* [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets
@ 2026-02-20 21:46 Andrew Cooper
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
` (11 more replies)
0 siblings, 12 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2340465777
This fixes some low hanging fruit. There's still more work to do in both the
x86 and ARM -allcode targets
Andrew Cooper (12):
arm: Use __func__ in acpi_boot_table_init()
xen/treewide: Adjust suffixes on integer literals
xen/argo: Fix MISRA violations around function parameters
xen/treewide: Adjust parameter names and types
x86: Adjust annotations of asm-used identifiers
xen: Include suitable headers to make declarations visible
xen/vmac: Const the key parameter of vmac_set_key()
arm/pci-designware: Fix MISRA violations
x86/shadow: Rework write_atomic() call in shadow_write_entries()
xen: Adjust break/fallthrough statements
xen: Bracket uses of macro parameters
xen/vmac: Delete STDINT block in vmac.h
xen/arch/arm/acpi/boot.c | 4 ++--
xen/arch/arm/gic-v3-its.c | 2 +-
xen/arch/arm/include/asm/pci.h | 2 +-
xen/arch/arm/include/asm/tee/optee_msg.h | 16 +++++++--------
xen/arch/arm/include/asm/tee/optee_smc.h | 8 ++++----
xen/arch/arm/pci/pci-access.c | 10 ++++++----
xen/arch/arm/pci/pci-designware.c | 4 +++-
xen/arch/arm/pci/pci-designware.h | 5 ++---
xen/arch/arm/tee/optee.c | 7 ++++---
xen/arch/x86/boot/cmdline.c | 3 +--
xen/arch/x86/boot/reloc.c | 3 +--
xen/arch/x86/guest/xen/pvh-boot.c | 2 +-
xen/arch/x86/guest/xen/xen.c | 4 ++--
xen/arch/x86/include/asm/bootinfo.h | 2 +-
xen/arch/x86/include/asm/compat.h | 2 +-
xen/arch/x86/include/asm/config.h | 2 +-
xen/arch/x86/include/asm/guest/hyperv.h | 2 +-
xen/arch/x86/include/asm/p2m.h | 2 +-
xen/arch/x86/include/asm/pv/mm.h | 8 +++++++-
xen/arch/x86/include/asm/pv/traps.h | 6 ++----
xen/arch/x86/mm/mem_paging.c | 8 +++++---
xen/arch/x86/mm/shadow/common.c | 2 +-
xen/arch/x86/mm/shadow/multi.c | 2 +-
xen/arch/x86/mm/shadow/set.c | 4 ++--
xen/arch/x86/pv/emul-gate-op.c | 4 +++-
xen/arch/x86/pv/emul-inv-op.c | 1 +
xen/arch/x86/pv/emul-priv-op.c | 1 +
xen/arch/x86/pv/emulate.c | 1 +
xen/arch/x86/pv/grant_table.c | 1 +
xen/arch/x86/pv/hypercall.c | 2 +-
xen/arch/x86/pv/mm.c | 1 +
xen/arch/x86/pv/ro-page-fault.c | 1 +
xen/arch/x86/pv/traps.c | 1 +
xen/arch/x86/tboot.c | 10 +++++-----
xen/arch/x86/traps.c | 3 +--
xen/arch/x86/x86_64/machine_kexec.c | 3 ++-
xen/common/argo.c | 12 ++++++------
xen/common/kimage.c | 11 ++++++-----
xen/common/livepatch.c | 11 ++++++-----
xen/common/stack-protector.c | 1 +
xen/crypto/vmac.c | 12 ++++++------
xen/drivers/char/xhci-dbc.c | 14 ++++++-------
xen/include/crypto/rijndael.h | 16 +++++++--------
xen/include/crypto/vmac.h | 25 +-----------------------
xen/include/xen/acpi.h | 2 +-
xen/include/xen/libfdt/libfdt.h | 6 +++---
xen/include/xen/stack-protector.h | 2 ++
47 files changed, 125 insertions(+), 126 deletions(-)
--
2.39.5
^ permalink raw reply [flat|nested] 39+ messages in thread
* [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init()
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-20 21:58 ` Nicola Vetrini
2026-02-23 8:54 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals Andrew Cooper
` (10 subsequent siblings)
11 siblings, 2 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Elcair rejects __FUNCTION__ as nonstandard syntax and a R1.1 violation.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/acpi/boot.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/arm/acpi/boot.c b/xen/arch/arm/acpi/boot.c
index db5085e15d84..4ac0fd8f51e8 100644
--- a/xen/arch/arm/acpi/boot.c
+++ b/xen/arch/arm/acpi/boot.c
@@ -264,14 +264,14 @@ int __init acpi_boot_table_init(void)
if ( error )
{
printk("%s: Unable to initialize table parser (%d)\n",
- __FUNCTION__, error);
+ __func__, error);
goto disable;
}
error = acpi_table_parse(ACPI_SIG_FADT, acpi_parse_fadt);
if ( error )
{
- printk("%s: FADT not found (%d)\n", __FUNCTION__, error);
+ printk("%s: FADT not found (%d)\n", __func__, error);
goto disable;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 8:57 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters Andrew Cooper
` (9 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Use U where necessary (Misra Rule 7.2) and uppercase L (Misra Rule 7.3).
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/gic-v3-its.c | 2 +-
xen/arch/arm/include/asm/tee/optee_msg.h | 16 ++++++++--------
xen/arch/arm/include/asm/tee/optee_smc.h | 8 ++++----
xen/arch/arm/tee/optee.c | 6 +++---
xen/arch/x86/guest/xen/xen.c | 2 +-
xen/arch/x86/include/asm/config.h | 2 +-
xen/arch/x86/include/asm/guest/hyperv.h | 2 +-
xen/arch/x86/pv/emul-gate-op.c | 2 +-
xen/arch/x86/tboot.c | 4 ++--
xen/drivers/char/xhci-dbc.c | 14 +++++++-------
10 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/xen/arch/arm/gic-v3-its.c b/xen/arch/arm/gic-v3-its.c
index 34833166adcc..9ba068c46fcb 100644
--- a/xen/arch/arm/gic-v3-its.c
+++ b/xen/arch/arm/gic-v3-its.c
@@ -76,7 +76,7 @@ static const struct its_quirk its_quirks[] = {
{
.desc = "R-Car Gen4",
.iidr = 0x0201743b,
- .mask = 0xffffffff,
+ .mask = 0xffffffffU,
.init = gicv3_its_enable_quirk_gen4,
},
{
diff --git a/xen/arch/arm/include/asm/tee/optee_msg.h b/xen/arch/arm/include/asm/tee/optee_msg.h
index fe743dbde3c8..09820ff8638c 100644
--- a/xen/arch/arm/include/asm/tee/optee_msg.h
+++ b/xen/arch/arm/include/asm/tee/optee_msg.h
@@ -222,10 +222,10 @@ struct optee_msg_arg {
* Represented in 4 32-bit words in OPTEE_MSG_UID_0, OPTEE_MSG_UID_1,
* OPTEE_MSG_UID_2, OPTEE_MSG_UID_3.
*/
-#define OPTEE_MSG_UID_0 0x384fb3e0
-#define OPTEE_MSG_UID_1 0xe7f811e3
-#define OPTEE_MSG_UID_2 0xaf630002
-#define OPTEE_MSG_UID_3 0xa5d5c51b
+#define OPTEE_MSG_UID_0 0x384fb3e0U
+#define OPTEE_MSG_UID_1 0xe7f811e3U
+#define OPTEE_MSG_UID_2 0xaf630002U
+#define OPTEE_MSG_UID_3 0xa5d5c51bU
#define OPTEE_MSG_FUNCID_CALLS_UID 0xFF01
/*
@@ -246,10 +246,10 @@ struct optee_msg_arg {
* Returns UUID in 4 32-bit words in the same way as
* OPTEE_MSG_FUNCID_CALLS_UID described above.
*/
-#define OPTEE_MSG_OS_OPTEE_UUID_0 0x486178e0
-#define OPTEE_MSG_OS_OPTEE_UUID_1 0xe7f811e3
-#define OPTEE_MSG_OS_OPTEE_UUID_2 0xbc5e0002
-#define OPTEE_MSG_OS_OPTEE_UUID_3 0xa5d5c51b
+#define OPTEE_MSG_OS_OPTEE_UUID_0 0x486178e0U
+#define OPTEE_MSG_OS_OPTEE_UUID_1 0xe7f811e3U
+#define OPTEE_MSG_OS_OPTEE_UUID_2 0xbc5e0002U
+#define OPTEE_MSG_OS_OPTEE_UUID_3 0xa5d5c51bU
#define OPTEE_MSG_FUNCID_GET_OS_UUID 0x0000
/*
diff --git a/xen/arch/arm/include/asm/tee/optee_smc.h b/xen/arch/arm/include/asm/tee/optee_smc.h
index 2f5c702326f7..39c04eb5ad1b 100644
--- a/xen/arch/arm/include/asm/tee/optee_smc.h
+++ b/xen/arch/arm/include/asm/tee/optee_smc.h
@@ -443,9 +443,9 @@
#define OPTEE_SMC_CALL_RETURN_FROM_RPC \
OPTEE_SMC_STD_CALL_VAL(OPTEE_SMC_FUNCID_RETURN_FROM_RPC)
-#define OPTEE_SMC_RETURN_RPC_PREFIX_MASK 0xFFFF0000
-#define OPTEE_SMC_RETURN_RPC_PREFIX 0xFFFF0000
-#define OPTEE_SMC_RETURN_RPC_FUNC_MASK 0x0000FFFF
+#define OPTEE_SMC_RETURN_RPC_PREFIX_MASK 0xFFFF0000U
+#define OPTEE_SMC_RETURN_RPC_PREFIX 0xFFFF0000U
+#define OPTEE_SMC_RETURN_RPC_FUNC_MASK 0x0000FFFFU
#define OPTEE_SMC_RETURN_GET_RPC_FUNC(ret) \
((ret) & OPTEE_SMC_RETURN_RPC_FUNC_MASK)
@@ -548,7 +548,7 @@
OPTEE_SMC_RPC_VAL(OPTEE_SMC_RPC_FUNC_CMD)
/* Returned in a0 */
-#define OPTEE_SMC_RETURN_UNKNOWN_FUNCTION 0xFFFFFFFF
+#define OPTEE_SMC_RETURN_UNKNOWN_FUNCTION 0xFFFFFFFFU
/* Returned in a0 only from Trusted OS functions */
#define OPTEE_SMC_RETURN_OK 0x0
diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index 5151bd90ed02..699e8d536862 100644
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -49,16 +49,16 @@
#define TEEC_ORIGIN_COMMS 0x00000002
/* "Non-specific cause" as in GP TEE Client API Specification */
-#define TEEC_ERROR_GENERIC 0xFFFF0000
+#define TEEC_ERROR_GENERIC 0xFFFF0000U
/*
* "Input parameters were invalid" as described
* in GP TEE Client API Specification.
*/
-#define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
+#define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006U
/* "System ran out of resources" as in GP TEE Client API Specification */
-#define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
+#define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000CU
/* Client ID 0 is reserved for the hypervisor itself */
#define OPTEE_CLIENT_ID(domain) ((domain)->domain_id + 1)
diff --git a/xen/arch/x86/guest/xen/xen.c b/xen/arch/x86/guest/xen/xen.c
index 77a3a8742a3e..315e5ded05ab 100644
--- a/xen/arch/x86/guest/xen/xen.c
+++ b/xen/arch/x86/guest/xen/xen.c
@@ -120,7 +120,7 @@ static void map_shared_info(void)
/* Mask all upcalls */
for ( i = 0; i < ARRAY_SIZE(XEN_shared_info->evtchn_mask); i++ )
- write_atomic(&XEN_shared_info->evtchn_mask[i], ~0ul);
+ write_atomic(&XEN_shared_info->evtchn_mask[i], ~0UL);
}
static int map_vcpuinfo(void)
diff --git a/xen/arch/x86/include/asm/config.h b/xen/arch/x86/include/asm/config.h
index cc80f2c62310..1b28349a427b 100644
--- a/xen/arch/x86/include/asm/config.h
+++ b/xen/arch/x86/include/asm/config.h
@@ -200,7 +200,7 @@
#ifdef CONFIG_PV32
/* This is not a fixed value, just a lower limit. */
-#define __HYPERVISOR_COMPAT_VIRT_START 0xF5800000
+#define __HYPERVISOR_COMPAT_VIRT_START 0xF5800000U
#define HYPERVISOR_COMPAT_VIRT_START(d) ((d)->arch.pv.hv_compat_vstart)
#else /* !CONFIG_PV32 */
diff --git a/xen/arch/x86/include/asm/guest/hyperv.h b/xen/arch/x86/include/asm/guest/hyperv.h
index c05efdce71a4..dabc62727b44 100644
--- a/xen/arch/x86/include/asm/guest/hyperv.h
+++ b/xen/arch/x86/include/asm/guest/hyperv.h
@@ -11,7 +11,7 @@
#include <xen/types.h>
/* Use top-most MFN for hypercall page */
-#define HV_HCALL_MFN (((1ull << paddr_bits) - 1) >> HV_HYP_PAGE_SHIFT)
+#define HV_HCALL_MFN (((1ULL << paddr_bits) - 1) >> HV_HYP_PAGE_SHIFT)
/*
* The specification says: "The partition reference time is computed
diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c
index dcac0a04015b..1faf13b962b1 100644
--- a/xen/arch/x86/pv/emul-gate-op.c
+++ b/xen/arch/x86/pv/emul-gate-op.c
@@ -32,7 +32,7 @@ static int read_gate_descriptor(unsigned int gate_sel,
return 0;
*sel = (desc.a >> 16) & 0x0000fffc;
- *off = (desc.a & 0x0000ffff) | (desc.b & 0xffff0000);
+ *off = (desc.a & 0x0000ffff) | (desc.b & 0xffff0000U);
*ar = desc.b & 0x0000ffff;
/*
diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
index 9d9bb6e7cf6d..0b3d596690cc 100644
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -41,8 +41,8 @@ static bool __ro_after_init is_vtd;
* TXT configuration registers (offsets from TXT_{PUB, PRIV}_CONFIG_REGS_BASE)
*/
-#define TXT_PUB_CONFIG_REGS_BASE 0xfed30000
-#define TXT_PRIV_CONFIG_REGS_BASE 0xfed20000
+#define TXT_PUB_CONFIG_REGS_BASE 0xfed30000U
+#define TXT_PRIV_CONFIG_REGS_BASE 0xfed20000U
/* # pages for each config regs space - used by fixmap */
#define NR_TXT_CONFIG_PAGES ((TXT_PUB_CONFIG_REGS_BASE - \
diff --git a/xen/drivers/char/xhci-dbc.c b/xen/drivers/char/xhci-dbc.c
index 1f7d4395dc9d..c1ff528de62f 100644
--- a/xen/drivers/char/xhci-dbc.c
+++ b/xen/drivers/char/xhci-dbc.c
@@ -353,8 +353,8 @@ static bool __init dbc_init_xhc(struct dbc *dbc)
cmd = pci_conf_read16(dbc->sbdf, PCI_COMMAND);
pci_conf_write16(dbc->sbdf, PCI_COMMAND, cmd & ~PCI_COMMAND_MEMORY);
- pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_0, 0xFFFFFFFF);
- pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_1, 0xFFFFFFFF);
+ pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_0, 0xFFFFFFFFU);
+ pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_1, 0xFFFFFFFFU);
bar_size = pci_conf_read32(dbc->sbdf, PCI_BASE_ADDRESS_0);
bar_size |= (uint64_t)pci_conf_read32(dbc->sbdf, PCI_BASE_ADDRESS_1) << 32;
xhc_mmio_size = ~(bar_size & PCI_BASE_ADDRESS_MEM_MASK) + 1;
@@ -398,7 +398,7 @@ static struct dbc_reg __iomem *xhci_find_dbc(struct dbc *dbc)
* This is initially an offset to the first capability. All the offsets
* (both in HCCP1 and then next capability pointer) are dword-based.
*/
- next = (readl(hccp1) & 0xFFFF0000) >> 16;
+ next = readl(hccp1) >> 16;
while ( id != DBC_ID && next && ttl-- )
{
@@ -735,7 +735,7 @@ static void dbc_init_ep(uint32_t *ep, uint64_t mbs, uint32_t type,
memset(ep, 0, DBC_CTX_BYTES);
ep[1] = (1024 << 16) | ((uint32_t)mbs << 8) | (type << 3);
- ep[2] = (ring_dma & 0xFFFFFFFF) | 1;
+ ep[2] = (uint32_t)ring_dma | 1;
ep[3] = ring_dma >> 32;
ep[4] = 3 * 1024;
}
@@ -816,7 +816,7 @@ static void dbc_reset_debug_port(struct dbc *dbc)
* This is initially an offset to the first capability. All the offsets
* (both in HCCP1 and then next capability pointer are dword-based.
*/
- next = (readl(hccp1) & 0xFFFF0000) >> 16;
+ next = readl(hccp1) >> 16;
/*
* Look for "supported protocol" capability, major revision 3.
@@ -1094,7 +1094,7 @@ static void dbc_enqueue_in(struct dbc *dbc, struct xhci_trb_ring *trb,
struct dbc_work_ring *wrk)
{
struct dbc_reg *reg = dbc->dbc_reg;
- uint32_t db = (readl(®->db) & 0xFFFF00FF) | (trb->db << 8);
+ uint32_t db = (readl(®->db) & 0xFFFF00FFU) | (trb->db << 8);
/* Check if there is already queued TRB */
if ( xhci_trb_ring_size(trb) >= 1 )
@@ -1289,7 +1289,7 @@ static void cf_check dbc_uart_resume(struct serial_port *port)
struct dbc_uart *uart = port->uart;
struct dbc *dbc = &uart->dbc;
- pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_0, dbc->bar_val & 0xFFFFFFFF);
+ pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_0, dbc->bar_val);
pci_conf_write32(dbc->sbdf, PCI_BASE_ADDRESS_1, dbc->bar_val >> 32);
pci_conf_write16(dbc->sbdf, PCI_COMMAND, dbc->pci_cr);
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
2026-02-20 21:46 ` [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 9:15 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 04/12] xen/treewide: Adjust parameter names and types Andrew Cooper
` (8 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
For the ARM build only, Eclair reports a R8.4 violation because do_argo_op()
cannot see its declaration. This means that x86 is picking hypercall-defs.h
up transitively while ARM is not. Include xen/hypercall.h explicitly.
Eclair also reports a R8.3 violation because of arg3 and arg4 differing in
name with a raw_ prefix. Because hypercall-defs.h generates both do_argo_op()
and compat_argo_op() from a single description, it's not possible to simply
rename to raw_ in the declaration, as that would force doing the same rename
in compat_argo_op().
In do_argo_op(), drop the split parameter handling, and perform the 32bit
range check via an explicit cast. While adjusting the surrounding logic, drop
unnecessary casts to void * for already pointer arguments in argo_printk().
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/common/argo.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/xen/common/argo.c b/xen/common/argo.c
index 029a82825ba8..28626e00a8cb 100644
--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -21,6 +21,7 @@
#include <xen/errno.h>
#include <xen/event.h>
#include <xen/guest_access.h>
+#include <xen/hypercall.h>
#include <xen/lib.h>
#include <xen/nospec.h>
#include <xen/param.h>
@@ -2084,18 +2085,17 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr,
long
do_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1,
- XEN_GUEST_HANDLE_PARAM(void) arg2, unsigned long raw_arg3,
- unsigned long raw_arg4)
+ XEN_GUEST_HANDLE_PARAM(void) arg2, unsigned long arg3,
+ unsigned long arg4)
{
struct domain *currd = current->domain;
long rc;
- unsigned int arg3 = raw_arg3, arg4 = raw_arg4;
argo_dprintk("->do_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd,
- (void *)arg1.p, (void *)arg2.p, raw_arg3, raw_arg4);
+ arg1.p, arg2.p, arg3, arg4);
/* Reject numeric hypercall args outside 32-bit range */
- if ( (arg3 != raw_arg3) || (arg4 != raw_arg4) )
+ if ( (arg3 != (uint32_t)arg3) || (arg4 != (uint32_t)arg4) )
return -EINVAL;
if ( unlikely(!opt_argo) )
@@ -2248,7 +2248,7 @@ compat_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1,
return rc;
argo_dprintk("->compat_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd,
- (void *)arg1.p, (void *)arg2.p, arg3, arg4);
+ arg1.p, arg2.p, arg3, arg4);
send_addr_hnd = guest_handle_cast(arg1, xen_argo_send_addr_t);
/* arg2: iovs, arg3: niov, arg4: message_type */
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 04/12] xen/treewide: Adjust parameter names and types
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (2 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 8:58 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 05/12] x86: Adjust annotations of asm-used identifiers Andrew Cooper
` (7 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
MISRA Rule 8.2 says that parameters must all have names. Rule 8.3 says that
the names and types must match between declaration and definition.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/include/asm/pci.h | 2 +-
xen/arch/arm/pci/pci-access.c | 4 ++--
xen/arch/x86/include/asm/compat.h | 2 +-
xen/arch/x86/include/asm/p2m.h | 2 +-
xen/arch/x86/mm/mem_paging.c | 2 +-
xen/crypto/vmac.c | 2 +-
xen/include/crypto/rijndael.h | 16 ++++++++--------
xen/include/xen/acpi.h | 2 +-
8 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/xen/arch/arm/include/asm/pci.h b/xen/arch/arm/include/asm/pci.h
index 08ffcd443862..73c3be74aef1 100644
--- a/xen/arch/arm/include/asm/pci.h
+++ b/xen/arch/arm/include/asm/pci.h
@@ -98,7 +98,7 @@ struct pci_ecam_ops {
unsigned int bus_shift;
struct pci_ops pci_ops;
int (*cfg_reg_index)(struct dt_device_node *dev);
- int (*init)(struct pci_config_window *);
+ int (*init)(struct pci_config_window *cfg);
};
/* Default ECAM ops */
diff --git a/xen/arch/arm/pci/pci-access.c b/xen/arch/arm/pci/pci-access.c
index 4a9486750199..c0533c00c9a5 100644
--- a/xen/arch/arm/pci/pci-access.c
+++ b/xen/arch/arm/pci/pci-access.c
@@ -135,9 +135,9 @@ static void pci_config_write(pci_sbdf_t sbdf, unsigned int reg,
#define PCI_OP_WRITE(size, type) \
void pci_conf_write##size(pci_sbdf_t sbdf, \
- unsigned int reg, type val) \
+ unsigned int reg, type data) \
{ \
- pci_config_write(sbdf, reg, size / 8, val); \
+ pci_config_write(sbdf, reg, size / 8, data); \
}
#define PCI_OP_READ(size, type) \
diff --git a/xen/arch/x86/include/asm/compat.h b/xen/arch/x86/include/asm/compat.h
index 30ed8f2fd0dc..f12f4f24d802 100644
--- a/xen/arch/x86/include/asm/compat.h
+++ b/xen/arch/x86/include/asm/compat.h
@@ -16,7 +16,7 @@ typedef unsigned long full_ptr_t;
struct domain;
#ifdef CONFIG_PV32
-int switch_compat(struct domain *);
+int switch_compat(struct domain *d);
#else
#include <xen/errno.h>
static inline int switch_compat(struct domain *d) { return -EOPNOTSUPP; }
diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h
index ef6b02ff0bb6..92be64e134e8 100644
--- a/xen/arch/x86/include/asm/p2m.h
+++ b/xen/arch/x86/include/asm/p2m.h
@@ -773,7 +773,7 @@ static inline int relinquish_p2m_mapping(struct domain *d)
*/
/* Modify p2m table for shared gfn */
-int set_shared_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn);
+int set_shared_p2m_entry(struct domain *d, unsigned long gfn_l, mfn_t mfn);
/* Tell xenpaging to drop a paged out frame */
void p2m_mem_paging_drop_page(struct domain *d, gfn_t gfn, p2m_type_t p2mt);
diff --git a/xen/arch/x86/mm/mem_paging.c b/xen/arch/x86/mm/mem_paging.c
index ac8d34ffa074..d4b3cb990c54 100644
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -156,7 +156,7 @@ void p2m_mem_paging_populate(struct domain *d, gfn_t gfn)
*
* If the gfn was dropped the vcpu needs to be unpaused.
*/
-void p2m_mem_paging_resume(struct domain *d, vm_event_response_t *rsp)
+void p2m_mem_paging_resume(struct domain *d, struct vm_event_st *rsp)
{
struct p2m_domain *p2m = p2m_get_hostp2m(d);
p2m_type_t p2mt;
diff --git a/xen/crypto/vmac.c b/xen/crypto/vmac.c
index acb4e015f511..f1f6d75f8eeb 100644
--- a/xen/crypto/vmac.c
+++ b/xen/crypto/vmac.c
@@ -702,7 +702,7 @@ static uint64_t l3hash(uint64_t p1, uint64_t p2,
/* ----------------------------------------------------------------------- */
-void vhash_update(unsigned char *m,
+void vhash_update(unsigned char m[],
unsigned int mbytes, /* Pos multiple of VMAC_NHBYTES */
vmac_ctx_t *ctx)
{
diff --git a/xen/include/crypto/rijndael.h b/xen/include/crypto/rijndael.h
index 4386be587851..80c612749f9e 100644
--- a/xen/include/crypto/rijndael.h
+++ b/xen/include/crypto/rijndael.h
@@ -45,14 +45,14 @@ typedef struct {
u32 dk[4*(AES_MAXROUNDS + 1)]; /* decrypt key schedule */
} rijndael_ctx;
-int rijndael_set_key(rijndael_ctx *, const unsigned char *, int);
-int rijndael_set_key_enc_only(rijndael_ctx *, const unsigned char *, int);
-void rijndael_decrypt(rijndael_ctx *, const unsigned char *, unsigned char *);
-void rijndael_encrypt(rijndael_ctx *, const unsigned char *, unsigned char *);
+int rijndael_set_key(rijndael_ctx *ctx, const unsigned char *key, int bits);
+int rijndael_set_key_enc_only(rijndael_ctx *ctx, const unsigned char *key, int bits);
+void rijndael_decrypt(rijndael_ctx *ctx, const unsigned char *src, unsigned char *dst);
+void rijndael_encrypt(rijndael_ctx *ctx, const unsigned char *src, unsigned char *dst);
-int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
-int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
-void rijndaelEncrypt(const unsigned int [], int, const unsigned char [16],
- unsigned char [16]);
+int rijndaelKeySetupEnc(unsigned int rk[], const unsigned char cipherKey[], int keyBits);
+int rijndaelKeySetupDec(unsigned int rk[], const unsigned char cipkerKey[], int keyBits);
+void rijndaelEncrypt(const unsigned int rk[], int Nr, const unsigned char pt[16],
+ unsigned char ct[16]);
#endif /* __RIJNDAEL_H */
diff --git a/xen/include/xen/acpi.h b/xen/include/xen/acpi.h
index 90635ba0f322..ca87cd15a824 100644
--- a/xen/include/xen/acpi.h
+++ b/xen/include/xen/acpi.h
@@ -75,7 +75,7 @@ typedef int (*acpi_table_handler) (struct acpi_table_header *table);
typedef int (*acpi_table_entry_handler) (struct acpi_subtable_header *header, const unsigned long end);
unsigned int acpi_get_processor_id (unsigned int cpu);
-char * __acpi_map_table (paddr_t phys_addr, unsigned long size);
+char * __acpi_map_table (paddr_t phys, unsigned long size);
bool __acpi_unmap_table(const void *ptr, unsigned long size);
int acpi_boot_init (void);
int acpi_boot_table_init (void);
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 05/12] x86: Adjust annotations of asm-used identifiers
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (3 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 04/12] xen/treewide: Adjust parameter names and types Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 9:21 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 06/12] xen: Include suitable headers to make declarations visible Andrew Cooper
` (6 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
do_entry_int82() is only called by assembly so gains asmlinkage.
pvh_start_info_pa and early_hypercall_insn are data used by assembly, and need
a SAF-1 annotation.
For the remaining SAF-1 anntations on functions, convert them to asmlinkage
for consistency.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/x86/boot/cmdline.c | 3 +--
xen/arch/x86/boot/reloc.c | 3 +--
xen/arch/x86/guest/xen/pvh-boot.c | 2 +-
xen/arch/x86/guest/xen/xen.c | 2 +-
xen/arch/x86/pv/hypercall.c | 2 +-
xen/arch/x86/traps.c | 3 +--
6 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/xen/arch/x86/boot/cmdline.c b/xen/arch/x86/boot/cmdline.c
index 196c580e9151..5db5c7b20bf6 100644
--- a/xen/arch/x86/boot/cmdline.c
+++ b/xen/arch/x86/boot/cmdline.c
@@ -334,8 +334,7 @@ static void vga_parse(const char *cmdline, early_boot_opts_t *ebo)
}
#endif
-/* SAF-1-safe */
-void cmdline_parse_early(const char *cmdline, early_boot_opts_t *ebo)
+void asmlinkage cmdline_parse_early(const char *cmdline, early_boot_opts_t *ebo)
{
if ( !cmdline )
return;
diff --git a/xen/arch/x86/boot/reloc.c b/xen/arch/x86/boot/reloc.c
index 7a375ad41c1c..82c2d237aab6 100644
--- a/xen/arch/x86/boot/reloc.c
+++ b/xen/arch/x86/boot/reloc.c
@@ -346,8 +346,7 @@ static multiboot_info_t *mbi2_reloc(uint32_t mbi_in, memctx *ctx)
return mbi_out;
}
-/* SAF-1-safe */
-void *reloc(uint32_t magic, uint32_t in)
+void *asmlinkage reloc(uint32_t magic, uint32_t in)
{
memctx ctx = { trampoline_phys + TRAMPOLINE_HEAP_END };
diff --git a/xen/arch/x86/guest/xen/pvh-boot.c b/xen/arch/x86/guest/xen/pvh-boot.c
index e14d7e20e942..8d8f4a34e445 100644
--- a/xen/arch/x86/guest/xen/pvh-boot.c
+++ b/xen/arch/x86/guest/xen/pvh-boot.c
@@ -22,7 +22,7 @@
/* Initialised in head.S, before .bss is zeroed. */
bool __initdata pvh_boot;
-uint32_t __initdata pvh_start_info_pa;
+uint32_t __initdata pvh_start_info_pa; /* SAF-1-safe */
static multiboot_info_t __initdata pvh_mbi;
static module_t __initdata pvh_mbi_mods[8];
diff --git a/xen/arch/x86/guest/xen/xen.c b/xen/arch/x86/guest/xen/xen.c
index 315e5ded05ab..8e13c2fbf307 100644
--- a/xen/arch/x86/guest/xen/xen.c
+++ b/xen/arch/x86/guest/xen/xen.c
@@ -40,7 +40,7 @@ DEFINE_PER_CPU(struct vcpu_info *, vcpu_info);
* 0 vmcall
* > 0 vmmcall
*/
-int8_t __initdata early_hypercall_insn = -1;
+int8_t __initdata early_hypercall_insn = -1; /* SAF-1-safe */
/*
* Called once during the first hypercall to figure out which instruction to
diff --git a/xen/arch/x86/pv/hypercall.c b/xen/arch/x86/pv/hypercall.c
index 17581d232e19..b3b9a3255531 100644
--- a/xen/arch/x86/pv/hypercall.c
+++ b/xen/arch/x86/pv/hypercall.c
@@ -180,7 +180,7 @@ void pv_ring1_init_hypercall_page(void *p)
}
}
-void do_entry_int82(struct cpu_user_regs *regs)
+void asmlinkage do_entry_int82(struct cpu_user_regs *regs)
{
if ( unlikely(untrusted_msi) )
check_for_unexpected_msi((uint8_t)regs->entry_vector);
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 3c01c5eb53b5..29ea6054abab 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1336,8 +1336,7 @@ void asmlinkage do_int3(struct cpu_user_regs *regs)
pv_inject_hw_exception(X86_EXC_BP, X86_EVENT_NO_EC);
}
-/* SAF-1-safe */
-void do_general_protection(struct cpu_user_regs *regs)
+void asmlinkage do_general_protection(struct cpu_user_regs *regs)
{
#ifdef CONFIG_PV
struct vcpu *v = current;
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 06/12] xen: Include suitable headers to make declarations visible
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (4 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 05/12] x86: Adjust annotations of asm-used identifiers Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 10:44 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key() Andrew Cooper
` (5 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
A range of functions can't see their declarations, requiring the inclusion of
appropriate headers.
For pv/mm.h and pv/traps.h, this requires adjustements to become standalone.
In pv/mm.h, swap xen/lib.h for xen/bug.h now that ASSERT_UNREACHABLE() has
moved. For pv/traps.h, pv_trap_callback_registered() needs to see a complete
struct vcpu, and xen/sched.h is not something appropriate to pull in
conditionally.
stack-protector.c can't see the declaration of __stack_chk_guard, and fixing
that reveals that stack-protector.h needs get_cycles() too.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/x86/include/asm/pv/mm.h | 8 +++++++-
xen/arch/x86/include/asm/pv/traps.h | 6 ++----
xen/arch/x86/mm/mem_paging.c | 6 ++++--
xen/arch/x86/pv/emul-gate-op.c | 2 ++
xen/arch/x86/pv/emul-inv-op.c | 1 +
xen/arch/x86/pv/emul-priv-op.c | 1 +
xen/arch/x86/pv/emulate.c | 1 +
xen/arch/x86/pv/grant_table.c | 1 +
xen/arch/x86/pv/mm.c | 1 +
xen/arch/x86/pv/ro-page-fault.c | 1 +
xen/arch/x86/pv/traps.c | 1 +
xen/arch/x86/x86_64/machine_kexec.c | 3 ++-
xen/common/stack-protector.c | 1 +
xen/include/xen/stack-protector.h | 2 ++
14 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/xen/arch/x86/include/asm/pv/mm.h b/xen/arch/x86/include/asm/pv/mm.h
index a5745908206a..11a43f15e222 100644
--- a/xen/arch/x86/include/asm/pv/mm.h
+++ b/xen/arch/x86/include/asm/pv/mm.h
@@ -10,6 +10,12 @@
#ifndef __X86_PV_MM_H__
#define __X86_PV_MM_H__
+#include <xen/stdbool.h>
+
+struct cpu_user_regs;
+struct page_info;
+struct vcpu;
+
#ifdef CONFIG_PV
int pv_ro_page_fault(unsigned long addr, struct cpu_user_regs *regs);
@@ -26,7 +32,7 @@ int validate_segdesc_page(struct page_info *page);
#else
#include <xen/errno.h>
-#include <xen/lib.h>
+#include <xen/bug.h>
static inline int pv_ro_page_fault(unsigned long addr,
struct cpu_user_regs *regs)
diff --git a/xen/arch/x86/include/asm/pv/traps.h b/xen/arch/x86/include/asm/pv/traps.h
index 8c31d5a793c5..8c201190923d 100644
--- a/xen/arch/x86/include/asm/pv/traps.h
+++ b/xen/arch/x86/include/asm/pv/traps.h
@@ -10,9 +10,9 @@
#ifndef __X86_PV_TRAPS_H__
#define __X86_PV_TRAPS_H__
-#ifdef CONFIG_PV
+#include <xen/sched.h>
-#include <public/xen.h>
+#ifdef CONFIG_PV
int pv_raise_nmi(struct vcpu *v);
@@ -28,8 +28,6 @@ static inline bool pv_trap_callback_registered(const struct vcpu *v,
#else /* !CONFIG_PV */
-#include <xen/errno.h>
-
static inline int pv_raise_nmi(struct vcpu *v) { return -EOPNOTSUPP; }
static inline int pv_emulate_privileged_op(struct cpu_user_regs *regs) { return 0; }
diff --git a/xen/arch/x86/mm/mem_paging.c b/xen/arch/x86/mm/mem_paging.c
index d4b3cb990c54..33929b526ab9 100644
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -7,10 +7,12 @@
* Copyright (c) 2009 Citrix Systems, Inc. (Patrick Colp)
*/
-
-#include <asm/p2m.h>
#include <xen/guest_access.h>
#include <xen/vm_event.h>
+
+#include <asm/mem_paging.h>
+#include <asm/p2m.h>
+
#include <xsm/xsm.h>
#include "mm-locks.h"
diff --git a/xen/arch/x86/pv/emul-gate-op.c b/xen/arch/x86/pv/emul-gate-op.c
index 1faf13b962b1..c2c699fbff40 100644
--- a/xen/arch/x86/pv/emul-gate-op.c
+++ b/xen/arch/x86/pv/emul-gate-op.c
@@ -9,6 +9,8 @@
#include <xen/err.h>
+#include <asm/pv/traps.h>
+
#include "emulate.h"
static int read_gate_descriptor(unsigned int gate_sel,
diff --git a/xen/arch/x86/pv/emul-inv-op.c b/xen/arch/x86/pv/emul-inv-op.c
index 346ac1124d7b..23d2928b00cd 100644
--- a/xen/arch/x86/pv/emul-inv-op.c
+++ b/xen/arch/x86/pv/emul-inv-op.c
@@ -8,6 +8,7 @@
*/
#include <asm/pv/trace.h>
+#include <asm/pv/traps.h>
#include "emulate.h"
diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 1d9e57ad2763..a3c1fd12621d 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -21,6 +21,7 @@
#include <asm/mc146818rtc.h>
#include <asm/pv/domain.h>
#include <asm/pv/trace.h>
+#include <asm/pv/traps.h>
#include <asm/shared.h>
#include <asm/stubs.h>
diff --git a/xen/arch/x86/pv/emulate.c b/xen/arch/x86/pv/emulate.c
index 0022e0f55e30..a00d1c6c82eb 100644
--- a/xen/arch/x86/pv/emulate.c
+++ b/xen/arch/x86/pv/emulate.c
@@ -10,6 +10,7 @@
#include <xen/guest_access.h>
#include <asm/debugreg.h>
+#include <asm/pv/domain.h>
#include "emulate.h"
diff --git a/xen/arch/x86/pv/grant_table.c b/xen/arch/x86/pv/grant_table.c
index 247436a0156a..1df68440a24a 100644
--- a/xen/arch/x86/pv/grant_table.c
+++ b/xen/arch/x86/pv/grant_table.c
@@ -12,6 +12,7 @@
#include <public/grant_table.h>
#include <asm/p2m.h>
+#include <asm/pv/grant_table.h>
#include <asm/pv/mm.h>
#include "mm.h"
diff --git a/xen/arch/x86/pv/mm.c b/xen/arch/x86/pv/mm.c
index 187f5f6a3e8c..3f2e9dedcde3 100644
--- a/xen/arch/x86/pv/mm.c
+++ b/xen/arch/x86/pv/mm.c
@@ -12,6 +12,7 @@
#include <asm/current.h>
#include <asm/p2m.h>
+#include <asm/pv/mm.h>
#include "mm.h"
diff --git a/xen/arch/x86/pv/ro-page-fault.c b/xen/arch/x86/pv/ro-page-fault.c
index 9c6f66884675..d89306d34fc6 100644
--- a/xen/arch/x86/pv/ro-page-fault.c
+++ b/xen/arch/x86/pv/ro-page-fault.c
@@ -8,6 +8,7 @@
* Copyright (c) 2004 Christian Limpach
*/
+#include <asm/pv/mm.h>
#include <asm/pv/trace.h>
#include <asm/shadow.h>
diff --git a/xen/arch/x86/pv/traps.c b/xen/arch/x86/pv/traps.c
index 26a468108a77..b0395b99145a 100644
--- a/xen/arch/x86/pv/traps.c
+++ b/xen/arch/x86/pv/traps.c
@@ -16,6 +16,7 @@
#include <asm/idt.h>
#include <asm/irq-vectors.h>
#include <asm/pv/trace.h>
+#include <asm/pv/traps.h>
#include <asm/shared.h>
#include <asm/traps.h>
diff --git a/xen/arch/x86/x86_64/machine_kexec.c b/xen/arch/x86/x86_64/machine_kexec.c
index f4a005cd0c2f..f9e54d86fb53 100644
--- a/xen/arch/x86/x86_64/machine_kexec.c
+++ b/xen/arch/x86/x86_64/machine_kexec.c
@@ -6,8 +6,9 @@
* - Magnus Damm <magnus@valinux.co.jp>
*/
-#include <xen/types.h>
#include <xen/kernel.h>
+#include <xen/kexec.h>
+
#include <asm/page.h>
#include <public/kexec.h>
diff --git a/xen/common/stack-protector.c b/xen/common/stack-protector.c
index 2115912c3bd0..05e57d4509e2 100644
--- a/xen/common/stack-protector.c
+++ b/xen/common/stack-protector.c
@@ -2,6 +2,7 @@
#include <xen/init.h>
#include <xen/lib.h>
#include <xen/random.h>
+#include <xen/stack-protector.h>
#include <xen/time.h>
/*
diff --git a/xen/include/xen/stack-protector.h b/xen/include/xen/stack-protector.h
index 931affd919be..65488bdabced 100644
--- a/xen/include/xen/stack-protector.h
+++ b/xen/include/xen/stack-protector.h
@@ -1,6 +1,8 @@
#ifndef __XEN_STACK_PROTECTOR_H__
#define __XEN_STACK_PROTECTOR_H__
+#include <xen/time.h>
+
extern unsigned long __stack_chk_guard;
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key()
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (5 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 06/12] xen: Include suitable headers to make declarations visible Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 10:45 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 08/12] arm/pci-designware: Fix MISRA violations Andrew Cooper
` (4 subsequent siblings)
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Eclair complains that tboot_gen_domain_integrity() is casting away
constness (Rule 11.8 violation).
vmac_set_key() doesn't modify the user_key parameter, so it can become const,
removing the need to cast.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/x86/tboot.c | 6 +++---
xen/crypto/vmac.c | 2 +-
xen/include/crypto/vmac.h | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
index 0b3d596690cc..5ae27f481f94 100644
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -202,7 +202,7 @@ static void tboot_gen_domain_integrity(const uint8_t key[TB_KEY_SIZE],
uint8_t nonce[16] = {};
vmac_ctx_t ctx;
- vmac_set_key((uint8_t *)key, &ctx);
+ vmac_set_key(key, &ctx);
for_each_domain( d )
{
if ( !(d->options & XEN_DOMCTL_CDF_s3_integrity) )
@@ -241,7 +241,7 @@ static void tboot_gen_xenheap_integrity(const uint8_t key[TB_KEY_SIZE],
uint8_t nonce[16] = {};
vmac_ctx_t ctx;
- vmac_set_key((uint8_t *)key, &ctx);
+ vmac_set_key(key, &ctx);
for ( mfn = 0; mfn < max_page; mfn++ )
{
struct page_info *page = mfn_to_page(_mfn(mfn));
@@ -272,7 +272,7 @@ static void tboot_gen_frametable_integrity(const uint8_t key[TB_KEY_SIZE],
uint8_t nonce[16] = {};
vmac_ctx_t ctx;
- vmac_set_key((uint8_t *)key, &ctx);
+ vmac_set_key(key, &ctx);
for ( sidx = 0; ; sidx = nidx )
{
eidx = find_next_zero_bit(pdx_group_valid, max_idx, sidx);
diff --git a/xen/crypto/vmac.c b/xen/crypto/vmac.c
index f1f6d75f8eeb..c9914d2c7c1d 100644
--- a/xen/crypto/vmac.c
+++ b/xen/crypto/vmac.c
@@ -924,7 +924,7 @@ uint64_t vmac(unsigned char m[],
/* ----------------------------------------------------------------------- */
-void vmac_set_key(unsigned char user_key[], vmac_ctx_t *ctx)
+void vmac_set_key(const unsigned char user_key[], vmac_ctx_t *ctx)
{
uint64_t in[2] = {0}, out[2];
unsigned i;
diff --git a/xen/include/crypto/vmac.h b/xen/include/crypto/vmac.h
index 457f3f5dd6da..7574c4a3f328 100644
--- a/xen/include/crypto/vmac.h
+++ b/xen/include/crypto/vmac.h
@@ -161,7 +161,7 @@ uint64_t vhash(unsigned char m[],
* When passed a VMAC_KEY_LEN bit user_key, this function initialazies ctx.
* ----------------------------------------------------------------------- */
-void vmac_set_key(unsigned char user_key[], vmac_ctx_t *ctx);
+void vmac_set_key(const unsigned char user_key[], vmac_ctx_t *ctx);
/* --------------------------------------------------------------------- */
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 08/12] arm/pci-designware: Fix MISRA violations
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (6 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key() Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-20 22:15 ` Nicola Vetrini
2026-02-23 9:00 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries() Andrew Cooper
` (3 subsequent siblings)
11 siblings, 2 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
* Move includes inside the header guards (D4.10)
* Use NULL in preference to 0 (R11.9)
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/pci/pci-designware.c | 2 +-
xen/arch/arm/pci/pci-designware.h | 5 ++---
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/xen/arch/arm/pci/pci-designware.c b/xen/arch/arm/pci/pci-designware.c
index 0bd67524ac8b..6b85213f637b 100644
--- a/xen/arch/arm/pci/pci-designware.c
+++ b/xen/arch/arm/pci/pci-designware.c
@@ -285,7 +285,7 @@ void __iomem *dw_pcie_child_map_bus(struct pci_host_bridge *bridge,
bridge->child_cfg->phys_addr, busdev,
bridge->child_cfg->size);
if ( ret )
- return 0;
+ return NULL;
return bridge->child_cfg->win + where;
}
diff --git a/xen/arch/arm/pci/pci-designware.h b/xen/arch/arm/pci/pci-designware.h
index b9deb3b138ae..bd93dab6f2f1 100644
--- a/xen/arch/arm/pci/pci-designware.h
+++ b/xen/arch/arm/pci/pci-designware.h
@@ -6,12 +6,11 @@
* Based on xen/arch/arm/pci/pci-host-generic.c
*/
-#include <xen/pci.h>
-#include <xen/init.h>
-
#ifndef __PCI_DESIGNWARE_H__
#define __PCI_DESIGNWARE_H__
+#include <xen/pci.h>
+#include <xen/init.h>
#define PCIE_ATU_VIEWPORT 0x900
#define PCIE_ATU_REGION_OUTBOUND 0
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (7 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 08/12] arm/pci-designware: Fix MISRA violations Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-20 22:28 ` Nicola Vetrini
2026-02-23 7:26 ` Roberto Bagnara
2026-02-20 21:46 ` [PATCH 10/12] xen: Adjust break/fallthrough statements Andrew Cooper
` (2 subsequent siblings)
11 siblings, 2 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Eclair complains of a side effect in a sizeof() expression (R13.6).
write_atomic() only evaluates each parameter once, but rewrite the expression
to less resemble entries in an obfuscation contest.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/x86/mm/shadow/set.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/mm/shadow/set.c b/xen/arch/x86/mm/shadow/set.c
index 8b670b6bb555..96ba2811077e 100644
--- a/xen/arch/x86/mm/shadow/set.c
+++ b/xen/arch/x86/mm/shadow/set.c
@@ -62,8 +62,8 @@ shadow_write_entries(void *d, const void *s, unsigned int entries, mfn_t mfn)
ASSERT(IS_ALIGNED((unsigned long)dst, sizeof(*dst)));
- for ( ; i < entries; i++ )
- write_atomic(&dst++->l1, src++->l1);
+ for ( ; i < entries; i++, dst++, src++ )
+ write_atomic(&dst->l1, src->l1);
unmap_domain_page(map);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 10/12] xen: Adjust break/fallthrough statements
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (8 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries() Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-20 22:36 ` Nicola Vetrini
2026-02-23 9:02 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
2026-02-20 21:46 ` [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h Andrew Cooper
11 siblings, 2 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
sh_destroy_shadow() has a spelling of fallthrough which doesn't match the
permitted pattern. Convert it to a real fallthrough (psedo)keyword.
Elsewhere, insert breaks at the end of the default statements.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/pci/pci-access.c | 2 ++
xen/arch/arm/pci/pci-designware.c | 2 ++
xen/arch/arm/tee/optee.c | 1 +
xen/arch/x86/mm/shadow/common.c | 2 +-
4 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/pci/pci-access.c b/xen/arch/arm/pci/pci-access.c
index c0533c00c9a5..2b23d552bbfb 100644
--- a/xen/arch/arm/pci/pci-access.c
+++ b/xen/arch/arm/pci/pci-access.c
@@ -63,6 +63,7 @@ int pci_generic_config_read(struct pci_host_bridge *bridge, pci_sbdf_t sbdf,
break;
default:
ASSERT_UNREACHABLE();
+ break;
}
return 0;
@@ -89,6 +90,7 @@ int pci_generic_config_write(struct pci_host_bridge *bridge, pci_sbdf_t sbdf,
break;
default:
ASSERT_UNREACHABLE();
+ break;
}
return 0;
diff --git a/xen/arch/arm/pci/pci-designware.c b/xen/arch/arm/pci/pci-designware.c
index 6b85213f637b..902da19e8c98 100644
--- a/xen/arch/arm/pci/pci-designware.c
+++ b/xen/arch/arm/pci/pci-designware.c
@@ -48,6 +48,7 @@ static int dw_pcie_read(void __iomem *addr, unsigned int len, uint32_t *val)
break;
default:
ASSERT_UNREACHABLE();
+ break;
}
return 0;
@@ -71,6 +72,7 @@ static int dw_pcie_write(void __iomem *addr, unsigned int len, uint32_t val)
break;
default:
ASSERT_UNREACHABLE();
+ break;
}
return 0;
diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index 699e8d536862..f719d9d767ab 100644
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -1206,6 +1206,7 @@ static void do_call_with_arg(struct optee_domain *ctx,
default:
/* Free any temporary shared buffers */
free_shm_buffers(ctx, call->xen_arg);
+ break;
}
put_std_call(ctx, call);
diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
index 96986ee2553d..5834c265f76d 100644
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -1213,7 +1213,7 @@ void sh_destroy_shadow(struct domain *d, mfn_t smfn)
#ifdef CONFIG_PV32
case SH_type_l2h_64_shadow:
ASSERT(is_pv_32bit_domain(d));
- /* Fall through... */
+ fallthrough;
#endif
case SH_type_l2_64_shadow:
SHADOW_INTERNAL_NAME(sh_destroy_l2_shadow, 4)(d, smfn);
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (9 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 10/12] xen: Adjust break/fallthrough statements Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-20 22:45 ` Nicola Vetrini
` (2 more replies)
2026-02-20 21:46 ` [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h Andrew Cooper
11 siblings, 3 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Fixing Rule 20.7 violations.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/arch/arm/pci/pci-access.c | 6 +++---
xen/arch/x86/include/asm/bootinfo.h | 2 +-
xen/arch/x86/mm/shadow/multi.c | 2 +-
xen/common/kimage.c | 11 ++++++-----
xen/common/livepatch.c | 11 ++++++-----
xen/crypto/vmac.c | 8 ++++----
xen/include/xen/libfdt/libfdt.h | 6 +++---
7 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/xen/arch/arm/pci/pci-access.c b/xen/arch/arm/pci/pci-access.c
index 2b23d552bbfb..7bd6877596d4 100644
--- a/xen/arch/arm/pci/pci-access.c
+++ b/xen/arch/arm/pci/pci-access.c
@@ -16,7 +16,7 @@
#include <asm/io.h>
#define INVALID_VALUE (~0U)
-#define PCI_ERR_VALUE(len) GENMASK(0, len * 8)
+#define PCI_ERR_VALUE(len) GENMASK(0, (len) * 8)
static const struct pci_ops *get_ops(struct pci_host_bridge *bridge,
pci_sbdf_t sbdf)
@@ -139,14 +139,14 @@ static void pci_config_write(pci_sbdf_t sbdf, unsigned int reg,
void pci_conf_write##size(pci_sbdf_t sbdf, \
unsigned int reg, type data) \
{ \
- pci_config_write(sbdf, reg, size / 8, data); \
+ pci_config_write(sbdf, reg, (size) / 8, data); \
}
#define PCI_OP_READ(size, type) \
type pci_conf_read##size(pci_sbdf_t sbdf, \
unsigned int reg) \
{ \
- return pci_config_read(sbdf, reg, size / 8); \
+ return pci_config_read(sbdf, reg, (size) / 8); \
}
PCI_OP_READ(8, uint8_t)
diff --git a/xen/arch/x86/include/asm/bootinfo.h b/xen/arch/x86/include/asm/bootinfo.h
index 4f2cc5906e59..b3a6b2acf3ac 100644
--- a/xen/arch/x86/include/asm/bootinfo.h
+++ b/xen/arch/x86/include/asm/bootinfo.h
@@ -75,7 +75,7 @@ static inline unsigned int __init next_boot_module_index(
#define for_each_boot_module_by_type(i, b, t) \
for ( (i) = first_boot_module_index(b, t); \
(i) <= (b)->nr_modules; \
- (i) = next_boot_module_index(b, t, i + 1) )
+ (i) = next_boot_module_index(b, t, (i) + 1) )
#endif /* X86_BOOTINFO_H */
diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index 3bbaceec1287..9de60720db20 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -793,7 +793,7 @@ do { \
do { \
int __done = 0; \
_FOREACH_PRESENT_L1E(_sl1mfn, _sl1e, _gl1p, \
- ({ (__done = _done); }), _code); \
+ ({ (__done = (_done)); }), _code); \
_sl1mfn = sh_next_page(_sl1mfn); \
if ( !__done ) \
_FOREACH_PRESENT_L1E(_sl1mfn, _sl1e, _gl1p, _done, _code); \
diff --git a/xen/common/kimage.c b/xen/common/kimage.c
index e1aec5a18a54..972301368443 100644
--- a/xen/common/kimage.c
+++ b/xen/common/kimage.c
@@ -491,11 +491,12 @@ static void kimage_terminate(struct kexec_image *image)
* Call unmap_domain_page(ptr) after the loop exits.
*/
#define for_each_kimage_entry(image, ptr, entry) \
- for ( ptr = map_domain_page(_mfn(paddr_to_pfn(image->head))); \
- (entry = *ptr) && !(entry & IND_DONE); \
- ptr = (entry & IND_INDIRECTION) ? \
- (unmap_domain_page(ptr), map_domain_page(_mfn(paddr_to_pfn(entry)))) \
- : ptr + 1 )
+ for ( (ptr) = map_domain_page(_mfn(paddr_to_pfn((image)->head))); \
+ ((entry) = *(ptr)) && !((entry) & IND_DONE); \
+ (ptr) = (((entry) & IND_INDIRECTION) \
+ ? (unmap_domain_page(ptr), \
+ map_domain_page(_mfn(paddr_to_pfn(entry)))) \
+ : (ptr) + 1) )
static void kimage_free_entry(kimage_entry_t entry)
{
diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
index 7446533c8cfb..63473925cafb 100644
--- a/xen/common/livepatch.c
+++ b/xen/common/livepatch.c
@@ -664,9 +664,10 @@ static inline int livepatch_check_expectations(const struct payload *payload)
const struct livepatch_elf_sec *__sec = livepatch_elf_sec_by_name(elf, section_name); \
if ( !__sec ) \
break; \
- if ( !section_ok(elf, __sec, sizeof(*hook)) || __sec->sec->sh_size != sizeof(*hook) ) \
+ if ( !section_ok(elf, __sec, sizeof(*(hook))) || \
+ __sec->sec->sh_size != sizeof(*(hook)) ) \
return -EINVAL; \
- hook = __sec->addr; \
+ (hook) = __sec->addr; \
} while (0)
/*
@@ -678,10 +679,10 @@ static inline int livepatch_check_expectations(const struct payload *payload)
const struct livepatch_elf_sec *__sec = livepatch_elf_sec_by_name(elf, section_name); \
if ( !__sec ) \
break; \
- if ( !section_ok(elf, __sec, sizeof(*hook)) ) \
+ if ( !section_ok(elf, __sec, sizeof(*(hook))) ) \
return -EINVAL; \
- hook = __sec->addr; \
- nhooks = __sec->sec->sh_size / sizeof(*hook); \
+ (hook) = __sec->addr; \
+ (nhooks) = __sec->sec->sh_size / sizeof(*(hook)); \
} while (0)
static int prepare_payload(struct payload *payload,
diff --git a/xen/crypto/vmac.c b/xen/crypto/vmac.c
index c9914d2c7c1d..c7aa1e9be3b9 100644
--- a/xen/crypto/vmac.c
+++ b/xen/crypto/vmac.c
@@ -203,7 +203,7 @@ const uint64_t mpoly = UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
#define nh_16(mp, kp, nw, rh, rl) \
{ int i; uint64_t th, tl; \
rh = rl = 0; \
- for (i = 0; i < nw; i+= 2) { \
+ for (i = 0; i < (nw); i+= 2) { \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i ],get64PE((mp)+i+1)+(kp)[i+1]);\
ADD128(rh,rl,th,tl); \
} \
@@ -211,7 +211,7 @@ const uint64_t mpoly = UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
#define nh_16_2(mp, kp, nw, rh, rl, rh1, rl1) \
{ int i; uint64_t th, tl; \
rh1 = rl1 = rh = rl = 0; \
- for (i = 0; i < nw; i+= 2) { \
+ for (i = 0; i < (nw); i+= 2) { \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i ],get64PE((mp)+i+1)+(kp)[i+1]);\
ADD128(rh,rl,th,tl); \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i+2],get64PE((mp)+i+1)+(kp)[i+3]);\
@@ -223,7 +223,7 @@ const uint64_t mpoly = UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
#define nh_vmac_nhbytes(mp, kp, nw, rh, rl) \
{ int i; uint64_t th, tl; \
rh = rl = 0; \
- for (i = 0; i < nw; i+= 8) { \
+ for (i = 0; i < (nw); i+= 8) { \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i ],get64PE((mp)+i+1)+(kp)[i+1]);\
ADD128(rh,rl,th,tl); \
MUL64(th,tl,get64PE((mp)+i+2)+(kp)[i+2],get64PE((mp)+i+3)+(kp)[i+3]);\
@@ -237,7 +237,7 @@ const uint64_t mpoly = UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
#define nh_vmac_nhbytes_2(mp, kp, nw, rh, rl, rh1, rl1) \
{ int i; uint64_t th, tl; \
rh1 = rl1 = rh = rl = 0; \
- for (i = 0; i < nw; i+= 8) { \
+ for (i = 0; i < (nw); i+= 8) { \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i ],get64PE((mp)+i+1)+(kp)[i+1]);\
ADD128(rh,rl,th,tl); \
MUL64(th,tl,get64PE((mp)+i )+(kp)[i+2],get64PE((mp)+i+1)+(kp)[i+3]);\
diff --git a/xen/include/xen/libfdt/libfdt.h b/xen/include/xen/libfdt/libfdt.h
index fabddbee8cec..1b09bba28eea 100644
--- a/xen/include/xen/libfdt/libfdt.h
+++ b/xen/include/xen/libfdt/libfdt.h
@@ -230,9 +230,9 @@ int fdt_next_subnode(const void *fdt, int offset);
* literal.
*/
#define fdt_for_each_subnode(node, fdt, parent) \
- for (node = fdt_first_subnode(fdt, parent); \
- node >= 0; \
- node = fdt_next_subnode(fdt, node))
+ for ((node) = fdt_first_subnode(fdt, parent); \
+ (node) >= 0; \
+ (node) = fdt_next_subnode(fdt, node))
/**********************************************************************/
/* General functions */
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
` (10 preceding siblings ...)
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
@ 2026-02-20 21:46 ` Andrew Cooper
2026-02-23 10:54 ` Jan Beulich
11 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-20 21:46 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
Eclair complains that _MSC_VER is undefined (a Rule 20.9 violation).
This could be fixed by inserting an "&& defined(_MSC_VER)" clause, but the
whole block is entirely useless (it comments out the include of stdint) and
the top of vmac.c pulls in xen/types.h specifically.
Simply delete the block.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Michal Orzel <michal.orzel@amd.com>
CC: consulting@bugseng.com <consulting@bugseng.com>
CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
---
xen/include/crypto/vmac.h | 23 -----------------------
1 file changed, 23 deletions(-)
diff --git a/xen/include/crypto/vmac.h b/xen/include/crypto/vmac.h
index 7574c4a3f328..43fd288ae3bd 100644
--- a/xen/include/crypto/vmac.h
+++ b/xen/include/crypto/vmac.h
@@ -35,29 +35,6 @@
#define hz (400e6) mips
*/
-/* --------------------------------------------------------------------------
- * This implementation uses uint32_t and uint64_t as names for unsigned 32-
- * and 64-bit integer types. These are defined in C99 stdint.h. The
- * following may need adaptation if you are not running a C99 or
- * Microsoft C environment.
- * ----------------------------------------------------------------------- */
-#define VMAC_USE_STDINT 1 /* Set to zero if system has no stdint.h */
-
-#if VMAC_USE_STDINT && !_MSC_VER /* Try stdint.h if non-Microsoft */
-#ifdef __cplusplus
-#define __STDC_CONSTANT_MACROS
-#endif
-//#include <stdint.h>
-#elif (_MSC_VER) /* Microsoft C does not have stdint.h */
-typedef unsigned __int32 uint32_t;
-typedef unsigned __int64 uint64_t;
-#define UINT64_C(v) v ## UI64
-#else /* Guess sensibly - may need adaptation */
-typedef unsigned int uint32_t;
-typedef unsigned long long uint64_t;
-#define UINT64_C(v) v ## ULL
-#endif
-
/* --------------------------------------------------------------------------
* This implementation supports two free AES implementations: OpenSSL's and
* Paulo Barreto's. To use OpenSSL's, you will need to include the OpenSSL
--
2.39.5
^ permalink raw reply related [flat|nested] 39+ messages in thread
* Re: [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init()
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
@ 2026-02-20 21:58 ` Nicola Vetrini
2026-02-23 8:54 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-20 21:58 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-20 22:46, Andrew Cooper wrote:
> Elcair rejects __FUNCTION__ as nonstandard syntax and a R1.1 violation.
>
s/Elcair/ECLAIR/
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
> xen/arch/arm/acpi/boot.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/arm/acpi/boot.c b/xen/arch/arm/acpi/boot.c
> index db5085e15d84..4ac0fd8f51e8 100644
> --- a/xen/arch/arm/acpi/boot.c
> +++ b/xen/arch/arm/acpi/boot.c
> @@ -264,14 +264,14 @@ int __init acpi_boot_table_init(void)
> if ( error )
> {
> printk("%s: Unable to initialize table parser (%d)\n",
> - __FUNCTION__, error);
> + __func__, error);
> goto disable;
> }
>
> error = acpi_table_parse(ACPI_SIG_FADT, acpi_parse_fadt);
> if ( error )
> {
> - printk("%s: FADT not found (%d)\n", __FUNCTION__, error);
> + printk("%s: FADT not found (%d)\n", __func__, error);
> goto disable;
> }
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 08/12] arm/pci-designware: Fix MISRA violations
2026-02-20 21:46 ` [PATCH 08/12] arm/pci-designware: Fix MISRA violations Andrew Cooper
@ 2026-02-20 22:15 ` Nicola Vetrini
2026-02-23 9:00 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-20 22:15 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-20 22:46, Andrew Cooper wrote:
> * Move includes inside the header guards (D4.10)
> * Use NULL in preference to 0 (R11.9)
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> xen/arch/arm/pci/pci-designware.c | 2 +-
> xen/arch/arm/pci/pci-designware.h | 5 ++---
> 2 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/xen/arch/arm/pci/pci-designware.c
> b/xen/arch/arm/pci/pci-designware.c
> index 0bd67524ac8b..6b85213f637b 100644
> --- a/xen/arch/arm/pci/pci-designware.c
> +++ b/xen/arch/arm/pci/pci-designware.c
> @@ -285,7 +285,7 @@ void __iomem *dw_pcie_child_map_bus(struct
> pci_host_bridge *bridge,
> bridge->child_cfg->phys_addr,
> busdev,
> bridge->child_cfg->size);
> if ( ret )
> - return 0;
> + return NULL;
>
> return bridge->child_cfg->win + where;
> }
> diff --git a/xen/arch/arm/pci/pci-designware.h
> b/xen/arch/arm/pci/pci-designware.h
> index b9deb3b138ae..bd93dab6f2f1 100644
> --- a/xen/arch/arm/pci/pci-designware.h
> +++ b/xen/arch/arm/pci/pci-designware.h
> @@ -6,12 +6,11 @@
> * Based on xen/arch/arm/pci/pci-host-generic.c
> */
>
> -#include <xen/pci.h>
> -#include <xen/init.h>
> -
> #ifndef __PCI_DESIGNWARE_H__
> #define __PCI_DESIGNWARE_H__
>
> +#include <xen/pci.h>
> +#include <xen/init.h>
>
> #define PCIE_ATU_VIEWPORT 0x900
> #define PCIE_ATU_REGION_OUTBOUND 0
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-20 21:46 ` [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries() Andrew Cooper
@ 2026-02-20 22:28 ` Nicola Vetrini
2026-02-23 7:26 ` Roberto Bagnara
1 sibling, 0 replies; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-20 22:28 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-20 22:46, Andrew Cooper wrote:
> Eclair complains of a side effect in a sizeof() expression (R13.6).
>
> write_atomic() only evaluates each parameter once, but rewrite the
> expression
> to less resemble entries in an obfuscation contest.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> xen/arch/x86/mm/shadow/set.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/x86/mm/shadow/set.c
> b/xen/arch/x86/mm/shadow/set.c
> index 8b670b6bb555..96ba2811077e 100644
> --- a/xen/arch/x86/mm/shadow/set.c
> +++ b/xen/arch/x86/mm/shadow/set.c
> @@ -62,8 +62,8 @@ shadow_write_entries(void *d, const void *s, unsigned
> int entries, mfn_t mfn)
>
> ASSERT(IS_ALIGNED((unsigned long)dst, sizeof(*dst)));
>
> - for ( ; i < entries; i++ )
> - write_atomic(&dst++->l1, src++->l1);
> + for ( ; i < entries; i++, dst++, src++ )
> + write_atomic(&dst->l1, src->l1);
>
> unmap_domain_page(map);
> }
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 10/12] xen: Adjust break/fallthrough statements
2026-02-20 21:46 ` [PATCH 10/12] xen: Adjust break/fallthrough statements Andrew Cooper
@ 2026-02-20 22:36 ` Nicola Vetrini
2026-02-23 9:02 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-20 22:36 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-20 22:46, Andrew Cooper wrote:
> sh_destroy_shadow() has a spelling of fallthrough which doesn't match
> the
> permitted pattern. Convert it to a real fallthrough (psedo)keyword.
>
> Elsewhere, insert breaks at the end of the default statements.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> xen/arch/arm/pci/pci-access.c | 2 ++
> xen/arch/arm/pci/pci-designware.c | 2 ++
> xen/arch/arm/tee/optee.c | 1 +
> xen/arch/x86/mm/shadow/common.c | 2 +-
> 4 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/xen/arch/arm/pci/pci-access.c
> b/xen/arch/arm/pci/pci-access.c
> index c0533c00c9a5..2b23d552bbfb 100644
> --- a/xen/arch/arm/pci/pci-access.c
> +++ b/xen/arch/arm/pci/pci-access.c
> @@ -63,6 +63,7 @@ int pci_generic_config_read(struct pci_host_bridge
> *bridge, pci_sbdf_t sbdf,
> break;
> default:
> ASSERT_UNREACHABLE();
> + break;
> }
>
> return 0;
> @@ -89,6 +90,7 @@ int pci_generic_config_write(struct pci_host_bridge
> *bridge, pci_sbdf_t sbdf,
> break;
> default:
> ASSERT_UNREACHABLE();
> + break;
> }
>
> return 0;
> diff --git a/xen/arch/arm/pci/pci-designware.c
> b/xen/arch/arm/pci/pci-designware.c
> index 6b85213f637b..902da19e8c98 100644
> --- a/xen/arch/arm/pci/pci-designware.c
> +++ b/xen/arch/arm/pci/pci-designware.c
> @@ -48,6 +48,7 @@ static int dw_pcie_read(void __iomem *addr, unsigned
> int len, uint32_t *val)
> break;
> default:
> ASSERT_UNREACHABLE();
> + break;
> }
>
> return 0;
> @@ -71,6 +72,7 @@ static int dw_pcie_write(void __iomem *addr, unsigned
> int len, uint32_t val)
> break;
> default:
> ASSERT_UNREACHABLE();
> + break;
> }
>
> return 0;
> diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
> index 699e8d536862..f719d9d767ab 100644
> --- a/xen/arch/arm/tee/optee.c
> +++ b/xen/arch/arm/tee/optee.c
> @@ -1206,6 +1206,7 @@ static void do_call_with_arg(struct optee_domain
> *ctx,
> default:
> /* Free any temporary shared buffers */
> free_shm_buffers(ctx, call->xen_arg);
> + break;
> }
>
> put_std_call(ctx, call);
> diff --git a/xen/arch/x86/mm/shadow/common.c
> b/xen/arch/x86/mm/shadow/common.c
> index 96986ee2553d..5834c265f76d 100644
> --- a/xen/arch/x86/mm/shadow/common.c
> +++ b/xen/arch/x86/mm/shadow/common.c
> @@ -1213,7 +1213,7 @@ void sh_destroy_shadow(struct domain *d, mfn_t
> smfn)
> #ifdef CONFIG_PV32
> case SH_type_l2h_64_shadow:
> ASSERT(is_pv_32bit_domain(d));
> - /* Fall through... */
> + fallthrough;
> #endif
> case SH_type_l2_64_shadow:
> SHADOW_INTERNAL_NAME(sh_destroy_l2_shadow, 4)(d, smfn);
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
@ 2026-02-20 22:45 ` Nicola Vetrini
2026-02-25 16:05 ` Andrew Cooper
2026-02-23 9:04 ` Orzel, Michal
2026-02-23 10:50 ` Jan Beulich
2 siblings, 1 reply; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-20 22:45 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-20 22:46, Andrew Cooper wrote:
> Fixing Rule 20.7 violations.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Two minor nits below
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> xen/arch/arm/pci/pci-access.c | 6 +++---
> xen/arch/x86/include/asm/bootinfo.h | 2 +-
> xen/arch/x86/mm/shadow/multi.c | 2 +-
> xen/common/kimage.c | 11 ++++++-----
> xen/common/livepatch.c | 11 ++++++-----
> xen/crypto/vmac.c | 8 ++++----
> xen/include/xen/libfdt/libfdt.h | 6 +++---
> 7 files changed, 24 insertions(+), 22 deletions(-)
>
> diff --git a/xen/arch/arm/pci/pci-access.c
> b/xen/arch/arm/pci/pci-access.c
> index 2b23d552bbfb..7bd6877596d4 100644
> --- a/xen/arch/arm/pci/pci-access.c
> +++ b/xen/arch/arm/pci/pci-access.c
> @@ -16,7 +16,7 @@
> #include <asm/io.h>
>
> #define INVALID_VALUE (~0U)
> -#define PCI_ERR_VALUE(len) GENMASK(0, len * 8)
> +#define PCI_ERR_VALUE(len) GENMASK(0, (len) * 8)
>
> static const struct pci_ops *get_ops(struct pci_host_bridge *bridge,
> pci_sbdf_t sbdf)
> @@ -139,14 +139,14 @@ static void pci_config_write(pci_sbdf_t sbdf,
> unsigned int reg,
> void pci_conf_write##size(pci_sbdf_t sbdf, \
> unsigned int reg, type data) \
> { \
> - pci_config_write(sbdf, reg, size / 8, data); \
> + pci_config_write(sbdf, reg, (size) / 8, data); \
> }
>
> #define PCI_OP_READ(size, type) \
> type pci_conf_read##size(pci_sbdf_t sbdf, \
> unsigned int reg) \
> { \
> - return pci_config_read(sbdf, reg, size / 8); \
> + return pci_config_read(sbdf, reg, (size) / 8); \
> }
>
> PCI_OP_READ(8, uint8_t)
> diff --git a/xen/arch/x86/include/asm/bootinfo.h
> b/xen/arch/x86/include/asm/bootinfo.h
> index 4f2cc5906e59..b3a6b2acf3ac 100644
> --- a/xen/arch/x86/include/asm/bootinfo.h
> +++ b/xen/arch/x86/include/asm/bootinfo.h
> @@ -75,7 +75,7 @@ static inline unsigned int __init
> next_boot_module_index(
> #define for_each_boot_module_by_type(i, b, t) \
> for ( (i) = first_boot_module_index(b, t); \
> (i) <= (b)->nr_modules; \
> - (i) = next_boot_module_index(b, t, i + 1) )
> + (i) = next_boot_module_index(b, t, (i) + 1) )
>
> #endif /* X86_BOOTINFO_H */
>
> diff --git a/xen/arch/x86/mm/shadow/multi.c
> b/xen/arch/x86/mm/shadow/multi.c
> index 3bbaceec1287..9de60720db20 100644
> --- a/xen/arch/x86/mm/shadow/multi.c
> +++ b/xen/arch/x86/mm/shadow/multi.c
> @@ -793,7 +793,7 @@ do {
> \
> do {
> \
> int __done = 0;
> \
> _FOREACH_PRESENT_L1E(_sl1mfn, _sl1e, _gl1p,
> \
> - ({ (__done = _done); }), _code);
> \
> + ({ (__done = (_done)); }), _code);
> \
> _sl1mfn = sh_next_page(_sl1mfn);
> \
> if ( !__done )
> \
> _FOREACH_PRESENT_L1E(_sl1mfn, _sl1e, _gl1p, _done, _code);
> \
> diff --git a/xen/common/kimage.c b/xen/common/kimage.c
> index e1aec5a18a54..972301368443 100644
> --- a/xen/common/kimage.c
> +++ b/xen/common/kimage.c
> @@ -491,11 +491,12 @@ static void kimage_terminate(struct kexec_image
> *image)
> * Call unmap_domain_page(ptr) after the loop exits.
> */
> #define for_each_kimage_entry(image, ptr, entry)
> \
> - for ( ptr = map_domain_page(_mfn(paddr_to_pfn(image->head)));
> \
> - (entry = *ptr) && !(entry & IND_DONE);
> \
> - ptr = (entry & IND_INDIRECTION) ?
> \
> - (unmap_domain_page(ptr),
> map_domain_page(_mfn(paddr_to_pfn(entry)))) \
> - : ptr + 1 )
> + for ( (ptr) = map_domain_page(_mfn(paddr_to_pfn((image)->head)));
> \
> + ((entry) = *(ptr)) && !((entry) & IND_DONE);
> \
> + (ptr) = (((entry) & IND_INDIRECTION)
> \
> + ? (unmap_domain_page(ptr),
> \
> + map_domain_page(_mfn(paddr_to_pfn(entry))))
> \
> + : (ptr) + 1) )
>
> static void kimage_free_entry(kimage_entry_t entry)
> {
> diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
> index 7446533c8cfb..63473925cafb 100644
> --- a/xen/common/livepatch.c
> +++ b/xen/common/livepatch.c
> @@ -664,9 +664,10 @@ static inline int
> livepatch_check_expectations(const struct payload *payload)
> const struct livepatch_elf_sec *__sec =
> livepatch_elf_sec_by_name(elf, section_name); \
> if ( !__sec )
> \
> break;
> \
> - if ( !section_ok(elf, __sec, sizeof(*hook)) || __sec->sec->sh_size
> != sizeof(*hook) ) \
> + if ( !section_ok(elf, __sec, sizeof(*(hook))) ||
> \
> + __sec->sec->sh_size != sizeof(*(hook)) )
> \
> return -EINVAL;
> \
> - hook = __sec->addr;
> \
> + (hook) = __sec->addr;
> \
This is not strictly needed, if not for consistency
> } while (0)
>
> /*
> @@ -678,10 +679,10 @@ static inline int
> livepatch_check_expectations(const struct payload *payload)
> const struct livepatch_elf_sec *__sec =
> livepatch_elf_sec_by_name(elf, section_name); \
> if ( !__sec )
> \
> break;
> \
> - if ( !section_ok(elf, __sec, sizeof(*hook)) )
> \
> + if ( !section_ok(elf, __sec, sizeof(*(hook))) )
> \
> return -EINVAL;
> \
> - hook = __sec->addr;
> \
> - nhooks = __sec->sec->sh_size / sizeof(*hook);
> \
> + (hook) = __sec->addr;
> \
> + (nhooks) = __sec->sec->sh_size / sizeof(*(hook));
> \
same as above
> } while (0)
>
> static int prepare_payload(struct payload *payload,
> diff --git a/xen/crypto/vmac.c b/xen/crypto/vmac.c
> index c9914d2c7c1d..c7aa1e9be3b9 100644
> --- a/xen/crypto/vmac.c
> +++ b/xen/crypto/vmac.c
> @@ -203,7 +203,7 @@ const uint64_t mpoly =
> UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
> #define nh_16(mp, kp, nw, rh, rl)
> \
> { int i; uint64_t th, tl;
> \
> rh = rl = 0;
> \
> - for (i = 0; i < nw; i+= 2) {
> \
> + for (i = 0; i < (nw); i+= 2) {
> \
> MUL64(th,tl,get64PE((mp)+i )+(kp)[i
> ],get64PE((mp)+i+1)+(kp)[i+1]);\
> ADD128(rh,rl,th,tl);
> \
> }
> \
> @@ -211,7 +211,7 @@ const uint64_t mpoly =
> UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
> #define nh_16_2(mp, kp, nw, rh, rl, rh1, rl1)
> \
> { int i; uint64_t th, tl;
> \
> rh1 = rl1 = rh = rl = 0;
> \
> - for (i = 0; i < nw; i+= 2) {
> \
> + for (i = 0; i < (nw); i+= 2) {
> \
> MUL64(th,tl,get64PE((mp)+i )+(kp)[i
> ],get64PE((mp)+i+1)+(kp)[i+1]);\
> ADD128(rh,rl,th,tl);
> \
> MUL64(th,tl,get64PE((mp)+i
> )+(kp)[i+2],get64PE((mp)+i+1)+(kp)[i+3]);\
> @@ -223,7 +223,7 @@ const uint64_t mpoly =
> UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
> #define nh_vmac_nhbytes(mp, kp, nw, rh, rl)
> \
> { int i; uint64_t th, tl;
> \
> rh = rl = 0;
> \
> - for (i = 0; i < nw; i+= 8) {
> \
> + for (i = 0; i < (nw); i+= 8) {
> \
> MUL64(th,tl,get64PE((mp)+i )+(kp)[i
> ],get64PE((mp)+i+1)+(kp)[i+1]);\
> ADD128(rh,rl,th,tl);
> \
>
> MUL64(th,tl,get64PE((mp)+i+2)+(kp)[i+2],get64PE((mp)+i+3)+(kp)[i+3]);\
> @@ -237,7 +237,7 @@ const uint64_t mpoly =
> UINT64_C(0x1fffffff1fffffff); /* Poly key mask */
> #define nh_vmac_nhbytes_2(mp, kp, nw, rh, rl, rh1, rl1)
> \
> { int i; uint64_t th, tl;
> \
> rh1 = rl1 = rh = rl = 0;
> \
> - for (i = 0; i < nw; i+= 8) {
> \
> + for (i = 0; i < (nw); i+= 8) {
> \
> MUL64(th,tl,get64PE((mp)+i )+(kp)[i
> ],get64PE((mp)+i+1)+(kp)[i+1]);\
> ADD128(rh,rl,th,tl);
> \
> MUL64(th,tl,get64PE((mp)+i
> )+(kp)[i+2],get64PE((mp)+i+1)+(kp)[i+3]);\
> diff --git a/xen/include/xen/libfdt/libfdt.h
> b/xen/include/xen/libfdt/libfdt.h
> index fabddbee8cec..1b09bba28eea 100644
> --- a/xen/include/xen/libfdt/libfdt.h
> +++ b/xen/include/xen/libfdt/libfdt.h
> @@ -230,9 +230,9 @@ int fdt_next_subnode(const void *fdt, int offset);
> * literal.
> */
> #define fdt_for_each_subnode(node, fdt, parent) \
> - for (node = fdt_first_subnode(fdt, parent); \
> - node >= 0; \
> - node = fdt_next_subnode(fdt, node))
> + for ((node) = fdt_first_subnode(fdt, parent); \
> + (node) >= 0; \
> + (node) = fdt_next_subnode(fdt, node))
>
>
> /**********************************************************************/
> /* General functions
> */
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-20 21:46 ` [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries() Andrew Cooper
2026-02-20 22:28 ` Nicola Vetrini
@ 2026-02-23 7:26 ` Roberto Bagnara
2026-02-25 12:14 ` Andrew Cooper
1 sibling, 1 reply; 39+ messages in thread
From: Roberto Bagnara @ 2026-02-23 7:26 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/26 22:46, Andrew Cooper wrote:
> Eclair complains of a side effect in a sizeof() expression (R13.6).
I disagree with comments of the form "Eclair complains" used whereas
the right thing to say is, e.g.:
sizeof() expressions with "potential side effects" violate
MISRA C:2012 + AMD2 Rule 13.6, for which each function call
is a potential side effect
or
Take out potential side effects from sizeof() as mandated by
MISRA C:2012 + AMD2 Rule 13.6.
Note that in recent versions of MISRA C that rule is no longer
mandatory. More generally, note also that, IMHO, switching to
a more modern version of MISRA C would simplify compliance.
BTW: the correct spelling is "ECLAIR", all capitals.
> write_atomic() only evaluates each parameter once, but rewrite the expression
> to less resemble entries in an obfuscation contest.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
> ---
> xen/arch/x86/mm/shadow/set.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/x86/mm/shadow/set.c b/xen/arch/x86/mm/shadow/set.c
> index 8b670b6bb555..96ba2811077e 100644
> --- a/xen/arch/x86/mm/shadow/set.c
> +++ b/xen/arch/x86/mm/shadow/set.c
> @@ -62,8 +62,8 @@ shadow_write_entries(void *d, const void *s, unsigned int entries, mfn_t mfn)
>
> ASSERT(IS_ALIGNED((unsigned long)dst, sizeof(*dst)));
>
> - for ( ; i < entries; i++ )
> - write_atomic(&dst++->l1, src++->l1);
> + for ( ; i < entries; i++, dst++, src++ )
> + write_atomic(&dst->l1, src->l1);
>
> unmap_domain_page(map);
> }
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init()
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
2026-02-20 21:58 ` Nicola Vetrini
@ 2026-02-23 8:54 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 8:54 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> Elcair rejects __FUNCTION__ as nonstandard syntax and a R1.1 violation.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals
2026-02-20 21:46 ` [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals Andrew Cooper
@ 2026-02-23 8:57 ` Orzel, Michal
0 siblings, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 8:57 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> Use U where necessary (Misra Rule 7.2) and uppercase L (Misra Rule 7.3).
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 04/12] xen/treewide: Adjust parameter names and types
2026-02-20 21:46 ` [PATCH 04/12] xen/treewide: Adjust parameter names and types Andrew Cooper
@ 2026-02-23 8:58 ` Orzel, Michal
0 siblings, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 8:58 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> MISRA Rule 8.2 says that parameters must all have names. Rule 8.3 says that
> the names and types must match between declaration and definition.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 08/12] arm/pci-designware: Fix MISRA violations
2026-02-20 21:46 ` [PATCH 08/12] arm/pci-designware: Fix MISRA violations Andrew Cooper
2026-02-20 22:15 ` Nicola Vetrini
@ 2026-02-23 9:00 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 9:00 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> * Move includes inside the header guards (D4.10)
> * Use NULL in preference to 0 (R11.9)
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 10/12] xen: Adjust break/fallthrough statements
2026-02-20 21:46 ` [PATCH 10/12] xen: Adjust break/fallthrough statements Andrew Cooper
2026-02-20 22:36 ` Nicola Vetrini
@ 2026-02-23 9:02 ` Orzel, Michal
1 sibling, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 9:02 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> sh_destroy_shadow() has a spelling of fallthrough which doesn't match the
> permitted pattern. Convert it to a real fallthrough (psedo)keyword.
>
> Elsewhere, insert breaks at the end of the default statements.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
2026-02-20 22:45 ` Nicola Vetrini
@ 2026-02-23 9:04 ` Orzel, Michal
2026-02-23 10:50 ` Jan Beulich
2 siblings, 0 replies; 39+ messages in thread
From: Orzel, Michal @ 2026-02-23 9:04 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel
Cc: Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis,
consulting @ bugseng . com, Nicola Vetrini
On 20/02/2026 22:46, Andrew Cooper wrote:
> Fixing Rule 20.7 violations.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters
2026-02-20 21:46 ` [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters Andrew Cooper
@ 2026-02-23 9:15 ` Jan Beulich
2026-03-03 12:48 ` Daniel Smith
0 siblings, 1 reply; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 9:15 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel,
Christopher Clark, Daniel P. Smith
On 20.02.2026 22:46, Andrew Cooper wrote:
> For the ARM build only, Eclair reports a R8.4 violation because do_argo_op()
> cannot see its declaration. This means that x86 is picking hypercall-defs.h
> up transitively while ARM is not. Include xen/hypercall.h explicitly.
>
> Eclair also reports a R8.3 violation because of arg3 and arg4 differing in
> name with a raw_ prefix. Because hypercall-defs.h generates both do_argo_op()
> and compat_argo_op() from a single description, it's not possible to simply
> rename to raw_ in the declaration, as that would force doing the same rename
> in compat_argo_op().
>
> In do_argo_op(), drop the split parameter handling, and perform the 32bit
> range check via an explicit cast. While adjusting the surrounding logic, drop
> unnecessary casts to void * for already pointer arguments in argo_printk().
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien@xen.org>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
> CC: Bertrand Marquis <bertrand.marquis@arm.com>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: consulting@bugseng.com <consulting@bugseng.com>
> CC: Nicola Vetrini <nicola.vetrini@bugseng.com>
Further Cc-ing Argo maintainer / reviewer.
Jan
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 05/12] x86: Adjust annotations of asm-used identifiers
2026-02-20 21:46 ` [PATCH 05/12] x86: Adjust annotations of asm-used identifiers Andrew Cooper
@ 2026-02-23 9:21 ` Jan Beulich
0 siblings, 0 replies; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 9:21 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel
On 20.02.2026 22:46, Andrew Cooper wrote:
> do_entry_int82() is only called by assembly so gains asmlinkage.
>
> pvh_start_info_pa and early_hypercall_insn are data used by assembly, and need
> a SAF-1 annotation.
Why not use asmlinkage there as well? The deviation covering it as much as SAF-1-safe
say "only" (which doesn't fully apply here), so if in doubt is should be asmlinkage?
Jan
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 06/12] xen: Include suitable headers to make declarations visible
2026-02-20 21:46 ` [PATCH 06/12] xen: Include suitable headers to make declarations visible Andrew Cooper
@ 2026-02-23 10:44 ` Jan Beulich
0 siblings, 0 replies; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 10:44 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel
On 20.02.2026 22:46, Andrew Cooper wrote:
> A range of functions can't see their declarations, requiring the inclusion of
> appropriate headers.
>
> For pv/mm.h and pv/traps.h, this requires adjustements to become standalone.
>
> In pv/mm.h, swap xen/lib.h for xen/bug.h now that ASSERT_UNREACHABLE() has
> moved. For pv/traps.h, pv_trap_callback_registered() needs to see a complete
> struct vcpu, and xen/sched.h is not something appropriate to pull in
> conditionally.
>
> stack-protector.c can't see the declaration of __stack_chk_guard, and fixing
> that reveals that stack-protector.h needs get_cycles() too.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key()
2026-02-20 21:46 ` [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key() Andrew Cooper
@ 2026-02-23 10:45 ` Jan Beulich
0 siblings, 0 replies; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 10:45 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel
On 20.02.2026 22:46, Andrew Cooper wrote:
> Eclair complains that tboot_gen_domain_integrity() is casting away
> constness (Rule 11.8 violation).
>
> vmac_set_key() doesn't modify the user_key parameter, so it can become const,
> removing the need to cast.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
2026-02-20 22:45 ` Nicola Vetrini
2026-02-23 9:04 ` Orzel, Michal
@ 2026-02-23 10:50 ` Jan Beulich
2 siblings, 0 replies; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 10:50 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel
On 20.02.2026 22:46, Andrew Cooper wrote:
> --- a/xen/arch/x86/mm/shadow/multi.c
> +++ b/xen/arch/x86/mm/shadow/multi.c
> @@ -793,7 +793,7 @@ do { \
> do { \
> int __done = 0; \
> _FOREACH_PRESENT_L1E(_sl1mfn, _sl1e, _gl1p, \
> - ({ (__done = _done); }), _code); \
> + ({ (__done = (_done)); }), _code); \
Could I talk you into dropping the unnecessary pair of parentheses (around the
assignment) in exchange?
Jan
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h
2026-02-20 21:46 ` [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h Andrew Cooper
@ 2026-02-23 10:54 ` Jan Beulich
0 siblings, 0 replies; 39+ messages in thread
From: Jan Beulich @ 2026-02-23 10:54 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel
On 20.02.2026 22:46, Andrew Cooper wrote:
> Eclair complains that _MSC_VER is undefined (a Rule 20.9 violation).
>
> This could be fixed by inserting an "&& defined(_MSC_VER)" clause, but the
> whole block is entirely useless (it comments out the include of stdint) and
> the top of vmac.c pulls in xen/types.h specifically.
And any other user of the header (tboot.c currently). Wouldn't we be better
off having vmac.h include xen/types.h instead of that useless block?
> Simply delete the block.
>
> No functional change.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Either way:
Acked-by: Jan Beulich <jbeulich@suse.com>
Jan
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-23 7:26 ` Roberto Bagnara
@ 2026-02-25 12:14 ` Andrew Cooper
2026-02-25 12:35 ` Nicola Vetrini
0 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-25 12:14 UTC (permalink / raw)
To: Roberto Bagnara, Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com,
Nicola Vetrini
On 23/02/2026 7:26 am, Roberto Bagnara wrote:
> On 20/02/26 22:46, Andrew Cooper wrote:
>> Eclair complains of a side effect in a sizeof() expression (R13.6).
>
> I disagree with comments of the form "Eclair complains"
We use the same phrasing with other tools too, but I can change it to
"reports" which I suppose is a more neutral term.
>
> Note that in recent versions of MISRA C that rule is no longer
> mandatory. More generally, note also that, IMHO, switching to
> a more modern version of MISRA C would simplify compliance.
Ok. Making things simpler for compliance sounds like a good thing.
What would this entail?
Presumably we've got to adapt to all changes in this newer revision of
MISRA C.
~Andrew
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-25 12:14 ` Andrew Cooper
@ 2026-02-25 12:35 ` Nicola Vetrini
2026-02-25 12:53 ` Andrew Cooper
0 siblings, 1 reply; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-25 12:35 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roberto Bagnara, Xen-devel, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com
On 2026-02-25 13:14, Andrew Cooper wrote:
> On 23/02/2026 7:26 am, Roberto Bagnara wrote:
>> On 20/02/26 22:46, Andrew Cooper wrote:
>>> Eclair complains of a side effect in a sizeof() expression (R13.6).
>>
>> I disagree with comments of the form "Eclair complains"
>
> We use the same phrasing with other tools too, but I can change it to
> "reports" which I suppose is a more neutral term.
>
>>
>> Note that in recent versions of MISRA C that rule is no longer
>> mandatory. More generally, note also that, IMHO, switching to
>> a more modern version of MISRA C would simplify compliance.
>
> Ok. Making things simpler for compliance sounds like a good thing.
> What would this entail?
>
> Presumably we've got to adapt to all changes in this newer revision of
> MISRA C.
>
> ~Andrew
Most likely new violations on new non-clean guidelines, generally rules
for features that were standardized in C11/C18 and were previously
widely available extensions (e.g. _Noreturn, _Alignof, threads, ...),
alongside some minor changes in existing ones, such as the
classification change mentioned by Roberto. The exact impact depends on
the target MISRA revision, however. Making an experiment should be only
a matter of s/MC3A2/MC4/ (or whichever MISRA revision is chosen: MC4 in
ECLAIR refers to the latest published MISRA revision, that is, MISRA
C:2025. Perhaps also a few regressions (as in newly introduced
violations) on clean ones, but I do not expect the results to be
radically different.
Side note here: are the efforts to make Xen compile with -stc=c11/gnu11
still ongoing? I say this because any MISRA revision other than the one
currently used by Xen by default is based on C11, as it introduces
guidelines for C11/C18 features. Not that this would matter a whole lot
for Xen, but it is something to consider in the broader picture.
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-25 12:35 ` Nicola Vetrini
@ 2026-02-25 12:53 ` Andrew Cooper
2026-02-25 13:09 ` Nicola Vetrini
0 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-25 12:53 UTC (permalink / raw)
To: Nicola Vetrini
Cc: Andrew Cooper, Roberto Bagnara, Xen-devel, Jan Beulich,
Roger Pau Monné, Stefano Stabellini, Julien Grall,
Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 25/02/2026 12:35 pm, Nicola Vetrini wrote:
> On 2026-02-25 13:14, Andrew Cooper wrote:
>> On 23/02/2026 7:26 am, Roberto Bagnara wrote:
>>>
>>> Note that in recent versions of MISRA C that rule is no longer
>>> mandatory. More generally, note also that, IMHO, switching to
>>> a more modern version of MISRA C would simplify compliance.
>>
>> Ok. Making things simpler for compliance sounds like a good thing.
>> What would this entail?
>>
>> Presumably we've got to adapt to all changes in this newer revision of
>> MISRA C.
>>
>> ~Andrew
>
> Most likely new violations on new non-clean guidelines, generally
> rules for features that were standardized in C11/C18 and were
> previously widely available extensions (e.g. _Noreturn, _Alignof,
> threads, ...),
We use noreturn a lot, and alignof() a little. No threading at all
(well - not as C understands it).
> alongside some minor changes in existing ones, such as the
> classification change mentioned by Roberto. The exact impact depends
> on the target MISRA revision, however. Making an experiment should be
> only a matter of s/MC3A2/MC4/ (or whichever MISRA revision is chosen:
> MC4 in ECLAIR refers to the latest published MISRA revision, that is,
> MISRA C:2025. Perhaps also a few regressions (as in newly introduced
> violations) on clean ones, but I do not expect the results to be
> radically different.
>
> Side note here: are the efforts to make Xen compile with
> -stc=c11/gnu11 still ongoing? I say this because any MISRA revision
> other than the one currently used by Xen by default is based on C11,
> as it introduces guidelines for C11/C18 features. Not that this would
> matter a whole lot for Xen, but it is something to consider in the
> broader picture.
>
Funny you should ask. I had a paragraph about it in my reply but
dropped it, thinking it was getting off track.
https://gitlab.com/xen-project/xen/-/issues/201
I've just updated it to note that we did start using auto, by way of the
__auto_type language extension.
From the Xen side, switching to gnu11 is a one-line change. However
"ongoing" is really just me in my copious free time, and I'm not able to
do the ECLAIR/MISRA config side of the work.
It sounds to me like we want a dedicated work item switch to gnu11 and
some newer MISRA revision, but I will have to defer to you on how large
a task this is.
I suppose we should start with an experiment to see what shows up in the
*-amd target builds, and go from there?
~Andrew
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries()
2026-02-25 12:53 ` Andrew Cooper
@ 2026-02-25 13:09 ` Nicola Vetrini
0 siblings, 0 replies; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-25 13:09 UTC (permalink / raw)
To: Andrew Cooper
Cc: Roberto Bagnara, Xen-devel, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com
On 2026-02-25 13:53, Andrew Cooper wrote:
> On 25/02/2026 12:35 pm, Nicola Vetrini wrote:
>> On 2026-02-25 13:14, Andrew Cooper wrote:
>>> On 23/02/2026 7:26 am, Roberto Bagnara wrote:
>>>>
>>>> Note that in recent versions of MISRA C that rule is no longer
>>>> mandatory. More generally, note also that, IMHO, switching to
>>>> a more modern version of MISRA C would simplify compliance.
>>>
>>> Ok. Making things simpler for compliance sounds like a good thing.
>>> What would this entail?
>>>
>>> Presumably we've got to adapt to all changes in this newer revision
>>> of
>>> MISRA C.
>>>
>>> ~Andrew
>>
>> Most likely new violations on new non-clean guidelines, generally
>> rules for features that were standardized in C11/C18 and were
>> previously widely available extensions (e.g. _Noreturn, _Alignof,
>> threads, ...),
>
> We use noreturn a lot, and alignof() a little. No threading at all
> (well - not as C understands it).
>
>> alongside some minor changes in existing ones, such as the
>> classification change mentioned by Roberto. The exact impact depends
>> on the target MISRA revision, however. Making an experiment should be
>> only a matter of s/MC3A2/MC4/ (or whichever MISRA revision is chosen:
>> MC4 in ECLAIR refers to the latest published MISRA revision, that is,
>> MISRA C:2025. Perhaps also a few regressions (as in newly introduced
>> violations) on clean ones, but I do not expect the results to be
>> radically different.
>>
>> Side note here: are the efforts to make Xen compile with
>> -stc=c11/gnu11 still ongoing? I say this because any MISRA revision
>> other than the one currently used by Xen by default is based on C11,
>> as it introduces guidelines for C11/C18 features. Not that this would
>> matter a whole lot for Xen, but it is something to consider in the
>> broader picture.
>>
>
> Funny you should ask. I had a paragraph about it in my reply but
> dropped it, thinking it was getting off track.
>
> https://gitlab.com/xen-project/xen/-/issues/201
>
> I've just updated it to note that we did start using auto, by way of
> the
> __auto_type language extension.
>
> From the Xen side, switching to gnu11 is a one-line change. However
> "ongoing" is really just me in my copious free time, and I'm not able
> to
> do the ECLAIR/MISRA config side of the work.
>
> It sounds to me like we want a dedicated work item switch to gnu11 and
> some newer MISRA revision, but I will have to defer to you on how large
> a task this is.
>
> I suppose we should start with an experiment to see what shows up in
> the
> *-amd target builds, and go from there?
>
Yes, that's sensible. I just wasn't sure if there were other gotchas in
Xen still to be addressed before using gnu11
> ~Andrew
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-20 22:45 ` Nicola Vetrini
@ 2026-02-25 16:05 ` Andrew Cooper
2026-02-25 16:34 ` Nicola Vetrini
0 siblings, 1 reply; 39+ messages in thread
From: Andrew Cooper @ 2026-02-25 16:05 UTC (permalink / raw)
To: Nicola Vetrini
Cc: Andrew Cooper, Xen-devel, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com
On 20/02/2026 10:45 pm, Nicola Vetrini wrote:
> On 2026-02-20 22:46, Andrew Cooper wrote:
>> Fixing Rule 20.7 violations.
>>
>> No functional change.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Thanks.
>> diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
>> index 7446533c8cfb..63473925cafb 100644
>> --- a/xen/common/livepatch.c
>> +++ b/xen/common/livepatch.c
>> @@ -664,9 +664,10 @@ static inline int
>> livepatch_check_expectations(const struct payload *payload)
>> const struct livepatch_elf_sec *__sec =
>> livepatch_elf_sec_by_name(elf, section_name); \
>> if ( !__sec
>> )
>> \
>>
>> break;
>> \
>> - if ( !section_ok(elf, __sec, sizeof(*hook)) ||
>> __sec->sec->sh_size != sizeof(*hook) ) \
>> + if ( !section_ok(elf, __sec, sizeof(*(hook)))
>> || \
>> + __sec->sec->sh_size != sizeof(*(hook))
>> ) \
>> return
>> -EINVAL;
>> \
>> - hook =
>> __sec->addr;
>> \
>> + (hook) =
>> __sec->addr;
>> \
>
> This is not strictly needed, if not for consistency.
That explains why my first try didn't succeed. But, why is it that only
MISRA only cares about bracketing for rvalues, not lvalues ?
~Andrew
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-25 16:05 ` Andrew Cooper
@ 2026-02-25 16:34 ` Nicola Vetrini
2026-02-25 16:39 ` Andrew Cooper
0 siblings, 1 reply; 39+ messages in thread
From: Nicola Vetrini @ 2026-02-25 16:34 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jan Beulich, Roger Pau Monné, Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com
On 2026-02-25 17:05, Andrew Cooper wrote:
> On 20/02/2026 10:45 pm, Nicola Vetrini wrote:
>> On 2026-02-20 22:46, Andrew Cooper wrote:
>>> Fixing Rule 20.7 violations.
>>>
>>> No functional change.
>>>
>>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>
>> Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
>
> Thanks.
>
>>> diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
>>> index 7446533c8cfb..63473925cafb 100644
>>> --- a/xen/common/livepatch.c
>>> +++ b/xen/common/livepatch.c
>>> @@ -664,9 +664,10 @@ static inline int
>>> livepatch_check_expectations(const struct payload *payload)
>>> const struct livepatch_elf_sec *__sec =
>>> livepatch_elf_sec_by_name(elf, section_name); \
>>> if ( !__sec
>>> )
>>> \
>>>
>>> break;
>>> \
>>> - if ( !section_ok(elf, __sec, sizeof(*hook)) ||
>>> __sec->sec->sh_size != sizeof(*hook) ) \
>>> + if ( !section_ok(elf, __sec, sizeof(*(hook)))
>>> || \
>>> + __sec->sec->sh_size != sizeof(*(hook))
>>> ) \
>>> return
>>> -EINVAL;
>>> \
>>> - hook =
>>> __sec->addr;
>>> \
>>> + (hook) =
>>> __sec->addr;
>>> \
>>
>> This is not strictly needed, if not for consistency.
>
> That explains why my first try didn't succeed. But, why is it that
> only
> MISRA only cares about bracketing for rvalues, not lvalues ?
>
It was actually asked by Xen maintainers to introduce this special case
on the grounds that it is extremely unlikely to result in an operator
precedence mishap that leads to incorrect expansion. See below:
-doc_begin="Code violating Rule 20.7 is safe when macro parameters are
used: (1)
as function arguments; (2) as macro arguments; (3) as array indices; (4)
as lhs
in assignments; (5) as initializers, possibly designated, in initalizer
lists;
(6) as the constant expression in a switch clause label."
-config=MC3A2.R20.7,expansion_context=
[...]
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 11/12] xen: Bracket uses of macro parameters
2026-02-25 16:34 ` Nicola Vetrini
@ 2026-02-25 16:39 ` Andrew Cooper
0 siblings, 0 replies; 39+ messages in thread
From: Andrew Cooper @ 2026-02-25 16:39 UTC (permalink / raw)
To: Nicola Vetrini
Cc: Andrew Cooper, Xen-devel, Jan Beulich, Roger Pau Monné,
Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bertrand Marquis, Michal Orzel, consulting @ bugseng . com
On 25/02/2026 4:34 pm, Nicola Vetrini wrote:
> On 2026-02-25 17:05, Andrew Cooper wrote:
>> On 20/02/2026 10:45 pm, Nicola Vetrini wrote:
>>> On 2026-02-20 22:46, Andrew Cooper wrote:
>>>> Fixing Rule 20.7 violations.
>>>>
>>>> No functional change.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>
>>> Reviewed-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
>>
>> Thanks.
>>
>>>> diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
>>>> index 7446533c8cfb..63473925cafb 100644
>>>> --- a/xen/common/livepatch.c
>>>> +++ b/xen/common/livepatch.c
>>>> @@ -664,9 +664,10 @@ static inline int
>>>> livepatch_check_expectations(const struct payload *payload)
>>>> const struct livepatch_elf_sec *__sec =
>>>> livepatch_elf_sec_by_name(elf, section_name); \
>>>> if ( !__sec
>>>> )
>>>> \
>>>>
>>>> break;
>>>> \
>>>> - if ( !section_ok(elf, __sec, sizeof(*hook)) ||
>>>> __sec->sec->sh_size != sizeof(*hook) ) \
>>>> + if ( !section_ok(elf, __sec, sizeof(*(hook)))
>>>> || \
>>>> + __sec->sec->sh_size != sizeof(*(hook))
>>>> ) \
>>>> return
>>>> -EINVAL;
>>>> \
>>>> - hook =
>>>> __sec->addr;
>>>> \
>>>> + (hook) =
>>>> __sec->addr;
>>>> \
>>>
>>> This is not strictly needed, if not for consistency.
>>
>> That explains why my first try didn't succeed. But, why is it that only
>> MISRA only cares about bracketing for rvalues, not lvalues ?
>>
>
> It was actually asked by Xen maintainers to introduce this special
> case on the grounds that it is extremely unlikely to result in an
> operator precedence mishap that leads to incorrect expansion. See below:
>
> -doc_begin="Code violating Rule 20.7 is safe when macro parameters are
> used: (1)
> as function arguments; (2) as macro arguments; (3) as array indices;
> (4) as lhs
> in assignments; (5) as initializers, possibly designated, in
> initalizer lists;
> (6) as the constant expression in a switch clause label."
> -config=MC3A2.R20.7,expansion_context=
> [...]
Oh ok. I'll make it match what was agreed then.
Thanks,
~Andrew
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters
2026-02-23 9:15 ` Jan Beulich
@ 2026-03-03 12:48 ` Daniel Smith
0 siblings, 0 replies; 39+ messages in thread
From: Daniel Smith @ 2026-03-03 12:48 UTC (permalink / raw)
To: Jan Beulich
Cc: Andrew Cooper, "Roger Pau Monné", Stefano Stabellini,
Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel,
consulting @ bugseng . com, Nicola Vetrini, Xen-devel,
Christopher Clark
From: Jan Beulich <jbeulich@suse.com>
To: "Andrew Cooper"<andrew.cooper3@citrix.com>
Cc: "Roger Pau Monné"<roger.pau@citrix.com>, "Stefano Stabellini"<sstabellini@kernel.org>, "Julien Grall"<julien@xen.org>, "Volodymyr Babchuk"<Volodymyr_Babchuk@epam.com>, "Bertrand Marquis"<bertrand.marquis@arm.com>, "Michal Orzel"<michal.orzel@amd.com>, "consulting @ bugseng . com"<consulting@bugseng.com>, "Nicola Vetrini"<nicola.vetrini@bugseng.com>, "Xen-devel"<xen-devel@lists.xenproject.org>, "Christopher Clark"<christopher.w.clark@gmail.com>, "Daniel P. Smith"<dpsmith@apertussolutions.com>
Date: Mon, 23 Feb 2026 04:15:55 -0500
Subject: Re: [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters
> On 20.02.2026 22:46, Andrew Cooper wrote:
> > For the ARM build only, Eclair reports a R8.4 violation because do_argo_op()
> > cannot see its declaration. This means that x86 is picking hypercall-defs.h
> > up transitively while ARM is not. Include xen/hypercall.h explicitly.
> >
> > Eclair also reports a R8.3 violation because of arg3 and arg4 differing in
> > name with a raw_ prefix. Because hypercall-defs.h generates both do_argo_op()
> > and compat_argo_op() from a single description, it's not possible to simply
> > rename to raw_ in the declaration, as that would force doing the same rename
> > in compat_argo_op().
> >
> > In do_argo_op(), drop the split parameter handling, and perform the 32bit
> > range check via an explicit cast. While adjusting the surrounding logic, drop
> > unnecessary casts to void * for already pointer arguments in argo_printk().
> >
> > No functional change.
> >
> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
>
Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
end of thread, other threads:[~2026-03-03 12:49 UTC | newest]
Thread overview: 39+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-20 21:46 [PATCH 00/12] xen: Misc MISRA fixes for *-allcode targets Andrew Cooper
2026-02-20 21:46 ` [PATCH 01/12] arm: Use __func__ in acpi_boot_table_init() Andrew Cooper
2026-02-20 21:58 ` Nicola Vetrini
2026-02-23 8:54 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 02/12] xen/treewide: Adjust suffixes on integer literals Andrew Cooper
2026-02-23 8:57 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 03/12] xen/argo: Fix MISRA violations around function parameters Andrew Cooper
2026-02-23 9:15 ` Jan Beulich
2026-03-03 12:48 ` Daniel Smith
2026-02-20 21:46 ` [PATCH 04/12] xen/treewide: Adjust parameter names and types Andrew Cooper
2026-02-23 8:58 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 05/12] x86: Adjust annotations of asm-used identifiers Andrew Cooper
2026-02-23 9:21 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 06/12] xen: Include suitable headers to make declarations visible Andrew Cooper
2026-02-23 10:44 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 07/12] xen/vmac: Const the key parameter of vmac_set_key() Andrew Cooper
2026-02-23 10:45 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 08/12] arm/pci-designware: Fix MISRA violations Andrew Cooper
2026-02-20 22:15 ` Nicola Vetrini
2026-02-23 9:00 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 09/12] x86/shadow: Rework write_atomic() call in shadow_write_entries() Andrew Cooper
2026-02-20 22:28 ` Nicola Vetrini
2026-02-23 7:26 ` Roberto Bagnara
2026-02-25 12:14 ` Andrew Cooper
2026-02-25 12:35 ` Nicola Vetrini
2026-02-25 12:53 ` Andrew Cooper
2026-02-25 13:09 ` Nicola Vetrini
2026-02-20 21:46 ` [PATCH 10/12] xen: Adjust break/fallthrough statements Andrew Cooper
2026-02-20 22:36 ` Nicola Vetrini
2026-02-23 9:02 ` Orzel, Michal
2026-02-20 21:46 ` [PATCH 11/12] xen: Bracket uses of macro parameters Andrew Cooper
2026-02-20 22:45 ` Nicola Vetrini
2026-02-25 16:05 ` Andrew Cooper
2026-02-25 16:34 ` Nicola Vetrini
2026-02-25 16:39 ` Andrew Cooper
2026-02-23 9:04 ` Orzel, Michal
2026-02-23 10:50 ` Jan Beulich
2026-02-20 21:46 ` [PATCH 12/12] xen/vmac: Delete STDINT block in vmac.h Andrew Cooper
2026-02-23 10:54 ` Jan Beulich
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.