On 19.02.2026 19:45, Daniel P. Smith wrote:
> --- a/xen/drivers/char/console.c
> +++ b/xen/drivers/char/console.c
> @@ -554,7 +554,7 @@ struct domain *console_get_domain(void)
> if ( !d )
> return NULL;
>
> - if ( d->console->input_allowed )
> + if ( !xsm_console_io(XSM_OTHER, d, CONSOLEIO_read) )
> return d;
>
> rcu_unlock_domain(d);
> @@ -595,7 +595,7 @@ static void console_switch_input(void)
> d = rcu_lock_domain_by_id(domid);
> if ( d )
> {
> - if ( !d->console->input_allowed )
> + if ( xsm_console_io(XSM_OTHER, d, CONSOLEIO_read) )
> {
> rcu_unlock_domain(d);
> continue;
At least the latter of these two can be called from an IRQ handler, and can
be called with IRQs off. Flask's avc_audit() looks to be using a spinlock,
which isn't IRQ-safe. (There may be other lock involved; I merely went as far
as I needed to to find the first one.) IOW I fear you can't call
xsm_console_io() from here.
Jan
