authorRoger Pau Monné <royger@FreeBSD.org>2023-10-03 09:36:16 +0000
committerRoger Pau Monné <royger@FreeBSD.org>2023-10-16 13:21:45 +0000
commit8b5aa5e081589cef8450bd472c9f5184d082d922 (patch)
treeee7a5a85bfddbc784ab25c88de3f56ce454ff776 /emulators
parent142e8961ad891521b44c6052247f32a29e02e934 (diff)
Diffstat (limited to 'emulators')
-rw-r--r--emulators/xen-kernel/Makefile19
-rw-r--r--emulators/xen-kernel/distinfo6
-rw-r--r--emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch107
-rw-r--r--emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch78
-rw-r--r--emulators/xen-kernel/files/xsa425.patch132
-rw-r--r--emulators/xen-kernel/files/xsa426.patch107
6 files changed, 10 insertions, 439 deletions
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index d08ba8c7fdb3..99845319e3c3 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -1,9 +1,11 @@
PORTNAME= xen
-PORTVERSION= 4.17.0
-PORTREVISION= 1
-CATEGORIES= emulators
-MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/
PKGNAMESUFFIX= -kernel
+DISTVERSION= 4.17.2.20230929
+CATEGORIES= emulators
+
+USE_GITLAB= yes
+GL_ACCOUNT= xen-project
+GL_TAGNAME= 0b56bed864ca9b572473957f0254aefa797216f2
MAINTAINER= royger@FreeBSD.org
COMMENT= Hypervisor using a microkernel design
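Review bot: GL_TAGNAME on the new side pins a bare commit id with no comment saying which upstream branch it was cut from or why a branch snapshot replaces the release tarball, so a later bump cannot tell what the snapshot is expected to contain. The pin itself is sound: a full commit hash together with the distinfo SHA256 makes the fetch reproducible, unlike a moving tag or branch name would. I would add a line above GL_TAGNAME such as `# Snapshot of upstream <BRANCH> as of 2023-09-29 (post-4.17.2); bump DISTVERSION and GL_TAGNAME together`, with the branch name filled in by the committer. The DISTVERSION date suffix and GL_TAGNAME are two independent encodings of the same snapshot, so the comment should say they must move together.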
@@ -26,14 +28,7 @@ PLIST_FILES= /boot/xen \
lib/debug/boot/xen.debug \
lib/debug/boot/xen-debug.debug
-# XSAs
-EXTRA_PATCHES+= ${PATCHDIR}/xsa425.patch:-p1 \
- ${PATCHDIR}/xsa426.patch:-p1 \
- ${PATCHDIR}/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch:-p1
-# Backports
-# clang build fixes
-EXTRA_PATCHES+= ${PATCHDIR}/0001-xen-x86-Remove-the-use-of-K-R-functions.patch:-p1
-# Support for fetching video mode from PVH dom0
+# Support for fetching video mode for PVH dom0
EXTRA_PATCHES+= ${PATCHDIR}/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch:-p1 \
${PATCHDIR}/0001-x86-platform-make-XENPF_get_dom0_console-actually-us.patch:-p1
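Review bot: The removed `# XSAs` block drops xsa425.patch and xsa426.patch without the new side recording that those fixes are now expected to come from the upstream snapshot, so after this change nothing in the Makefile documents the port's XSA coverage. Presumably both XSAs and the Clang-IAS workaround are already in the 4.17.2-based snapshot, but that is inferred from the version bump rather than stated anywhere in the hunk. I would keep a one-line marker where the block was, e.g. `# XSA-425/XSA-426 and the Clang-IAS workaround are included upstream as of this snapshot`, so the next XSA batch has an obvious place to go and a reader can check the claim against the pinned GL_TAGNAME commit. The surviving EXTRA_PATCHES entries reference patch files that this commit does not touch, so only the comment wording changes there.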
diff --git a/emulators/xen-kernel/distinfo b/emulators/xen-kernel/distinfo
index 843b42797c93..ec623c4d9a85 100644
--- a/emulators/xen-kernel/distinfo
+++ b/emulators/xen-kernel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1678353105
-SHA256 (xen-4.17.0.tar.gz) = 119fc44fa3f9b581f1929c2ed8e0f97fac59a1828bc5ec5c244df096e7343ef9
-SIZE (xen-4.17.0.tar.gz) = 46484553
+TIMESTAMP = 1697454930
+SHA256 (xen-project-xen-0b56bed864ca9b572473957f0254aefa797216f2_GL0.tar.gz) = 67416c990b22ce989f7a1011482b5a99372b8a6060d55230258daf859524c0e5
+SIZE (xen-project-xen-0b56bed864ca9b572473957f0254aefa797216f2_GL0.tar.gz) = 6703002
diff --git a/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
deleted file mode 100644
index 62f912f089e7..000000000000
--- a/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From a2adacff0b91cc7b977abb209dc419a2ef15963f Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 17 Feb 2023 00:12:24 +0000
-Subject: [PATCH] xen: Work around Clang-IAS macro \@ expansion bug
-
-https://github.com/llvm/llvm-project/issues/60792
-
-It turns out that Clang-IAS does not expand \@ uniquely in a translaition
-unit, and the XSA-426 change tickles this bug:
-
- <instantiation>:4:1: error: invalid symbol redefinition
- .L1_fill_rsb_loop:
- ^
- make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1
-
-Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in
-too, which Clang does seem to expand properly.
-
-Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/include/asm/spec_ctrl.h | 4 ++--
- xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++-------
- 2 files changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
-index 3cf8a7d304..f718f94088 100644
---- a/xen/arch/x86/include/asm/spec_ctrl.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl.h
-@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void)
- wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
-
- /* (ab)use alternative_input() to specify clobbers. */
-- alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
-+ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET,
- : "rax", "rcx");
- }
-
-@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
- *
- * (ab)use alternative_input() to specify clobbers.
- */
-- alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
-+ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE,
- : "rax", "rcx");
- }
-
-diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-index fab27ff553..f23bb105c5 100644
---- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-@@ -117,11 +117,16 @@
- .L\@_done:
- .endm
-
--.macro DO_OVERWRITE_RSB tmp=rax
-+.macro DO_OVERWRITE_RSB tmp=rax xu
- /*
- * Requires nothing
- * Clobbers \tmp (%rax by default), %rcx
- *
-+ * xu is an optional parameter to add eXtra Uniqueness. It is intended for
-+ * passing %= in from an asm() block, in order to work around
-+ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't
-+ * expand \@ uniquely.
-+ *
- * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net
- * change. Based on Google's performance numbers, the loop is unrolled to 16
- * iterations and two calls per iteration.
-@@ -136,27 +141,27 @@
- mov $16, %ecx /* 16 iterations, two calls per loop */
- mov %rsp, %\tmp /* Store the current %rsp */
-
--.L\@_fill_rsb_loop:
-+.L\@_fill_rsb_loop\xu:
-
- .irp n, 1, 2 /* Unrolled twice. */
-- call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */
-+ call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */
- int3 /* Halt rogue speculation. */
-
--.L\@_insert_rsb_entry_\n:
-+.L\@_insert_rsb_entry\xu\n:
- .endr
-
- sub $1, %ecx
-- jnz .L\@_fill_rsb_loop
-+ jnz .L\@_fill_rsb_loop\xu
- mov %\tmp, %rsp /* Restore old %rsp */
-
- #ifdef CONFIG_XEN_SHSTK
- mov $1, %ecx
- rdsspd %ecx
- cmp $1, %ecx
-- je .L\@_shstk_done
-+ je .L\@_shstk_done\xu
- mov $64, %ecx /* 64 * 4 bytes, given incsspd */
- incsspd %ecx /* Restore old SSP */
--.L\@_shstk_done:
-+.L\@_shstk_done\xu:
- #endif
- .endm
-
---
-2.39.0
-
diff --git a/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch b/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch
deleted file mode 100644
index cab6f0e93b9f..000000000000
--- a/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 22b2fa4766728c3057757c00e79da5f7803fff33 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 16 Feb 2023 22:14:12 +0000
-Subject: [PATCH] xen/x86: Remove the use of K&R functions
-
-Clang-15 (as seen in the FreeBSD 14 tests) complains:
-
- arch/x86/time.c:1364:20: error: a function declaration without a
- prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
- s_time_t get_s_time()
- ^
- void
-
-The error message is a bit confusing but appears to new as part of
--Wdeprecated-non-prototype which is part of supporting C2x which formally
-removes K&R syntax.
-
-Either way, fix the identified functions.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/hvm/vmx/vmcs.c | 2 +-
- xen/arch/x86/time.c | 2 +-
- xen/drivers/passthrough/iommu.c | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
-index 09edbd23b3..e1c268789e 100644
---- a/xen/arch/x86/hvm/vmx/vmcs.c
-+++ b/xen/arch/x86/hvm/vmx/vmcs.c
-@@ -781,7 +781,7 @@ static int _vmx_cpu_up(bool bsp)
- return 0;
- }
-
--int cf_check vmx_cpu_up()
-+int cf_check vmx_cpu_up(void)
- {
- return _vmx_cpu_up(false);
- }
-diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
-index 782b11c8a9..4e44a43cc5 100644
---- a/xen/arch/x86/time.c
-+++ b/xen/arch/x86/time.c
-@@ -1361,7 +1361,7 @@ s_time_t get_s_time_fixed(u64 at_tsc)
- return t->stamp.local_stime + scale_delta(delta, &t->tsc_scale);
- }
-
--s_time_t get_s_time()
-+s_time_t get_s_time(void)
- {
- return get_s_time_fixed(0);
- }
-diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
-index 921b71e819..0e187f6ae3 100644
---- a/xen/drivers/passthrough/iommu.c
-+++ b/xen/drivers/passthrough/iommu.c
-@@ -606,7 +606,7 @@ int __init iommu_setup(void)
- return rc;
- }
-
--int iommu_suspend()
-+int iommu_suspend(void)
- {
- if ( iommu_enabled )
- return iommu_call(iommu_get_ops(), suspend);
-@@ -614,7 +614,7 @@ int iommu_suspend()
- return 0;
- }
-
--void iommu_resume()
-+void iommu_resume(void)
- {
- if ( iommu_enabled )
- iommu_vcall(iommu_get_ops(), resume);
---
-2.39.0
-
diff --git a/emulators/xen-kernel/files/xsa425.patch b/emulators/xen-kernel/files/xsa425.patch
deleted file mode 100644
index b36732025e83..000000000000
--- a/emulators/xen-kernel/files/xsa425.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From: Jason Andryuk <jandryuk@gmail.com>
-Subject: Revert "tools/xenstore: simplify loop handling connection I/O"
-
-I'm observing guest kexec trigger xenstored to abort on a double free.
-
-gdb output:
-Program received signal SIGABRT, Aborted.
-__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44
-44 ./nptl/pthread_kill.c: No such file or directory.
-(gdb) bt
- at ./nptl/pthread_kill.c:44
- at ./nptl/pthread_kill.c:78
- at ./nptl/pthread_kill.c:89
- at ../sysdeps/posix/raise.c:26
- at talloc.c:119
- ptr=ptr@entry=0x559fae724290) at talloc.c:232
- at xenstored_core.c:2945
-(gdb) frame 5
- at talloc.c:119
-119 TALLOC_ABORT("Bad talloc magic value - double free");
-(gdb) frame 7
- at xenstored_core.c:2945
-2945 talloc_increase_ref_count(conn);
-(gdb) p conn
-$1 = (struct connection *) 0x559fae724290
-
-Looking at a xenstore trace, we have:
-IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom
-id )
-wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc
-ard
-wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc
-ard
-wrl: dom 0 0 msec 10000 credit 1000000 reserve 0 disc
-ard
-wrl: dom 3 0 msec 10000 credit 1000000 reserve 0 disc
-ard
-OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT )
-wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc
-ard
-wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc
-ard
-IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 )
-DESTROY watch 0x559fae73f630
-DESTROY watch 0x559fae75ddf0
-DESTROY watch 0x559fae75ec30
-DESTROY watch 0x559fae75ea60
-DESTROY watch 0x559fae732c00
-DESTROY watch 0x559fae72cea0
-DESTROY watch 0x559fae728fc0
-DESTROY watch 0x559fae729570
-DESTROY connection 0x559fae724290
-orphaned node /local/domain/3/device/suspend/event-channel deleted
-orphaned node /local/domain/3/device/vbd/51712 deleted
-orphaned node /local/domain/3/device/vkbd/0 deleted
-orphaned node /local/domain/3/device/vif/0 deleted
-orphaned node /local/domain/3/control/shutdown deleted
-orphaned node /local/domain/3/control/feature-poweroff deleted
-orphaned node /local/domain/3/control/feature-reboot deleted
-orphaned node /local/domain/3/control/feature-suspend deleted
-orphaned node /local/domain/3/control/feature-s3 deleted
-orphaned node /local/domain/3/control/feature-s4 deleted
-orphaned node /local/domain/3/control/sysrq deleted
-orphaned node /local/domain/3/data deleted
-orphaned node /local/domain/3/drivers deleted
-orphaned node /local/domain/3/feature deleted
-orphaned node /local/domain/3/attr deleted
-orphaned node /local/domain/3/error deleted
-orphaned node /local/domain/3/console/backend-id deleted
-
-and no further output.
-
-The trace shows that DESTROY was called for connection 0x559fae724290,
-but that is the same pointer (conn) main() was looping through from
-connections. So it wasn't actually removed from the connections list?
-
-Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling
-connection I/O" fixes the abort/double free. I think the use of
-list_for_each_entry_safe is incorrect. list_for_each_entry_safe makes
-traversal safe for deleting the current iterator, but RELEASE/do_release
-will delete some other entry in the connections list. I think the
-observed abort is because list_for_each_entry has next pointing to the
-deleted connection, and it is used in the subsequent iteration.
-
-Add a comment explaining the unsuitability of list_for_each_entry_safe.
-Also notice that the old code takes a reference on next which would
-prevents a use-after-free.
-
-This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d.
-
-This is XSA-425/CVE-2022-42330.
-
-Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O")
-Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
----
- tools/xenstore/xenstored_core.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
-index 78a3edaa4e..029e3852fc 100644
---- a/tools/xenstore/xenstored_core.c
-+++ b/tools/xenstore/xenstored_core.c
-@@ -2941,8 +2941,23 @@ int main(int argc, char *argv[])
- }
- }
-
-- list_for_each_entry_safe(conn, next, &connections, list) {
-- talloc_increase_ref_count(conn);
-+ /*
-+ * list_for_each_entry_safe is not suitable here because
-+ * handle_input may delete entries besides the current one, but
-+ * those may be in the temporary next which would trigger a
-+ * use-after-free. list_for_each_entry_safe is only safe for
-+ * deleting the current entry.
-+ */
-+ next = list_entry(connections.next, typeof(*conn), list);
-+ if (&next->list != &connections)
-+ talloc_increase_ref_count(next);
-+ while (&next->list != &connections) {
-+ conn = next;
-+
-+ next = list_entry(conn->list.next,
-+ typeof(*conn), list);
-+ if (&next->list != &connections)
-+ talloc_increase_ref_count(next);
-
- if (conn_can_read(conn))
- handle_input(conn);
---
-2.34.1
diff --git a/emulators/xen-kernel/files/xsa426.patch b/emulators/xen-kernel/files/xsa426.patch
deleted file mode 100644
index 3f5f9527ea87..000000000000
--- a/emulators/xen-kernel/files/xsa426.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions
-
-This is XSA-426 / CVE-2022-27672
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 923910f553c5..a2ff38cdebf2 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -2355,7 +2355,7 @@ guests to use.
- on entry and exit. These blocks are necessary to virtualise support for
- guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
- * `rsb=` offers control over whether to overwrite the Return Stack Buffer /
-- Return Address Stack on entry to Xen.
-+ Return Address Stack on entry to Xen and on idle.
- * `md-clear=` offers control over whether to use VERW to flush
- microarchitectural buffers on idle and exit from Xen. *Note: For
- compatibility with development versions of this fix, `mds=` is also accepted
-diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
-index 865f1109866d..da0593de8542 100644
---- a/xen/arch/x86/include/asm/cpufeatures.h
-+++ b/xen/arch/x86/include/asm/cpufeatures.h
-@@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM
- XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */
- XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */
- XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
--/* Bits 23,24 unused. */
-+/* Bits 23 unused. */
-+XEN_CPUFEATURE(SC_RSB_IDLE, X86_SYNTH(24)) /* RSB overwrite needed for idle. */
- XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */
- XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
- XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */
-diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
-index 6a77c3937844..391973ef6a28 100644
---- a/xen/arch/x86/include/asm/spec_ctrl.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl.h
-@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
- */
- alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE,
- [sel] "m" (info->verw_sel));
-+
-+ /*
-+ * Cross-Thread Return Address Predictions:
-+ *
-+ * On vulnerable systems, the return predictions (RSB/RAS) are statically
-+ * partitioned between active threads. When entering idle, our entries
-+ * are re-partitioned to allow the other threads to use them.
-+ *
-+ * In some cases, we might still have guest entries in the RAS, so flush
-+ * them before injecting them sideways to our sibling thread.
-+ *
-+ * (ab)use alternative_input() to specify clobbers.
-+ */
-+ alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
-+ : "rax", "rcx");
- }
-
- /* WARNING! `ret`, `call *`, `jmp *` not safe before this call. */
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index a320b81947c8..e80e2a5ed1a9 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -1327,13 +1327,38 @@ void __init init_speculation_mitigations(void)
- * 3) Some CPUs have RSBs which are not full width, which allow the
- * attacker's entries to alias Xen addresses.
- *
-+ * 4) Some CPUs have RSBs which are re-partitioned based on thread
-+ * idleness, which allows an attacker to inject entries into the other
-+ * thread. We still active the optimisation in this case, and mitigate
-+ * in the idle path which has lower overhead.
-+ *
- * It is safe to turn off RSB stuffing when Xen is using SMEP itself, and
- * 32bit PV guests are disabled, and when the RSB is full width.
- */
- BUILD_BUG_ON(RO_MPT_VIRT_START != PML4_ADDR(256));
-- if ( opt_rsb_pv == -1 && boot_cpu_has(X86_FEATURE_XEN_SMEP) &&
-- !opt_pv32 && rsb_is_full_width() )
-- opt_rsb_pv = 0;
-+ if ( opt_rsb_pv == -1 )
-+ {
-+ opt_rsb_pv = (opt_pv32 || !boot_cpu_has(X86_FEATURE_XEN_SMEP) ||
-+ !rsb_is_full_width());
-+
-+ /*
-+ * Cross-Thread Return Address Predictions.
-+ *
-+ * Vulnerable systems are Zen1/Zen2 uarch, which is AMD Fam17 / Hygon
-+ * Fam18, when SMT is active.
-+ *
-+ * To mitigate, we must flush the RSB/RAS/RAP once between entering
-+ * Xen and going idle.
-+ *
-+ * Most cases flush on entry to Xen anyway. The one case where we
-+ * don't is when using the SMEP optimisation for PV guests. Flushing
-+ * before going idle is less overhead than flushing on PV entry.
-+ */
-+ if ( !opt_rsb_pv && hw_smt_enabled &&
-+ (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD|X86_VENDOR_HYGON)) &&
-+ (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) )
-+ setup_force_cpu_cap(X86_FEATURE_SC_RSB_IDLE);
-+ }
-
- if ( opt_rsb_pv )
- {