main/xen: upgrade to 4.18.0

main/xen/APKBUILD

 # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xen
-pkgver=4.17.2
-pkgrel=4
+pkgver=4.18.0
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="https://www.xenproject.org/"
 arch="x86_64 armv7 aarch64"
@@ -387,7 +387,7 @@ _POLARSSL_VERSION="1.1.4"
 _TPMEMU_VERSION="0.7.4"
 
 # grep ^IPXE_GIT_TAG tools/firmware/etherboot/Makefile
-_IPXE_GIT_TAG=3c040ad387099483102708bb1839110bc788cefb
+_IPXE_GIT_TAG=1d1cf74a5e58811822bee4b3da3cff7282fcdfca
 
 source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
 	https://xenbits.xen.org/xen-extfiles/gmp-$_GMP_VERSION.tar.bz2
@@ -400,26 +400,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
 	https://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
 	https://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
 
-	xen-stable-4.17-20230920.patch
-
-	xsa440-4.17.patch
-	xsa442-4.17.patch
-	xsa443-4.17-01.patch
-	xsa443-4.17-02.patch
-	xsa443-4.17-03.patch
-	xsa443-4.17-04.patch
-	xsa443-4.17-05.patch
-	xsa443-4.17-06.patch
-	xsa443-4.17-07.patch
-	xsa443-4.17-08.patch
-	xsa443-4.17-09.patch
-	xsa443-4.17-10.patch
-	xsa443-4.17-11.patch
-	xsa444-4.17-1.patch
-	xsa444-4.17-2.patch
-	xsa445-4.17.patch
-	xsa446.patch
-
 	mini-os-__divmoddi4.patch
 	qemu-xen_paths.patch
 
@@ -500,11 +480,6 @@ munge_cflags() {
 	unset LDFLAGS
 	unset LANG
 	unset LC_ALL
-
-	case "$CARCH" in
-	arm*) export CFLAGS="-mcpu=cortex-a15";;
-	aarch64) export CFLAGS="-mcpu=cortex-a53";;
-	esac
 }
 
 # These tasks are added as separate tasks to enable a packager
@@ -697,25 +672,7 @@ qemu() {
 }
 
 sha512sums="
-0bc475483676e4aa27735695f9a8d2821059e7a55984adb8a29badb5c09a4e7cf8ea29cbc9691be616cc0d7a5ee6b6dacc59ba29c2b16e0919ebdf7dfc54201a  xen-4.17.2.tar.gz
-916758f0a8d3eb8a396643a25259f6908f8ec81a0ac7e977592352a088e8de5f40b27b81ae83562cd2f4914ee6775f9cc5efc2250039932e06b5f6943ea3c090  xen-stable-4.17-20230920.patch
-505d1a7b5b5664ae07984900963c1bf13f59be2b910ce7cb076031e6a79aad87e6f1bf7e2cc168f8e4b09aa76ccb18a96209b3528ed7225cebce1fa17ff18ad0  xsa440-4.17.patch
-109f3127382fe5e38e29e2147d2ac730b672b777d370b91d5eec80f90d0ce66963d5b5caea7bf5bb79aff37e93e3c5588872fec96f4a942cf2027bf8bf463f8f  xsa442-4.17.patch
-908723dc968b2b148dc0308b6924eddbad0564968ddfa9bb21428ffcd798c6f2e632edf77c1d35296dd93616a593f76aa52a8b37327a982aaec1d1eef97bbf32  xsa443-4.17-01.patch
-ad4343f2343522e883499b53fa2f159f985edf13e767dd9f6972f56515818b291cf5222a515ff7f204e05b6bd625816a1c26e6463a3ffdadb41c8522939a9c54  xsa443-4.17-02.patch
-ccfa83ab3e8ab324b9321280a4037d543fce21254c72133a8508d6f7cff656c170d3784deca75f6820d4be77fa50341a5b0456d5b5c97a1aefa0f306f9cf775d  xsa443-4.17-03.patch
-25e81972ecf3d69474f4460875104c46c1ba695e93b46b68431783da90c4456ba155c54d13729aee4dd8d2f05c96751b670bb7c844551f3abaa8c0a4f827e9ee  xsa443-4.17-04.patch
-1ab0dabc67a10b43b3f8ca50d3bf4d7a6594c0248b8989845aaea6ad2668eeb72b804b0f9a5f645e2738a645673d4f6e20af25abc6cbee244de5a592b0d2a33e  xsa443-4.17-05.patch
-95f12e7177e6b7bcb7189aaf77a3bea7c107375e77f5dde8de9de4729618195f9fe5eab5ae3efb742fbbacf45235ee5fe567b1b29719b5b2fa32c692c433311f  xsa443-4.17-06.patch
-575f16cfd5937bbd351e635c29d82cf6f650d8d979b0dff9d30d355ec2fa54323ef01bc3c4d0da46da3be872f5bc01574f382dacaa7fa7850e155c2577e71809  xsa443-4.17-07.patch
-2a0237faa6955706f02d291cc4595ed56eabd5d0a6f30c517de2e3088e751b9e1041b8fdb1c344f1ba335a0345b3618f6f045c59cbd6c0315880333df2a263ca  xsa443-4.17-08.patch
-b6b9472bbd6942002314dd0acc165d816c34d156dcf991a01304ee354f9e41b8d896c6c9c0a60d1e0bec6047fe5a7b2f3dc850bce69d53f3e62952009792ac05  xsa443-4.17-09.patch
-e247c6c399c49393418e0c0da4b24fa9cb0d99f22e763b1fc621ca6cac5583b390174356a8d9e06e06cfcd0703e5fb5ff4709e58601ad00a3bf0440b0953cc0e  xsa443-4.17-10.patch
-eff01dd358fa3f55c8f19caea0831adeeedd127d6d4cb8f1c2d77f48a77746c7b17b5abb4c610add2e4b9ab44c362e3d4b9f5e03478e19ed3d4463ac5e536f85  xsa443-4.17-11.patch
-12a3a5916965dab7acfc1859ebfefd025acbe8554f71b9eb0fdae392e7af8a8452d1b492e1ba9929f0ff4cfad692af0fb47ce1ba57291af90e8a04bec0fb1da5  xsa444-4.17-1.patch
-56be5069289b5eb1dff4d078770523b62e0045a9d874806ebdc817c9d19dce98a1688ed2d63c6ffe29c83bd05a9d0e941be79de894f88acb1036ad5b0ab9c06d  xsa444-4.17-2.patch
-42c6094ae9cd1902beb535310fefd408af97241b088b282089b1257fd3d7260cd87481b312680f905e3c11e7c342e2c68bd5fc765a87270752e02865d97881db  xsa445-4.17.patch
-229319de61f83d98b41ff7bf8ac944f7d5283f190ae54ed01087409b2cf42c141455b2a56c28898288db85780587803670671c1f5f446359a1d9767259f975d5  xsa446.patch
+4cc9fd155144045a173c5f8ecc45f149817f1034eec618cb6f8b0494ef2fb5b95c4c60cf0bf4bec4bef8a622c35b6a3cb7dedc38e6d95e726f1611c73ddb3273  xen-4.18.0.tar.gz
 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf  gmp-4.3.2.tar.bz2
 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb  grub-0.97.tar.gz
 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d  lwip-1.3.0.tar.gz
@@ -724,12 +681,12 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad  polarssl-1.1.4-gpl.tgz
 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35  tpm_emulator-0.7.4.tar.gz
 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e  zlib-1.2.3.tar.gz
-4ac1d07ce879a3a8c6c260380258c37f5e4ecddc880b27fb59afc38fbf3718e81b04a4dda2b58fe7a438a23175e00b6179fc067acbc4a75e33d93c4b85ff5d68  ipxe-git-3c040ad387099483102708bb1839110bc788cefb.tar.gz
+e27644cbb030c43e2841058003bedea6deb979ba71591f967e01312527ed869bb863f9a03fc7b5a266752433d30164929ea1b935953a245600ad713c9fb25cb5  ipxe-git-1d1cf74a5e58811822bee4b3da3cff7282fcdfca.tar.gz
 b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52  mini-os-__divmoddi4.patch
-fe3c253d03e1962ca4dd6bccd2e51817075450f51aa66e8ab9673bdd5a530dc08f1ed7817a1271ada028b0c34162f37cd6b24d84334403767caacd8206284cbb  qemu-xen_paths.patch
+15de6a62394ef9f338fbe25a434fe5c3725abef5fd98966b863e14a58dc447014c49ed890c4d469f60d63a0db763f3e84f0407201d71eb9bfe42a00054eee1d8  qemu-xen_paths.patch
 1c9cb24bf67a2e84466572198315d5501627addf1ccd55d8d83df8d77d269a6696cd45e4a55601495168284e3bff58fb39853f56c46aaddd14f6191821678cf6  hotplug-vif-vtrill.patch
 8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812  hotplug-Linux-iscsi-block-handle-lun-1.patch
-6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90  stubdom-hack.patch
+ed0ab25cd1966df7df503d285c17ede434033665d1569f8fb28172f37a10222b30d662e2ea867519eb40843de58dc3a56883d6f66a4fafa0a6ee1056ba72c25d  stubdom-hack.patch
 9430940692d6bfb58b1438e0f5f84cb703fbca9ce9cc157a1313ab1ceff63222a1ae31c991543b20c8fc84300df2b22f4614b27bbff32f82e17f27fcd953143c  xenstored.initd
 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0  xenstored.confd
 1dd04f4bf1890771aa7eef0b6e46f7139487da0907d28dcdbef9fbe335dcf731ca391cfcb175dd82924f637a308de00a69ae981f67348c34f04489ec5e5dc3b7  xenconsoled.initd

main/xen/qemu-xen_paths.patch

 --- a/tools/Makefile
 +++ b/tools/Makefile
-@@ -245,6 +245,7 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi
+@@ -244,6 +244,7 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi
  		$(EXTRA_CFLAGS_QEMU_XEN)" \
  		--extra-ldflags="$(QEMU_UPSTREAM_RPATH)" \
  		--bindir=$(LIBEXEC_BIN) \

main/xen/stubdom-hack.patch

 --- xen-4.15.0.orig/stubdom/Makefile
 +++ xen-4.15.0/stubdom/Makefile
-@@ -186,7 +186,7 @@
+@@ -188,7 +188,7 @@
  	rm $@ -rf || :
  	mv gmp-$(GMP_VERSION) $@
  	#patch -d $@ -p0 < gmp.patch

main/xen/xsa440-4.17.patch

-From 5d8b3d1ec98e56155d9650d7f4a70cd8ba9dc27d Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Fri, 22 Sep 2023 11:32:16 +0100
-Subject: tools/xenstored: domain_entry_fix(): Handle conflicting transaction
-
-The function domain_entry_fix() will be initially called to check if the
-quota is correct before attempt to commit any nodes. So it would be
-possible that accounting is temporarily negative. This is the case
-in the following sequence:
-
-  1) Create 50 nodes
-  2) Start two transactions
-  3) Delete all the nodes in each transaction
-  4) Commit the two transactions
-
-Because the first transaction will have succeed and updated the
-accounting, there is no guarantee that 'd->nbentry + num' will still
-be above 0. So the assert() would be triggered.
-The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
-and fix per domain node accounting") with the assumption that the
-value can't be negative. As this is not true revert to the original
-check but restricted to the path where we don't update. Take the
-opportunity to explain the rationale behind the check.
-
-This CVE-2023-34323 / XSA-440.
-
-Reported-by: Stanislav Uschakow <suschako@amazon.de>
-Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-
-diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
-index aa86892fed9e..6074df210c6e 100644
---- a/tools/xenstore/xenstored_domain.c
-+++ b/tools/xenstore/xenstored_domain.c
-@@ -1094,10 +1094,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
- 	}
- 
- 	cnt = d->nbentry + num;
--	assert(cnt >= 0);
- 
--	if (update)
-+	if (update) {
-+		assert(cnt >= 0);
- 		d->nbentry = cnt;
-+	} else if (cnt < 0) {
-+		/*
-+		 * In a transaction when a node is being added/removed AND
-+		 * the same node has been added/removed outside the
-+		 * transaction in parallel, the result value may be negative.
-+		 * This is no problem, as the transaction will fail due to
-+		 * the resulting conflict. So override 'cnt'.
-+		 */
-+		cnt = 0;
-+	}
- 
- 	return domid_is_unprivileged(domid) ? cnt : 0;
- }

main/xen/xsa442-4.17.patch

-From 5b2ccb60ff22fbff44dd66214c2956a434ee6271 Mon Sep 17 00:00:00 2001
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Tue, 13 Jun 2023 15:01:05 +0200
-Subject: [PATCH] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
-3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
-malfunction (see stale DMA mappings) if some fields of the DTE are updated but
-the IOMMU TLB is not flushed. This has been observed in practice on AMD
-systems.  Due to the lack of guidance from the currently published
-specification this patch aims to increase the flushing done in order to prevent
-device malfunction.
-
-In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
-amd_iommu_flush_device(), flushing all the address space.  Note this requires
-callers to be adjusted in order to pass the DomID on the DTE previous to the
-modification.
-
-Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
-order to avoid the flush.  That's because the device had address translations
-disabled and hence the previous DomID on the DTE is not valid.  Note the
-current logic relies on the entity disabling address translations to also flush
-the TLB of the in use DomID.
-
-Device I/O TLB flushing when ATS are enabled is not covered by the current
-change, as ATS usage is not security supported.
-
-This is XSA-442 / CVE-2023-34326
-
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/drivers/passthrough/amd/iommu.h         |  3 ++-
- xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
- xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
- xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
- xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
- 5 files changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
-index 5429ada58ef5..a58be28bf96d 100644
---- a/xen/drivers/passthrough/amd/iommu.h
-+++ b/xen/drivers/passthrough/amd/iommu.h
-@@ -283,7 +283,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
-                            unsigned int order);
- void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
-                            uint64_t gaddr, unsigned int order);
--void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
-+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
-+                            domid_t domid);
- void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
- void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
- 
-diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
-index 40ddf366bb4d..cb28b36abc38 100644
---- a/xen/drivers/passthrough/amd/iommu_cmd.c
-+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
-@@ -363,10 +363,18 @@ void amd_iommu_flush_pages(struct domain *d,
-     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
- }
- 
--void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
-+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
-+                            domid_t domid)
- {
-     invalidate_dev_table_entry(iommu, bdf);
-     flush_command_buffer(iommu, 0);
-+
-+    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
-+    if ( domid != DOMID_INVALID )
-+    {
-+        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
-+        flush_command_buffer(iommu, 0);
-+    }
- }
- 
- void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
-diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
-index 80a331f546ed..be86bce6fb03 100644
---- a/xen/drivers/passthrough/amd/iommu_guest.c
-+++ b/xen/drivers/passthrough/amd/iommu_guest.c
-@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
- 
- static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
- {
--    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
-+    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
-     struct amd_iommu_dte *gdte, *mdte, *dte_base;
-     struct amd_iommu *iommu = NULL;
-     struct guest_iommu *g_iommu;
-@@ -445,13 +445,14 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
-     req_id = get_dma_requestor_id(iommu->seg, mbdf);
-     dte_base = iommu->dev_table.buffer;
-     mdte = &dte_base[req_id];
-+    prev_domid = mdte->domain_id;
- 
-     spin_lock_irqsave(&iommu->lock, flags);
-     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
- 
-     spin_unlock_irqrestore(&iommu->lock, flags);
- 
--    amd_iommu_flush_device(iommu, req_id);
-+    amd_iommu_flush_device(iommu, req_id, prev_domid);
- 
-     return 0;
- }
-diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
-index 166570648d26..101a60ce1794 100644
---- a/xen/drivers/passthrough/amd/iommu_init.c
-+++ b/xen/drivers/passthrough/amd/iommu_init.c
-@@ -1547,7 +1547,11 @@ static int cf_check _invalidate_all_devices(
-         req_id = ivrs_mappings[bdf].dte_requestor_id;
-         if ( iommu )
-         {
--            amd_iommu_flush_device(iommu, req_id);
-+            /*
-+             * IOMMU TLB flush performed separately (see
-+             * invalidate_all_domain_pages()).
-+             */
-+            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
-             amd_iommu_flush_intremap(iommu, req_id);
-         }
-     }
-diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
-index 94e37755064b..8641b84712a0 100644
---- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
-+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
-@@ -192,10 +192,13 @@ static int __must_check amd_iommu_setup_domain_device(
- 
-         spin_unlock_irqrestore(&iommu->lock, flags);
- 
--        amd_iommu_flush_device(iommu, req_id);
-+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
-+        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
-     }
-     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
-     {
-+        domid_t prev_domid = dte->domain_id;
-+
-         /*
-          * Strictly speaking if the device is the only one with this requestor
-          * ID, it could be allowed to be re-assigned regardless of unity map
-@@ -252,7 +255,7 @@ static int __must_check amd_iommu_setup_domain_device(
- 
-         spin_unlock_irqrestore(&iommu->lock, flags);
- 
--        amd_iommu_flush_device(iommu, req_id);
-+        amd_iommu_flush_device(iommu, req_id, prev_domid);
-     }
-     else
-         spin_unlock_irqrestore(&iommu->lock, flags);
-@@ -421,6 +424,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
-     spin_lock_irqsave(&iommu->lock, flags);
-     if ( dte->tv || dte->v )
-     {
-+        domid_t prev_domid = dte->domain_id;
-+
-         /* See the comment in amd_iommu_setup_device_table(). */
-         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
-         smp_wmb();
-@@ -439,7 +444,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
- 
-         spin_unlock_irqrestore(&iommu->lock, flags);
- 
--        amd_iommu_flush_device(iommu, req_id);
-+        amd_iommu_flush_device(iommu, req_id, prev_domid);
- 
-         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
-                         "domain = %d, paging mode = %d\n",
-@@ -610,7 +615,8 @@ static int cf_check amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
- 
-         spin_unlock_irqrestore(&iommu->lock, flags);
- 
--        amd_iommu_flush_device(iommu, bdf);
-+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
-+        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
-     }
- 
-     if ( amd_iommu_reserve_domain_unity_map(
--- 
-2.42.0
-

main/xen/xsa443-4.17-01.patch

-From 7e48562bf34e90f907491a0595782d2daa1ff3ad Mon Sep 17 00:00:00 2001
-From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Date: Thu, 14 Sep 2023 13:22:50 +0100
-Subject: [PATCH 01/11] libfsimage/xfs: Remove dead code
-
-xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
-that serve no purpose.
-
-This is part of XSA-443 / CVE-2023-34325
-
-Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
- 1 file changed, 18 deletions(-)
-
-diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
-index d735a88e55f3..2800699f5985 100644
---- a/tools/libfsimage/xfs/fsys_xfs.c
-+++ b/tools/libfsimage/xfs/fsys_xfs.c
-@@ -37,7 +37,6 @@ struct xfs_info {
- 	int blklog;
- 	int inopblog;
- 	int agblklog;
--	int agnolog;
- 	unsigned int nextents;
- 	xfs_daddr_t next;
- 	xfs_daddr_t daddr;
-@@ -65,9 +64,7 @@ static struct xfs_info xfs;
- 
- #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
- #define	XFS_INO_OFFSET_BITS	xfs.inopblog
--#define	XFS_INO_AGBNO_BITS	xfs.agblklog
- #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
--#define	XFS_INO_AGNO_BITS	xfs.agnolog
- 
- static inline xfs_agblock_t
- agino2agbno (xfs_agino_t agino)
-@@ -149,20 +146,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
- 	return le32(r->l3) & mask32lo(21);
- }
- 
--static inline int
--xfs_highbit32(xfs_uint32_t v)
--{
--	int i;
--
--	if (--v) {
--		for (i = 0; i < 31; i++, v >>= 1) {
--			if (v == 0)
--				return i;
--		}
--	}
--	return 0;
--}
--
- static int
- isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
- {
-@@ -472,7 +455,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
- 
- 	xfs.inopblog = super.sb_inopblog;
- 	xfs.agblklog = super.sb_agblklog;
--	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
- 
- 	xfs.btnode_ptr0_off =
- 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
--- 
-2.42.0
-

main/xen/xsa443-4.17-02.patch

-From c26327795b78c93f6fa6d5d46e34f59dc4046601 Mon Sep 17 00:00:00 2001
-From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Date: Thu, 14 Sep 2023 13:22:51 +0100
-Subject: [PATCH 02/11] libfsimage/xfs: Amend mask32lo() to allow the value 32
-
-agblklog could plausibly be 32, but that would overflow this shift.
-Perform the shift as ULL and cast to u32 at the end instead.
-
-This is part of XSA-443 / CVE-2023-34325
-
-Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
----
- tools/libfsimage/xfs/fsys_xfs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
-index 2800699f5985..4720bb4505c8 100644
---- a/tools/libfsimage/xfs/fsys_xfs.c
-+++ b/tools/libfsimage/xfs/fsys_xfs.c
-@@ -60,7 +60,7 @@ static struct xfs_info xfs;
- #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
- #define icore		(inode->di_core)
- 
--#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
-+#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
- 
- #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
- #define	XFS_INO_OFFSET_BITS	xfs.inopblog
--- 
-2.42.0
-

main/xen/xsa443-4.17-03.patch

-From 199f0538bbec052028679a55ea512437170854c9 Mon Sep 17 00:00:00 2001
-From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Date: Thu, 14 Sep 2023 13:22:52 +0100
-Subject: [PATCH 03/11] libfsimage/xfs: Sanity-check the superblock during
- mounts
-
-Sanity-check the XFS superblock for wellformedness at the mount handler.
-This forces pygrub to abort parsing a potentially malformed filesystem and
-ensures the invariants assumed throughout the rest of the code hold.
-
-Also, derive parameters from previously sanitized parameters where possible
-(rather than reading them off the superblock)
-
-The code doesn't try to avoid overflowing the end of the disk, because
-that's an unlikely and benign error. Parameters used in calculations of
-xfs_daddr_t (like the root inode index) aren't in critical need of being
-sanitized.
-
-The sanitization of agblklog is basically checking that no obvious
-overflows happen on agblklog, and then ensuring agblocks is contained in
-the range (2^(sb_agblklog-1), 2^sb_agblklog].
-
-This is part of XSA-443 / CVE-2023-34325
-
-Reported-by: Ferdinand Nölscher <noelscher@google.com>
-Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++-------
- tools/libfsimage/xfs/xfs.h      | 12 +++++++++
- 2 files changed, 50 insertions(+), 10 deletions(-)
-
-diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
-index 4720bb4505c8..e4eb7e1ee26f 100644
---- a/tools/libfsimage/xfs/fsys_xfs.c
-+++ b/tools/libfsimage/xfs/fsys_xfs.c
-@@ -17,6 +17,7 @@
-  *  along with this program; If not, see <http://www.gnu.org/licenses/>.
-  */
- 
-+#include <stdbool.h>
- #include <xenfsimage_grub.h>
- #include "xfs.h"
- 
-@@ -433,29 +434,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
- 	return next_dentry (ffi, ino);
- }
- 
-+static bool
-+xfs_sb_is_invalid (const xfs_sb_t *super)
-+{
-+	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
-+	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
-+	        XFS_SB_VERSION_4)
-+	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
-+	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
-+	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
-+	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
-+	    || (super->sb_blocklog < super->sb_inodelog)
-+	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
-+	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
-+	    || (((1ull << super->sb_agblklog) >> 1) >=
-+	        le32(super->sb_agblocks))
-+	    || ((super->sb_blocklog + super->sb_dirblklog) >=
-+	        XFS_SB_DIRBLK_NUMBITS);
-+}
-+
- static int
- xfs_mount (fsi_file_t *ffi, const char *options)
- {
- 	xfs_sb_t super;
- 
- 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
--	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
--	    || ((le16(super.sb_versionnum) 
--		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
-+	    || xfs_sb_is_invalid(&super)) {
- 		return 0;
- 	}
- 
--	xfs.bsize = le32 (super.sb_blocksize);
--	xfs.blklog = super.sb_blocklog;
--	xfs.bdlog = xfs.blklog - SECTOR_BITS;
-+	/*
-+	 * Not sanitized. It's exclusively used to generate disk addresses,
-+	 * so it's not important from a security standpoint.
-+	 */
- 	xfs.rootino = le64 (super.sb_rootino);
--	xfs.isize = le16 (super.sb_inodesize);
--	xfs.agblocks = le32 (super.sb_agblocks);
--	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
- 
--	xfs.inopblog = super.sb_inopblog;
-+	/*
-+	 * Sanitized to be consistent with each other, only used to
-+	 * generate disk addresses, so it's safe
-+	 */
-+	xfs.agblocks = le32 (super.sb_agblocks);
- 	xfs.agblklog = super.sb_agblklog;
- 
-+	/* Derived from sanitized parameters */
-+	xfs.bsize = 1 << super.sb_blocklog;
-+	xfs.blklog = super.sb_blocklog;
-+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
-+	xfs.isize = 1 << super.sb_inodelog;
-+	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
-+	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
-+
- 	xfs.btnode_ptr0_off =
- 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
- 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
-diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
-index 40699281e44d..b87e37d3d7e9 100644
---- a/tools/libfsimage/xfs/xfs.h
-+++ b/tools/libfsimage/xfs/xfs.h
-@@ -134,6 +134,18 @@ typedef struct xfs_sb
-         xfs_uint8_t       sb_dummy[7];    /* padding */
- } xfs_sb_t;
- 
-+/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
-+#define	XFS_SB_DIRBLK_NUMBITS	27
-+/* Implied by the XFS specification. The minimum block size is 512 octets */
-+#define	XFS_SB_BLOCKLOG_MIN	9
-+/* Implied by the XFS specification. The maximum block size is 65536 octets */
-+#define	XFS_SB_BLOCKLOG_MAX	16
-+/* Implied by the XFS specification. The minimum inode size is 256 octets */
-+#define	XFS_SB_INODELOG_MIN	8
-+/* Implied by the XFS specification. The maximum inode size is 2048 octets */
-+#define	XFS_SB_INODELOG_MAX	11
-+/* High bound for sb_agblklog */
-+#define	XFS_SB_AGBLKLOG_MAX	32
- 
- /* those are from xfs_btree.h */
- 
--- 
-2.42.0
-

main/xen/xsa443-4.17-04.patch

-From c66fd01277939634c624c8340838682d9d4fd839 Mon Sep 17 00:00:00 2001
-From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Date: Thu, 14 Sep 2023 13:22:53 +0100
-Subject: [PATCH 04/11] libfsimage/xfs: Add compile-time check to libfsimage
-
-Adds the common tools include folder to the -I compile flags
-of libfsimage. This allows us to use:
-  xen-tools/common-macros.h:BUILD_BUG_ON()
-
-With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
-underflow.
-
-This is part of XSA-443 / CVE-2023-34325
-
-Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- tools/libfsimage/common.mk      | 2 +-
- tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libfsimage/common.mk b/tools/libfsimage/common.mk
-index 4fc8c6679599..e4336837d045 100644
---- a/tools/libfsimage/common.mk
-+++ b/tools/libfsimage/common.mk
-@@ -1,7 +1,7 @@
- include $(XEN_ROOT)/tools/Rules.mk
- 
- FSDIR := $(libdir)/xenfsimage
--CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
-+CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
- CFLAGS += -D_GNU_SOURCE
- LDFLAGS += -L../common/
- 
-diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
-index e4eb7e1ee26f..4a8dd6f2397b 100644
---- a/tools/libfsimage/xfs/fsys_xfs.c
-+++ b/tools/libfsimage/xfs/fsys_xfs.c
-@@ -19,6 +19,7 @@
- 
- #include <stdbool.h>
- #include <xenfsimage_grub.h>
-+#include <xen-tools/libs.h>
- #include "xfs.h"
- 
- #define MAX_LINK_COUNT	8
-@@ -477,9 +478,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
- 	xfs.agblklog = super.sb_agblklog;
- 
- 	/* Derived from sanitized parameters */
-+	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
-+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
- 	xfs.bsize = 1 << super.sb_blocklog;
- 	xfs.blklog = super.sb_blocklog;
--	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
- 	xfs.isize = 1 << super.sb_inodelog;
- 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
- 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
--- 
-2.42.0
-