Currently do_kexec_op_internal() will return 0 for unknown hypercalls. Fix
this by returning -EOPNOTSUPP instead.
Fixes: d046f361dc93 ("Xen Security Modules: XSM")
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Arguably the error code for unsupported kexec hypercalls was already wonky
before the XSM addition, as it would return -EINVAL. It's however way
worse after the XSM addition, as it returns 0.
---
xen/common/kexec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/xen/common/kexec.c b/xen/common/kexec.c
index 84fe8c35976e..8f52c5506d4a 100644
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -1217,9 +1217,8 @@ static int do_kexec_op_internal(unsigned long op,
XEN_GUEST_HANDLE_PARAM(void) uarg,
bool compat)
{
- int ret = -EINVAL;
+ int ret = xsm_kexec(XSM_PRIV);
- ret = xsm_kexec(XSM_PRIV);
if ( ret )
return ret;
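Review bot: On the `int ret = xsm_kexec(XSM_PRIV);` line, the XSM permission check now sits inside a declaration initializer, where an access-control call is easy to overlook when reading the function or reordering its declarations. A plain `int ret;` with `ret = xsm_kexec(XSM_PRIV);` kept as its own statement directly above `if ( ret )` removes the unused -EINVAL initializer just the same. In either form ret is 0 once the check passes, so every switch arm has to assign it; that only holds together with the `default:` arm in the following hunk, so the two changes should not be split.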
@@ -1258,6 +1257,10 @@ static int do_kexec_op_internal(unsigned long op,
case KEXEC_CMD_kexec_status:
ret = kexec_status(uarg);
break;
+
+ default:
+ ret = -EOPNOTSUPP;
+ break;
}
clear_bit(KEXEC_FLAG_IN_HYPERCALL, &kexec_flags);
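Review bot: For the new `default:` arm, the fact that unknown ops returned -EINVAL before the XSM change is recorded only in the note below the `---`, which is dropped when the patch is applied. Callers will see the result for an unknown op move from 0 to -EOPNOTSUPP rather than back to -EINVAL, so a sentence in the commit message saying that this choice is deliberate would help anyone who later bisects a caller that tests for a specific error value. Setting ret and using `break` instead of returning directly is the right shape here, since the `clear_bit(KEXEC_FLAG_IN_HYPERCALL, &kexec_flags);` after the switch is still reached.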
--
2.51.0
On 06/02/2026 6:31 pm, Roger Pau Monne wrote:
> Currently do_kexec_op_internal() will return 0 for unknown hypercalls. Fix
> this by returning -EOPNOTSUPP instead.
>
> Fixes: d046f361dc93 ("Xen Security Modules: XSM")
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> Arguably the error code for unsupported kexec hypercalls was already wonky
> before the XSM addition, as it would return -EINVAL. It's however way
> worse after the XSM addition, as it returns 0.
> ---
> xen/common/kexec.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/xen/common/kexec.c b/xen/common/kexec.c
> index 84fe8c35976e..8f52c5506d4a 100644
> --- a/xen/common/kexec.c
> +++ b/xen/common/kexec.c
> @@ -1217,9 +1217,8 @@ static int do_kexec_op_internal(unsigned long op,
> XEN_GUEST_HANDLE_PARAM(void) uarg,
> bool compat)
> {
> - int ret = -EINVAL;
> + int ret = xsm_kexec(XSM_PRIV);
>
> - ret = xsm_kexec(XSM_PRIV);
> if ( ret )
> return ret;
Personally, I'd just have `int ret;` and leave the xsm_kexec() call as
it was. That leaves the slightly more normal pattern intact.
>
> @@ -1258,6 +1257,10 @@ static int do_kexec_op_internal(unsigned long op,
> case KEXEC_CMD_kexec_status:
> ret = kexec_status(uarg);
> break;
> +
> + default:
> + ret = -EOPNOTSUPP;
> + break;
> }
>
> clear_bit(KEXEC_FLAG_IN_HYPERCALL, &kexec_flags);
On Fri, Feb 06, 2026 at 06:35:32PM +0000, Andrew Cooper wrote:
> On 06/02/2026 6:31 pm, Roger Pau Monne wrote:
> > Currently do_kexec_op_internal() will return 0 for unknown hypercalls. Fix
> > this by returning -EOPNOTSUPP instead.
> >
> > Fixes: d046f361dc93 ("Xen Security Modules: XSM")
> > Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>
> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> > ---
> > Arguably the error code for unsupported kexec hypercalls was already wonky
> > before the XSM addition, as it would return -EINVAL. It's however way
> > worse after the XSM addition, as it returns 0.
> > ---
> > xen/common/kexec.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/xen/common/kexec.c b/xen/common/kexec.c
> > index 84fe8c35976e..8f52c5506d4a 100644
> > --- a/xen/common/kexec.c
> > +++ b/xen/common/kexec.c
> > @@ -1217,9 +1217,8 @@ static int do_kexec_op_internal(unsigned long op,
> > XEN_GUEST_HANDLE_PARAM(void) uarg,
> > bool compat)
> > {
> > - int ret = -EINVAL;
> > + int ret = xsm_kexec(XSM_PRIV);
> >
> > - ret = xsm_kexec(XSM_PRIV);
> > if ( ret )
> > return ret;
>
> Personally, I'd just have `int ret;` and leave the xsm_kexec() call as
> it was. That leaves the slightly more normal pattern intact.
I'm fine with that as it also drops the dead -EINVAL initialization.
Thanks, Roger.