[PATCH v4 01/11] xen: arm: fix len type for guest copy functions
Widen the len argument of copy_to_guest_phys_flush_dcache() and the
copy_to_guest_phys_cb typedef from unsigned int to unsigned long, as
the function can be used to copy large blobs such as the initrd which
may exceed 4GB. Update the internal copy_guest() len argument to
unsigned long accordingly.
Change the type for local variable size in copy_guest() to avoid
compilation error because of type mismatch.
raw_* wrappers above copy_guest() keep returning unsigned long to
avoid type narrowing; it is not an issue for raw_*'s len argument
to remain 'unsigned int' since the assignment to copy_guest()'s wider
unsigned long parameter is safe and there are no raw_* users who
are using a value bigger than what can fit into 'unsigned int'.
Fixes: 2986481b3d9e6 ("xen/arm: guest_copy: Extend the prototype to pass the
vCPU")
Fixes: 5302bd490bea7 ("xen/arm: Introduce copy_to_guest_phys_flush_dcache")
Fixes: d07b7369aa65b ("xen/common: dom0less: introduce common domain-build.c")
Reported-by: Jan Beulich <jbeulich@xxxxxxxx>
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Changes in v4:
- Add Fixes: tags.
- Add "arm:" prefix to commit subject.
- Add Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>.
- Avoid use of min_t.
---
Changes in v3:
- Correct the declaration of copy_to_guest_phys_cb() instead of returning
'unsigned int' to be in sync with len argument; the type of len argument
is changed to 'unsigned long' as initrd could be pretty big and also its
size is stored in 'paddr_t' which is 'unsigned long'.
- Update copy_guest() prototype to avoid truncation bug for len argument.
- Revert prototype changes for raw_* wrappers above copy_guest() as they
should keep returning unsigned long to avoid type narrowing; it is not
an issue for raw_*'s len argument to remain 'unsigned int' since the
assignment to copy_guest()'s wider unsigned long parameter is safe.
- Change the type for local variable size in copy_guest() to avoid
compilation error because of type mismatch.
- Add Reported-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Changes in v2:
- New patch.
---
---
xen/arch/arm/guestcopy.c | 6 +++---
xen/arch/arm/include/asm/guest_access.h | 2 +-
xen/include/xen/fdt-domain-build.h | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c
index fdb06422b8e9..86f1c9d0e318 100644
--- a/xen/arch/arm/guestcopy.c
+++ b/xen/arch/arm/guestcopy.c
@@ -53,7 +53,7 @@ static struct page_info *translate_get_page(copy_info_t info,
uint64_t addr,
return page;
}
-static unsigned long copy_guest(void *buf, uint64_t addr, unsigned int len,
+static unsigned long copy_guest(void *buf, uint64_t addr, unsigned long len,
copy_info_t info, unsigned int flags)
{
/* XXX needs to handle faults */
@@ -65,7 +65,7 @@ static unsigned long copy_guest(void *buf, uint64_t addr,
unsigned int len,
while ( len )
{
void *p;
- unsigned int size = min(len, (unsigned int)PAGE_SIZE - offset);
+ unsigned long size = min(len, PAGE_SIZE + 0UL - offset);
struct page_info *page;
page = translate_get_page(info, addr, flags & COPY_linear,
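Review bot: In the size initialiser, "PAGE_SIZE + 0UL - offset" depends on the "+ 0UL" to promote the second min() argument to unsigned long so that it matches the new type of len, and that reads like a no-op to anyone who does not know why it is there. A one-line comment saying the addition exists only to satisfy min()'s type check, or computing the bytes left in the page in a named unsigned long local first, would keep a later cleanup from removing it and bringing back the type mismatch.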
@@ -136,7 +136,7 @@ unsigned long raw_copy_from_guest(void *to, const void
__user *from,
unsigned long copy_to_guest_phys_flush_dcache(struct domain *d,
paddr_t gpa,
void *buf,
- unsigned int len)
+ unsigned long len)
{
return copy_guest(buf, gpa, len, GPA_INFO(d),
COPY_to_guest | COPY_ipa | COPY_flush_dcache);
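Review bot: The new "unsigned long len" in copy_to_guest_phys_flush_dcache() only gains range on builds where unsigned long is 64 bits wide; on a 32-bit build it is the same width as the unsigned int it replaces, so a length above 4GB still cannot be passed there. The commit message justifies the change with blobs that "may exceed 4GB", so it should either state that the fix is effective on 64-bit builds only or use a type that is 64 bits wide on every build.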
diff --git a/xen/arch/arm/include/asm/guest_access.h
b/xen/arch/arm/include/asm/guest_access.h
index 18c88b70d7ec..c13cbec55b65 100644
--- a/xen/arch/arm/include/asm/guest_access.h
+++ b/xen/arch/arm/include/asm/guest_access.h
@@ -14,7 +14,7 @@ unsigned long raw_clear_guest(void *to, unsigned int len);
unsigned long copy_to_guest_phys_flush_dcache(struct domain *d,
paddr_t gpa,
void *buf,
- unsigned int len);
+ unsigned long len);
int access_guest_memory_by_gpa(struct domain *d, paddr_t gpa, void *buf,
uint32_t size, bool is_write);
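Review bot: The declaration directly below the changed prototype, access_guest_memory_by_gpa(), still takes "uint32_t size", and the commit message explains only why the raw_* wrappers keep their unsigned int len. Please say in the commit message whether access_guest_memory_by_gpa() was left at 32 bits on purpose, so the header does not look half-converted to the next reader.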
diff --git a/xen/include/xen/fdt-domain-build.h
b/xen/include/xen/fdt-domain-build.h
index bc7744270c8f..6ad9e8fd1642 100644
--- a/xen/include/xen/fdt-domain-build.h
+++ b/xen/include/xen/fdt-domain-build.h
@@ -48,7 +48,7 @@ static inline int get_allocation_size(paddr_t size)
typedef unsigned long (*copy_to_guest_phys_cb)(struct domain *d,
paddr_t gpa,
void *buf,
- unsigned int len);
+ unsigned long len);
void initrd_load(struct kernel_info *kinfo,
copy_to_guest_phys_cb cb);
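Review bot: The copy_to_guest_phys_cb typedef lives in a common header (xen/include/xen), yet the diffstat shows only the Arm implementation being updated to "unsigned long len". Every function passed to initrd_load() has to match the new signature, so please confirm that no other architecture provides a callback that still takes unsigned int, or update it in this patch so the series stays bisectable.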
--
2.53.0