On 06/02/2026 6:31 pm, Roger Pau Monne wrote:
> Currently do_kexec_op_internal() will return 0 for unknown hypercalls. Fix
> this by returning -EOPNOTSUPP instead.
>
> Fixes: d046f361dc93 ("Xen Security Modules: XSM")
> Reported-by: Andrew Cooper <[email protected]>
> Signed-off-by: Roger Pau Monné <[email protected]>
Reviewed-by: Andrew Cooper <[email protected]>
> ---
> Arguably the error code for unsupported kexec hypercalls was already wonky
> before the XSM addiiton, as it would return -EINVAL. It's however way
> worse after the XSM addition, as it returns 0.
> ---
> xen/common/kexec.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/xen/common/kexec.c b/xen/common/kexec.c
> index 84fe8c35976e..8f52c5506d4a 100644
> --- a/xen/common/kexec.c
> +++ b/xen/common/kexec.c
> @@ -1217,9 +1217,8 @@ static int do_kexec_op_internal(unsigned long op,
> XEN_GUEST_HANDLE_PARAM(void) uarg,
> bool compat)
> {
> - int ret = -EINVAL;
> + int ret = xsm_kexec(XSM_PRIV);
>
> - ret = xsm_kexec(XSM_PRIV);
> if ( ret )
> return ret;
Personally, I'd just have `int ret;` and leave the xsm_kexec() call as
it was. That leaves the slightly more normal pattern intact.
>
> @@ -1258,6 +1257,10 @@ static int do_kexec_op_internal(unsigned long op,
> case KEXEC_CMD_kexec_status:
> ret = kexec_status(uarg);
> break;
> +
> + default:
> + ret = -EOPNOTSUPP;
> + break;
> }
>
> clear_bit(KEXEC_FLAG_IN_HYPERCALL, &kexec_flags);
