss);
++ rc = -EINVAL;
++ }
++ else if ( !cmdline_strcmp(s, "retpoline") )
+ opt_thunk = THUNK_RETPOLINE;
+ else if ( !cmdline_strcmp(s, "lfence") )
+ opt_thunk = THUNK_LFENCE;
+--
+2.44.0
+
diff --git a/0029-x86-spec-do-not-print-thunk-option-selection-if-not-.patch b/0029-x86-spec-do-not-print-thunk-option-selection-if-not-.patch
new file mode 100644
index 0000000..71e6633
--- /dev/null
+++ b/0029-x86-spec-do-not-print-thunk-option-selection-if-not-.patch
@@ -0,0 +1,50 @@
+From 0ce25b46ab2fb53a1b58f7682ca14971453f4f2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:58:36 +0100
+Subject: [PATCH 29/67] x86/spec: do not print thunk option selection if not
+ built-in
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since the thunk built-in enable is printed as part of the "Compiled-in
+support:" line, avoid printing anything in "Xen settings:" if the thunk is
+disabled at build time.
+
+Note the BTI-Thunk option printing is also adjusted to print a colon in the
+same way the other options on the line do.
+
+Requested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 576528a2a742069af203e90c613c5c93e23c9755
+master date: 2024-02-27 14:58:40 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 098fa3184d..25a18ac598 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -516,11 +516,12 @@ static void __init print_details(enum ind_thunk thunk)
+ "\n");
+
+ /* Settings for Xen's protection, irrespective of guests. */
+- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
+- thunk == THUNK_NONE ? "N/A" :
+- thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+- thunk == THUNK_LFENCE ? "LFENCE" :
+- thunk == THUNK_JMP ? "JMP" : "?",
++ printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
++ thunk != THUNK_NONE ? "BTI-Thunk: " : "",
++ thunk == THUNK_NONE ? "" :
++ thunk == THUNK_RETPOLINE ? "RETPOLINE, " :
++ thunk == THUNK_LFENCE ? "LFENCE, " :
++ thunk == THUNK_JMP ? "JMP, " : "?, ",
+ (!boot_cpu_has(X86_FEATURE_IBRSB) &&
+ !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" :
+ (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-",
+--
+2.44.0
+
diff --git a/0030-xen-livepatch-register-livepatch-regions-when-loaded.patch b/0030-xen-livepatch-register-livepatch-regions-when-loaded.patch
new file mode 100644
index 0000000..f521ecc
--- /dev/null
+++ b/0030-xen-livepatch-register-livepatch-regions-when-loaded.patch
@@ -0,0 +1,159 @@
+From b11917de0cd261a878beaf50c18a689bde0b2f50 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:59:26 +0100
+Subject: [PATCH 30/67] xen/livepatch: register livepatch regions when loaded
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently livepatch regions are registered as virtual regions only after the
+livepatch has been applied.
+
+This can lead to issues when using the pre-apply or post-revert hooks, as at
+that point the livepatch is not in the virtual regions list. If a livepatch
+pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the
+code to handle the bug frame won't be able to find the instruction pointer that
+triggered the #UD in any of the registered virtual regions, and hence crash.
+
+Fix this by adding the livepatch payloads as virtual regions as soon as loaded,
+and only remove them once the payload is unloaded. This requires some changes
+to the virtual regions code, as the removal of the virtual regions is no longer
+done in stop machine context, and hence an RCU barrier is added in order to
+make sure there are no users of the virtual region after it's been removed from
+the list.
+
+Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: a57b4074ab39bee78b6c116277f0a9963bd8e687
+master date: 2024-02-28 16:57:25 +0000
+---
+ xen/common/livepatch.c | 4 ++--
+ xen/common/virtual_region.c | 44 ++++++++++++++-----------------------
+ 2 files changed, 19 insertions(+), 29 deletions(-)
+
+diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
+index c2ae84d18b..537e9f33e4 100644
+--- a/xen/common/livepatch.c
++++ b/xen/common/livepatch.c
+@@ -1015,6 +1015,7 @@ static int build_symbol_table(struct payload *payload,
+ static void free_payload(struct payload *data)
+ {
+ ASSERT(spin_is_locked(&payload_lock));
++ unregister_virtual_region(&data->region);
+ list_del(&data->list);
+ payload_cnt--;
+ payload_version++;
+@@ -1114,6 +1115,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload)
+ INIT_LIST_HEAD(&data->list);
+ INIT_LIST_HEAD(&data->applied_list);
+
++ register_virtual_region(&data->region);
+ list_add_tail(&data->list, &payload_list);
+ payload_cnt++;
+ payload_version++;
+@@ -1330,7 +1332,6 @@ static inline void apply_payload_tail(struct payload *data)
+ * The applied_list is iterated by the trap code.
+ */
+ list_add_tail_rcu(&data->applied_list, &applied_list);
+- register_virtual_region(&data->region);
+
+ data->state = LIVEPATCH_STATE_APPLIED;
+ }
+@@ -1376,7 +1377,6 @@ static inline void revert_payload_tail(struct payload *data)
+ * The applied_list is iterated by the trap code.
+ */
+ list_del_rcu(&data->applied_list);
+- unregister_virtual_region(&data->region);
+
+ data->reverted = true;
+ data->state = LIVEPATCH_STATE_CHECKED;
+diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c
+index 5f89703f51..9f12c30efe 100644
+--- a/xen/common/virtual_region.c
++++ b/xen/common/virtual_region.c
+@@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = {
+ };
+
+ /*
+- * RCU locking. Additions are done either at startup (when there is only
+- * one CPU) or when all CPUs are running without IRQs.
+- *
+- * Deletions are bit tricky. We do it when Live Patch (all CPUs running
+- * without IRQs) or during bootup (when clearing the init).
+- *
+- * Hence we use list_del_rcu (which sports an memory fence) and a spinlock
+- * on deletion.
++ * RCU locking. Modifications to the list must be done in exclusive mode, and
++ * hence need to hold the spinlock.
+ *
+ * All readers of virtual_region_list MUST use list_for_each_entry_rcu.
+ */
+@@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr)
+
+ void register_virtual_region(struct virtual_region *r)
+ {
+- ASSERT(!local_irq_is_enabled());
++ unsigned long flags;
+
++ spin_lock_irqsave(&virtual_region_lock, flags);
+ list_add_tail_rcu(&r->list, &virtual_region_list);
++ spin_unlock_irqrestore(&virtual_region_lock, flags);
+ }
+
+-static void remove_virtual_region(struct virtual_region *r)
++/*
++ * Suggest inline so when !CONFIG_LIVEPATCH the function is not left
++ * unreachable after init code is removed.
++ */
++static void inline remove_virtual_region(struct virtual_region *r)
+ {
+ unsigned long flags;
+
+ spin_lock_irqsave(&virtual_region_lock, flags);
+ list_del_rcu(&r->list);
+ spin_unlock_irqrestore(&virtual_region_lock, flags);
+- /*
+- * We do not need to invoke call_rcu.
+- *
+- * This is due to the fact that on the deletion we have made sure
+- * to use spinlocks (to guard against somebody else calling
+- * unregister_virtual_region) and list_deletion spiced with
+- * memory barrier.
+- *
+- * That protects us from corrupting the list as the readers all
+- * use list_for_each_entry_rcu which is safe against concurrent
+- * deletions.
+- */
+ }
+
++#ifdef CONFIG_LIVEPATCH
+ void unregister_virtual_region(struct virtual_region *r)
+ {
+- /* Expected to be called from Live Patch - which has IRQs disabled. */
+- ASSERT(!local_irq_is_enabled());
+-
+ remove_virtual_region(r);
++
++ /* Assert that no CPU might be using the removed region. */
++ rcu_barrier();
+ }
+
+-#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86)
++#ifdef CONFIG_X86
+ void relax_virtual_region_perms(void)
+ {
+ const struct virtual_region *region;
+@@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void)
+ PAGE_HYPERVISOR_RX);
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ }
+-#endif
++#endif /* CONFIG_X86 */
++#endif /* CONFIG_LIVEPATCH */
+
+ void __init unregister_init_virtual_region(void)
+ {
+--
+2.44.0
+
diff --git a/0031-xen-livepatch-search-for-symbols-in-all-loaded-paylo.patch b/0031-xen-livepatch-search-for-symbols-in-all-loaded-paylo.patch
new file mode 100644
index 0000000..c778639
--- /dev/null
+++ b/0031-xen-livepatch-search-for-symbols-in-all-loaded-paylo.patch
@@ -0,0 +1,149 @@
+From c54cf903b06fb1933fad053cc547580c92c856ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:59:35 +0100
+Subject: [PATCH 31/67] xen/livepatch: search for symbols in all loaded
+ payloads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When checking if an address belongs to a patch, or when resolving a symbol,
+take into account all loaded livepatch payloads, even if not applied.
+
+This is required in order for the pre-apply and post-revert hooks to work
+properly, or else Xen won't detect the instruction pointer belonging to those
+hooks as being part of the currently active text.
+
+Move the RCU handling to be used for payload_list instead of applied_list, as
+now the calls from trap code will iterate over the payload_list.
+
+Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: d2daa40fb3ddb8f83e238e57854bd878924cde90
+master date: 2024-02-28 16:57:25 +0000
+---
+ xen/common/livepatch.c | 49 +++++++++++++++---------------------------
+ 1 file changed, 17 insertions(+), 32 deletions(-)
+
+diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
+index 537e9f33e4..a129ab9973 100644
+--- a/xen/common/livepatch.c
++++ b/xen/common/livepatch.c
+@@ -36,13 +36,14 @@
+ * caller in schedule_work.
+ */
+ static DEFINE_SPINLOCK(payload_lock);
+-static LIST_HEAD(payload_list);
+-
+ /*
+- * Patches which have been applied. Need RCU in case we crash (and then
+- * traps code would iterate via applied_list) when adding entries on the list.
++ * Need RCU in case we crash (and then traps code would iterate via
++ * payload_list) when adding entries on the list.
+ */
+-static DEFINE_RCU_READ_LOCK(rcu_applied_lock);
++static DEFINE_RCU_READ_LOCK(rcu_payload_lock);
++static LIST_HEAD(payload_list);
++
++/* Patches which have been applied. Only modified from stop machine context. */
+ static LIST_HEAD(applied_list);
+
+ static unsigned int payload_cnt;
+@@ -111,12 +112,8 @@ bool_t is_patch(const void *ptr)
+ const struct payload *data;
+ bool_t r = 0;
+
+- /*
+- * Only RCU locking since this list is only ever changed during apply
+- * or revert context. And in case it dies there we need an safe list.
+- */
+- rcu_read_lock(&rcu_applied_lock);
+- list_for_each_entry_rcu ( data, &applied_list, applied_list )
++ rcu_read_lock(&rcu_payload_lock);
++ list_for_each_entry_rcu ( data, &payload_list, list )
+ {
+ if ( (ptr >= data->rw_addr &&
+ ptr < (data->rw_addr + data->rw_size)) ||
+@@ -130,7 +127,7 @@ bool_t is_patch(const void *ptr)
+ }
+
+ }
+- rcu_read_unlock(&rcu_applied_lock);
++ rcu_read_unlock(&rcu_payload_lock);
+
+ return r;
+ }
+@@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup(
+ const void *va = (const void *)addr;
+ const char *n = NULL;
+
+- /*
+- * Only RCU locking since this list is only ever changed during apply
+- * or revert context. And in case it dies there we need an safe list.
+- */
+- rcu_read_lock(&rcu_applied_lock);
+- list_for_each_entry_rcu ( data, &applied_list, applied_list )
++ rcu_read_lock(&rcu_payload_lock);
++ list_for_each_entry_rcu ( data, &payload_list, list )
+ {
+ if ( va < data->text_addr ||
+ va >= (data->text_addr + data->text_size) )
+@@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup(
+ n = data->symtab[best].name;
+ break;
+ }
+- rcu_read_unlock(&rcu_applied_lock);
++ rcu_read_unlock(&rcu_payload_lock);
+
+ return n;
+ }
+@@ -1016,7 +1009,8 @@ static void free_payload(struct payload *data)
+ {
+ ASSERT(spin_is_locked(&payload_lock));
+ unregister_virtual_region(&data->region);
+- list_del(&data->list);
++ list_del_rcu(&data->list);
++ rcu_barrier();
+ payload_cnt--;
+ payload_version++;
+ free_payload_data(data);
+@@ -1116,7 +1110,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload)
+ INIT_LIST_HEAD(&data->applied_list);
+
+ register_virtual_region(&data->region);
+- list_add_tail(&data->list, &payload_list);
++ list_add_tail_rcu(&data->list, &payload_list);
+ payload_cnt++;
+ payload_version++;
+ }
+@@ -1327,11 +1321,7 @@ static int apply_payload(struct payload *data)
+
+ static inline void apply_payload_tail(struct payload *data)
+ {
+- /*
+- * We need RCU variant (which has barriers) in case we crash here.
+- * The applied_list is iterated by the trap code.
+- */
+- list_add_tail_rcu(&data->applied_list, &applied_list);
++ list_add_tail(&data->applied_list, &applied_list);
+
+ data->state = LIVEPATCH_STATE_APPLIED;
+ }
+@@ -1371,12 +1361,7 @@ static int revert_payload(struct payload *data)
+
+ static inline void revert_payload_tail(struct payload *data)
+ {
+-
+- /*
+- * We need RCU variant (which has barriers) in case we crash here.
+- * The applied_list is iterated by the trap code.
+- */
+- list_del_rcu(&data->applied_list);
++ list_del(&data->applied_list);
+
+ data->reverted = true;
+ data->state = LIVEPATCH_STATE_CHECKED;
+--
+2.44.0
+
diff --git a/0032-xen-livepatch-fix-norevert-test-attempt-to-open-code.patch b/0032-xen-livepatch-fix-norevert-test-attempt-to-open-code.patch
new file mode 100644
index 0000000..76af9ef
--- /dev/null
+++ b/0032-xen-livepatch-fix-norevert-test-attempt-to-open-code.patch
@@ -0,0 +1,186 @@
+From 5564323f643715f9d364df88e0eb9c7d6fd2c22b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:59:43 +0100
+Subject: [PATCH 32/67] xen/livepatch: fix norevert test attempt to open-code
+ revert
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The purpose of the norevert test is to install a dummy handler that replaces
+the internal Xen revert code, and then perform the revert in the post-revert
+hook. For that purpose the usage of the previous common_livepatch_revert() is
+not enough, as that just reverts specific functions, but not the whole state of
+the payload.
+
+Remove both common_livepatch_{apply,revert}() and instead expose
+revert_payload{,_tail}() in order to perform the patch revert from the
+post-revert hook.
+
+Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: cdae267ce10d04d71d1687b5701ff2911a96b6dc
+master date: 2024-02-28 16:57:25 +0000
+---
+ xen/common/livepatch.c | 41 +++++++++++++++++--
+ xen/include/xen/livepatch.h | 32 ++-------------
+ .../livepatch/xen_action_hooks_norevert.c | 22 +++-------
+ 3 files changed, 46 insertions(+), 49 deletions(-)
+
+diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
+index a129ab9973..a5068a2217 100644
+--- a/xen/common/livepatch.c
++++ b/xen/common/livepatch.c
+@@ -1310,7 +1310,22 @@ static int apply_payload(struct payload *data)
+ ASSERT(!local_irq_is_enabled());
+
+ for ( i = 0; i < data->nfuncs; i++ )
+- common_livepatch_apply(&data->funcs[i], &data->fstate[i]);
++ {
++ const struct livepatch_func *func = &data->funcs[i];
++ struct livepatch_fstate *state = &data->fstate[i];
++
++ /* If the action has been already executed on this function, do nothing. */
++ if ( state->applied == LIVEPATCH_FUNC_APPLIED )
++ {
++ printk(XENLOG_WARNING LIVEPATCH
++ "%s: %s has been already applied before\n",
++ __func__, func->name);
++ continue;
++ }
++
++ arch_livepatch_apply(func, state);
++ state->applied = LIVEPATCH_FUNC_APPLIED;
++ }
+
+ arch_livepatch_revive();
+
+@@ -1326,7 +1341,7 @@ static inline void apply_payload_tail(struct payload *data)
+ data->state = LIVEPATCH_STATE_APPLIED;
+ }
+
+-static int revert_payload(struct payload *data)
++int revert_payload(struct payload *data)
+ {
+ unsigned int i;
+ int rc;
+@@ -1341,7 +1356,25 @@ static int revert_payload(struct payload *data)
+ }
+
+ for ( i = 0; i < data->nfuncs; i++ )
+- common_livepatch_revert(&data->funcs[i], &data->fstate[i]);
++ {
++ const struct livepatch_func *func = &data->funcs[i];
++ struct livepatch_fstate *state = &data->fstate[i];
++
++ /*
++ * If the apply action hasn't been executed on this function, do
++ * nothing.
++ */
++ if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED )
++ {
++ printk(XENLOG_WARNING LIVEPATCH
++ "%s: %s has not been applied before\n",
++ __func__, func->name);
++ continue;
++ }
++
++ arch_livepatch_revert(func, state);
++ state->applied = LIVEPATCH_FUNC_NOT_APPLIED;
++ }
+
+ /*
+ * Since we are running with IRQs disabled and the hooks may call common
+@@ -1359,7 +1392,7 @@ static int revert_payload(struct payload *data)
+ return 0;
+ }
+
+-static inline void revert_payload_tail(struct payload *data)
++void revert_payload_tail(struct payload *data)
+ {
+ list_del(&data->applied_list);
+
+diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h
+index 537d3d58b6..c9ee58fd37 100644
+--- a/xen/include/xen/livepatch.h
++++ b/xen/include/xen/livepatch.h
+@@ -136,35 +136,11 @@ void arch_livepatch_post_action(void);
+ void arch_livepatch_mask(void);
+ void arch_livepatch_unmask(void);
+
+-static inline void common_livepatch_apply(const struct livepatch_func *func,
+- struct livepatch_fstate *state)
+-{
+- /* If the action has been already executed on this function, do nothing. */
+- if ( state->applied == LIVEPATCH_FUNC_APPLIED )
+- {
+- printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n",
+- __func__, func->name);
+- return;
+- }
+-
+- arch_livepatch_apply(func, state);
+- state->applied = LIVEPATCH_FUNC_APPLIED;
+-}
++/* Only for testing purposes. */
++struct payload;
++int revert_payload(struct payload *data);
++void revert_payload_tail(struct payload *data);
+
+-static inline void common_livepatch_revert(const struct livepatch_func *func,
+- struct livepatch_fstate *state)
+-{
+- /* If the apply action hasn't been executed on this function, do nothing. */
+- if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED )
+- {
+- printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n",
+- __func__, func->name);
+- return;
+- }
+-
+- arch_livepatch_revert(func, state);
+- state->applied = LIVEPATCH_FUNC_NOT_APPLIED;
+-}
+ #else
+
+ /*
+diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c
+index c173855192..c5fbab1746 100644
+--- a/xen/test/livepatch/xen_action_hooks_norevert.c
++++ b/xen/test/livepatch/xen_action_hooks_norevert.c
+@@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload)
+
+ static void post_revert_hook(livepatch_payload_t *payload)
+ {
+- int i;
++ unsigned long flags;
+
+ printk(KERN_DEBUG "%s: Hook starting.\n", __func__);
+
+- for (i = 0; i < payload->nfuncs; i++)
+- {
+- const struct livepatch_func *func = &payload->funcs[i];
+- struct livepatch_fstate *fstate = &payload->fstate[i];
+-
+- BUG_ON(revert_cnt != 1);
+- BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED);
+-
+- /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */
+- arch_livepatch_quiesce();
+- common_livepatch_revert(payload);
+- arch_livepatch_revive();
+- BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED);
+-
+- printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name);
+- }
++ local_irq_save(flags);
++ BUG_ON(revert_payload(payload));
++ revert_payload_tail(payload);
++ local_irq_restore(flags);
+
+ printk(KERN_DEBUG "%s: Hook done.\n", __func__);
+ }
+--
+2.44.0
+
diff --git a/0033-xen-livepatch-properly-build-the-noapply-and-norever.patch b/0033-xen-livepatch-properly-build-the-noapply-and-norever.patch
new file mode 100644
index 0000000..76803c6
--- /dev/null
+++ b/0033-xen-livepatch-properly-build-the-noapply-and-norever.patch
@@ -0,0 +1,43 @@
+From a59106b27609b6ae2873bd6755949b1258290872 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 11:59:51 +0100
+Subject: [PATCH 33/67] xen/livepatch: properly build the noapply and norevert
+ tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It seems the build variables for those tests where copy-pasted from
+xen_action_hooks_marker-objs and not adjusted to use the correct source files.
+
+Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: e579677095782c7dec792597ba8b037b7d716b32
+master date: 2024-02-28 16:57:25 +0000
+---
+ xen/test/livepatch/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile
+index c258ab0b59..d987a8367f 100644
+--- a/xen/test/livepatch/Makefile
++++ b/xen/test/livepatch/Makefile
+@@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o
+ $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h
+
+ extra-y += xen_action_hooks_noapply.livepatch
+-xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o
++xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o
+
+ $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h
+
+ extra-y += xen_action_hooks_norevert.livepatch
+-xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o
++xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o
+
+ EXPECT_BYTES_COUNT := 8
+ CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g')
+--
+2.44.0
+
diff --git a/0034-libxl-Fix-segfault-in-device_model_spawn_outcome.patch b/0034-libxl-Fix-segfault-in-device_model_spawn_outcome.patch
new file mode 100644
index 0000000..7f23a73
--- /dev/null
+++ b/0034-libxl-Fix-segfault-in-device_model_spawn_outcome.patch
@@ -0,0 +1,39 @@
+From c4ee68eda9937743527fff41f4ede0f6a3228080 Mon Sep 17 00:00:00 2001
+From: Jason Andryuk <jandryuk@gmail.com>
+Date: Tue, 5 Mar 2024 12:00:30 +0100
+Subject: [PATCH 34/67] libxl: Fix segfault in device_model_spawn_outcome
+
+libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when
+starting QEMU (the usual launch through libxl__spawn_local_dm() has a
+guest_config though).
+
+Bail early on a NULL guest_config/d_config. This skips the QMP queries
+for chardevs and VNC, but this xenpv QEMU instance isn't expected to
+provide those - only qdisk (or 9pfs backends after an upcoming change).
+
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: d4f3d35f043f6ef29393166b0dd131c8102cf255
+master date: 2024-02-29 08:18:38 +0100
+---
+ tools/libs/light/libxl_dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
+index ed620a9d8e..29b43ed20a 100644
+--- a/tools/libs/light/libxl_dm.c
++++ b/tools/libs/light/libxl_dm.c
+@@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc,
+
+ /* Check if spawn failed */
+ if (rc) goto out;
+-
+- if (d_config->b_info.device_model_version
++ /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */
++ if (d_config && d_config->b_info.device_model_version
+ == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) {
+ rc = libxl__ev_time_register_rel(ao, &dmss->timeout,
+ devise_model_postconfig_timeout,
+--
+2.44.0
+
diff --git a/0035-x86-altcall-always-use-a-temporary-parameter-stashin.patch b/0035-x86-altcall-always-use-a-temporary-parameter-stashin.patch
new file mode 100644
index 0000000..177c73b
--- /dev/null
+++ b/0035-x86-altcall-always-use-a-temporary-parameter-stashin.patch
@@ -0,0 +1,197 @@
+From 2f49d9f89c14519d4cb1e06ab8370cf4ba50fab7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 5 Mar 2024 12:00:47 +0100
+Subject: [PATCH 35/67] x86/altcall: always use a temporary parameter stashing
+ variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The usage in ALT_CALL_ARG() on clang of:
+
+register union {
+ typeof(arg) e;
+ const unsigned long r;
+} ...
+
+When `arg` is the first argument to alternative_{,v}call() and
+const_vlapic_vcpu() is used results in clang 3.5.0 complaining with:
+
+arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line
+ alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) )
+
+Workaround this by pulling `arg1` into a local variable, like it's done for
+further arguments (arg2, arg3...)
+
+Originally arg1 wasn't pulled into a variable because for the a1_ register
+local variable the possible clobbering as a result of operators on other
+variables don't matter:
+
+https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables
+
+Note clang version 3.8.1 seems to already be fixed and don't require the
+workaround, but since it's harmless do it uniformly everywhere.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+master commit: c20850540ad6a32f4fc17bde9b01c92b0df18bf0
+master date: 2024-02-29 08:21:49 +0100
+---
+ xen/arch/x86/include/asm/alternative.h | 36 +++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h
+index bcb1dc94f4..fa04481316 100644
+--- a/xen/arch/x86/include/asm/alternative.h
++++ b/xen/arch/x86/include/asm/alternative.h
+@@ -253,21 +253,24 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_vcall1(func, arg) ({ \
+- ALT_CALL_ARG(arg, 1); \
++ typeof(arg) v1_ = (arg); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_NO_ARG2; \
+ (void)sizeof(func(arg)); \
+ (void)alternative_callN(1, int, func); \
+ })
+
+ #define alternative_call1(func, arg) ({ \
+- ALT_CALL_ARG(arg, 1); \
++ typeof(arg) v1_ = (arg); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_NO_ARG2; \
+ alternative_callN(1, typeof(func(arg)), func); \
+ })
+
+ #define alternative_vcall2(func, arg1, arg2) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_NO_ARG3; \
+ (void)sizeof(func(arg1, arg2)); \
+@@ -275,17 +278,19 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_call2(func, arg1, arg2) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_NO_ARG3; \
+ alternative_callN(2, typeof(func(arg1, arg2)), func); \
+ })
+
+ #define alternative_vcall3(func, arg1, arg2, arg3) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_NO_ARG4; \
+@@ -294,9 +299,10 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_call3(func, arg1, arg2, arg3) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_NO_ARG4; \
+@@ -305,10 +311,11 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+@@ -318,10 +325,11 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+@@ -332,11 +340,12 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+ typeof(arg5) v5_ = (arg5); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+@@ -347,11 +356,12 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+ typeof(arg5) v5_ = (arg5); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+@@ -363,12 +373,13 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+ typeof(arg5) v5_ = (arg5); \
+ typeof(arg6) v6_ = (arg6); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+@@ -379,12 +390,13 @@ extern void alternative_branches(void);
+ })
+
+ #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \
++ typeof(arg1) v1_ = (arg1); \
+ typeof(arg2) v2_ = (arg2); \
+ typeof(arg3) v3_ = (arg3); \
+ typeof(arg4) v4_ = (arg4); \
+ typeof(arg5) v5_ = (arg5); \
+ typeof(arg6) v6_ = (arg6); \
+- ALT_CALL_ARG(arg1, 1); \
++ ALT_CALL_ARG(v1_, 1); \
+ ALT_CALL_ARG(v2_, 2); \
+ ALT_CALL_ARG(v3_, 3); \
+ ALT_CALL_ARG(v4_, 4); \
+--
+2.44.0
+
diff --git a/0036-x86-cpu-policy-Allow-for-levelling-of-VERW-side-effe.patch b/0036-x86-cpu-policy-Allow-for-levelling-of-VERW-side-effe.patch
new file mode 100644
index 0000000..b91ff52
--- /dev/null
+++ b/0036-x86-cpu-policy-Allow-for-levelling-of-VERW-side-effe.patch
@@ -0,0 +1,102 @@
+From 54dacb5c02cba4676879ed077765734326b78e39 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 5 Mar 2024 12:01:22 +0100
+Subject: [PATCH 36/67] x86/cpu-policy: Allow for levelling of VERW side
+ effects
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by
+having them unconditinally set in max, with the host values reflected in
+default. Annotate the bits as having special properies.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: de17162cafd27f2865a3102a2ec0f386a02ed03d
+master date: 2024-03-01 20:14:19 +0000
+---
+ xen/arch/x86/cpu-policy.c | 24 +++++++++++++++++++++
+ xen/arch/x86/include/asm/cpufeature.h | 1 +
+ xen/include/public/arch-x86/cpufeatureset.h | 4 ++--
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c
+index f0f2c8a1c0..7b875a7221 100644
+--- a/xen/arch/x86/cpu-policy.c
++++ b/xen/arch/x86/cpu-policy.c
+@@ -435,6 +435,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs)
+ __set_bit(X86_FEATURE_RSBA, fs);
+ __set_bit(X86_FEATURE_RRSBA, fs);
+
++ /*
++ * These bits indicate that the VERW instruction may have gained
++ * scrubbing side effects. With pooling, they mean "you might migrate
++ * somewhere where scrubbing is necessary", and may need exposing on
++ * unaffected hardware. This is fine, because the VERW instruction
++ * has been around since the 286.
++ */
++ __set_bit(X86_FEATURE_MD_CLEAR, fs);
++ __set_bit(X86_FEATURE_FB_CLEAR, fs);
++
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+@@ -469,6 +479,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs)
+ cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) )
+ __clear_bit(X86_FEATURE_RDRAND, fs);
+
++ /*
++ * These bits indicate that the VERW instruction may have gained
++ * scrubbing side effects. The max policy has them set for migration
++ * reasons, so reset the default policy back to the host values in
++ * case we're unaffected.
++ */
++ __clear_bit(X86_FEATURE_MD_CLEAR, fs);
++ if ( cpu_has_md_clear )
++ __set_bit(X86_FEATURE_MD_CLEAR, fs);
++
++ __clear_bit(X86_FEATURE_FB_CLEAR, fs);
++ if ( cpu_has_fb_clear )
++ __set_bit(X86_FEATURE_FB_CLEAR, fs);
++
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
+index 9ef7756593..ec824e8954 100644
+--- a/xen/arch/x86/include/asm/cpufeature.h
++++ b/xen/arch/x86/include/asm/cpufeature.h
+@@ -136,6 +136,7 @@
+ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS)
+ #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT)
+ #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL)
++#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR)
+ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT)
+ #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT)
+ #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE)
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index 94d211df2f..aec1407613 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -260,7 +260,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single
+ XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */
+ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */
+ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */
+-XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */
++XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */
+ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */
+ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */
+ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */
+@@ -321,7 +321,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing
+ XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */
+ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */
+ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */
+-XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */
++XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */
+ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */
+ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */
+ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */
+--
+2.44.0
+
diff --git a/0037-hvmloader-PCI-skip-huge-BARs-in-certain-calculations.patch b/0037-hvmloader-PCI-skip-huge-BARs-in-certain-calculations.patch
new file mode 100644
index 0000000..a46f913
--- /dev/null
+++ b/0037-hvmloader-PCI-skip-huge-BARs-in-certain-calculations.patch
@@ -0,0 +1,99 @@
+From 1e9808227c10717228969e924cab49cad4af6265 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 12 Mar 2024 12:08:48 +0100
+Subject: [PATCH 37/67] hvmloader/PCI: skip huge BARs in certain calculations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of
+the lower 2Gb range and the top of the higher 2Gb range have special
+purpose. Don't even have them influence whether to (perhaps) relocate
+low RAM.
+
+Reported-by: Neowutran <xen@neowutran.ovh>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 57acad12a09ffa490e870ebe17596aad858f0191
+master date: 2024-03-06 10:19:29 +0100
+---
+ tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c
+index 257a6feb61..c3c61ca060 100644
+--- a/tools/firmware/hvmloader/pci.c
++++ b/tools/firmware/hvmloader/pci.c
+@@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START;
+ const uint32_t pci_mem_end = RESERVED_MEMBASE;
+ uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0;
+
++/*
++ * BARs larger than this value are put in 64-bit space unconditionally. That
++ * is, such BARs also don't play into the determination of how big the lowmem
++ * MMIO hole needs to be.
++ */
++#define BAR_RELOC_THRESH GB(1)
++
+ enum virtual_vga virtual_vga = VGA_none;
+ unsigned long igd_opregion_pgbase = 0;
+
+@@ -286,9 +293,11 @@ void pci_setup(void)
+ bars[i].bar_reg = bar_reg;
+ bars[i].bar_sz = bar_sz;
+
+- if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) ==
+- PCI_BASE_ADDRESS_SPACE_MEMORY) ||
+- (bar_reg == PCI_ROM_ADDRESS) )
++ if ( is_64bar && bar_sz > BAR_RELOC_THRESH )
++ bar64_relocate = 1;
++ else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) ==
++ PCI_BASE_ADDRESS_SPACE_MEMORY) ||
++ (bar_reg == PCI_ROM_ADDRESS) )
+ mmio_total += bar_sz;
+
+ nr_bars++;
+@@ -367,7 +376,7 @@ void pci_setup(void)
+ pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT;
+ }
+
+- if ( mmio_total > (pci_mem_end - pci_mem_start) )
++ if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate )
+ {
+ printf("Low MMIO hole not large enough for all devices,"
+ " relocating some BARs to 64-bit\n");
+@@ -430,7 +439,8 @@ void pci_setup(void)
+
+ /*
+ * Relocate to high memory if the total amount of MMIO needed
+- * is more than the low MMIO available. Because devices are
++ * is more than the low MMIO available or BARs bigger than
++ * BAR_RELOC_THRESH are present. Because devices are
+ * processed in order of bar_sz, this will preferentially
+ * relocate larger devices to high memory first.
+ *
+@@ -446,8 +456,9 @@ void pci_setup(void)
+ * the code here assumes it to be.)
+ * Should either of those two conditions change, this code will break.
+ */
+- using_64bar = bars[i].is_64bar && bar64_relocate
+- && (mmio_total > (mem_resource.max - mem_resource.base));
++ using_64bar = bars[i].is_64bar && bar64_relocate &&
++ (mmio_total > (mem_resource.max - mem_resource.base) ||
++ bar_sz > BAR_RELOC_THRESH);
+ bar_data = pci_readl(devfn, bar_reg);
+
+ if ( (bar_data & PCI_BASE_ADDRESS_SPACE) ==
+@@ -467,7 +478,8 @@ void pci_setup(void)
+ resource = &mem_resource;
+ bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK;
+ }
+- mmio_total -= bar_sz;
++ if ( bar_sz <= BAR_RELOC_THRESH )
++ mmio_total -= bar_sz;
+ }
+ else
+ {
+--
+2.44.0
+
diff --git a/0038-x86-mm-fix-detection-of-last-L1-entry-in-modify_xen_.patch b/0038-x86-mm-fix-detection-of-last-L1-entry-in-modify_xen_.patch
new file mode 100644
index 0000000..66b4db3
--- /dev/null
+++ b/0038-x86-mm-fix-detection-of-last-L1-entry-in-modify_xen_.patch
@@ -0,0 +1,41 @@
+From 1f94117bec55a7b934fed3dfd3529db624eb441f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 12 Mar 2024 12:08:59 +0100
+Subject: [PATCH 38/67] x86/mm: fix detection of last L1 entry in
+ modify_xen_mappings_lite()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current logic to detect when to switch to the next L1 table is incorrectly
+using l2_table_offset() in order to notice when the last entry on the current
+L1 table has been reached.
+
+It should instead use l1_table_offset() to check whether the index has wrapped
+to point to the first entry, and so the next L1 table should be used.
+
+Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: 7c81558208de7858251b62f168a449be84305595
+master date: 2024-03-11 11:09:42 +0000
+---
+ xen/arch/x86/mm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index e884a6fdbd..330c4abcd1 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -5963,7 +5963,7 @@ void init_or_livepatch modify_xen_mappings_lite(
+
+ v += 1UL << L1_PAGETABLE_SHIFT;
+
+- if ( l2_table_offset(v) == 0 )
++ if ( l1_table_offset(v) == 0 )
+ break;
+ }
+
+--
+2.44.0
+
diff --git a/0039-x86-entry-Introduce-EFRAME_-constants.patch b/0039-x86-entry-Introduce-EFRAME_-constants.patch
new file mode 100644
index 0000000..c280286
--- /dev/null
+++ b/0039-x86-entry-Introduce-EFRAME_-constants.patch
@@ -0,0 +1,314 @@
+From e691f99f17198906f813b85dcabafe5addb9a57a Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sat, 27 Jan 2024 17:52:09 +0000
+Subject: [PATCH 39/67] x86/entry: Introduce EFRAME_* constants
+
+restore_all_guest() does a lot of manipulation of the stack after popping the
+GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths
+use raw %rsp displacements prior to pushing GPRs.
+
+Provide better mnemonics, to aid readability and reduce the chance of errors
+when editing.
+
+No functional change. The resulting binary is identical.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035)
+---
+ xen/arch/x86/x86_64/asm-offsets.c | 17 ++++++++
+ xen/arch/x86/x86_64/compat/entry.S | 2 +-
+ xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++---------------
+ 3 files changed, 53 insertions(+), 36 deletions(-)
+
+diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
+index 287dac101a..31fa63b77f 100644
+--- a/xen/arch/x86/x86_64/asm-offsets.c
++++ b/xen/arch/x86/x86_64/asm-offsets.c
+@@ -51,6 +51,23 @@ void __dummy__(void)
+ OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es);
+ BLANK();
+
++ /*
++ * EFRAME_* is for the entry/exit logic where %rsp is pointing at
++ * UREGS_error_code and GPRs are still/already guest values.
++ */
++#define OFFSET_EF(sym, mem) \
++ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \
++ offsetof(struct cpu_user_regs, error_code))
++
++ OFFSET_EF(EFRAME_entry_vector, entry_vector);
++ OFFSET_EF(EFRAME_rip, rip);
++ OFFSET_EF(EFRAME_cs, cs);
++ OFFSET_EF(EFRAME_eflags, eflags);
++ OFFSET_EF(EFRAME_rsp, rsp);
++ BLANK();
++
++#undef OFFSET_EF
++
+ OFFSET(VCPU_processor, struct vcpu, processor);
+ OFFSET(VCPU_domain, struct vcpu, domain);
+ OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info);
+diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
+index 253bb1688c..7c211314d8 100644
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -15,7 +15,7 @@ ENTRY(entry_int82)
+ ENDBR64
+ ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP
+ pushq $0
+- movl $HYPERCALL_VECTOR, 4(%rsp)
++ movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp)
+ SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 585b0c9551..412cbeb3ec 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -190,15 +190,15 @@ restore_all_guest:
+ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */
+
+ RESTORE_ALL
+- testw $TRAP_syscall,4(%rsp)
++ testw $TRAP_syscall, EFRAME_entry_vector(%rsp)
+ jz iret_exit_to_guest
+
+- movq 24(%rsp),%r11 # RFLAGS
++ mov EFRAME_eflags(%rsp), %r11
+ andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11
+ orq $X86_EFLAGS_IF,%r11
+
+ /* Don't use SYSRET path if the return address is not canonical. */
+- movq 8(%rsp),%rcx
++ mov EFRAME_rip(%rsp), %rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+@@ -213,20 +213,20 @@ restore_all_guest:
+ ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK
+ #endif
+
+- movq 8(%rsp), %rcx # RIP
+- cmpw $FLAT_USER_CS32,16(%rsp)# CS
+- movq 32(%rsp),%rsp # RSP
++ mov EFRAME_rip(%rsp), %rcx
++ cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp)
++ mov EFRAME_rsp(%rsp), %rsp
+ je 1f
+ sysretq
+ 1: sysretl
+
+ ALIGN
+ .Lrestore_rcx_iret_exit_to_guest:
+- movq 8(%rsp), %rcx # RIP
++ mov EFRAME_rip(%rsp), %rcx
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+- andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp)
+- orl $X86_EFLAGS_IF,24(%rsp)
++ andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp)
++ orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp)
+ addq $8,%rsp
+ .Lft0: iretq
+ _ASM_PRE_EXTABLE(.Lft0, handle_exception)
+@@ -257,7 +257,7 @@ ENTRY(lstar_enter)
+ pushq $FLAT_KERNEL_CS64
+ pushq %rcx
+ pushq $0
+- movl $TRAP_syscall, 4(%rsp)
++ movl $TRAP_syscall, EFRAME_entry_vector(%rsp)
+ SAVE_ALL
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+@@ -294,7 +294,7 @@ ENTRY(cstar_enter)
+ pushq $FLAT_USER_CS32
+ pushq %rcx
+ pushq $0
+- movl $TRAP_syscall, 4(%rsp)
++ movl $TRAP_syscall, EFRAME_entry_vector(%rsp)
+ SAVE_ALL
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+@@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved)
+ pushq $3 /* ring 3 null cs */
+ pushq $0 /* null rip */
+ pushq $0
+- movl $TRAP_syscall, 4(%rsp)
++ movl $TRAP_syscall, EFRAME_entry_vector(%rsp)
+ SAVE_ALL
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+@@ -389,7 +389,7 @@ ENTRY(int80_direct_trap)
+ ENDBR64
+ ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP
+ pushq $0
+- movl $0x80, 4(%rsp)
++ movl $0x80, EFRAME_entry_vector(%rsp)
+ SAVE_ALL
+
+ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+@@ -649,7 +649,7 @@ ret_from_intr:
+ .section .init.text, "ax", @progbits
+ ENTRY(early_page_fault)
+ ENDBR64
+- movl $TRAP_page_fault, 4(%rsp)
++ movl $TRAP_page_fault, EFRAME_entry_vector(%rsp)
+ SAVE_ALL
+ movq %rsp, %rdi
+ call do_early_page_fault
+@@ -716,7 +716,7 @@ ENTRY(common_interrupt)
+
+ ENTRY(page_fault)
+ ENDBR64
+- movl $TRAP_page_fault,4(%rsp)
++ movl $TRAP_page_fault, EFRAME_entry_vector(%rsp)
+ /* No special register assumptions. */
+ GLOBAL(handle_exception)
+ ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP
+@@ -892,90 +892,90 @@ FATAL_exception_with_ints_disabled:
+ ENTRY(divide_error)
+ ENDBR64
+ pushq $0
+- movl $TRAP_divide_error,4(%rsp)
++ movl $TRAP_divide_error, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(coprocessor_error)
+ ENDBR64
+ pushq $0
+- movl $TRAP_copro_error,4(%rsp)
++ movl $TRAP_copro_error, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(simd_coprocessor_error)
+ ENDBR64
+ pushq $0
+- movl $TRAP_simd_error,4(%rsp)
++ movl $TRAP_simd_error, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(device_not_available)
+ ENDBR64
+ pushq $0
+- movl $TRAP_no_device,4(%rsp)
++ movl $TRAP_no_device, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(debug)
+ ENDBR64
+ pushq $0
+- movl $TRAP_debug,4(%rsp)
++ movl $TRAP_debug, EFRAME_entry_vector(%rsp)
+ jmp handle_ist_exception
+
+ ENTRY(int3)
+ ENDBR64
+ pushq $0
+- movl $TRAP_int3,4(%rsp)
++ movl $TRAP_int3, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(overflow)
+ ENDBR64
+ pushq $0
+- movl $TRAP_overflow,4(%rsp)
++ movl $TRAP_overflow, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(bounds)
+ ENDBR64
+ pushq $0
+- movl $TRAP_bounds,4(%rsp)
++ movl $TRAP_bounds, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(invalid_op)
+ ENDBR64
+ pushq $0
+- movl $TRAP_invalid_op,4(%rsp)
++ movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(invalid_TSS)
+ ENDBR64
+- movl $TRAP_invalid_tss,4(%rsp)
++ movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(segment_not_present)
+ ENDBR64
+- movl $TRAP_no_segment,4(%rsp)
++ movl $TRAP_no_segment, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(stack_segment)
+ ENDBR64
+- movl $TRAP_stack_error,4(%rsp)
++ movl $TRAP_stack_error, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(general_protection)
+ ENDBR64
+- movl $TRAP_gp_fault,4(%rsp)
++ movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(alignment_check)
+ ENDBR64
+- movl $TRAP_alignment_check,4(%rsp)
++ movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(entry_CP)
+ ENDBR64
+- movl $X86_EXC_CP, 4(%rsp)
++ movl $X86_EXC_CP, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ ENTRY(double_fault)
+ ENDBR64
+- movl $TRAP_double_fault,4(%rsp)
++ movl $TRAP_double_fault, EFRAME_entry_vector(%rsp)
+ /* Set AC to reduce chance of further SMAP faults */
+ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP
+ SAVE_ALL
+@@ -1001,7 +1001,7 @@ ENTRY(double_fault)
+ ENTRY(nmi)
+ ENDBR64
+ pushq $0
+- movl $TRAP_nmi,4(%rsp)
++ movl $TRAP_nmi, EFRAME_entry_vector(%rsp)
+ handle_ist_exception:
+ ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP
+ SAVE_ALL
+@@ -1134,7 +1134,7 @@ handle_ist_exception:
+ ENTRY(machine_check)
+ ENDBR64
+ pushq $0
+- movl $TRAP_machine_check,4(%rsp)
++ movl $TRAP_machine_check, EFRAME_entry_vector(%rsp)
+ jmp handle_ist_exception
+
+ /* No op trap handler. Required for kexec crash path. */
+@@ -1171,7 +1171,7 @@ autogen_stubs: /* Automatically generated stubs. */
+ 1:
+ ENDBR64
+ pushq $0
+- movb $vec,4(%rsp)
++ movb $vec, EFRAME_entry_vector(%rsp)
+ jmp common_interrupt
+
+ entrypoint 1b
+@@ -1185,7 +1185,7 @@ autogen_stubs: /* Automatically generated stubs. */
+ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */
+ jz 2f /* size is 8 bytes. Check whether the processor gave us an */
+ pushq $0 /* error code, and insert an empty one if not. */
+-2: movb $vec,4(%rsp)
++2: movb $vec, EFRAME_entry_vector(%rsp)
+ jmp handle_exception
+
+ entrypoint 1b
+--
+2.44.0
+
diff --git a/0040-x86-Resync-intel-family.h-from-Linux.patch b/0040-x86-Resync-intel-family.h-from-Linux.patch
new file mode 100644
index 0000000..84e0304
--- /dev/null
+++ b/0040-x86-Resync-intel-family.h-from-Linux.patch
@@ -0,0 +1,98 @@
+From abc43cf5a6579f1aa0decf0a2349cdd2d2473117 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 27 Feb 2024 16:07:39 +0000
+Subject: [PATCH 40/67] x86: Resync intel-family.h from Linux
+
+From v6.8-rc6
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 195e75371b13c4f7ecdf7b5c50aed0d02f2d7ce8)
+---
+ xen/arch/x86/include/asm/intel-family.h | 38 ++++++++++++++++++++++---
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/intel-family.h b/xen/arch/x86/include/asm/intel-family.h
+index ffc49151be..b65e9c46b9 100644
+--- a/xen/arch/x86/include/asm/intel-family.h
++++ b/xen/arch/x86/include/asm/intel-family.h
+@@ -26,6 +26,9 @@
+ * _G - parts with extra graphics on
+ * _X - regular server parts
+ * _D - micro server parts
++ * _N,_P - other mobile parts
++ * _H - premium mobile parts
++ * _S - other client parts
+ *
+ * Historical OPTDIFFs:
+ *
+@@ -37,6 +40,9 @@
+ * their own names :-(
+ */
+
++/* Wildcard match for FAM6 so X86_MATCH_INTEL_FAM6_MODEL(ANY) works */
++#define INTEL_FAM6_ANY X86_MODEL_ANY
++
+ #define INTEL_FAM6_CORE_YONAH 0x0E
+
+ #define INTEL_FAM6_CORE2_MEROM 0x0F
+@@ -93,8 +99,6 @@
+ #define INTEL_FAM6_ICELAKE_L 0x7E /* Sunny Cove */
+ #define INTEL_FAM6_ICELAKE_NNPI 0x9D /* Sunny Cove */
+
+-#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */
+-
+ #define INTEL_FAM6_ROCKETLAKE 0xA7 /* Cypress Cove */
+
+ #define INTEL_FAM6_TIGERLAKE_L 0x8C /* Willow Cove */
+@@ -102,12 +106,31 @@
+
+ #define INTEL_FAM6_SAPPHIRERAPIDS_X 0x8F /* Golden Cove */
+
++#define INTEL_FAM6_EMERALDRAPIDS_X 0xCF
++
++#define INTEL_FAM6_GRANITERAPIDS_X 0xAD
++#define INTEL_FAM6_GRANITERAPIDS_D 0xAE
++
++/* "Hybrid" Processors (P-Core/E-Core) */
++
++#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */
++
+ #define INTEL_FAM6_ALDERLAKE 0x97 /* Golden Cove / Gracemont */
+ #define INTEL_FAM6_ALDERLAKE_L 0x9A /* Golden Cove / Gracemont */
+
+-#define INTEL_FAM6_RAPTORLAKE 0xB7
++#define INTEL_FAM6_RAPTORLAKE 0xB7 /* Raptor Cove / Enhanced Gracemont */
++#define INTEL_FAM6_RAPTORLAKE_P 0xBA
++#define INTEL_FAM6_RAPTORLAKE_S 0xBF
++
++#define INTEL_FAM6_METEORLAKE 0xAC
++#define INTEL_FAM6_METEORLAKE_L 0xAA
++
++#define INTEL_FAM6_ARROWLAKE_H 0xC5
++#define INTEL_FAM6_ARROWLAKE 0xC6
++
++#define INTEL_FAM6_LUNARLAKE_M 0xBD
+
+-/* "Small Core" Processors (Atom) */
++/* "Small Core" Processors (Atom/E-Core) */
+
+ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */
+ #define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */
+@@ -134,6 +157,13 @@
+ #define INTEL_FAM6_ATOM_TREMONT 0x96 /* Elkhart Lake */
+ #define INTEL_FAM6_ATOM_TREMONT_L 0x9C /* Jasper Lake */
+
++#define INTEL_FAM6_ATOM_GRACEMONT 0xBE /* Alderlake N */
++
++#define INTEL_FAM6_ATOM_CRESTMONT_X 0xAF /* Sierra Forest */
++#define INTEL_FAM6_ATOM_CRESTMONT 0xB6 /* Grand Ridge */
++
++#define INTEL_FAM6_ATOM_DARKMONT_X 0xDD /* Clearwater Forest */
++
+ /* Xeon Phi */
+
+ #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */
+--
+2.44.0
+
diff --git a/0041-x86-vmx-Perform-VERW-flushing-later-in-the-VMExit-pa.patch b/0041-x86-vmx-Perform-VERW-flushing-later-in-the-VMExit-pa.patch
new file mode 100644
index 0000000..871f10f
--- /dev/null
+++ b/0041-x86-vmx-Perform-VERW-flushing-later-in-the-VMExit-pa.patch
@@ -0,0 +1,146 @@
+From 77f2bec134049aba29b9b459f955022722d10847 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 23 Jun 2023 11:32:00 +0100
+Subject: [PATCH 41/67] x86/vmx: Perform VERW flushing later in the VMExit path
+
+Broken out of the following patch because this change is subtle enough on its
+own. See it for the rational of why we're moving VERW.
+
+As for how, extend the trick already used to hold one condition in
+flags (RESUME vs LAUNCH) through the POPing of GPRs.
+
+Move the MOV CR earlier. Intel specify flags to be undefined across it.
+
+Encode the two conditions we want using SF and PF. See the code comment for
+exactly how.
+
+Leave a comment to explain the lack of any content around
+SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we
+delete it, we'll need to reintroduce it.
+
+This is part of XSA-452 / CVE-2023-28746.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f)
+---
+ xen/arch/x86/hvm/vmx/entry.S | 36 +++++++++++++++++++++---
+ xen/arch/x86/include/asm/asm_defns.h | 8 ++++++
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++
+ xen/arch/x86/x86_64/asm-offsets.c | 1 +
+ 4 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S
+index 5f5de45a13..cdde76e138 100644
+--- a/xen/arch/x86/hvm/vmx/entry.S
++++ b/xen/arch/x86/hvm/vmx/entry.S
+@@ -87,17 +87,39 @@ UNLIKELY_END(realmode)
+
+ /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
+ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */
+- DO_SPEC_CTRL_COND_VERW
++ /*
++ * All speculation safety work happens to be elsewhere. VERW is after
++ * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left
++ * to the MSR load list.
++ */
+
+ mov VCPU_hvm_guest_cr2(%rbx),%rax
++ mov %rax, %cr2
++
++ /*
++ * We need to perform two conditional actions (VERW, and Resume vs
++ * Launch) after popping GPRs. With some cunning, we can encode both
++ * of these in eflags together.
++ *
++ * Parity is only calculated over the bottom byte of the answer, while
++ * Sign is simply the top bit.
++ *
++ * Therefore, the final OR instruction ends up producing:
++ * SF = VCPU_vmx_launched
++ * PF = !SCF_verw
++ */
++ BUILD_BUG_ON(SCF_verw & ~0xff)
++ movzbl VCPU_vmx_launched(%rbx), %ecx
++ shl $31, %ecx
++ movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax
++ and $SCF_verw, %eax
++ or %eax, %ecx
+
+ pop %r15
+ pop %r14
+ pop %r13
+ pop %r12
+ pop %rbp
+- mov %rax,%cr2
+- cmpb $0,VCPU_vmx_launched(%rbx)
+ pop %rbx
+ pop %r11
+ pop %r10
+@@ -108,7 +130,13 @@ UNLIKELY_END(realmode)
+ pop %rdx
+ pop %rsi
+ pop %rdi
+- je .Lvmx_launch
++
++ jpe .L_skip_verw
++ /* VERW clobbers ZF, but preserves all others, including SF. */
++ verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp)
++.L_skip_verw:
++
++ jns .Lvmx_launch
+
+ /*.Lvmx_resume:*/
+ VMRESUME
+diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h
+index d9431180cf..abc6822b08 100644
+--- a/xen/arch/x86/include/asm/asm_defns.h
++++ b/xen/arch/x86/include/asm/asm_defns.h
+@@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp");
+
+ #ifdef __ASSEMBLY__
+
++.macro BUILD_BUG_ON condstr, cond:vararg
++ .if \cond
++ .error "Condition \"\condstr\" not satisfied"
++ .endif
++.endm
++/* preprocessor macro to make error message more user friendly */
++#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond
++
+ #ifdef HAVE_AS_QUOTED_SYM
+ #define SUBSECTION_LBL(tag) \
+ .ifndef .L.tag; \
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index f4b8b9d956..ca9cb0f5dd 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -164,6 +164,13 @@
+ #endif
+ .endm
+
++/*
++ * Helper to improve the readibility of stack dispacements with %rsp in
++ * unusual positions. Both @field and @top_of_stack should be constants from
++ * the same object. @top_of_stack should be where %rsp is currently pointing.
++ */
++#define STK_REL(field, top_of_stk) ((field) - (top_of_stk))
++
+ .macro DO_SPEC_CTRL_COND_VERW
+ /*
+ * Requires %rsp=cpuinfo
+diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
+index 31fa63b77f..a4e94d6930 100644
+--- a/xen/arch/x86/x86_64/asm-offsets.c
++++ b/xen/arch/x86/x86_64/asm-offsets.c
+@@ -135,6 +135,7 @@ void __dummy__(void)
+ #endif
+
+ OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs);
++ OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code);
+ OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel);
+ OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu);
+ OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset);
+--
+2.44.0
+
diff --git a/0042-x86-spec-ctrl-Perform-VERW-flushing-later-in-exit-pa.patch b/0042-x86-spec-ctrl-Perform-VERW-flushing-later-in-exit-pa.patch
new file mode 100644
index 0000000..ac78acd
--- /dev/null
+++ b/0042-x86-spec-ctrl-Perform-VERW-flushing-later-in-exit-pa.patch
@@ -0,0 +1,209 @@
+From 76af773de5d3e68b7140cc9c5343be6746c9101c Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sat, 27 Jan 2024 18:20:56 +0000
+Subject: [PATCH 42/67] x86/spec-ctrl: Perform VERW flushing later in exit
+ paths
+
+On parts vulnerable to RFDS, VERW's side effects are extended to scrub all
+non-architectural entries in various Physical Register Files. To remove all
+of Xen's values, the VERW must be after popping the GPRs.
+
+Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position,
+but with overrides for other contexts. Identify that it clobbers eflags; this
+is particularly relevant for the SYSRET path.
+
+For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a
+shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to
+issue the VERW.
+
+This is part of XSA-452 / CVE-2023-28746.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7)
+---
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 ++++++++++++++++--------
+ xen/arch/x86/x86_64/asm-offsets.c | 13 +++++++--
+ xen/arch/x86/x86_64/compat/entry.S | 6 ++++
+ xen/arch/x86/x86_64/entry.S | 21 +++++++++++++-
+ 4 files changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index ca9cb0f5dd..97a97b2b82 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -171,16 +171,23 @@
+ */
+ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk))
+
+-.macro DO_SPEC_CTRL_COND_VERW
++.macro SPEC_CTRL_COND_VERW \
++ scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \
++ sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)
+ /*
+- * Requires %rsp=cpuinfo
++ * Requires \scf and \sel as %rsp-relative expressions
++ * Clobbers eflags
++ *
++ * VERW needs to run after guest GPRs have been restored, where only %rsp is
++ * good to use. Default to expecting %rsp pointing at CPUINFO_error_code.
++ * Contexts where this is not true must provide an alternative \scf and \sel.
+ *
+ * Issue a VERW for its flushing side effect, if indicated. This is a Spectre
+ * v1 gadget, but the IRET/VMEntry is serialising.
+ */
+- testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp)
++ testb $SCF_verw, \scf(%rsp)
+ jz .L\@_verw_skip
+- verw CPUINFO_verw_sel(%rsp)
++ verw \sel(%rsp)
+ .L\@_verw_skip:
+ .endm
+
+@@ -298,8 +305,6 @@
+ */
+ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV
+
+- DO_SPEC_CTRL_COND_VERW
+-
+ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
+ .endm
+
+@@ -379,7 +384,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+ */
+ .macro SPEC_CTRL_EXIT_TO_XEN
+ /*
+- * Requires %r12=ist_exit, %r14=stack_end
++ * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs
+ * Clobbers %rax, %rbx, %rcx, %rdx
+ */
+ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx
+@@ -407,11 +412,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+ test %r12, %r12
+ jz .L\@_skip_ist_exit
+
+- /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */
+- testb $SCF_verw, %bl
+- jz .L\@_skip_verw
+- verw STACK_CPUINFO_FIELD(verw_sel)(%r14)
+-.L\@_skip_verw:
++ /*
++ * Stash SCF and verw_sel above eflags in the case of an IST_exit. The
++ * VERW logic needs to run after guest GPRs have been restored; i.e. where
++ * we cannot use %r12 or %r14 for the purposes they have here.
++ *
++ * When the CPU pushed this exception frame, it zero-extended eflags.
++ * Therefore it is safe for the VERW logic to look at the stashed SCF
++ * outside of the ist_exit condition. Also, this stashing won't influence
++ * any other restore_all_guest() paths.
++ */
++ or $(__HYPERVISOR_DS32 << 16), %ebx
++ mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */
+
+ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
+
+diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
+index a4e94d6930..4cd5938d7b 100644
+--- a/xen/arch/x86/x86_64/asm-offsets.c
++++ b/xen/arch/x86/x86_64/asm-offsets.c
+@@ -55,14 +55,22 @@ void __dummy__(void)
+ * EFRAME_* is for the entry/exit logic where %rsp is pointing at
+ * UREGS_error_code and GPRs are still/already guest values.
+ */
+-#define OFFSET_EF(sym, mem) \
++#define OFFSET_EF(sym, mem, ...) \
+ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \
+- offsetof(struct cpu_user_regs, error_code))
++ offsetof(struct cpu_user_regs, error_code) __VA_ARGS__)
+
+ OFFSET_EF(EFRAME_entry_vector, entry_vector);
+ OFFSET_EF(EFRAME_rip, rip);
+ OFFSET_EF(EFRAME_cs, cs);
+ OFFSET_EF(EFRAME_eflags, eflags);
++
++ /*
++ * These aren't real fields. They're spare space, used by the IST
++ * exit-to-xen path.
++ */
++ OFFSET_EF(EFRAME_shadow_scf, eflags, +4);
++ OFFSET_EF(EFRAME_shadow_sel, eflags, +6);
++
+ OFFSET_EF(EFRAME_rsp, rsp);
+ BLANK();
+
+@@ -136,6 +144,7 @@ void __dummy__(void)
+
+ OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs);
+ OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code);
++ OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip);
+ OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel);
+ OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu);
+ OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset);
+diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
+index 7c211314d8..3b2fbcd873 100644
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest)
+ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */
+
+ RESTORE_ALL adj=8 compat=1
++
++ /* Account for ev/ec having already been popped off the stack. */
++ SPEC_CTRL_COND_VERW \
++ scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \
++ sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip)
++
+ .Lft0: iretq
+ _ASM_PRE_EXTABLE(.Lft0, handle_exception)
+
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 412cbeb3ec..ef517e2945 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -214,6 +214,9 @@ restore_all_guest:
+ #endif
+
+ mov EFRAME_rip(%rsp), %rcx
++
++ SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */
++
+ cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp)
+ mov EFRAME_rsp(%rsp), %rsp
+ je 1f
+@@ -227,6 +230,9 @@ restore_all_guest:
+ iret_exit_to_guest:
+ andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp)
+ orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp)
++
++ SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */
++
+ addq $8,%rsp
+ .Lft0: iretq
+ _ASM_PRE_EXTABLE(.Lft0, handle_exception)
+@@ -679,9 +685,22 @@ UNLIKELY_START(ne, exit_cr3)
+ UNLIKELY_END(exit_cr3)
+
+ /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
+- SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */
++ SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */
+
+ RESTORE_ALL adj=8
++
++ /*
++ * When the CPU pushed this exception frame, it zero-extended eflags.
++ * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of
++ * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs,
++ * and we're at a random place on the stack, not in a CPUFINFO block.
++ *
++ * Account for ev/ec having already been popped off the stack.
++ */
++ SPEC_CTRL_COND_VERW \
++ scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \
++ sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip)
++
+ iretq
+
+ ENTRY(common_interrupt)
+--
+2.44.0
+
diff --git a/0043-x86-spec-ctrl-Rename-VERW-related-options.patch b/0043-x86-spec-ctrl-Rename-VERW-related-options.patch
new file mode 100644
index 0000000..38edc15
--- /dev/null
+++ b/0043-x86-spec-ctrl-Rename-VERW-related-options.patch
@@ -0,0 +1,248 @@
+From d55d52961d13d4fcd1441fcfca98f690e687b941 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Mon, 12 Feb 2024 17:50:43 +0000
+Subject: [PATCH 43/67] x86/spec-ctrl: Rename VERW related options
+
+VERW is going to be used for a 3rd purpose, and the existing nomenclature
+didn't survive the Stale MMIO issues terribly well.
+
+Rename the command line option from `md-clear=` to `verw=`. This is more
+consistent with other options which tend to be named based on what they're
+doing, not which feature enumeration they use behind the scenes. Retain
+`md-clear=` as a deprecated alias.
+
+Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio},
+which has a side effect of making spec_ctrl_init_domain() rather clearer to
+follow.
+
+No functional change.
+
+This is part of XSA-452 / CVE-2023-28746.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4)
+---
+ docs/misc/xen-command-line.pandoc | 15 ++++----
+ xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++---------------
+ 2 files changed, 40 insertions(+), 37 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 2006697226..d909ec94fe 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2324,7 +2324,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+
+ ### spec-ctrl (x86)
+ > `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>,
+-> {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
++> {msr-sc,rsb,verw,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
+ > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
+ > eager-fpu,l1d-flush,branch-harden,srb-lock,
+ > unpriv-mmio,gds-mit,div-scrub}=<bool> ]`
+@@ -2349,7 +2349,7 @@ in place for guests to use.
+
+ Use of a positive boolean value for either of these options is invalid.
+
+-The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options
++The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options
+ offer fine grained control over the primitives by Xen. These impact Xen's
+ ability to protect itself, and/or Xen's ability to virtualise support for
+ guests to use.
+@@ -2366,11 +2366,12 @@ guests to use.
+ guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
+ * `rsb=` offers control over whether to overwrite the Return Stack Buffer /
+ Return Address Stack on entry to Xen and on idle.
+-* `md-clear=` offers control over whether to use VERW to flush
+- microarchitectural buffers on idle and exit from Xen. *Note: For
+- compatibility with development versions of this fix, `mds=` is also accepted
+- on Xen 4.12 and earlier as an alias. Consult vendor documentation in
+- preference to here.*
++* `verw=` offers control over whether to use VERW for its scrubbing side
++ effects at appropriate privilege transitions. The exact side effects are
++ microarchitecture and microcode specific. *Note: `md-clear=` is accepted as
++ a deprecated alias. For compatibility with development versions of XSA-297,
++ `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor
++ documentation in preference to here.*
+ * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction
+ Barrier) is used on entry to Xen. This is used by default on hardware
+ vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 25a18ac598..e12ec9930c 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true;
+ static bool __initdata opt_msr_sc_hvm = true;
+ static int8_t __initdata opt_rsb_pv = -1;
+ static bool __initdata opt_rsb_hvm = true;
+-static int8_t __ro_after_init opt_md_clear_pv = -1;
+-static int8_t __ro_after_init opt_md_clear_hvm = -1;
++static int8_t __ro_after_init opt_verw_pv = -1;
++static int8_t __ro_after_init opt_verw_hvm = -1;
+
+ static int8_t __ro_after_init opt_ibpb_entry_pv = -1;
+ static int8_t __ro_after_init opt_ibpb_entry_hvm = -1;
+@@ -78,7 +78,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination.
+
+ static int8_t __initdata opt_srb_lock = -1;
+ static bool __initdata opt_unpriv_mmio;
+-static bool __ro_after_init opt_fb_clear_mmio;
++static bool __ro_after_init opt_verw_mmio;
+ static int8_t __initdata opt_gds_mit = -1;
+ static int8_t __initdata opt_div_scrub = -1;
+
+@@ -120,8 +120,8 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ disable_common:
+ opt_rsb_pv = false;
+ opt_rsb_hvm = false;
+- opt_md_clear_pv = 0;
+- opt_md_clear_hvm = 0;
++ opt_verw_pv = 0;
++ opt_verw_hvm = 0;
+ opt_ibpb_entry_pv = 0;
+ opt_ibpb_entry_hvm = 0;
+ opt_ibpb_entry_dom0 = false;
+@@ -152,14 +152,14 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ {
+ opt_msr_sc_pv = val;
+ opt_rsb_pv = val;
+- opt_md_clear_pv = val;
++ opt_verw_pv = val;
+ opt_ibpb_entry_pv = val;
+ }
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ {
+ opt_msr_sc_hvm = val;
+ opt_rsb_hvm = val;
+- opt_md_clear_hvm = val;
++ opt_verw_hvm = val;
+ opt_ibpb_entry_hvm = val;
+ }
+ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 )
+@@ -204,21 +204,22 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ break;
+ }
+ }
+- else if ( (val = parse_boolean("md-clear", s, ss)) != -1 )
++ else if ( (val = parse_boolean("verw", s, ss)) != -1 ||
++ (val = parse_boolean("md-clear", s, ss)) != -1 )
+ {
+ switch ( val )
+ {
+ case 0:
+ case 1:
+- opt_md_clear_pv = opt_md_clear_hvm = val;
++ opt_verw_pv = opt_verw_hvm = val;
+ break;
+
+ case -2:
+- s += strlen("md-clear=");
++ s += (*s == 'v') ? strlen("verw=") : strlen("md-clear=");
+ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+- opt_md_clear_pv = val;
++ opt_verw_pv = val;
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+- opt_md_clear_hvm = val;
++ opt_verw_hvm = val;
+ else
+ default:
+ rc = -EINVAL;
+@@ -540,8 +541,8 @@ static void __init print_details(enum ind_thunk thunk)
+ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
+ opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "",
+ opt_l1d_flush ? " L1D_FLUSH" : "",
+- opt_md_clear_pv || opt_md_clear_hvm ||
+- opt_fb_clear_mmio ? " VERW" : "",
++ opt_verw_pv || opt_verw_hvm ||
++ opt_verw_mmio ? " VERW" : "",
+ opt_div_scrub ? " DIV" : "",
+ opt_branch_harden ? " BRANCH_HARDEN" : "");
+
+@@ -562,13 +563,13 @@ static void __init print_details(enum ind_thunk thunk)
+ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ||
+ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ||
+ amd_virt_spec_ctrl ||
+- opt_eager_fpu || opt_md_clear_hvm) ? "" : " None",
++ opt_eager_fpu || opt_verw_hvm) ? "" : " None",
+ boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "",
+ (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ||
+ amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "",
+ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "",
+ opt_eager_fpu ? " EAGER_FPU" : "",
+- opt_md_clear_hvm ? " MD_CLEAR" : "",
++ opt_verw_hvm ? " VERW" : "",
+ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : "");
+
+ #endif
+@@ -577,11 +578,11 @@ static void __init print_details(enum ind_thunk thunk)
+ (boot_cpu_has(X86_FEATURE_SC_MSR_PV) ||
+ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ||
+ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ||
+- opt_eager_fpu || opt_md_clear_pv) ? "" : " None",
++ opt_eager_fpu || opt_verw_pv) ? "" : " None",
+ boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "",
+ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "",
+ opt_eager_fpu ? " EAGER_FPU" : "",
+- opt_md_clear_pv ? " MD_CLEAR" : "",
++ opt_verw_pv ? " VERW" : "",
+ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : "");
+
+ printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n",
+@@ -1514,8 +1515,8 @@ void spec_ctrl_init_domain(struct domain *d)
+ {
+ bool pv = is_pv_domain(d);
+
+- bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) ||
+- (opt_fb_clear_mmio && is_iommu_enabled(d)));
++ bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) ||
++ (opt_verw_mmio && is_iommu_enabled(d)));
+
+ bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) &&
+ (d->domain_id != 0 || opt_ibpb_entry_dom0));
+@@ -1878,19 +1879,20 @@ void __init init_speculation_mitigations(void)
+ * the return-to-guest path.
+ */
+ if ( opt_unpriv_mmio )
+- opt_fb_clear_mmio = cpu_has_fb_clear;
++ opt_verw_mmio = cpu_has_fb_clear;
+
+ /*
+ * By default, enable PV and HVM mitigations on MDS-vulnerable hardware.
+ * This will only be a token effort for MLPDS/MFBDS when HT is enabled,
+ * but it is somewhat better than nothing.
+ */
+- if ( opt_md_clear_pv == -1 )
+- opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
+- boot_cpu_has(X86_FEATURE_MD_CLEAR));
+- if ( opt_md_clear_hvm == -1 )
+- opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
+- boot_cpu_has(X86_FEATURE_MD_CLEAR));
++ if ( opt_verw_pv == -1 )
++ opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
++ cpu_has_md_clear);
++
++ if ( opt_verw_hvm == -1 )
++ opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
++ cpu_has_md_clear);
+
+ /*
+ * Enable MDS/MMIO defences as applicable. The Idle blocks need using if
+@@ -1903,12 +1905,12 @@ void __init init_speculation_mitigations(void)
+ * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.)
+ *
+ * After calculating the appropriate idle setting, simplify
+- * opt_md_clear_hvm to mean just "should we VERW on the way into HVM
++ * opt_verw_hvm to mean just "should we VERW on the way into HVM
+ * guests", so spec_ctrl_init_domain() can calculate suitable settings.
+ */
+- if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio )
++ if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio )
+ setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE);
+- opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush;
++ opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush;
+
+ /*
+ * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT
+--
+2.44.0
+
diff --git a/0044-x86-spec-ctrl-VERW-handling-adjustments.patch b/0044-x86-spec-ctrl-VERW-handling-adjustments.patch
new file mode 100644
index 0000000..e2458c9
--- /dev/null
+++ b/0044-x86-spec-ctrl-VERW-handling-adjustments.patch
@@ -0,0 +1,171 @@
+From 6663430b442fdf9698bd8e03f701a4547309ad71 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 5 Mar 2024 19:33:37 +0000
+Subject: [PATCH 44/67] x86/spec-ctrl: VERW-handling adjustments
+
+... before we add yet more complexity to this logic. Mostly expanded
+comments, but with three minor changes.
+
+1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and
+ future ones.
+
+2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active,
+ then there's no re-partition of pipeline resources based on thread-idleness
+ to worry about.
+
+3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as
+ it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush
+ is the relevant decision of whether to use L1D_FLUSH based on
+ susceptibility and user preference.
+
+ Rewrite the logic so it can be followed, and incorporate the fact that when
+ FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution.
+
+This is part of XSA-452 / CVE-2023-28746.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2)
+---
+ xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 73 insertions(+), 26 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index e12ec9930c..adb6bc74e8 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -1531,7 +1531,7 @@ void __init init_speculation_mitigations(void)
+ {
+ enum ind_thunk thunk = THUNK_DEFAULT;
+ bool has_spec_ctrl, ibrs = false, hw_smt_enabled;
+- bool cpu_has_bug_taa, retpoline_safe;
++ bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe;
+
+ hw_smt_enabled = check_smt_enabled();
+
+@@ -1867,50 +1867,97 @@ void __init init_speculation_mitigations(void)
+ "enabled. Please assess your configuration and choose an\n"
+ "explicit 'smt=<bool>' setting. See XSA-273.\n");
+
++ /*
++ * A brief summary of VERW-related changes.
++ *
++ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html
++ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
++ *
++ * Relevant ucodes:
++ *
++ * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side
++ * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR
++ * exists architecturally, even when the side effects have been removed.
++ *
++ * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to
++ * mitigate L1TF have the same side effect, so no need to do both.
++ *
++ * Various Atoms suffer from Store-buffer sampling only. Store buffers
++ * are statically partitioned between non-idle threads, so scrubbing is
++ * wanted when going idle too.
++ *
++ * Load ports and Fill buffers are competitively shared between threads.
++ * SMT must be disabled for VERW scrubbing to be fully effective.
++ *
++ * - November 2019, for TAA. Extended VERW side effects to TSX-enabled
++ * MDS_NO parts.
++ *
++ * - February 2022, for Client TSX de-feature. Removed VERW side effects
++ * from Client CPUs only.
++ *
++ * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing
++ * on all MMIO-affected parts which didn't already have it for MDS
++ * reasons, enumerating FB_CLEAR on those parts only.
++ *
++ * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing
++ * side effects as VERW and cannot be used in its place.
++ */
+ mds_calculations();
+
+ /*
+- * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have
+- * reintroduced the VERW fill buffer flushing side effect because of a
+- * susceptibility to FBSDP.
++ * Parts which enumerate FB_CLEAR are those with now-updated microcode
++ * which weren't susceptible to the original MFBDS (and therefore didn't
++ * have Fill Buffer scrubbing side effects to begin with, or were Client
++ * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had
++ * the scrubbing reintroduced because of a susceptibility to FBSDP.
+ *
+ * If unprivileged guests have (or will have) MMIO mappings, we can
+ * mitigate cross-domain leakage of fill buffer data by issuing VERW on
+- * the return-to-guest path.
++ * the return-to-guest path. This is only a token effort if SMT is
++ * active.
+ */
+ if ( opt_unpriv_mmio )
+ opt_verw_mmio = cpu_has_fb_clear;
+
+ /*
+- * By default, enable PV and HVM mitigations on MDS-vulnerable hardware.
+- * This will only be a token effort for MLPDS/MFBDS when HT is enabled,
+- * but it is somewhat better than nothing.
++ * MD_CLEAR is enumerated architecturally forevermore, even after the
++ * scrubbing side effects have been removed. Create ourselves an version
++ * which expressed whether we think MD_CLEAR is having any useful side
++ * effect.
++ */
++ cpu_has_useful_md_clear = (cpu_has_md_clear &&
++ (cpu_has_bug_mds || cpu_has_bug_msbds_only));
++
++ /*
++ * By default, use VERW scrubbing on applicable hardware, if we think it's
++ * going to have an effect. This will only be a token effort for
++ * MLPDS/MFBDS when SMT is enabled.
+ */
+ if ( opt_verw_pv == -1 )
+- opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
+- cpu_has_md_clear);
++ opt_verw_pv = cpu_has_useful_md_clear;
+
+ if ( opt_verw_hvm == -1 )
+- opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) &&
+- cpu_has_md_clear);
++ opt_verw_hvm = cpu_has_useful_md_clear;
+
+ /*
+- * Enable MDS/MMIO defences as applicable. The Idle blocks need using if
+- * either the PV or HVM MDS defences are used, or if we may give MMIO
+- * access to untrusted guests.
+- *
+- * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with
+- * equivalent semantics to avoid needing to perform both flushes on the
+- * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for
+- * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.)
+- *
+- * After calculating the appropriate idle setting, simplify
+- * opt_verw_hvm to mean just "should we VERW on the way into HVM
+- * guests", so spec_ctrl_init_domain() can calculate suitable settings.
++ * If SMT is active, and we're protecting against MDS or MMIO stale data,
++ * we need to scrub before going idle as well as on return to guest.
++ * Various pipeline resources are repartitioned amongst non-idle threads.
+ */
+- if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio )
++ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) ||
++ opt_verw_mmio) && hw_smt_enabled )
+ setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE);
+- opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush;
++
++ /*
++ * After calculating the appropriate idle setting, simplify opt_verw_hvm
++ * to mean just "should we VERW on the way into HVM guests", so
++ * spec_ctrl_init_domain() can calculate suitable settings.
++ *
++ * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the
++ * only *_CLEAR we can see.
++ */
++ if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear )
++ opt_verw_hvm = false;
+
+ /*
+ * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT
+--
+2.44.0
+
diff --git a/0045-x86-spec-ctrl-Mitigation-Register-File-Data-Sampling.patch b/0045-x86-spec-ctrl-Mitigation-Register-File-Data-Sampling.patch
new file mode 100644
index 0000000..4a10524
--- /dev/null
+++ b/0045-x86-spec-ctrl-Mitigation-Register-File-Data-Sampling.patch
@@ -0,0 +1,320 @@
+From d85481135d87abbbf1feab18b749288fa08b65f2 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 22 Jun 2023 23:32:19 +0100
+Subject: [PATCH 45/67] x86/spec-ctrl: Mitigation Register File Data Sampling
+
+RFDS affects Atom cores, also branded E-cores, between the Goldmont and
+Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid
+clien systems which have a mix of Gracemont and other types of cores.
+
+Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side
+effets, and RFDS_NO to incidate that the system is unaffected. Plenty of
+unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we
+synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to
+their platform configuration, and we must use the Hybrid CPUID bit to
+distinguish them from their non-Xeon counterparts.
+
+Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so
+set it in the max policies and reflect the host setting in default.
+
+This is part of XSA-452 / CVE-2023-28746.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31)
+---
+ tools/misc/xen-cpuid.c | 5 +-
+ xen/arch/x86/cpu-policy.c | 5 +
+ xen/arch/x86/include/asm/cpufeature.h | 3 +
+ xen/arch/x86/include/asm/msr-index.h | 2 +
+ xen/arch/x86/spec_ctrl.c | 100 +++++++++++++++++++-
+ xen/include/public/arch-x86/cpufeatureset.h | 3 +
+ 6 files changed, 111 insertions(+), 7 deletions(-)
+
+diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
+index aefc140d66..5ceea8be07 100644
+--- a/tools/misc/xen-cpuid.c
++++ b/tools/misc/xen-cpuid.c
+@@ -172,7 +172,7 @@ static const char *const str_7d0[32] =
+ [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl",
+ [10] = "md-clear", [11] = "rtm-always-abort",
+ /* 12 */ [13] = "tsx-force-abort",
+- [14] = "serialize",
++ [14] = "serialize", [15] = "hybrid",
+ [16] = "tsxldtrk",
+ [18] = "pconfig",
+ [20] = "cet-ibt",
+@@ -237,7 +237,8 @@ static const char *const str_m10Al[32] =
+ [20] = "bhi-no", [21] = "xapic-status",
+ /* 22 */ [23] = "ovrclk-status",
+ [24] = "pbrsb-no", [25] = "gds-ctrl",
+- [26] = "gds-no",
++ [26] = "gds-no", [27] = "rfds-no",
++ [28] = "rfds-clear",
+ };
+
+ static const char *const str_m10Ah[32] =
+diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c
+index 7b875a7221..96c2cee1a8 100644
+--- a/xen/arch/x86/cpu-policy.c
++++ b/xen/arch/x86/cpu-policy.c
+@@ -444,6 +444,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs)
+ */
+ __set_bit(X86_FEATURE_MD_CLEAR, fs);
+ __set_bit(X86_FEATURE_FB_CLEAR, fs);
++ __set_bit(X86_FEATURE_RFDS_CLEAR, fs);
+
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+@@ -493,6 +494,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs)
+ if ( cpu_has_fb_clear )
+ __set_bit(X86_FEATURE_FB_CLEAR, fs);
+
++ __clear_bit(X86_FEATURE_RFDS_CLEAR, fs);
++ if ( cpu_has_rfds_clear )
++ __set_bit(X86_FEATURE_RFDS_CLEAR, fs);
++
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
+index ec824e8954..a6b8af1296 100644
+--- a/xen/arch/x86/include/asm/cpufeature.h
++++ b/xen/arch/x86/include/asm/cpufeature.h
+@@ -140,6 +140,7 @@
+ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT)
+ #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT)
+ #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE)
++#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID)
+ #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16)
+ #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS)
+
+@@ -161,6 +162,8 @@
+ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA)
+ #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL)
+ #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO)
++#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO)
++#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR)
+
+ /* Synthesized. */
+ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
+diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h
+index 6abf7bc34a..9b5f67711f 100644
+--- a/xen/arch/x86/include/asm/msr-index.h
++++ b/xen/arch/x86/include/asm/msr-index.h
+@@ -88,6 +88,8 @@
+ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24)
+ #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25)
+ #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26)
++#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27)
++#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28)
+
+ #define MSR_FLUSH_CMD 0x0000010b
+ #define FLUSH_CMD_L1D (_AC(1, ULL) << 0)
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index adb6bc74e8..1ee81e2dfe 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -24,6 +24,7 @@
+
+ #include <asm/amd.h>
+ #include <asm/hvm/svm/svm.h>
++#include <asm/intel-family.h>
+ #include <asm/microcode.h>
+ #include <asm/msr.h>
+ #include <asm/pv/domain.h>
+@@ -447,7 +448,7 @@ static void __init print_details(enum ind_thunk thunk)
+ * Hardware read-only information, stating immunity to certain issues, or
+ * suggestions of which mitigation to use.
+ */
+- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "",
+ (caps & ARCH_CAPS_RSBA) ? " RSBA" : "",
+@@ -463,6 +464,7 @@ static void __init print_details(enum ind_thunk thunk)
+ (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "",
+ (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "",
+ (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "",
++ (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "",
+@@ -473,7 +475,7 @@ static void __init print_details(enum ind_thunk thunk)
+ (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : "");
+
+ /* Hardware features which need driving to mitigate issues. */
+- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ||
+ (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_IBRS)) ||
+@@ -491,6 +493,7 @@ static void __init print_details(enum ind_thunk thunk)
+ (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "",
+ (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "",
+ (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "",
++ (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "",
+ (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : "");
+
+ /* Compiled-in support which pertains to mitigations. */
+@@ -1359,6 +1362,83 @@ static __init void mds_calculations(void)
+ }
+ }
+
++/*
++ * Register File Data Sampling affects Atom cores from the Goldmont to
++ * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to
++ * some but not all unaffected parts, and RFDS_CLEAR to affected parts still
++ * in support.
++ *
++ * Alder Lake and Raptor Lake client CPUs have a mix of P cores
++ * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont,
++ * vulnerable), and both enumerate RFDS_CLEAR.
++ *
++ * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by
++ * platform configuration, and enumerate RFDS_NO.
++ *
++ * With older parts, or with out-of-date microcode, synthesise RFDS_NO when
++ * safe to do so.
++ *
++ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
++ */
++static void __init rfds_calculations(void)
++{
++ /* RFDS is only known to affect Intel Family 6 processors at this time. */
++ if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ||
++ boot_cpu_data.x86 != 6 )
++ return;
++
++ /*
++ * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable
++ * microcode, or an RFDS-aware hypervisor is levelling us in a pool.
++ */
++ if ( cpu_has_rfds_no || cpu_has_rfds_clear )
++ return;
++
++ /* If we're virtualised, don't attempt to synthesise RFDS_NO. */
++ if ( cpu_has_hypervisor )
++ return;
++
++ /*
++ * Not all CPUs are expected to get a microcode update enumerating one of
++ * RFDS_{NO,CLEAR}, or we might have out-of-date microcode.
++ */
++ switch ( boot_cpu_data.x86_model )
++ {
++ case INTEL_FAM6_ALDERLAKE:
++ case INTEL_FAM6_RAPTORLAKE:
++ /*
++ * Alder Lake and Raptor Lake might be a client SKU (with the
++ * Gracemont cores active, and therefore vulnerable) or might be a
++ * server SKU (with the Gracemont cores disabled, and therefore not
++ * vulnerable).
++ *
++ * See if the CPU identifies as hybrid to distinguish the two cases.
++ */
++ if ( !cpu_has_hybrid )
++ break;
++ fallthrough;
++ case INTEL_FAM6_ALDERLAKE_L:
++ case INTEL_FAM6_RAPTORLAKE_P:
++ case INTEL_FAM6_RAPTORLAKE_S:
++
++ case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */
++ case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */
++ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */
++ case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */
++ case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */
++ case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */
++ case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */
++ return;
++ }
++
++ /*
++ * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO,
++ * perhaps because of it's age or because of out-of-date microcode.
++ * Synthesise it.
++ */
++ setup_force_cpu_cap(X86_FEATURE_RFDS_NO);
++}
++
+ static bool __init cpu_has_gds(void)
+ {
+ /*
+@@ -1872,6 +1952,7 @@ void __init init_speculation_mitigations(void)
+ *
+ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html
+ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
++ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
+ *
+ * Relevant ucodes:
+ *
+@@ -1901,8 +1982,12 @@ void __init init_speculation_mitigations(void)
+ *
+ * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing
+ * side effects as VERW and cannot be used in its place.
++ *
++ * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now
++ * scrubs non-architectural entries from certain register files.
+ */
+ mds_calculations();
++ rfds_calculations();
+
+ /*
+ * Parts which enumerate FB_CLEAR are those with now-updated microcode
+@@ -1934,15 +2019,19 @@ void __init init_speculation_mitigations(void)
+ * MLPDS/MFBDS when SMT is enabled.
+ */
+ if ( opt_verw_pv == -1 )
+- opt_verw_pv = cpu_has_useful_md_clear;
++ opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear;
+
+ if ( opt_verw_hvm == -1 )
+- opt_verw_hvm = cpu_has_useful_md_clear;
++ opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear;
+
+ /*
+ * If SMT is active, and we're protecting against MDS or MMIO stale data,
+ * we need to scrub before going idle as well as on return to guest.
+ * Various pipeline resources are repartitioned amongst non-idle threads.
++ *
++ * We don't need to scrub on idle for RFDS. There are no affected cores
++ * which support SMT, despite there being affected cores in hybrid systems
++ * which have SMT elsewhere in the platform.
+ */
+ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) ||
+ opt_verw_mmio) && hw_smt_enabled )
+@@ -1956,7 +2045,8 @@ void __init init_speculation_mitigations(void)
+ * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the
+ * only *_CLEAR we can see.
+ */
+- if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear )
++ if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear &&
++ !cpu_has_rfds_clear )
+ opt_verw_hvm = false;
+
+ /*
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index aec1407613..113e6cadc1 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -264,6 +264,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe
+ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */
+ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */
+ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */
++XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */
+ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */
+ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */
+ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /* AVX512 FP16 instructions */
+@@ -330,6 +331,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */
+ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */
+ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */
+ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */
++XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */
++XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */
+
+ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */
+
+--
+2.44.0
+
diff --git a/0046-x86-paging-Delete-update_cr3-s-do_locking-parameter.patch b/0046-x86-paging-Delete-update_cr3-s-do_locking-parameter.patch
new file mode 100644
index 0000000..ce397a1
--- /dev/null
+++ b/0046-x86-paging-Delete-update_cr3-s-do_locking-parameter.patch
@@ -0,0 +1,161 @@
+From bf70ce8b3449c49eb828d5b1f4934a49b00fef35 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 20 Sep 2023 20:06:53 +0100
+Subject: [PATCH 46/67] x86/paging: Delete update_cr3()'s do_locking parameter
+
+Nicola reports that the XSA-438 fix introduced new MISRA violations because of
+some incidental tidying it tried to do. The parameter is useless, so resolve
+the MISRA regression by removing it.
+
+hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses
+it to distinguish internal and external callers and therefore whether the
+paging lock should be taken.
+
+However, we have paging_lock_recursive() for this purpose, which also avoids
+the ability for the shadow internal callers to accidentally not hold the lock.
+
+Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference")
+Reported-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Release-acked-by: Henry Wang <Henry.Wang@arm.com>
+(cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e)
+---
+ xen/arch/x86/include/asm/paging.h | 5 ++---
+ xen/arch/x86/mm/hap/hap.c | 5 ++---
+ xen/arch/x86/mm/shadow/common.c | 2 +-
+ xen/arch/x86/mm/shadow/multi.c | 17 ++++++++---------
+ xen/arch/x86/mm/shadow/none.c | 3 +--
+ 5 files changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h
+index 94c590f31a..809ff35d9a 100644
+--- a/xen/arch/x86/include/asm/paging.h
++++ b/xen/arch/x86/include/asm/paging.h
+@@ -138,8 +138,7 @@ struct paging_mode {
+ paddr_t ga, uint32_t *pfec,
+ unsigned int *page_order);
+ #endif
+- pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking,
+- bool noflush);
++ pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush);
+ void (*update_paging_modes )(struct vcpu *v);
+ bool (*flush_tlb )(const unsigned long *vcpu_bitmap);
+
+@@ -312,7 +311,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v,
+ * as the value to load into the host CR3 to schedule this vcpu */
+ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush)
+ {
+- return paging_get_hostmode(v)->update_cr3(v, 1, noflush);
++ return paging_get_hostmode(v)->update_cr3(v, noflush);
+ }
+
+ /* Update all the things that are derived from the guest's CR0/CR3/CR4.
+diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
+index 57a19c3d59..3ad39a7dd7 100644
+--- a/xen/arch/x86/mm/hap/hap.c
++++ b/xen/arch/x86/mm/hap/hap.c
+@@ -739,8 +739,7 @@ static bool cf_check hap_invlpg(struct vcpu *v, unsigned long linear)
+ return 1;
+ }
+
+-static pagetable_t cf_check hap_update_cr3(
+- struct vcpu *v, bool do_locking, bool noflush)
++static pagetable_t cf_check hap_update_cr3(struct vcpu *v, bool noflush)
+ {
+ v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3];
+ hvm_update_guest_cr3(v, noflush);
+@@ -826,7 +825,7 @@ static void cf_check hap_update_paging_modes(struct vcpu *v)
+ }
+
+ /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */
+- hap_update_cr3(v, 0, false);
++ hap_update_cr3(v, false);
+
+ unlock:
+ paging_unlock(d);
+diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
+index c0940f939e..18714dbd02 100644
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -2579,7 +2579,7 @@ static void sh_update_paging_modes(struct vcpu *v)
+ }
+ #endif /* OOS */
+
+- v->arch.paging.mode->update_cr3(v, 0, false);
++ v->arch.paging.mode->update_cr3(v, false);
+ }
+
+ void cf_check shadow_update_paging_modes(struct vcpu *v)
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index c92b354a78..e54a507b54 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -2506,7 +2506,7 @@ static int cf_check sh_page_fault(
+ * In any case, in the PAE case, the ASSERT is not true; it can
+ * happen because of actions the guest is taking. */
+ #if GUEST_PAGING_LEVELS == 3
+- v->arch.paging.mode->update_cr3(v, 0, false);
++ v->arch.paging.mode->update_cr3(v, false);
+ #else
+ ASSERT(d->is_shutting_down);
+ #endif
+@@ -3224,17 +3224,13 @@ static void cf_check sh_detach_old_tables(struct vcpu *v)
+ }
+ }
+
+-static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking,
+- bool noflush)
++static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool noflush)
+ /* Updates vcpu->arch.cr3 after the guest has changed CR3.
+ * Paravirtual guests should set v->arch.guest_table (and guest_table_user,
+ * if appropriate).
+ * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works;
+ * this function will call hvm_update_guest_cr(v, 3) to tell them where the
+ * shadow tables are.
+- * If do_locking != 0, assume we are being called from outside the
+- * shadow code, and must take and release the paging lock; otherwise
+- * that is the caller's responsibility.
+ */
+ {
+ struct domain *d = v->domain;
+@@ -3252,7 +3248,11 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking,
+ return old_entry;
+ }
+
+- if ( do_locking ) paging_lock(v->domain);
++ /*
++ * This is used externally (with the paging lock not taken) and internally
++ * by the shadow code (with the lock already taken).
++ */
++ paging_lock_recursive(v->domain);
+
+ #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC)
+ /* Need to resync all the shadow entries on a TLB flush. Resync
+@@ -3480,8 +3480,7 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking,
+ shadow_sync_other_vcpus(v);
+ #endif
+
+- /* Release the lock, if we took it (otherwise it's the caller's problem) */
+- if ( do_locking ) paging_unlock(v->domain);
++ paging_unlock(v->domain);
+
+ return old_entry;
+ }
+diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c
+index 743c0ffb85..7e4e386cd0 100644
+--- a/xen/arch/x86/mm/shadow/none.c
++++ b/xen/arch/x86/mm/shadow/none.c
+@@ -52,8 +52,7 @@ static unsigned long cf_check _gva_to_gfn(
+ }
+ #endif
+
+-static pagetable_t cf_check _update_cr3(struct vcpu *v, bool do_locking,
+- bool noflush)
++static pagetable_t cf_check _update_cr3(struct vcpu *v, bool noflush)
+ {
+ ASSERT_UNREACHABLE();
+ return pagetable_null();
+--
+2.44.0
+
diff --git a/0047-xen-Swap-order-of-actions-in-the-FREE-macros.patch b/0047-xen-Swap-order-of-actions-in-the-FREE-macros.patch
new file mode 100644
index 0000000..3e58906
--- /dev/null
+++ b/0047-xen-Swap-order-of-actions-in-the-FREE-macros.patch
@@ -0,0 +1,58 @@
+From 0a53565f1886201cc8a8afe9b2619ee297c20955 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 2 Feb 2024 00:39:42 +0000
+Subject: [PATCH 47/67] xen: Swap order of actions in the FREE*() macros
+
+Wherever possible, it is a good idea to NULL out the visible reference to an
+object prior to freeing it. The FREE*() macros already collect together both
+parts, making it easy to adjust.
+
+This has a marginal code generation improvement, as some of the calls to the
+free() function can be tailcall optimised.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e)
+---
+ xen/include/xen/mm.h | 3 ++-
+ xen/include/xen/xmalloc.h | 7 ++++---
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h
+index 3dc61bcc3c..211685a5d2 100644
+--- a/xen/include/xen/mm.h
++++ b/xen/include/xen/mm.h
+@@ -80,8 +80,9 @@ bool scrub_free_pages(void);
+
+ /* Free an allocation, and zero the pointer to it. */
+ #define FREE_XENHEAP_PAGES(p, o) do { \
+- free_xenheap_pages(p, o); \
++ void *_ptr_ = (p); \
+ (p) = NULL; \
++ free_xenheap_pages(_ptr_, o); \
+ } while ( false )
+ #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0)
+
+diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h
+index 16979a117c..d857298011 100644
+--- a/xen/include/xen/xmalloc.h
++++ b/xen/include/xen/xmalloc.h
+@@ -66,9 +66,10 @@
+ extern void xfree(void *);
+
+ /* Free an allocation, and zero the pointer to it. */
+-#define XFREE(p) do { \
+- xfree(p); \
+- (p) = NULL; \
++#define XFREE(p) do { \
++ void *_ptr_ = (p); \
++ (p) = NULL; \
++ xfree(_ptr_); \
+ } while ( false )
+
+ /* Underlying functions */
+--
+2.44.0
+
diff --git a/0048-x86-spinlock-introduce-support-for-blocking-speculat.patch b/0048-x86-spinlock-introduce-support-for-blocking-speculat.patch
new file mode 100644
index 0000000..ecf0830
--- /dev/null
+++ b/0048-x86-spinlock-introduce-support-for-blocking-speculat.patch
@@ -0,0 +1,331 @@
+From 9d2f136328aab5537b7180a1b23e171893ebe455 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 13 Feb 2024 13:08:05 +0100
+Subject: [PATCH 48/67] x86/spinlock: introduce support for blocking
+ speculation into critical regions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce a new Kconfig option to block speculation into lock protected
+critical regions. The Kconfig option is enabled by default, but the mitigation
+won't be engaged unless it's explicitly enabled in the command line using
+`spec-ctrl=lock-harden`.
+
+Convert the spinlock acquire macros into always-inline functions, and introduce
+a speculation barrier after the lock has been taken. Note the speculation
+barrier is not placed inside the implementation of the spin lock functions, as
+to prevent speculation from falling through the call to the lock functions
+resulting in the barrier also being skipped.
+
+trylock variants are protected using a construct akin to the existing
+evaluate_nospec().
+
+This patch only implements the speculation barrier for x86.
+
+Note spin locks are the only locking primitive taken care in this change,
+further locking primitives will be adjusted by separate changes.
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa)
+---
+ docs/misc/xen-command-line.pandoc | 7 ++++-
+ xen/arch/x86/include/asm/cpufeatures.h | 2 +-
+ xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++
+ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++---
+ xen/common/Kconfig | 17 ++++++++++++
+ xen/include/xen/nospec.h | 15 +++++++++++
+ xen/include/xen/spinlock.h | 37 +++++++++++++++++++++-----
+ 7 files changed, 119 insertions(+), 11 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index d909ec94fe..e1d56407dd 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2327,7 +2327,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+ > {msr-sc,rsb,verw,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
+ > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
+ > eager-fpu,l1d-flush,branch-harden,srb-lock,
+-> unpriv-mmio,gds-mit,div-scrub}=<bool> ]`
++> unpriv-mmio,gds-mit,div-scrub,lock-harden}=<bool> ]`
+
+ Controls for speculative execution sidechannel mitigations. By default, Xen
+ will pick the most appropriate mitigations based on compiled in support,
+@@ -2454,6 +2454,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen
+ from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate
+ DIV-leakage on hardware believed to be vulnerable.
+
++If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=`
++boolean can be used to force or prevent Xen from using speculation barriers to
++protect lock critical regions. This mitigation won't be engaged by default,
++and needs to be explicitly enabled on the command line.
++
+ ### sync_console
+ > `= <boolean>`
+
+diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
+index c3aad21c3b..7e8221fd85 100644
+--- a/xen/arch/x86/include/asm/cpufeatures.h
++++ b/xen/arch/x86/include/asm/cpufeatures.h
+@@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */
+ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */
+ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */
+ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */
+-/* Bit 12 unused. */
++XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */
+ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */
+ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */
+ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */
+diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h
+index 7150e76b87..0725839e19 100644
+--- a/xen/arch/x86/include/asm/nospec.h
++++ b/xen/arch/x86/include/asm/nospec.h
+@@ -38,6 +38,32 @@ static always_inline void block_speculation(void)
+ barrier_nospec_true();
+ }
+
++static always_inline void arch_block_lock_speculation(void)
++{
++ alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN);
++}
++
++/* Allow to insert a read memory barrier into conditionals */
++static always_inline bool barrier_lock_true(void)
++{
++ alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN);
++ return true;
++}
++
++static always_inline bool barrier_lock_false(void)
++{
++ alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN);
++ return false;
++}
++
++static always_inline bool arch_lock_evaluate_nospec(bool condition)
++{
++ if ( condition )
++ return barrier_lock_true();
++ else
++ return barrier_lock_false();
++}
++
+ #endif /* _ASM_X86_NOSPEC_H */
+
+ /*
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 1ee81e2dfe..ac21af2c5c 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -65,6 +65,7 @@ int8_t __read_mostly opt_eager_fpu = -1;
+ int8_t __read_mostly opt_l1d_flush = -1;
+ static bool __initdata opt_branch_harden =
+ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH);
++static bool __initdata opt_lock_harden;
+
+ bool __initdata bsp_delay_spec_ctrl;
+ uint8_t __read_mostly default_xen_spec_ctrl;
+@@ -133,6 +134,7 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ opt_ssbd = false;
+ opt_l1d_flush = 0;
+ opt_branch_harden = false;
++ opt_lock_harden = false;
+ opt_srb_lock = 0;
+ opt_unpriv_mmio = false;
+ opt_gds_mit = 0;
+@@ -298,6 +300,16 @@ static int __init cf_check parse_spec_ctrl(const char *s)
+ rc = -EINVAL;
+ }
+ }
++ else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 )
++ {
++ if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) )
++ opt_lock_harden = val;
++ else
++ {
++ no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss);
++ rc = -EINVAL;
++ }
++ }
+ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
+ opt_srb_lock = val;
+ else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 )
+@@ -500,7 +512,8 @@ static void __init print_details(enum ind_thunk thunk)
+ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ||
+ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) ||
+ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) ||
+- IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) )
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ||
++ IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) )
+ printk(" Compiled-in support:"
+ #ifdef CONFIG_INDIRECT_THUNK
+ " INDIRECT_THUNK"
+@@ -516,11 +529,14 @@ static void __init print_details(enum ind_thunk thunk)
+ #endif
+ #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS
+ " HARDEN_GUEST_ACCESS"
++#endif
++#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK
++ " HARDEN_LOCK"
+ #endif
+ "\n");
+
+ /* Settings for Xen's protection, irrespective of guests. */
+- printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
++ printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n",
+ thunk != THUNK_NONE ? "BTI-Thunk: " : "",
+ thunk == THUNK_NONE ? "" :
+ thunk == THUNK_RETPOLINE ? "RETPOLINE, " :
+@@ -547,7 +563,8 @@ static void __init print_details(enum ind_thunk thunk)
+ opt_verw_pv || opt_verw_hvm ||
+ opt_verw_mmio ? " VERW" : "",
+ opt_div_scrub ? " DIV" : "",
+- opt_branch_harden ? " BRANCH_HARDEN" : "");
++ opt_branch_harden ? " BRANCH_HARDEN" : "",
++ opt_lock_harden ? " LOCK_HARDEN" : "");
+
+ /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */
+ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu )
+@@ -1930,6 +1947,9 @@ void __init init_speculation_mitigations(void)
+ if ( !opt_branch_harden )
+ setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN);
+
++ if ( !opt_lock_harden )
++ setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN);
++
+ /*
+ * We do not disable HT by default on affected hardware.
+ *
+diff --git a/xen/common/Kconfig b/xen/common/Kconfig
+index e7794cb7f6..cd73851538 100644
+--- a/xen/common/Kconfig
++++ b/xen/common/Kconfig
+@@ -173,6 +173,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS
+
+ If unsure, say Y.
+
++config SPECULATIVE_HARDEN_LOCK
++ bool "Speculative lock context hardening"
++ default y
++ depends on X86
++ help
++ Contemporary processors may use speculative execution as a
++ performance optimisation, but this can potentially be abused by an
++ attacker to leak data via speculative sidechannels.
++
++ One source of data leakage is via speculative accesses to lock
++ critical regions.
++
++ This option is disabled by default at run time, and needs to be
++ enabled on the command line.
++
++ If unsure, say Y.
++
+ endmenu
+
+ config DIT_DEFAULT
+diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h
+index 76255bc46e..4552846403 100644
+--- a/xen/include/xen/nospec.h
++++ b/xen/include/xen/nospec.h
+@@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
+ #define array_access_nospec(array, index) \
+ (array)[array_index_nospec(index, ARRAY_SIZE(array))]
+
++static always_inline void block_lock_speculation(void)
++{
++#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK
++ arch_block_lock_speculation();
++#endif
++}
++
++static always_inline bool lock_evaluate_nospec(bool condition)
++{
++#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK
++ return arch_lock_evaluate_nospec(condition);
++#endif
++ return condition;
++}
++
+ #endif /* XEN_NOSPEC_H */
+
+ /*
+diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h
+index 961891bea4..daf48fdea7 100644
+--- a/xen/include/xen/spinlock.h
++++ b/xen/include/xen/spinlock.h
+@@ -1,6 +1,7 @@
+ #ifndef __SPINLOCK_H__
+ #define __SPINLOCK_H__
+
++#include <xen/nospec.h>
+ #include <xen/time.h>
+ #include <asm/system.h>
+ #include <asm/spinlock.h>
+@@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock);
+ void _spin_lock_recursive(spinlock_t *lock);
+ void _spin_unlock_recursive(spinlock_t *lock);
+
+-#define spin_lock(l) _spin_lock(l)
+-#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d)
+-#define spin_lock_irq(l) _spin_lock_irq(l)
++static always_inline void spin_lock(spinlock_t *l)
++{
++ _spin_lock(l);
++ block_lock_speculation();
++}
++
++static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data),
++ void *d)
++{
++ _spin_lock_cb(l, c, d);
++ block_lock_speculation();
++}
++
++static always_inline void spin_lock_irq(spinlock_t *l)
++{
++ _spin_lock_irq(l);
++ block_lock_speculation();
++}
++
+ #define spin_lock_irqsave(l, f) \
+ ({ \
+ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \
+ ((f) = _spin_lock_irqsave(l)); \
++ block_lock_speculation(); \
+ })
+
+ #define spin_unlock(l) _spin_unlock(l)
+@@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock);
+ #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f)
+
+ #define spin_is_locked(l) _spin_is_locked(l)
+-#define spin_trylock(l) _spin_trylock(l)
++#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l))
+
+ #define spin_trylock_irqsave(lock, flags) \
+ ({ \
+@@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock);
+ * are any critical regions that cannot form part of such a set, they can use
+ * standard spin_[un]lock().
+ */
+-#define spin_trylock_recursive(l) _spin_trylock_recursive(l)
+-#define spin_lock_recursive(l) _spin_lock_recursive(l)
++#define spin_trylock_recursive(l) \
++ lock_evaluate_nospec(_spin_trylock_recursive(l))
++
++static always_inline void spin_lock_recursive(spinlock_t *l)
++{
++ _spin_lock_recursive(l);
++ block_lock_speculation();
++}
++
+ #define spin_unlock_recursive(l) _spin_unlock_recursive(l)
+
+ #endif /* __SPINLOCK_H__ */
+--
+2.44.0
+
diff --git a/0049-rwlock-introduce-support-for-blocking-speculation-in.patch b/0049-rwlock-introduce-support-for-blocking-speculation-in.patch
new file mode 100644
index 0000000..593b588
--- /dev/null
+++ b/0049-rwlock-introduce-support-for-blocking-speculation-in.patch
@@ -0,0 +1,125 @@
+From 7454dad6ee15f9fa6d84fc285d366b86f3d47494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 13 Feb 2024 16:08:52 +0100
+Subject: [PATCH 49/67] rwlock: introduce support for blocking speculation into
+ critical regions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce inline wrappers as required and add direct calls to
+block_lock_speculation() in order to prevent speculation into the rwlock
+protected critical regions.
+
+Note the rwlock primitives are adjusted to use the non speculation safe variants
+of the spinlock handlers, as a speculation barrier is added in the rwlock
+calling wrappers.
+
+trylock variants are protected by using lock_evaluate_nospec().
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59)
+---
+ xen/common/rwlock.c | 14 +++++++++++---
+ xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------
+ 2 files changed, 39 insertions(+), 9 deletions(-)
+
+diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c
+index aa15529bbe..cda06b9d6e 100644
+--- a/xen/common/rwlock.c
++++ b/xen/common/rwlock.c
+@@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock)
+
+ /*
+ * Put the reader into the wait queue.
++ *
++ * Use the speculation unsafe helper, as it's the caller responsibility to
++ * issue a speculation barrier if required.
+ */
+- spin_lock(&lock->lock);
++ _spin_lock(&lock->lock);
+
+ /*
+ * At the head of the wait queue now, wait until the writer state
+@@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock)
+ {
+ u32 cnts;
+
+- /* Put the writer into the wait queue. */
+- spin_lock(&lock->lock);
++ /*
++ * Put the writer into the wait queue.
++ *
++ * Use the speculation unsafe helper, as it's the caller responsibility to
++ * issue a speculation barrier if required.
++ */
++ _spin_lock(&lock->lock);
+
+ /* Try to acquire the lock directly if no reader is present. */
+ if ( !atomic_read(&lock->cnts) &&
+diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h
+index 0cc9167715..fd0458be94 100644
+--- a/xen/include/xen/rwlock.h
++++ b/xen/include/xen/rwlock.h
+@@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock)
+ return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED;
+ }
+
+-#define read_lock(l) _read_lock(l)
+-#define read_lock_irq(l) _read_lock_irq(l)
++static always_inline void read_lock(rwlock_t *l)
++{
++ _read_lock(l);
++ block_lock_speculation();
++}
++
++static always_inline void read_lock_irq(rwlock_t *l)
++{
++ _read_lock_irq(l);
++ block_lock_speculation();
++}
++
+ #define read_lock_irqsave(l, f) \
+ ({ \
+ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \
+ ((f) = _read_lock_irqsave(l)); \
++ block_lock_speculation(); \
+ })
+
+ #define read_unlock(l) _read_unlock(l)
+ #define read_unlock_irq(l) _read_unlock_irq(l)
+ #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f)
+-#define read_trylock(l) _read_trylock(l)
++#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l))
++
++static always_inline void write_lock(rwlock_t *l)
++{
++ _write_lock(l);
++ block_lock_speculation();
++}
++
++static always_inline void write_lock_irq(rwlock_t *l)
++{
++ _write_lock_irq(l);
++ block_lock_speculation();
++}
+
+-#define write_lock(l) _write_lock(l)
+-#define write_lock_irq(l) _write_lock_irq(l)
+ #define write_lock_irqsave(l, f) \
+ ({ \
+ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \
+ ((f) = _write_lock_irqsave(l)); \
++ block_lock_speculation(); \
+ })
+-#define write_trylock(l) _write_trylock(l)
++#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l))
+
+ #define write_unlock(l) _write_unlock(l)
+ #define write_unlock_irq(l) _write_unlock_irq(l)
+--
+2.44.0
+
diff --git a/0050-percpu-rwlock-introduce-support-for-blocking-specula.patch b/0050-percpu-rwlock-introduce-support-for-blocking-specula.patch
new file mode 100644
index 0000000..1da2128
--- /dev/null
+++ b/0050-percpu-rwlock-introduce-support-for-blocking-specula.patch
@@ -0,0 +1,87 @@
+From 468a368b2e5a38fc0be8e9e5f475820f7e4a6b4f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 13 Feb 2024 17:57:38 +0100
+Subject: [PATCH 50/67] percpu-rwlock: introduce support for blocking
+ speculation into critical regions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add direct calls to block_lock_speculation() where required in order to prevent
+speculation into the lock protected critical regions. Also convert
+_percpu_read_lock() from inline to always_inline.
+
+Note that _percpu_write_lock() has been modified the use the non speculation
+safe of the locking primites, as a speculation is added unconditionally by the
+calling wrapper.
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441)
+---
+ xen/common/rwlock.c | 6 +++++-
+ xen/include/xen/rwlock.h | 14 ++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c
+index cda06b9d6e..4da0ed8fad 100644
+--- a/xen/common/rwlock.c
++++ b/xen/common/rwlock.c
+@@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata,
+ /*
+ * First take the write lock to protect against other writers or slow
+ * path readers.
++ *
++ * Note we use the speculation unsafe variant of write_lock(), as the
++ * calling wrapper already adds a speculation barrier after the lock has
++ * been taken.
+ */
+- write_lock(&percpu_rwlock->rwlock);
++ _write_lock(&percpu_rwlock->rwlock);
+
+ /* Now set the global variable so that readers start using read_lock. */
+ percpu_rwlock->writer_activating = 1;
+diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h
+index fd0458be94..abe0804bf7 100644
+--- a/xen/include/xen/rwlock.h
++++ b/xen/include/xen/rwlock.h
+@@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata,
+ #define percpu_rwlock_resource_init(l, owner) \
+ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner)))
+
+-static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata,
+- percpu_rwlock_t *percpu_rwlock)
++static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata,
++ percpu_rwlock_t *percpu_rwlock)
+ {
+ /* Validate the correct per_cpudata variable has been provided. */
+ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock);
+@@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata,
+ }
+ else
+ {
++ /* Other branch already has a speculation barrier in read_lock(). */
++ block_lock_speculation();
+ /* All other paths have implicit check_lock() calls via read_lock(). */
+ check_lock(&percpu_rwlock->rwlock.lock.debug, false);
+ }
+@@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata,
+ _percpu_read_lock(&get_per_cpu_var(percpu), lock)
+ #define percpu_read_unlock(percpu, lock) \
+ _percpu_read_unlock(&get_per_cpu_var(percpu), lock)
+-#define percpu_write_lock(percpu, lock) \
+- _percpu_write_lock(&get_per_cpu_var(percpu), lock)
++
++#define percpu_write_lock(percpu, lock) \
++({ \
++ _percpu_write_lock(&get_per_cpu_var(percpu), lock); \
++ block_lock_speculation(); \
++})
+ #define percpu_write_unlock(percpu, lock) \
+ _percpu_write_unlock(&get_per_cpu_var(percpu), lock)
+
+--
+2.44.0
+
diff --git a/0051-locking-attempt-to-ensure-lock-wrappers-are-always-i.patch b/0051-locking-attempt-to-ensure-lock-wrappers-are-always-i.patch
new file mode 100644
index 0000000..822836d
--- /dev/null
+++ b/0051-locking-attempt-to-ensure-lock-wrappers-are-always-i.patch
@@ -0,0 +1,405 @@
+From 2cc5e57be680a516aa5cdef4281856d09b9d0ea6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Mon, 4 Mar 2024 14:29:36 +0100
+Subject: [PATCH 51/67] locking: attempt to ensure lock wrappers are always
+ inline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In order to prevent the locking speculation barriers from being inside of
+`call`ed functions that could be speculatively bypassed.
+
+While there also add an extra locking barrier to _mm_write_lock() in the branch
+taken when the lock is already held.
+
+Note some functions are switched to use the unsafe variants (without speculation
+barrier) of the locking primitives, but a speculation barrier is always added
+to the exposed public lock wrapping helper. That's the case with
+sched_spin_lock_double() or pcidevs_lock() for example.
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762)
+---
+ xen/arch/x86/hvm/vpt.c | 10 +++++++---
+ xen/arch/x86/include/asm/irq.h | 1 +
+ xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++-------------
+ xen/arch/x86/mm/p2m-pod.c | 2 +-
+ xen/common/event_channel.c | 5 +++--
+ xen/common/grant_table.c | 6 +++---
+ xen/common/sched/core.c | 19 ++++++++++++-------
+ xen/common/sched/private.h | 26 ++++++++++++++++++++++++--
+ xen/common/timer.c | 8 +++++---
+ xen/drivers/passthrough/pci.c | 5 +++--
+ xen/include/xen/event.h | 4 ++--
+ xen/include/xen/pci.h | 8 ++++++--
+ 12 files changed, 82 insertions(+), 40 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c
+index cb1d81bf9e..66f1095245 100644
+--- a/xen/arch/x86/hvm/vpt.c
++++ b/xen/arch/x86/hvm/vpt.c
+@@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt)
+ * pt->vcpu field, because another thread holding the pt_migrate lock
+ * may already be spinning waiting for your vcpu lock.
+ */
+-static void pt_vcpu_lock(struct vcpu *v)
++static always_inline void pt_vcpu_lock(struct vcpu *v)
+ {
+ spin_lock(&v->arch.hvm.tm_lock);
+ }
+@@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v)
+ * need to take an additional lock that protects against pt->vcpu
+ * changing.
+ */
+-static void pt_lock(struct periodic_time *pt)
++static always_inline void pt_lock(struct periodic_time *pt)
+ {
+- read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate);
++ /*
++ * Use the speculation unsafe variant for the first lock, as the following
++ * lock taking helper already includes a speculation barrier.
++ */
++ _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate);
+ spin_lock(&pt->vcpu->arch.hvm.tm_lock);
+ }
+
+diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h
+index f6a0207a80..823d627fd0 100644
+--- a/xen/arch/x86/include/asm/irq.h
++++ b/xen/arch/x86/include/asm/irq.h
+@@ -178,6 +178,7 @@ void cf_check irq_complete_move(struct irq_desc *);
+
+ extern struct irq_desc *irq_desc;
+
++/* Not speculation safe, only used for AP bringup. */
+ void lock_vector_lock(void);
+ void unlock_vector_lock(void);
+
+diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h
+index c1523aeccf..265239c49f 100644
+--- a/xen/arch/x86/mm/mm-locks.h
++++ b/xen/arch/x86/mm/mm-locks.h
+@@ -86,8 +86,8 @@ static inline void _set_lock_level(int l)
+ this_cpu(mm_lock_level) = l;
+ }
+
+-static inline void _mm_lock(const struct domain *d, mm_lock_t *l,
+- const char *func, int level, int rec)
++static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l,
++ const char *func, int level, int rec)
+ {
+ if ( !((mm_locked_by_me(l)) && rec) )
+ _check_lock_level(d, level);
+@@ -137,8 +137,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l)
+ return (l->locker == get_processor_id());
+ }
+
+-static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l,
+- const char *func, int level)
++static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l,
++ const char *func, int level)
+ {
+ if ( !mm_write_locked_by_me(l) )
+ {
+@@ -149,6 +149,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l,
+ l->unlock_level = _get_lock_level();
+ _set_lock_level(_lock_level(d, level));
+ }
++ else
++ block_speculation();
+ l->recurse_count++;
+ }
+
+@@ -162,8 +164,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l)
+ percpu_write_unlock(p2m_percpu_rwlock, &l->lock);
+ }
+
+-static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l,
+- int level)
++static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l,
++ int level)
+ {
+ _check_lock_level(d, level);
+ percpu_read_lock(p2m_percpu_rwlock, &l->lock);
+@@ -178,15 +180,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l)
+
+ /* This wrapper uses the line number to express the locking order below */
+ #define declare_mm_lock(name) \
+- static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \
+- const char *func, int rec) \
++ static always_inline void mm_lock_##name( \
++ const struct domain *d, mm_lock_t *l, const char *func, int rec) \
+ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); }
+ #define declare_mm_rwlock(name) \
+- static inline void mm_write_lock_##name(const struct domain *d, \
+- mm_rwlock_t *l, const char *func) \
++ static always_inline void mm_write_lock_##name( \
++ const struct domain *d, mm_rwlock_t *l, const char *func) \
+ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \
+- static inline void mm_read_lock_##name(const struct domain *d, \
+- mm_rwlock_t *l) \
++ static always_inline void mm_read_lock_##name(const struct domain *d, \
++ mm_rwlock_t *l) \
+ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); }
+ /* These capture the name of the calling function */
+ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0)
+@@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist)
+ #define MM_LOCK_ORDER_altp2m 40
+ declare_mm_rwlock(altp2m);
+
+-static inline void p2m_lock(struct p2m_domain *p)
++static always_inline void p2m_lock(struct p2m_domain *p)
+ {
+ if ( p2m_is_altp2m(p) )
+ mm_write_lock(altp2m, p->domain, &p->lock);
+diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
+index fc110506dc..99dbcb3101 100644
+--- a/xen/arch/x86/mm/p2m-pod.c
++++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -36,7 +36,7 @@
+ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0)
+
+ /* Enforce lock ordering when grabbing the "external" page_alloc lock */
+-static inline void lock_page_alloc(struct p2m_domain *p2m)
++static always_inline void lock_page_alloc(struct p2m_domain *p2m)
+ {
+ page_alloc_mm_pre_lock(p2m->domain);
+ spin_lock(&(p2m->domain->page_alloc_lock));
+diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
+index f5e0b12d15..dada9f15f5 100644
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -62,7 +62,7 @@
+ * just assume the event channel is free or unbound at the moment when the
+ * evtchn_read_trylock() returns false.
+ */
+-static inline void evtchn_write_lock(struct evtchn *evtchn)
++static always_inline void evtchn_write_lock(struct evtchn *evtchn)
+ {
+ write_lock(&evtchn->lock);
+
+@@ -364,7 +364,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port)
+ return rc;
+ }
+
+-static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn)
++static always_inline void double_evtchn_lock(struct evtchn *lchn,
++ struct evtchn *rchn)
+ {
+ ASSERT(lchn != rchn);
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index ee7cc496b8..62a8685cd5 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -410,7 +410,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn)
+
+ static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock);
+
+-static inline void grant_read_lock(struct grant_table *gt)
++static always_inline void grant_read_lock(struct grant_table *gt)
+ {
+ percpu_read_lock(grant_rwlock, &gt->lock);
+ }
+@@ -420,7 +420,7 @@ static inline void grant_read_unlock(struct grant_table *gt)
+ percpu_read_unlock(grant_rwlock, &gt->lock);
+ }
+
+-static inline void grant_write_lock(struct grant_table *gt)
++static always_inline void grant_write_lock(struct grant_table *gt)
+ {
+ percpu_write_lock(grant_rwlock, &gt->lock);
+ }
+@@ -457,7 +457,7 @@ nr_active_grant_frames(struct grant_table *gt)
+ return num_act_frames_from_sha_frames(nr_grant_frames(gt));
+ }
+
+-static inline struct active_grant_entry *
++static always_inline struct active_grant_entry *
+ active_entry_acquire(struct grant_table *t, grant_ref_t e)
+ {
+ struct active_grant_entry *act;
+diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c
+index 078beb1adb..29bbab5ac6 100644
+--- a/xen/common/sched/core.c
++++ b/xen/common/sched/core.c
+@@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu)
+ * This avoids dead- or live-locks when this code is running on both
+ * cpus at the same time.
+ */
+-static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2,
+- unsigned long *flags)
++static always_inline void sched_spin_lock_double(
++ spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags)
+ {
++ /*
++ * In order to avoid extra overhead, use the locking primitives without the
++ * speculation barrier, and introduce a single barrier here.
++ */
+ if ( lock1 == lock2 )
+ {
+- spin_lock_irqsave(lock1, *flags);
++ *flags = _spin_lock_irqsave(lock1);
+ }
+ else if ( lock1 < lock2 )
+ {
+- spin_lock_irqsave(lock1, *flags);
+- spin_lock(lock2);
++ *flags = _spin_lock_irqsave(lock1);
++ _spin_lock(lock2);
+ }
+ else
+ {
+- spin_lock_irqsave(lock2, *flags);
+- spin_lock(lock1);
++ *flags = _spin_lock_irqsave(lock2);
++ _spin_lock(lock1);
+ }
++ block_lock_speculation();
+ }
+
+ static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2,
+diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h
+index 0527a8c70d..24a93dd0c1 100644
+--- a/xen/common/sched/private.h
++++ b/xen/common/sched/private.h
+@@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch);
+ #define cpumask_scratch (&this_cpu(cpumask_scratch))
+ #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c))
+
++/*
++ * Deal with _spin_lock_irqsave() returning the flags value instead of storing
++ * it in a passed parameter.
++ */
++#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock)
++#define _sched_spinlock1(lock, irq, arg) ({ \
++ BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \
++ (arg) = _spin_lock##irq(lock); \
++})
++
++#define _sched_spinlock__(nr) _sched_spinlock ## nr
++#define _sched_spinlock_(nr) _sched_spinlock__(nr)
++#define _sched_spinlock(lock, irq, args...) \
++ _sched_spinlock_(count_args(args))(lock, irq, ## args)
++
+ #define sched_lock(kind, param, cpu, irq, arg...) \
+-static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \
++static always_inline spinlock_t \
++*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \
+ { \
+ for ( ; ; ) \
+ { \
+@@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \
+ * \
+ * It may also be the case that v->processor may change but the \
+ * lock may be the same; this will succeed in that case. \
++ * \
++ * Use the speculation unsafe locking helper, there's a speculation \
++ * barrier before returning to the caller. \
+ */ \
+- spin_lock##irq(lock, ## arg); \
++ _sched_spinlock(lock, irq, ## arg); \
+ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \
++ { \
++ block_lock_speculation(); \
+ return lock; \
++ } \
+ spin_unlock##irq(lock, ## arg); \
+ } \
+ }
+diff --git a/xen/common/timer.c b/xen/common/timer.c
+index 9b5016d5ed..459668d417 100644
+--- a/xen/common/timer.c
++++ b/xen/common/timer.c
+@@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer)
+ list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive);
+ }
+
+-static inline bool_t timer_lock(struct timer *timer)
++static inline bool_t timer_lock_unsafe(struct timer *timer)
+ {
+ unsigned int cpu;
+
+@@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer)
+ rcu_read_unlock(&timer_cpu_read_lock);
+ return 0;
+ }
+- spin_lock(&per_cpu(timers, cpu).lock);
++ /* Use the speculation unsafe variant, the wrapper has the barrier. */
++ _spin_lock(&per_cpu(timers, cpu).lock);
+ if ( likely(timer->cpu == cpu) )
+ break;
+ spin_unlock(&per_cpu(timers, cpu).lock);
+@@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer)
+ #define timer_lock_irqsave(t, flags) ({ \
+ bool_t __x; \
+ local_irq_save(flags); \
+- if ( !(__x = timer_lock(t)) ) \
++ if ( !(__x = timer_lock_unsafe(t)) ) \
+ local_irq_restore(flags); \
++ block_lock_speculation(); \
+ __x; \
+ })
+
+diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
+index 8c62b14d19..1b3d285166 100644
+--- a/xen/drivers/passthrough/pci.c
++++ b/xen/drivers/passthrough/pci.c
+@@ -52,9 +52,10 @@ struct pci_seg {
+
+ static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED;
+
+-void pcidevs_lock(void)
++/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */
++void pcidevs_lock_unsafe(void)
+ {
+- spin_lock_recursive(&_pcidevs_lock);
++ _spin_lock_recursive(&_pcidevs_lock);
+ }
+
+ void pcidevs_unlock(void)
+diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h
+index 8eae9984a9..dd96e84c69 100644
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport);
+ #define bucket_from_port(d, p) \
+ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
+
+-static inline void evtchn_read_lock(struct evtchn *evtchn)
++static always_inline void evtchn_read_lock(struct evtchn *evtchn)
+ {
+ read_lock(&evtchn->lock);
+ }
+
+-static inline bool evtchn_read_trylock(struct evtchn *evtchn)
++static always_inline bool evtchn_read_trylock(struct evtchn *evtchn)
+ {
+ return read_trylock(&evtchn->lock);
+ }
+diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h
+index 5975ca2f30..b373f139d1 100644
+--- a/xen/include/xen/pci.h
++++ b/xen/include/xen/pci.h
+@@ -155,8 +155,12 @@ struct pci_dev {
+ * devices, it also sync the access to the msi capability that is not
+ * interrupt handling related (the mask bit register).
+ */
+-
+-void pcidevs_lock(void);
++void pcidevs_lock_unsafe(void);
++static always_inline void pcidevs_lock(void)
++{
++ pcidevs_lock_unsafe();
++ block_lock_speculation();
++}
+ void pcidevs_unlock(void);
+ bool_t __must_check pcidevs_locked(void);
+
+--
+2.44.0
+
diff --git a/0052-x86-mm-add-speculation-barriers-to-open-coded-locks.patch b/0052-x86-mm-add-speculation-barriers-to-open-coded-locks.patch
new file mode 100644
index 0000000..9e20f78
--- /dev/null
+++ b/0052-x86-mm-add-speculation-barriers-to-open-coded-locks.patch
@@ -0,0 +1,73 @@
+From 074b4c8987db235a0b86798810c045f68e4775b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Mon, 4 Mar 2024 18:08:48 +0100
+Subject: [PATCH 52/67] x86/mm: add speculation barriers to open coded locks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a speculation barrier to the clearly identified open-coded lock taking
+functions.
+
+Note that the memory sharing page_lock() replacement (_page_lock()) is left
+as-is, as the code is experimental and not security supported.
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4)
+---
+ xen/arch/x86/include/asm/mm.h | 4 +++-
+ xen/arch/x86/mm.c | 6 ++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h
+index a5d7fdd32e..5845b729c3 100644
+--- a/xen/arch/x86/include/asm/mm.h
++++ b/xen/arch/x86/include/asm/mm.h
+@@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size);
+ * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is
+ * only supported for hvm guests, which do not have PV PTEs updated.
+ */
+-int page_lock(struct page_info *page);
++int page_lock_unsafe(struct page_info *page);
++#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg))
++
+ void page_unlock(struct page_info *page);
+
+ void put_page_type(struct page_info *page);
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 330c4abcd1..8d19d719bd 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -2033,7 +2033,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) {
+ #define current_locked_page_ne_check(x) true
+ #endif
+
+-int page_lock(struct page_info *page)
++int page_lock_unsafe(struct page_info *page)
+ {
+ unsigned long x, nx;
+
+@@ -2094,7 +2094,7 @@ void page_unlock(struct page_info *page)
+ * l3t_lock(), so to avoid deadlock we must avoid grabbing them in
+ * reverse order.
+ */
+-static void l3t_lock(struct page_info *page)
++static always_inline void l3t_lock(struct page_info *page)
+ {
+ unsigned long x, nx;
+
+@@ -2103,6 +2103,8 @@ static void l3t_lock(struct page_info *page)
+ cpu_relax();
+ nx = x | PGT_locked;
+ } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x );
++
++ block_lock_speculation();
+ }
+
+ static void l3t_unlock(struct page_info *page)
+--
+2.44.0
+
diff --git a/0053-x86-protect-conditional-lock-taking-from-speculative.patch b/0053-x86-protect-conditional-lock-taking-from-speculative.patch
new file mode 100644
index 0000000..f0caa24
--- /dev/null
+++ b/0053-x86-protect-conditional-lock-taking-from-speculative.patch
@@ -0,0 +1,216 @@
+From 0ebd2e49bcd0f566ba6b9158555942aab8e41332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Mon, 4 Mar 2024 16:24:21 +0100
+Subject: [PATCH 53/67] x86: protect conditional lock taking from speculative
+ execution
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Conditionally taken locks that use the pattern:
+
+if ( lock )
+ spin_lock(...);
+
+Need an else branch in order to issue an speculation barrier in the else case,
+just like it's done in case the lock needs to be acquired.
+
+eval_nospec() could be used on the condition itself, but that would result in a
+double barrier on the branch where the lock is taken.
+
+Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to
+conditionally take a lock in a speculation safe way.
+
+This is part of XSA-453 / CVE-2024-2193
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406)
+---
+ xen/arch/x86/mm.c | 35 +++++++++++++----------------------
+ xen/arch/x86/mm/mm-locks.h | 9 +++++++++
+ xen/arch/x86/mm/p2m.c | 5 ++---
+ xen/include/xen/spinlock.h | 8 ++++++++
+ 4 files changed, 32 insertions(+), 25 deletions(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 8d19d719bd..d31b8d56ff 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -5023,8 +5023,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v)
+ if ( !l3t )
+ return NULL;
+ UNMAP_DOMAIN_PAGE(l3t);
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) )
+ {
+ l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR);
+@@ -5061,8 +5060,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v)
+ return NULL;
+ }
+ UNMAP_DOMAIN_PAGE(l2t);
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) )
+ {
+ l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR));
+@@ -5100,8 +5098,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v)
+ return NULL;
+ }
+ UNMAP_DOMAIN_PAGE(l1t);
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) )
+ {
+ l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR));
+@@ -5132,6 +5129,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v)
+ do { \
+ if ( locking ) \
+ l3t_lock(page); \
++ else \
++ block_lock_speculation(); \
+ } while ( false )
+
+ #define L3T_UNLOCK(page) \
+@@ -5347,8 +5346,7 @@ int map_pages_to_xen(
+ if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL )
+ flush_flags |= FLUSH_TLB_GLOBAL;
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) &&
+ (l3e_get_flags(*pl3e) & _PAGE_PSE) )
+ {
+@@ -5452,8 +5450,7 @@ int map_pages_to_xen(
+ if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL )
+ flush_flags |= FLUSH_TLB_GLOBAL;
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) &&
+ (l2e_get_flags(*pl2e) & _PAGE_PSE) )
+ {
+@@ -5494,8 +5491,7 @@ int map_pages_to_xen(
+ unsigned long base_mfn;
+ const l1_pgentry_t *l1t;
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+
+ ol2e = *pl2e;
+ /*
+@@ -5549,8 +5545,7 @@ int map_pages_to_xen(
+ unsigned long base_mfn;
+ const l2_pgentry_t *l2t;
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+
+ ol3e = *pl3e;
+ /*
+@@ -5694,8 +5689,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf)
+ l3e_get_flags(*pl3e)));
+ UNMAP_DOMAIN_PAGE(l2t);
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) &&
+ (l3e_get_flags(*pl3e) & _PAGE_PSE) )
+ {
+@@ -5754,8 +5748,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf)
+ l2e_get_flags(*pl2e) & ~_PAGE_PSE));
+ UNMAP_DOMAIN_PAGE(l1t);
+
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+ if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) &&
+ (l2e_get_flags(*pl2e) & _PAGE_PSE) )
+ {
+@@ -5799,8 +5792,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf)
+ */
+ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) )
+ continue;
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+
+ /*
+ * L2E may be already cleared, or set to a superpage, by
+@@ -5847,8 +5839,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf)
+ if ( (nf & _PAGE_PRESENT) ||
+ ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) )
+ continue;
+- if ( locking )
+- spin_lock(&map_pgdir_lock);
++ spin_lock_if(locking, &map_pgdir_lock);
+
+ /*
+ * L3E may be already cleared, or set to a superpage, by
+diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h
+index 265239c49f..3ea2d8eb03 100644
+--- a/xen/arch/x86/mm/mm-locks.h
++++ b/xen/arch/x86/mm/mm-locks.h
+@@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p)
+ #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock)
+ #define gfn_locked_by_me(p,g) p2m_locked_by_me(p)
+
++static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m,
++ gfn_t gfn, unsigned int order)
++{
++ if ( condition )
++ gfn_lock(p2m, gfn, order);
++ else
++ block_lock_speculation();
++}
++
+ /* PoD lock (per-p2m-table)
+ *
+ * Protects private PoD data structs: entry and cache
+diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
+index b28c899b5e..1fa9e01012 100644
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -292,9 +292,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn,
+ if ( q & P2M_UNSHARE )
+ q |= P2M_ALLOC;
+
+- if ( locked )
+- /* Grab the lock here, don't release until put_gfn */
+- gfn_lock(p2m, gfn, 0);
++ /* Grab the lock here, don't release until put_gfn */
++ gfn_lock_if(locked, p2m, gfn, 0);
+
+ mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL);
+
+diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h
+index daf48fdea7..7e75d0e2e7 100644
+--- a/xen/include/xen/spinlock.h
++++ b/xen/include/xen/spinlock.h
+@@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l)
+ block_lock_speculation(); \
+ })
+
++/* Conditionally take a spinlock in a speculation safe way. */
++static always_inline void spin_lock_if(bool condition, spinlock_t *l)
++{
++ if ( condition )
++ _spin_lock(l);
++ block_lock_speculation();
++}
++
+ #define spin_unlock(l) _spin_unlock(l)
+ #define spin_unlock_irq(l) _spin_unlock_irq(l)
+ #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f)
+--
+2.44.0
+
diff --git a/0054-tools-ipxe-update-for-fixing-build-with-GCC12.patch b/0054-tools-ipxe-update-for-fixing-build-with-GCC12.patch
new file mode 100644
index 0000000..90efaf8
--- /dev/null
+++ b/0054-tools-ipxe-update-for-fixing-build-with-GCC12.patch
@@ -0,0 +1,33 @@
+From a01c0b0f9691a8350e74938329892f949669119e Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Wed, 27 Mar 2024 12:27:03 +0100
+Subject: [PATCH 54/67] tools: ipxe: update for fixing build with GCC12
+
+Use a snapshot which includes commit
+b0ded89e917b48b73097d3b8b88dfa3afb264ed0 ("[build] Disable dangling
+pointer checking for GCC"), which fixes build with gcc12.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: 18a36b4a9b088875486cfe33a2d4a8ae7eb4ab47
+master date: 2023-04-25 23:47:45 +0100
+---
+ tools/firmware/etherboot/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
+index 4bc3633ba3..7a56fe8014 100644
+--- a/tools/firmware/etherboot/Makefile
++++ b/tools/firmware/etherboot/Makefile
+@@ -11,7 +11,7 @@ IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
+ endif
+
+ # put an updated tar.gz on xenbits after changes to this variable
+-IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
++IPXE_GIT_TAG := 1d1cf74a5e58811822bee4b3da3cff7282fcdfca
+
+ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
+
+--
+2.44.0
+
diff --git a/0055-x86-mm-use-block_lock_speculation-in-_mm_write_lock.patch b/0055-x86-mm-use-block_lock_speculation-in-_mm_write_lock.patch
new file mode 100644
index 0000000..719234c
--- /dev/null
+++ b/0055-x86-mm-use-block_lock_speculation-in-_mm_write_lock.patch
@@ -0,0 +1,35 @@
+From a153b8b42e9027ba3057bc7c8bf55e4d71e86ec3 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Wed, 27 Mar 2024 12:28:24 +0100
+Subject: [PATCH 55/67] x86/mm: use block_lock_speculation() in
+ _mm_write_lock()
+
+I can only guess that using block_speculation() there was a leftover
+from, earlier on, SPECULATIVE_HARDEN_LOCK depending on
+SPECULATIVE_HARDEN_BRANCH.
+
+Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+master commit: 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430
+master date: 2024-03-18 13:53:37 +0100
+---
+ xen/arch/x86/mm/mm-locks.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h
+index 3ea2d8eb03..7d6e4d2a7c 100644
+--- a/xen/arch/x86/mm/mm-locks.h
++++ b/xen/arch/x86/mm/mm-locks.h
+@@ -150,7 +150,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l,
+ _set_lock_level(_lock_level(d, level));
+ }
+ else
+- block_speculation();
++ block_lock_speculation();
+ l->recurse_count++;
+ }
+
+--
+2.44.0
+
diff --git a/0056-x86-boot-Fix-setup_apic_nmi_watchdog-to-fail-more-cl.patch b/0056-x86-boot-Fix-setup_apic_nmi_watchdog-to-fail-more-cl.patch
new file mode 100644
index 0000000..5d549c1
--- /dev/null
+++ b/0056-x86-boot-Fix-setup_apic_nmi_watchdog-to-fail-more-cl.patch
@@ -0,0 +1,120 @@
+From 471b53c6a092940f3629990d9ca946aa22bd8535 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 27 Mar 2024 12:29:11 +0100
+Subject: [PATCH 56/67] x86/boot: Fix setup_apic_nmi_watchdog() to fail more
+ cleanly
+
+Right now, if the user requests the watchdog on the command line,
+setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog
+worked. Reuse nmi_perfctr_msr to identify when the watchdog has been
+configured.
+
+Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity
+checks are complete. Turn setup_p4_watchdog() into a void function, matching
+the others.
+
+If the watchdog isn't set up, inform the user and override to NMI_NONE, which
+will prevent check_nmi_watchdog() from claiming that all CPUs are stuck.
+
+e.g.:
+
+ (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0
+ (XEN) Failed to configure NMI watchdog
+ (XEN) Brought up 512 CPUs
+ (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: f658321374687c7339235e1ac643e0427acff717
+master date: 2024-03-19 18:29:37 +0000
+---
+ xen/arch/x86/nmi.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c
+index 7656023748..7c9591b65e 100644
+--- a/xen/arch/x86/nmi.c
++++ b/xen/arch/x86/nmi.c
+@@ -323,8 +323,6 @@ static void setup_p6_watchdog(unsigned counter)
+ {
+ unsigned int evntsel;
+
+- nmi_perfctr_msr = MSR_P6_PERFCTR(0);
+-
+ if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa )
+ nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK);
+ if ( !nmi_p6_event_width )
+@@ -334,6 +332,8 @@ static void setup_p6_watchdog(unsigned counter)
+ nmi_p6_event_width > BITS_PER_LONG )
+ return;
+
++ nmi_perfctr_msr = MSR_P6_PERFCTR(0);
++
+ clear_msr_range(MSR_P6_EVNTSEL(0), 2);
+ clear_msr_range(MSR_P6_PERFCTR(0), 2);
+
+@@ -349,13 +349,13 @@ static void setup_p6_watchdog(unsigned counter)
+ wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0);
+ }
+
+-static int setup_p4_watchdog(void)
++static void setup_p4_watchdog(void)
+ {
+ uint64_t misc_enable;
+
+ rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable);
+ if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL))
+- return 0;
++ return;
+
+ nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0;
+ nmi_p4_cccr_val = P4_NMI_IQ_CCCR0;
+@@ -378,13 +378,12 @@ static int setup_p4_watchdog(void)
+ clear_msr_range(0x3E0, 2);
+ clear_msr_range(MSR_P4_BPU_CCCR0, 18);
+ clear_msr_range(MSR_P4_BPU_PERFCTR0, 18);
+-
++
+ wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0);
+ wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE);
+ write_watchdog_counter("P4_IQ_COUNTER0");
+ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val);
+- return 1;
+ }
+
+ void setup_apic_nmi_watchdog(void)
+@@ -399,8 +398,6 @@ void setup_apic_nmi_watchdog(void)
+ case 0xf ... 0x19:
+ setup_k7_watchdog();
+ break;
+- default:
+- return;
+ }
+ break;
+ case X86_VENDOR_INTEL:
+@@ -411,14 +408,16 @@ void setup_apic_nmi_watchdog(void)
+ : CORE_EVENT_CPU_CLOCKS_NOT_HALTED);
+ break;
+ case 15:
+- if (!setup_p4_watchdog())
+- return;
++ setup_p4_watchdog();
+ break;
+- default:
+- return;
+ }
+ break;
+- default:
++ }
++
++ if ( nmi_perfctr_msr == 0 )
++ {
++ printk(XENLOG_WARNING "Failed to configure NMI watchdog\n");
++ nmi_watchdog = NMI_NONE;
+ return;
+ }
+
+--
+2.44.0
+
diff --git a/0057-x86-PoD-tie-together-P2M-update-and-increment-of-ent.patch b/0057-x86-PoD-tie-together-P2M-update-and-increment-of-ent.patch
new file mode 100644
index 0000000..dedc1c2
--- /dev/null
+++ b/0057-x86-PoD-tie-together-P2M-update-and-increment-of-ent.patch
@@ -0,0 +1,61 @@
+From bfb69205376d94ff91b09a337c47fb665ee12da3 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Wed, 27 Mar 2024 12:29:33 +0100
+Subject: [PATCH 57/67] x86/PoD: tie together P2M update and increment of entry
+ count
+
+When not holding the PoD lock across the entire region covering P2M
+update and stats update, the entry count - if to be incorrect at all -
+should indicate too large a value in preference to a too small one, to
+avoid functions bailing early when they find the count is zero. However,
+instead of moving the increment ahead (and adjust back upon failure),
+extend the PoD-locked region.
+
+Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: George Dunlap <george.dunlap@cloud.com>
+master commit: cc950c49ae6a6690f7fc3041a1f43122c250d250
+master date: 2024-03-21 09:48:10 +0100
+---
+ xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
+index 99dbcb3101..e903db9d93 100644
+--- a/xen/arch/x86/mm/p2m-pod.c
++++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -1370,19 +1370,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l,
+ }
+ }
+
++ /*
++ * P2M update and stats increment need to collectively be under PoD lock,
++ * to prevent code elsewhere observing PoD entry count being zero despite
++ * there actually still being PoD entries (created by the p2m_set_entry()
++ * invocation below).
++ */
++ pod_lock(p2m);
++
+ /* Now, actually do the two-way mapping */
+ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order,
+ p2m_populate_on_demand, p2m->default_access);
+ if ( rc == 0 )
+ {
+- pod_lock(p2m);
+ p2m->pod.entry_count += 1UL << order;
+ p2m->pod.entry_count -= pod_count;
+ BUG_ON(p2m->pod.entry_count < 0);
+- pod_unlock(p2m);
++ }
++
++ pod_unlock(p2m);
+
++ if ( rc == 0 )
+ ioreq_request_mapcache_invalidate(d);
+- }
+ else if ( order )
+ {
+ /*
+--
+2.44.0
+
diff --git a/0058-tools-oxenstored-Use-Map-instead-of-Hashtbl-for-quot.patch b/0058-tools-oxenstored-Use-Map-instead-of-Hashtbl-for-quot.patch
new file mode 100644
index 0000000..dfc7f5a
--- /dev/null
+++ b/0058-tools-oxenstored-Use-Map-instead-of-Hashtbl-for-quot.patch
@@ -0,0 +1,143 @@
+From 7abd305607938b846da1a37dd1bda7bf7d47dba5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
+Date: Wed, 31 Jan 2024 10:52:55 +0000
+Subject: [PATCH 58/67] tools/oxenstored: Use Map instead of Hashtbl for quotas
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On a stress test running 1000 VMs flamegraphs have shown that
+`oxenstored` spends a large amount of time in `Hashtbl.copy` and the GC.
+
+Hashtable complexity:
+ * read/write: O(1) average
+ * copy: O(domains) -- copying the entire table
+
+Map complexity:
+ * read/write: O(log n) worst case
+ * copy: O(1) -- a word copy
+
+We always perform at least one 'copy' when processing each xenstore
+packet (regardless whether it is a readonly operation or inside a
+transaction or not), so the actual complexity per packet is:
+ * Hashtbl: O(domains)
+ * Map: O(log domains)
+
+Maps are the clear winner, and a better fit for the immutable xenstore
+tree.
+
+Signed-off-by: Edwin Török <edwin.torok@cloud.com>
+Acked-by: Christian Lindig <christian.lindig@cloud.com>
+(cherry picked from commit b6cf604207fd0a04451a48f2ce6d05fb66c612ab)
+---
+ tools/ocaml/xenstored/quota.ml | 65 ++++++++++++++++++----------------
+ 1 file changed, 34 insertions(+), 31 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml
+index 6e3d6401ae..ee8dd22581 100644
+--- a/tools/ocaml/xenstored/quota.ml
++++ b/tools/ocaml/xenstored/quota.ml
+@@ -23,66 +23,69 @@ let activate = ref true
+ let maxent = ref (1000)
+ let maxsize = ref (2048)
+
++module Domid = struct
++ type t = Xenctrl.domid
++ let compare (a:t) (b:t) = compare a b
++end
++
++module DomidMap = Map.Make(Domid)
++
+ type t = {
+ maxent: int; (* max entities per domU *)
+ maxsize: int; (* max size of data store in one node *)
+- cur: (Xenctrl.domid, int) Hashtbl.t; (* current domains quota *)
++ mutable cur: int DomidMap.t; (* current domains quota *)
+ }
+
+ let to_string quota domid =
+- if Hashtbl.mem quota.cur domid
+- then Printf.sprintf "dom%i quota: %i/%i" domid (Hashtbl.find quota.cur domid) quota.maxent
+- else Printf.sprintf "dom%i quota: not set" domid
++ try
++ Printf.sprintf "dom%i quota: %i/%i" domid (DomidMap.find domid quota.cur) quota.maxent
++ with Not_found ->
++ Printf.sprintf "dom%i quota: not set" domid
+
+ let create () =
+- { maxent = !maxent; maxsize = !maxsize; cur = Hashtbl.create 100; }
++ { maxent = !maxent; maxsize = !maxsize; cur = DomidMap.empty; }
+
+-let copy quota = { quota with cur = (Hashtbl.copy quota.cur) }
++let copy quota = { quota with cur = quota.cur }
+
+-let del quota id = Hashtbl.remove quota.cur id
++let del quota id = { quota with cur = DomidMap.remove id quota.cur }
+
+ let _check quota id size =
+ if size > quota.maxsize then (
+ warn "domain %u err create entry: data too big %d" id size;
+ raise Data_too_big
+ );
+- if id > 0 && Hashtbl.mem quota.cur id then
+- let entry = Hashtbl.find quota.cur id in
++ if id > 0 then
++ try
++ let entry = DomidMap.find id quota.cur in
+ if entry >= quota.maxent then (
+ warn "domain %u cannot create entry: quota reached" id;
+ raise Limit_reached
+ )
++ with Not_found -> ()
+
+ let check quota id size =
+ if !activate then
+ _check quota id size
+
+-let get_entry quota id = Hashtbl.find quota.cur id
++let find_or_zero quota_cur id =
++ try DomidMap.find id quota_cur with Not_found -> 0
+
+-let set_entry quota id nb =
+- if nb = 0
+- then Hashtbl.remove quota.cur id
+- else begin
+- if Hashtbl.mem quota.cur id then
+- Hashtbl.replace quota.cur id nb
+- else
+- Hashtbl.add quota.cur id nb
+- end
++let update_entry quota_cur id diff =
++ let nb = diff + find_or_zero quota_cur id in
++ if nb = 0 then DomidMap.remove id quota_cur
++ else DomidMap.add id nb quota_cur
+
+ let del_entry quota id =
+- try
+- let nb = get_entry quota id in
+- set_entry quota id (nb - 1)
+- with Not_found -> ()
++ quota.cur <- update_entry quota.cur id (-1)
+
+ let add_entry quota id =
+- let nb = try get_entry quota id with Not_found -> 0 in
+- set_entry quota id (nb + 1)
+-
+-let add quota diff =
+- Hashtbl.iter (fun id nb -> set_entry quota id (get_entry quota id + nb)) diff.cur
++ quota.cur <- update_entry quota.cur id (+1)
+
+ let merge orig_quota mod_quota dest_quota =
+- Hashtbl.iter (fun id nb -> let diff = nb - (try get_entry orig_quota id with Not_found -> 0) in
+- if diff <> 0 then
+- set_entry dest_quota id ((try get_entry dest_quota id with Not_found -> 0) + diff)) mod_quota.cur
++ let fold_merge id nb dest =
++ match nb - find_or_zero orig_quota.cur id with
++ | 0 -> dest (* not modified *)
++ | diff -> update_entry dest id diff (* update with [x=x+diff] *)
++ in
++ dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur
++ (* dest_quota = dest_quota + (mod_quota - orig_quota) *)
+--
+2.44.0
+
diff --git a/0059-tools-oxenstored-Make-Quota.t-pure.patch b/0059-tools-oxenstored-Make-Quota.t-pure.patch
new file mode 100644
index 0000000..7616b90
--- /dev/null
+++ b/0059-tools-oxenstored-Make-Quota.t-pure.patch
@@ -0,0 +1,121 @@
+From f38a815a54000ca51ff5165b2863d60b6bbea49c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin.torok@cloud.com>
+Date: Wed, 31 Jan 2024 10:52:56 +0000
+Subject: [PATCH 59/67] tools/oxenstored: Make Quota.t pure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now that we no longer have a hashtable inside we can make Quota.t pure, and
+push the mutable update to its callers. Store.t already had a mutable Quota.t
+field.
+
+No functional change.
+
+Signed-off-by: Edwin Török <edwin.torok@cloud.com>
+Acked-by: Christian Lindig <christian.lindig@cloud.com>
+(cherry picked from commit 098d868e52ac0165b7f36e22b767ea70cef70054)
+---
+ tools/ocaml/xenstored/quota.ml | 8 ++++----
+ tools/ocaml/xenstored/store.ml | 17 ++++++++++-------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml
+index ee8dd22581..b3ab678c72 100644
+--- a/tools/ocaml/xenstored/quota.ml
++++ b/tools/ocaml/xenstored/quota.ml
+@@ -33,7 +33,7 @@ module DomidMap = Map.Make(Domid)
+ type t = {
+ maxent: int; (* max entities per domU *)
+ maxsize: int; (* max size of data store in one node *)
+- mutable cur: int DomidMap.t; (* current domains quota *)
++ cur: int DomidMap.t; (* current domains quota *)
+ }
+
+ let to_string quota domid =
+@@ -76,10 +76,10 @@ let update_entry quota_cur id diff =
+ else DomidMap.add id nb quota_cur
+
+ let del_entry quota id =
+- quota.cur <- update_entry quota.cur id (-1)
++ {quota with cur = update_entry quota.cur id (-1)}
+
+ let add_entry quota id =
+- quota.cur <- update_entry quota.cur id (+1)
++ {quota with cur = update_entry quota.cur id (+1)}
+
+ let merge orig_quota mod_quota dest_quota =
+ let fold_merge id nb dest =
+@@ -87,5 +87,5 @@ let merge orig_quota mod_quota dest_quota =
+ | 0 -> dest (* not modified *)
+ | diff -> update_entry dest id diff (* update with [x=x+diff] *)
+ in
+- dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur
++ {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur}
+ (* dest_quota = dest_quota + (mod_quota - orig_quota) *)
+diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml
+index c94dbf3a62..5dd965db15 100644
+--- a/tools/ocaml/xenstored/store.ml
++++ b/tools/ocaml/xenstored/store.ml
+@@ -85,7 +85,9 @@ let check_owner node connection =
+ raise Define.Permission_denied;
+ end
+
+-let rec recurse fct node = fct node; SymbolMap.iter (fun _ -> recurse fct) node.children
++let rec recurse fct node acc =
++ let acc = fct node acc in
++ SymbolMap.fold (fun _ -> recurse fct) node.children acc
+
+ (** [recurse_filter_map f tree] applies [f] on each node in the tree recursively,
+ possibly removing some nodes.
+@@ -408,7 +410,7 @@ let dump_buffer store = dump_store_buf store.root
+ let set_node store path node orig_quota mod_quota =
+ let root = Path.set_node store.root path node in
+ store.root <- root;
+- Quota.merge orig_quota mod_quota store.quota
++ store.quota <- Quota.merge orig_quota mod_quota store.quota
+
+ let write store perm path value =
+ let node, existing = get_deepest_existing_node store path in
+@@ -422,7 +424,7 @@ let write store perm path value =
+ let root, node_created = path_write store perm path value in
+ store.root <- root;
+ if node_created
+- then Quota.add_entry store.quota owner
++ then store.quota <- Quota.add_entry store.quota owner
+
+ let mkdir store perm path =
+ let node, existing = get_deepest_existing_node store path in
+@@ -431,7 +433,7 @@ let mkdir store perm path =
+ if not (existing || (Perms.Connection.is_dom0 perm)) then Quota.check store.quota owner 0;
+ store.root <- path_mkdir store perm path;
+ if not existing then
+- Quota.add_entry store.quota owner
++ store.quota <- Quota.add_entry store.quota owner
+
+ let rm store perm path =
+ let rmed_node = Path.get_node store.root path in
+@@ -439,7 +441,7 @@ let rm store perm path =
+ | None -> raise Define.Doesnt_exist
+ | Some rmed_node ->
+ store.root <- path_rm store perm path;
+- Node.recurse (fun node -> Quota.del_entry store.quota (Node.get_owner node)) rmed_node
++ store.quota <- Node.recurse (fun node quota -> Quota.del_entry quota (Node.get_owner node)) rmed_node store.quota
+
+ let setperms store perm path nperms =
+ match Path.get_node store.root path with
+@@ -450,8 +452,9 @@ let setperms store perm path nperms =
+ if not ((old_owner = new_owner) || (Perms.Connection.is_dom0 perm)) then
+ raise Define.Permission_denied;
+ store.root <- path_setperms store perm path nperms;
+- Quota.del_entry store.quota old_owner;
+- Quota.add_entry store.quota new_owner
++ store.quota <-
++ let quota = Quota.del_entry store.quota old_owner in
++ Quota.add_entry quota new_owner
+
+ let reset_permissions store domid =
+ Logging.info "store|node" "Cleaning up xenstore ACLs for domid %d" domid;
+--
+2.44.0
+
diff --git a/0060-x86-cpu-policy-Hide-x2APIC-from-PV-guests.patch b/0060-x86-cpu-policy-Hide-x2APIC-from-PV-guests.patch
new file mode 100644
index 0000000..ce2b89d
--- /dev/null
+++ b/0060-x86-cpu-policy-Hide-x2APIC-from-PV-guests.patch
@@ -0,0 +1,90 @@
+From bb27e11c56963e170d1f6d2fbddbc956f7164121 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:17:25 +0200
+Subject: [PATCH 60/67] x86/cpu-policy: Hide x2APIC from PV guests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PV guests can't write to MSR_APIC_BASE (in order to set EXTD), nor can they
+access any of the x2APIC MSR range. Therefore they mustn't see the x2APIC
+CPUID bit saying that they can.
+
+Right now, the host x2APIC flag filters into PV guests, meaning that PV guests
+generally see x2APIC except on Zen1-and-older AMD systems.
+
+Linux works around this by explicitly hiding the bit itself, and filtering
+EXTD out of MSR_APIC_BASE reads. NetBSD behaves more in the spirit of PV
+guests, and entirely ignores the APIC when built as a PV guest.
+
+Change the annotation from !A to !S. This has a consequence of stripping it
+out of both PV featuremasks. However, as existing guests may have seen the
+bit, set it back into the PV Max policy; a VM which saw the bit and is alive
+enough to migrate will have ignored it one way or another.
+
+Hiding x2APIC does change the contents of leaf 0xb, but as the information is
+nonsense to begin with, this is likely an improvement on the status quo.
+
+Xen's blind assumption that APIC_ID = vCPU_ID * 2 isn't interlinked with the
+host's topology structure, where a PV guest may see real host values, and the
+APIC_IDs are useless without an MADT to start with. Dom0 is the only PV VM to
+get an MADT but it's the host one, meaning the two sets of APIC_IDs are from
+different address spaces.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 5420aa165dfa5fe95dd84bb71cb96c15459935b1
+master date: 2024-03-01 20:14:19 +0000
+---
+ xen/arch/x86/cpu-policy.c | 11 +++++++++--
+ xen/include/public/arch-x86/cpufeatureset.h | 2 +-
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c
+index 96c2cee1a8..ed64d56294 100644
+--- a/xen/arch/x86/cpu-policy.c
++++ b/xen/arch/x86/cpu-policy.c
+@@ -559,6 +559,14 @@ static void __init calculate_pv_max_policy(void)
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ fs[i] &= pv_max_featuremask[i];
+
++ /*
++ * Xen at the time of writing (Feb 2024, 4.19 dev cycle) used to leak the
++ * host x2APIC capability into PV guests, but never supported the guest
++ * trying to turn x2APIC mode on. Tolerate an incoming VM which saw the
++ * x2APIC CPUID bit and is alive enough to migrate.
++ */
++ __set_bit(X86_FEATURE_X2APIC, fs);
++
+ /*
+ * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests (functional
+ * availability, or admin choice), hide the feature.
+@@ -837,11 +845,10 @@ void recalculate_cpuid_policy(struct domain *d)
+ }
+
+ /*
+- * Allow the toolstack to set HTT, X2APIC and CMP_LEGACY. These bits
++ * Allow the toolstack to set HTT and CMP_LEGACY. These bits
+ * affect how to interpret topology information in other cpuid leaves.
+ */
+ __set_bit(X86_FEATURE_HTT, max_fs);
+- __set_bit(X86_FEATURE_X2APIC, max_fs);
+ __set_bit(X86_FEATURE_CMP_LEGACY, max_fs);
+
+ /*
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index 113e6cadc1..bc971f3c6f 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -123,7 +123,7 @@ XEN_CPUFEATURE(PCID, 1*32+17) /*H Process Context ID */
+ XEN_CPUFEATURE(DCA, 1*32+18) /* Direct Cache Access */
+ XEN_CPUFEATURE(SSE4_1, 1*32+19) /*A Streaming SIMD Extensions 4.1 */
+ XEN_CPUFEATURE(SSE4_2, 1*32+20) /*A Streaming SIMD Extensions 4.2 */
+-XEN_CPUFEATURE(X2APIC, 1*32+21) /*!A Extended xAPIC */
++XEN_CPUFEATURE(X2APIC, 1*32+21) /*!S Extended xAPIC */
+ XEN_CPUFEATURE(MOVBE, 1*32+22) /*A movbe instruction */
+ XEN_CPUFEATURE(POPCNT, 1*32+23) /*A POPCNT instruction */
+ XEN_CPUFEATURE(TSC_DEADLINE, 1*32+24) /*S TSC Deadline Timer */
+--
+2.44.0
+
diff --git a/0061-x86-cpu-policy-Fix-visibility-of-HTT-CMP_LEGACY-in-m.patch b/0061-x86-cpu-policy-Fix-visibility-of-HTT-CMP_LEGACY-in-m.patch
new file mode 100644
index 0000000..d1b8786
--- /dev/null
+++ b/0061-x86-cpu-policy-Fix-visibility-of-HTT-CMP_LEGACY-in-m.patch
@@ -0,0 +1,85 @@
+From 70ad9c5fdeac4814050080c87e06d44292ecf868 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:18:05 +0200
+Subject: [PATCH 61/67] x86/cpu-policy: Fix visibility of HTT/CMP_LEGACY in max
+ policies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The block in recalculate_cpuid_policy() predates the proper split between
+default and max policies, and was a "slightly max for a toolstack which knows
+about it" capability. It didn't get transformed properly in Xen 4.14.
+
+Because Xen will accept a VM with HTT/CMP_LEGACY seen, they should be visible
+in the max polices. Keep the default policy matching host settings.
+
+This manifested as an incorrectly-rejected migration across XenServer's Xen
+4.13 -> 4.17 upgrade, as Xapi is slowly growing the logic to check a VM
+against the target max policy.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: e2d8a652251660c3252d92b442e1a9c5d6e6a1e9
+master date: 2024-03-01 20:14:19 +0000
+---
+ xen/arch/x86/cpu-policy.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c
+index ed64d56294..24acd12ce2 100644
+--- a/xen/arch/x86/cpu-policy.c
++++ b/xen/arch/x86/cpu-policy.c
+@@ -458,6 +458,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs)
+ raw_cpu_policy.feat.clwb )
+ __set_bit(X86_FEATURE_CLWB, fs);
+ }
++
++ /*
++ * Topology information inside the guest is entirely at the toolstack's
++ * discretion, and bears no relationship to the host we're running on.
++ *
++ * HTT identifies p->basic.lppp as valid
++ * CMP_LEGACY identifies p->extd.nc as valid
++ */
++ __set_bit(X86_FEATURE_HTT, fs);
++ __set_bit(X86_FEATURE_CMP_LEGACY, fs);
+ }
+
+ static void __init guest_common_default_feature_adjustments(uint32_t *fs)
+@@ -512,6 +522,18 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs)
+ __clear_bit(X86_FEATURE_CLWB, fs);
+ }
+
++ /*
++ * Topology information is at the toolstack's discretion so these are
++ * unconditionally set in max, but pick a default which matches the host.
++ */
++ __clear_bit(X86_FEATURE_HTT, fs);
++ if ( cpu_has_htt )
++ __set_bit(X86_FEATURE_HTT, fs);
++
++ __clear_bit(X86_FEATURE_CMP_LEGACY, fs);
++ if ( cpu_has_cmp_legacy )
++ __set_bit(X86_FEATURE_CMP_LEGACY, fs);
++
+ /*
+ * On certain hardware, speculative or errata workarounds can result in
+ * TSX being placed in "force-abort" mode, where it doesn't actually
+@@ -844,13 +866,6 @@ void recalculate_cpuid_policy(struct domain *d)
+ }
+ }
+
+- /*
+- * Allow the toolstack to set HTT and CMP_LEGACY. These bits
+- * affect how to interpret topology information in other cpuid leaves.
+- */
+- __set_bit(X86_FEATURE_HTT, max_fs);
+- __set_bit(X86_FEATURE_CMP_LEGACY, max_fs);
+-
+ /*
+ * 32bit PV domains can't use any Long Mode features, and cannot use
+ * SYSCALL on non-AMD hardware.
+--
+2.44.0
+
diff --git a/0062-xen-virtual-region-Rename-the-start-end-fields.patch b/0062-xen-virtual-region-Rename-the-start-end-fields.patch
new file mode 100644
index 0000000..9dbd5c9
--- /dev/null
+++ b/0062-xen-virtual-region-Rename-the-start-end-fields.patch
@@ -0,0 +1,140 @@
+From 2392e958ec6fd2e48e011781344cf94dee6d6142 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:18:51 +0200
+Subject: [PATCH 62/67] xen/virtual-region: Rename the start/end fields
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... to text_{start,end}. We're about to introduce another start/end pair.
+
+Despite it's name, struct virtual_region has always been a module-ish
+description. Call this out specifically.
+
+As minor cleanup, replace ROUNDUP(x, PAGE_SIZE) with the more concise
+PAGE_ALIGN() ahead of duplicating the example.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: 989556c6f8ca080f5f202417af97d1188b9ba52a
+master date: 2024-03-07 14:24:42 +0000
+---
+ xen/common/livepatch.c | 9 +++++----
+ xen/common/virtual_region.c | 19 ++++++++++---------
+ xen/include/xen/virtual_region.h | 11 +++++++++--
+ 3 files changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
+index a5068a2217..29395f286f 100644
+--- a/xen/common/livepatch.c
++++ b/xen/common/livepatch.c
+@@ -785,8 +785,8 @@ static int prepare_payload(struct payload *payload,
+ region = &payload->region;
+
+ region->symbols_lookup = livepatch_symbols_lookup;
+- region->start = payload->text_addr;
+- region->end = payload->text_addr + payload->text_size;
++ region->text_start = payload->text_addr;
++ region->text_end = payload->text_addr + payload->text_size;
+
+ /* Optional sections. */
+ for ( i = 0; i < BUGFRAME_NR; i++ )
+@@ -823,8 +823,9 @@ static int prepare_payload(struct payload *payload,
+ const void *instr = ALT_ORIG_PTR(a);
+ const void *replacement = ALT_REPL_PTR(a);
+
+- if ( (instr < region->start && instr >= region->end) ||
+- (replacement < region->start && replacement >= region->end) )
++ if ( (instr < region->text_start && instr >= region->text_end) ||
++ (replacement < region->text_start &&
++ replacement >= region->text_end) )
+ {
+ printk(XENLOG_ERR LIVEPATCH "%s Alt patching outside payload: %p\n",
+ elf->name, instr);
+diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c
+index 9f12c30efe..b22ffb75c4 100644
+--- a/xen/common/virtual_region.c
++++ b/xen/common/virtual_region.c
+@@ -11,15 +11,15 @@
+
+ static struct virtual_region core = {
+ .list = LIST_HEAD_INIT(core.list),
+- .start = _stext,
+- .end = _etext,
++ .text_start = _stext,
++ .text_end = _etext,
+ };
+
+ /* Becomes irrelevant when __init sections are cleared. */
+ static struct virtual_region core_init __initdata = {
+ .list = LIST_HEAD_INIT(core_init.list),
+- .start = _sinittext,
+- .end = _einittext,
++ .text_start = _sinittext,
++ .text_end = _einittext,
+ };
+
+ /*
+@@ -39,7 +39,8 @@ const struct virtual_region *find_text_region(unsigned long addr)
+ rcu_read_lock(&rcu_virtual_region_lock);
+ list_for_each_entry_rcu( region, &virtual_region_list, list )
+ {
+- if ( (void *)addr >= region->start && (void *)addr < region->end )
++ if ( (void *)addr >= region->text_start &&
++ (void *)addr < region->text_end )
+ {
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ return region;
+@@ -88,8 +89,8 @@ void relax_virtual_region_perms(void)
+
+ rcu_read_lock(&rcu_virtual_region_lock);
+ list_for_each_entry_rcu( region, &virtual_region_list, list )
+- modify_xen_mappings_lite((unsigned long)region->start,
+- ROUNDUP((unsigned long)region->end, PAGE_SIZE),
++ modify_xen_mappings_lite((unsigned long)region->text_start,
++ PAGE_ALIGN((unsigned long)region->text_end),
+ PAGE_HYPERVISOR_RWX);
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ }
+@@ -100,8 +101,8 @@ void tighten_virtual_region_perms(void)
+
+ rcu_read_lock(&rcu_virtual_region_lock);
+ list_for_each_entry_rcu( region, &virtual_region_list, list )
+- modify_xen_mappings_lite((unsigned long)region->start,
+- ROUNDUP((unsigned long)region->end, PAGE_SIZE),
++ modify_xen_mappings_lite((unsigned long)region->text_start,
++ PAGE_ALIGN((unsigned long)region->text_end),
+ PAGE_HYPERVISOR_RX);
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ }
+diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h
+index d053620711..442a45bf1f 100644
+--- a/xen/include/xen/virtual_region.h
++++ b/xen/include/xen/virtual_region.h
+@@ -9,11 +9,18 @@
+ #include <xen/list.h>
+ #include <xen/symbols.h>
+
++/*
++ * Despite it's name, this is a module(ish) description.
++ *
++ * There's one region for the runtime .text/etc, one region for .init during
++ * boot only, and one region per livepatch.
++ */
+ struct virtual_region
+ {
+ struct list_head list;
+- const void *start; /* Virtual address start. */
+- const void *end; /* Virtual address end. */
++
++ const void *text_start; /* .text virtual address start. */
++ const void *text_end; /* .text virtual address end. */
+
+ /* If this is NULL the default lookup mechanism is used. */
+ symbols_lookup_t *symbols_lookup;
+--
+2.44.0
+
diff --git a/0063-xen-virtual-region-Include-rodata-pointers.patch b/0063-xen-virtual-region-Include-rodata-pointers.patch
new file mode 100644
index 0000000..9f51d4d
--- /dev/null
+++ b/0063-xen-virtual-region-Include-rodata-pointers.patch
@@ -0,0 +1,71 @@
+From 335cbb55567b20df8e8bd2d1b340609e272ddab6 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:19:11 +0200
+Subject: [PATCH 63/67] xen/virtual-region: Include rodata pointers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These are optional. .init doesn't distinguish types of data like this, and
+livepatches don't necesserily have any .rodata either.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: ef969144a425e39f5b214a875b5713d0ea8575fb
+master date: 2024-03-07 14:24:42 +0000
+---
+ xen/common/livepatch.c | 6 ++++++
+ xen/common/virtual_region.c | 2 ++
+ xen/include/xen/virtual_region.h | 3 +++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
+index 29395f286f..28c09ddf58 100644
+--- a/xen/common/livepatch.c
++++ b/xen/common/livepatch.c
+@@ -788,6 +788,12 @@ static int prepare_payload(struct payload *payload,
+ region->text_start = payload->text_addr;
+ region->text_end = payload->text_addr + payload->text_size;
+
++ if ( payload->ro_size )
++ {
++ region->rodata_start = payload->ro_addr;
++ region->rodata_end = payload->ro_addr + payload->ro_size;
++ }
++
+ /* Optional sections. */
+ for ( i = 0; i < BUGFRAME_NR; i++ )
+ {
+diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c
+index b22ffb75c4..9c566f8ec9 100644
+--- a/xen/common/virtual_region.c
++++ b/xen/common/virtual_region.c
+@@ -13,6 +13,8 @@ static struct virtual_region core = {
+ .list = LIST_HEAD_INIT(core.list),
+ .text_start = _stext,
+ .text_end = _etext,
++ .rodata_start = _srodata,
++ .rodata_end = _erodata,
+ };
+
+ /* Becomes irrelevant when __init sections are cleared. */
+diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h
+index 442a45bf1f..dcdc95ba49 100644
+--- a/xen/include/xen/virtual_region.h
++++ b/xen/include/xen/virtual_region.h
+@@ -22,6 +22,9 @@ struct virtual_region
+ const void *text_start; /* .text virtual address start. */
+ const void *text_end; /* .text virtual address end. */
+
++ const void *rodata_start; /* .rodata virtual address start (optional). */
++ const void *rodata_end; /* .rodata virtual address end. */
++
+ /* If this is NULL the default lookup mechanism is used. */
+ symbols_lookup_t *symbols_lookup;
+
+--
+2.44.0
+
diff --git a/0064-x86-livepatch-Relax-permissions-on-rodata-too.patch b/0064-x86-livepatch-Relax-permissions-on-rodata-too.patch
new file mode 100644
index 0000000..bc80769
--- /dev/null
+++ b/0064-x86-livepatch-Relax-permissions-on-rodata-too.patch
@@ -0,0 +1,85 @@
+From c3ff11b11c21777a9b1c616607705f3a7340b391 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:19:36 +0200
+Subject: [PATCH 64/67] x86/livepatch: Relax permissions on rodata too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reinstates the capability to patch .rodata in load/unload hooks, which
+was lost when we stopped using CR0.WP=0 to patch.
+
+This turns out to be rather less of a large TODO than I thought at the time.
+
+Fixes: 8676092a0f16 ("x86/livepatch: Fix livepatch application when CET is active")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+master commit: b083b1c393dc8961acf0959b1d2e0ad459985ae3
+master date: 2024-03-07 14:24:42 +0000
+---
+ xen/arch/x86/livepatch.c | 4 ++--
+ xen/common/virtual_region.c | 12 ++++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
+index ee539f001b..4f76127e1f 100644
+--- a/xen/arch/x86/livepatch.c
++++ b/xen/arch/x86/livepatch.c
+@@ -62,7 +62,7 @@ int arch_livepatch_safety_check(void)
+ int noinline arch_livepatch_quiesce(void)
+ {
+ /*
+- * Relax perms on .text to be RWX, so we can modify them.
++ * Relax perms on .text/.rodata, so we can modify them.
+ *
+ * This relaxes perms globally, but all other CPUs are waiting on us.
+ */
+@@ -75,7 +75,7 @@ int noinline arch_livepatch_quiesce(void)
+ void noinline arch_livepatch_revive(void)
+ {
+ /*
+- * Reinstate perms on .text to be RX. This also cleans out the dirty
++ * Reinstate perms on .text/.rodata. This also cleans out the dirty
+ * bits, which matters when CET Shstk is active.
+ *
+ * The other CPUs waiting for us could in principle have re-walked while
+diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c
+index 9c566f8ec9..aefc08e75f 100644
+--- a/xen/common/virtual_region.c
++++ b/xen/common/virtual_region.c
+@@ -91,9 +91,15 @@ void relax_virtual_region_perms(void)
+
+ rcu_read_lock(&rcu_virtual_region_lock);
+ list_for_each_entry_rcu( region, &virtual_region_list, list )
++ {
+ modify_xen_mappings_lite((unsigned long)region->text_start,
+ PAGE_ALIGN((unsigned long)region->text_end),
+ PAGE_HYPERVISOR_RWX);
++ if ( region->rodata_start )
++ modify_xen_mappings_lite((unsigned long)region->rodata_start,
++ PAGE_ALIGN((unsigned long)region->rodata_end),
++ PAGE_HYPERVISOR_RW);
++ }
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ }
+
+@@ -103,9 +109,15 @@ void tighten_virtual_region_perms(void)
+
+ rcu_read_lock(&rcu_virtual_region_lock);
+ list_for_each_entry_rcu( region, &virtual_region_list, list )
++ {
+ modify_xen_mappings_lite((unsigned long)region->text_start,
+ PAGE_ALIGN((unsigned long)region->text_end),
+ PAGE_HYPERVISOR_RX);
++ if ( region->rodata_start )
++ modify_xen_mappings_lite((unsigned long)region->rodata_start,
++ PAGE_ALIGN((unsigned long)region->rodata_end),
++ PAGE_HYPERVISOR_RO);
++ }
+ rcu_read_unlock(&rcu_virtual_region_lock);
+ }
+ #endif /* CONFIG_X86 */
+--
+2.44.0
+
diff --git a/0065-x86-boot-Improve-the-boot-watchdog-determination-of-.patch b/0065-x86-boot-Improve-the-boot-watchdog-determination-of-.patch
new file mode 100644
index 0000000..4a46326
--- /dev/null
+++ b/0065-x86-boot-Improve-the-boot-watchdog-determination-of-.patch
@@ -0,0 +1,106 @@
+From 846fb984b506135917c2862d2e4607005d6afdeb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:20:09 +0200
+Subject: [PATCH 65/67] x86/boot: Improve the boot watchdog determination of
+ stuck cpus
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Right now, check_nmi_watchdog() has two processing loops over all online CPUs
+using prev_nmi_count as storage.
+
+Use a cpumask_t instead (1/32th as much initdata) and have wait_for_nmis()
+make the determination of whether it is stuck, rather than having both
+functions needing to agree on how many ticks mean stuck.
+
+More importantly though, it means we can use the standard cpumask
+infrastructure, including turning this:
+
+ (XEN) Brought up 512 CPUs
+ (XEN) Testing NMI watchdog on all CPUs: {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511} stuck
+
+into the rather more manageable:
+
+ (XEN) Brought up 512 CPUs
+ (XEN) Testing NMI watchdog on all CPUs: {0-511} stuck
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 9e18f339830c828798aef465556d4029d83476a0
+master date: 2024-03-19 18:29:37 +0000
+---
+ xen/arch/x86/nmi.c | 33 ++++++++++++++-------------------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c
+index 7c9591b65e..dd31034ac8 100644
+--- a/xen/arch/x86/nmi.c
++++ b/xen/arch/x86/nmi.c
+@@ -150,6 +150,8 @@ int nmi_active;
+
+ static void __init cf_check wait_for_nmis(void *p)
+ {
++ cpumask_t *stuck_cpus = p;
++ unsigned int cpu = smp_processor_id();
+ unsigned int start_count = this_cpu(nmi_count);
+ unsigned long ticks = 10 * 1000 * cpu_khz / nmi_hz;
+ unsigned long s, e;
+@@ -158,42 +160,35 @@ static void __init cf_check wait_for_nmis(void *p)
+ do {
+ cpu_relax();
+ if ( this_cpu(nmi_count) >= start_count + 2 )
+- break;
++ return;
++
+ e = rdtsc();
+- } while( e - s < ticks );
++ } while ( e - s < ticks );
++
++ /* Timeout. Mark ourselves as stuck. */
++ cpumask_set_cpu(cpu, stuck_cpus);
+ }
+
+ void __init check_nmi_watchdog(void)
+ {
+- static unsigned int __initdata prev_nmi_count[NR_CPUS];
+- int cpu;
+- bool ok = true;
++ static cpumask_t __initdata stuck_cpus;
+
+ if ( nmi_watchdog == NMI_NONE )
+ return;
+
+ printk("Testing NMI watchdog on all CPUs:");
+
+- for_each_online_cpu ( cpu )
+- prev_nmi_count[cpu] = per_cpu(nmi_count, cpu);
+-
+ /*
+ * Wait at most 10 ticks for 2 watchdog NMIs on each CPU.
+ * Busy-wait on all CPUs: the LAPIC counter that the NMI watchdog
+ * uses only runs while the core's not halted
+ */
+- on_selected_cpus(&cpu_online_map, wait_for_nmis, NULL, 1);
+-
+- for_each_online_cpu ( cpu )
+- {
+- if ( per_cpu(nmi_count, cpu) - prev_nmi_count[cpu] < 2 )
+- {
+- printk(" %d", cpu);
+- ok = false;
+- }
+- }
++ on_selected_cpus(&cpu_online_map, wait_for_nmis, &stuck_cpus, 1);
+
+- printk(" %s\n", ok ? "ok" : "stuck");
++ if ( cpumask_empty(&stuck_cpus) )
++ printk("ok\n");
++ else
++ printk("{%*pbl} stuck\n", CPUMASK_PR(&stuck_cpus));
+
+ /*
+ * Now that we know it works we can reduce NMI frequency to
+--
+2.44.0
+
diff --git a/0066-x86-boot-Support-the-watchdog-on-newer-AMD-systems.patch b/0066-x86-boot-Support-the-watchdog-on-newer-AMD-systems.patch
new file mode 100644
index 0000000..e501861
--- /dev/null
+++ b/0066-x86-boot-Support-the-watchdog-on-newer-AMD-systems.patch
@@ -0,0 +1,48 @@
+From 2777b499f1f6d5cea68f9479f82d055542b822ad Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:20:30 +0200
+Subject: [PATCH 66/67] x86/boot: Support the watchdog on newer AMD systems
+
+The MSRs used by setup_k7_watchdog() are architectural in 64bit. The Unit
+Select (0x76, cycles not in halt state) isn't, but it hasn't changed in 25
+years, making this a trend likely to continue.
+
+Drop the family check. If the Unit Select does happen to change meaning in
+the future, check_nmi_watchdog() will still notice the watchdog not operating
+as expected.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 131892e0dcc1265b621c2b7d844cb9e7c3a4404f
+master date: 2024-03-19 18:29:37 +0000
+---
+ xen/arch/x86/nmi.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c
+index dd31034ac8..c7c51614a6 100644
+--- a/xen/arch/x86/nmi.c
++++ b/xen/arch/x86/nmi.c
+@@ -386,15 +386,12 @@ void setup_apic_nmi_watchdog(void)
+ if ( nmi_watchdog == NMI_NONE )
+ return;
+
+- switch (boot_cpu_data.x86_vendor) {
++ switch ( boot_cpu_data.x86_vendor )
++ {
+ case X86_VENDOR_AMD:
+- switch (boot_cpu_data.x86) {
+- case 6:
+- case 0xf ... 0x19:
+- setup_k7_watchdog();
+- break;
+- }
++ setup_k7_watchdog();
+ break;
++
+ case X86_VENDOR_INTEL:
+ switch (boot_cpu_data.x86) {
+ case 6:
+--
+2.44.0
+
diff --git a/0067-tests-resource-Fix-HVM-guest-in-SHADOW-builds.patch b/0067-tests-resource-Fix-HVM-guest-in-SHADOW-builds.patch
new file mode 100644
index 0000000..5ce4e17
--- /dev/null
+++ b/0067-tests-resource-Fix-HVM-guest-in-SHADOW-builds.patch
@@ -0,0 +1,110 @@
+From 9bc40dbcf9eafccc1923b2555286bf6a2af03b7a Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 2 Apr 2024 16:24:07 +0200
+Subject: [PATCH 67/67] tests/resource: Fix HVM guest in !SHADOW builds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Right now, test-resource always creates HVM Shadow guests. But if Xen has
+SHADOW compiled out, running the test yields:
+
+ $./test-resource
+ XENMEM_acquire_resource tests
+ Test x86 PV
+ Created d1
+ Test grant table
+ Test x86 PVH
+ Skip: 95 - Operation not supported
+
+and doesn't really test HVM guests, but doesn't fail either.
+
+There's nothing paging-mode-specific about this test, so default to HAP if
+possible and provide a more specific message if neither HAP or Shadow are
+available.
+
+As we've got physinfo to hand, also provide more specific message about the
+absence of PV or HVM support.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: 0263dc9069ddb66335c72a159e09050b1600e56a
+master date: 2024-03-01 20:14:19 +0000
+---
+ tools/tests/resource/test-resource.c | 39 ++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/tools/tests/resource/test-resource.c b/tools/tests/resource/test-resource.c
+index 0a950072f9..e2c4ba3478 100644
+--- a/tools/tests/resource/test-resource.c
++++ b/tools/tests/resource/test-resource.c
+@@ -20,6 +20,8 @@ static xc_interface *xch;
+ static xenforeignmemory_handle *fh;
+ static xengnttab_handle *gh;
+
++static xc_physinfo_t physinfo;
++
+ static void test_gnttab(uint32_t domid, unsigned int nr_frames,
+ unsigned long gfn)
+ {
+@@ -172,6 +174,37 @@ static void test_domain_configurations(void)
+
+ printf("Test %s\n", t->name);
+
++#if defined(__x86_64__) || defined(__i386__)
++ if ( t->create.flags & XEN_DOMCTL_CDF_hvm )
++ {
++ if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hvm) )
++ {
++ printf(" Skip: HVM not available\n");
++ continue;
++ }
++
++ /*
++ * On x86, use HAP guests if possible, but skip if neither HAP nor
++ * SHADOW is available.
++ */
++ if ( physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hap )
++ t->create.flags |= XEN_DOMCTL_CDF_hap;
++ else if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_shadow) )
++ {
++ printf(" Skip: Neither HAP or SHADOW available\n");
++ continue;
++ }
++ }
++ else
++ {
++ if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_pv) )
++ {
++ printf(" Skip: PV not available\n");
++ continue;
++ }
++ }
++#endif
++
+ rc = xc_domain_create(xch, &domid, &t->create);
+ if ( rc )
+ {
+@@ -214,6 +247,8 @@ static void test_domain_configurations(void)
+
+ int main(int argc, char **argv)
+ {
++ int rc;
++
+ printf("XENMEM_acquire_resource tests\n");
+
+ xch = xc_interface_open(NULL, NULL, 0);
+@@ -227,6 +262,10 @@ int main(int argc, char **argv)
+ if ( !gh )
+ err(1, "xengnttab_open");
+
++ rc = xc_physinfo(xch, &physinfo);
++ if ( rc )
++ err(1, "Failed to obtain physinfo");
++
+ test_domain_configurations();
+
+ return !!nr_failures;
+--
+2.44.0
+
diff --git a/info.txt b/info.txt
index 0a99509..fa9f510 100644
--- a/info.txt
+++ b/info.txt
@@ -1,6 +1,6 @@
-Xen upstream patchset #0 for 4.17.4-pre
+Xen upstream patchset #1 for 4.17.4-pre
Containing patches from
RELEASE-4.17.3 (07f413d7ffb06eab36045bd19f53555de1cacf62)
to
-staging-4.17 (091466ba55d1e2e75738f751818ace2e3ed08ccf)
+staging-4.17 (9bc40dbcf9eafccc1923b2555286bf6a2af03b7a)