Pull up following revision(s) (requested by bouyer in ticket #1168):

	sys/arch/i386/i386/locore.S: revision 1.202
	sys/arch/i386/i386/locore.S: revision 1.203
	sys/arch/i386/i386/locore.S: revision 1.204
	sys/arch/amd64/amd64/locore.S: revision 1.231
	sys/arch/amd64/amd64/locore.S: revision 1.232
	sys/arch/amd64/amd64/locore.S: revision 1.233
	sys/arch/xen/xen/hypervisor.c: revision 1.100
	all via patch

Our PVH bootstrap code assumed that the hvm_start_info structure provided
by Xen is just after the end of the symbol case. With Xen 4.20 it's not
always the case, so:
- get the symbol table size from the first byte of the symbol table area
  provided by Xen. As we don't know if there is a symbol table or not,
  do a minimal sanity check on the size.
- if the hvm_start_info structure is not in the page after kernel_end or
  esym, copy it there (this was already done in the genpvh case). While
  there, if we copy we can easily compute the size and not assume it all fits
  in one page.
With this, a NetBSD PVH dom0 can boot on Xen 4.20

Fix various typos, mainly in comments.

Fix some issues with symbol table detection on Xen PVH:
- the stack grows down so the last pushed value is at 0(%esp), not -4(%esp).
  Pointed out by Joachim Kuebart.
- 0x3fffffff is 1GB-1, not 1MB-1. Test the symtab size against 16MB
  (amd64 generic symbol table is just above 1MB these days)
- I got confused by cmp's arguments order between intel and gas syntax,
  so the tests did the opposite of intended and the symtab was always
  considered valid.
While there use unsigned conditions.
Should fix booting in PVH mode with netbsd-INSTALL (which is stripped)

Author: MartinHusemann

sys/arch/amd64/amd64/locore.S

@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.214.4.3 2025/03/29 10:32:43 martin Exp $	*/
+/*	$NetBSD: locore.S,v 1.214.4.4 2025/10/01 17:19:00 martin Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -842,6 +842,7 @@ next:	pop	%edi
 	jmp	compat
 compat:
 
+	movl	$RELOC(tmpstk),%esp
 	/*
 	 * 5. Not quite done yet, we're now in a compatibility segment, in
 	 *    legacy mode. We must jump to a long mode segment. Need to set up
@@ -1061,7 +1062,6 @@ ENTRY(start_pvh)
 	 *
 	 * To distinguish between the 2 cases, we'll use the 'cpuid' instruction
 	 */
-
 	push %ebx
 	xorl %eax, %eax
 	cpuid
@@ -1084,85 +1084,139 @@ ENTRY(start_pvh)
 
 .start_genpvh:
 
-	/* First, copy the hvm_start_info structure to __kernel_end */
+	/* announce ourself */
+	movl $VM_GUEST_GENPVH, RELOC(vm_guest)
+
+	pop %ebx
+	movl $RELOC(__kernel_end), %eax
+	movl %eax, %ecx
+	addl $KERNBASE_LO,%ecx
+	movl $RELOC(esym),%ebp
+	movl %ecx,(%ebp)
+	movl $KERNBASE_HI,4(%ebp)
+
+	jmp .copy_hvm_info
+
+.start_xen32:
+	movl $VM_GUEST_XENPVH, RELOC(vm_guest)
+	/*
+	 * Read the size of the symbol table, sanity-check and compute the end
+	 * We have:
+	 * |   kernel   |
+	 * -------------- kernel_end
+	 *     alignment
+	 * -------------- bsd_symtab
+	 * | size (int) |
+	 * | elf_header |
+	 * 
+	 */
+	movl $RELOC(__kernel_end), %ebp
+	addl $3, %ebp
+	andl $~3, %ebp
+	movl 0(%ebp), %eax /* read size */
+	testl $~0x00ffffff, %eax /* more than 16MB ? */
+	jnz .bad_esym
+	addl %ebp, %eax /* compute esym */
+	/* check if start_info is within symbol table */
+	movl 0(%esp), %ebx
+	cmp %ebp, %ebx
+	jb .save_esym /* %ebx < __kernel_end */
+	cmp %eax, %ebx
+	jae .save_esym /* %ebx >= esym */
+
+.bad_esym:
+	movl $RELOC(__kernel_end), %eax
+.save_esym:
+	movl %eax, %ebx
+	addl $KERNBASE_LO,%ebx
+	movl $RELOC(esym),%ebp
+	movl %ebx,(%ebp)
+	movl $KERNBASE_HI,4(%ebp)
+	/* advance to next page boundary, this will be our hvm_start_info */
+	addl $PGOFSET,%eax
+	andl $~PGOFSET,%eax
 	pop %ebx
+	
+.copy_hvm_info:
+ 	/*
+	 * %ebx points to physical address provided by Xen
+	 * %eax points to where we want it to be copied to
+	 */
+	/* check if %ebx and %eax are in the same page */
+	movl %ebx, %esi
+	addl $PGOFSET,%esi
+	andl $~PGOFSET,%esi
+	cmp %esi, %eax
+	je .same_hvm_info
+
+	/* First, copy the hvm_start_info structure to %eax */
 	movl %ebx, %esi
-	movl $RELOC(__kernel_end), %edi
+	movl %eax, %edi
 	movl $HVM_START_INFO_SIZE, %ecx
 	shrl $2, %ecx
 	rep movsl
 
 	/* Copy cmdline_paddr after hvm_start_info */
 	movl CMDLINE_PADDR(%ebx), %esi
-	movl $RELOC(__kernel_end), %ecx
-	movl %edi, CMDLINE_PADDR(%ecx)	/* Set new cmdline_paddr in hvm_start_info */
-	.cmdline_copy:
-	movb (%esi), %al
+	movl %edi, CMDLINE_PADDR(%eax)	/* Set new cmdline_paddr in hvm_start_info */
+.cmdline_copy:
+	movb (%esi), %cl
 	movsb
-	cmp $0, %al
+	cmp $0, %cl
 	jne .cmdline_copy
 
 	/* Copy memmap_paddr after cmdline (only if hvm_start_info->version != 0) */
-	xorl %eax, %eax
-	cmpl START_INFO_VERSION(%ebx), %eax
-	je .reload_ebx
+	xorl %ecx, %ecx
+	cmpl START_INFO_VERSION(%ebx), %ecx
+	je .save_hvm_info
+	pushl %eax
 	movl MMAP_PADDR(%ebx), %esi
-	movl $RELOC(__kernel_end), %ecx
-	movl %edi, MMAP_PADDR(%ecx)	/* Set new memmap_paddr in hvm_start_info */
+	movl %edi, MMAP_PADDR(%eax)	/* Set new memmap_paddr in hvm_start_info */
 	movl MMAP_ENTRIES(%ebx), %eax	/* Get memmap_entries */
 	movl $MMAP_ENTRY_SIZE, %ebx
 	mull %ebx			/* eax * ebx => edx:eax */
 	movl %eax, %ecx
 	shrl $2, %ecx
 	rep movsl
+	popl %eax
 
-.reload_ebx:
-	movl $RELOC(__kernel_end), %ebx
-
-	/* announce ourself */
-	movl	$VM_GUEST_GENPVH, RELOC(vm_guest)
-
-	jmp .save_hvm_start_paddr
-
-.start_xen32:
-	pop %ebx
-	movl	$VM_GUEST_XENPVH, RELOC(vm_guest)
-
-.save_hvm_start_paddr:
- 	/*
- 	 * save addr of the hvm_start_info structure. This is also the end
- 	 * of the symbol table
+.save_hvm_info:
 	/*
-	 * save addr of the hvm_start_info structure. This is also the end
-	 * of the symbol table
+	 * %eax points to the start of hvm_start_info
+	 * %edi points to the end
 	 */
-	movl	%ebx, RELOC(hvm_start_paddr)
-	movl	%ebx, %eax
-	addl	$KERNBASE_LO,%eax
-	movl	$RELOC(esym),%ebp
+	addl 	$KERNBASE_LO,%eax
+	movl	$RELOC(hvm_start_info),%ebp
 	movl	%eax,(%ebp)
 	movl	$KERNBASE_HI,4(%ebp)
+
+	/* round end to next page boundary */
+	addl	$PGOFSET,%edi
+	andl	$~PGOFSET,%edi
+
 	/* get a page for HYPERVISOR_shared_info */
 	/* this is only needed if we are running on Xen */
 	cmpl	$VM_GUEST_XENPVH, RELOC(vm_guest)
-	jne	.add_hvm_start_info_page
-	addl	$PAGE_SIZE, %ebx
-	addl	$PGOFSET,%ebx
-	andl	$~PGOFSET,%ebx
+	jne	.save_eblob
 	movl	$RELOC(HYPERVISOR_shared_info_pa),%ebp
-	movl	%ebx,(%ebp)
+	movl	%edi,(%ebp)
 	movl	$0,4(%ebp)
-	/* XXX assume hvm_start_info+dependant structure fits in a single page */
-.add_hvm_start_info_page:
-	addl	$PAGE_SIZE, %ebx
-	addl	$PGOFSET,%ebx
-	andl	$~PGOFSET,%ebx
-	addl	$KERNBASE_LO,%ebx
+	addl	$PAGE_SIZE, %edi
+.save_eblob:
+	addl	$KERNBASE_LO,%edi
 	movl	$RELOC(eblob),%ebp
-	movl	%ebx,(%ebp)
+	movl	%edi,(%ebp)
 	movl	$KERNBASE_HI,4(%ebp)
 
 	jmp .Lbiosbasemem_finished
+
+.same_hvm_info:
+	/* just use the provided %ebx */
+	/* XXX assume hvm_start_info+dependant structure fits in a single page */
+	movl %ebx, %eax
+	movl %ebx, %edi
+	addl	$PAGE_SIZE, %edi
+	jmp .save_hvm_info
 END(start_pvh)
 	.code64
 # endif /* !XENPV */

sys/arch/i386/i386/locore.S

@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.190.4.2 2023/10/18 15:19:08 martin Exp $	*/
+/*	$NetBSD: locore.S,v 1.190.4.3 2025/10/01 17:19:00 martin Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -128,7 +128,7 @@
  */
 
 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: locore.S,v 1.190.4.2 2023/10/18 15:19:08 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: locore.S,v 1.190.4.3 2025/10/01 17:19:00 martin Exp $");
 
 #include "opt_copy_symtab.h"
 #include "opt_ddb.h"
@@ -1191,31 +1191,118 @@ ENTRY(start_xenpvh)
 	rep
 	stosb
 
+	/* push addr of the hvm_start_info structure to stack */
+	push %ebx
+	movl $VM_GUEST_XENPVH, RELOC(vm_guest)
+        /*
+	 * read the size of the symbol table, sanity-check and compute the end
+	 * we have:
+	 * |   kernel   |
+	 * -------------- kernel_end
+	 *     alignment
+	 * -------------- bsd_symtab
+	 * | size (int) |
+	 * | elf_header |
+	 *
+	 */
+	movl $RELOC(__kernel_end), %ebp
+	addl $3, %ebp
+	andl $~3, %ebp
+	movl 0(%ebp), %eax /* read size */
+	testl $~0x00ffffff, %eax /* more than 16MB ? */
+	jnz .bad_esym
+	addl %ebp, %eax /* compute esym */
+	/* check if start_info is within symbol table */
+	movl 0(%esp), %ebx
+	cmp %ebp, %ebx
+	jb .save_esym /* %ebx < __kernel_end */
+	cmp %eax, %ebx
+	jae .save_esym /* %ebx > esym */
+
+.bad_esym:
+	movl $RELOC(__kernel_end), %eax
+.save_esym:
+	movl %eax, %ebx
+	addl $KERNBASE,%ebx
+	movl %ebx,RELOC(esym)
+	/* advance to next page boundary, this will be our hvm_start_info */
+	addl $PGOFSET,%eax
+	andl $~PGOFSET,%eax
+	pop %ebx
+
+.copy_hvm_info:
 	/*
-	 * save addr of the hvm_start_info structure. This is also the end
-	 * of the symbol table
+	 * save addr of the hvm_start_info structure.
+	 * %ebx points to physical address provided by Xen
+	 * %eax points to we want it to be copied to
 	 */
-	movl	%ebx, RELOC(hvm_start_paddr)
-	movl	%ebx, %eax
-	addl	$KERNBASE,%eax
-	movl	$RELOC(esym),%ebp
-	movl	%eax,(%ebp)
+	/* check if %ebx and %eax are in the same page */
+	movl %ebx, %esi
+	addl $PGOFSET,%esi
+	andl $~PGOFSET,%esi
+        cmp %esi, %eax
+	je .same_hvm_info
+
+	/* First, copy the hvm_start_info structure to %eax */
+	movl %ebx, %esi
+	movl %eax, %edi
+	movl $HVM_START_INFO_SIZE, %ecx
+	shrl $2, %ecx
+	rep movsl
+
+	/* Copy cmdline_paddr after hvm_start_info */
+	movl CMDLINE_PADDR(%ebx), %esi
+	movl %edi, CMDLINE_PADDR(%eax)	/* Set new cmdline_paddr in hvm_start_info */
+.cmdline_copy:
+	movb (%esi), %cl
+	movsb
+	cmp $0, %cl
+	jne .cmdline_copy
+
+	/* Copy memmap_paddr after cmdline (only if hvm_start_info->version != 0) */
+	xorl %ecx, %ecx
+	cmpl START_INFO_VERSION(%ebx), %ecx
+	je .save_hvm_info
+	pushl %eax
+	movl MMAP_PADDR(%ebx), %esi
+	movl %edi, MMAP_PADDR(%eax)	/* Set new memmap_paddr in hvm_start_info */
+	movl MMAP_ENTRIES(%ebx), %eax	/* Get memmap_entries */
+	movl $MMAP_ENTRY_SIZE, %ebx
+	mull %ebx			/* eax * ebx => edx:eax */
+	movl %eax, %ecx
+	shrl $2, %ecx
+	rep movsl
+	popl %eax
+
+.save_hvm_info:
+	/*
+	 * %eax points to the start of hvm_start_info
+	 * %edi points to the end
+	 */
+	addl    $KERNBASE,%eax
+	movl	%eax,RELOC(hvm_start_info)
+
+	/* round end to next page boundary */
+	addl    $PGOFSET,%edi
+	andl    $~PGOFSET,%edi
+
 	/* get a page for HYPERVISOR_shared_info */
-	addl	$PAGE_SIZE, %ebx
-	addl	$PGOFSET,%ebx
-	andl	$~PGOFSET,%ebx
 	movl	$RELOC(HYPERVISOR_shared_info_pa),%ebp
-	movl	%ebx,(%ebp)
-	/* XXX assume hvm_start_info+dependant structure fits in a single page */
-	addl	$PAGE_SIZE, %ebx
-	addl	$PGOFSET,%ebx
-	andl	$~PGOFSET,%ebx
-	addl	$KERNBASE,%ebx
+	movl	%edi,(%ebp)
+	addl	$PAGE_SIZE, %edi
+
+	addl    $KERNBASE,%edi
 	movl	$RELOC(eblob),%ebp
-	movl	%ebx,(%ebp)
-	/* announce ourself */
-	movl	$VM_GUEST_XENPVH, RELOC(vm_guest)
+	movl	%edi,(%ebp)
 	jmp	.Lstart_common
+
+.same_hvm_info:
+	/* just use the provided %ebx */
+	/* XXX assume hvm_start_info+dependant structure fits in a single page */
+	movl %ebx, %eax
+	movl %ebx, %edi
+	addl    $PAGE_SIZE, %edi
+	jmp .save_hvm_info
 END(start_xenpvh)
 	.align 8
 gdtdesc_xenpvh:

sys/arch/xen/xen/hypervisor.c

@@ -1,4 +1,4 @@
-/* $NetBSD: hypervisor.c,v 1.96.4.1 2025/03/29 10:32:43 martin Exp $ */
+/* $NetBSD: hypervisor.c,v 1.96.4.2 2025/10/01 17:19:00 martin Exp $ */
 
 /*
  * Copyright (c) 2005 Manuel Bouyer.
@@ -53,7 +53,7 @@
 
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hypervisor.c,v 1.96.4.1 2025/03/29 10:32:43 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hypervisor.c,v 1.96.4.2 2025/10/01 17:19:00 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -234,8 +234,6 @@ xen_init_hypercall_page(void)
 	wrmsr(descs[1], (uintptr_t)&hypercall_page - KERNBASE);
 }
 
-uint32_t hvm_start_paddr;
-
 void init_xen_early(void);
 void
 init_xen_early(void)
@@ -244,8 +242,6 @@ init_xen_early(void)
 	if (!vm_guest_is_pvh())
 		return;
 
-	hvm_start_info = (void *)((uintptr_t)hvm_start_paddr + KERNBASE);
-
 	if (hvm_start_info->cmdline_paddr != 0) {
 		cmd_line =
 		    (void *)((uintptr_t)hvm_start_info->cmdline_paddr + KERNBASE);