I'm not sure what I was smoking at the time of
5d74ad1a082e "xen: arm:
implement do_multicall_call for both 32 and 64-bit" but it is obviously
insufficient since it doesn't actually wire up the hypercall.
Before doing so we need to make the usual adjustments for ARM and turn the
unsigned longs into xen_ulong_t. There is no difference in the resulting
structure for x86.
There are knock on changes to the trace interface, but again they are nops on
x86.
For 32-bit ARM guests we require that the arguments which they pass to a
hypercall via a multicall do not use the upper bits of xen_ulong_t and kill
them if they violate this. This should ensure that no ABI surprises can be
silently lurking when running on a 32-bit hypervisor waiting to pounce when the
same kernel is run on a 64-bit hypervisor. Killing the guest is harsh but it
will be far easier to relax the restriction if it turns out to cause problems
than to tighten it up if we were lax to begin with.
In the interests of clarity and always using explicitly sized types change the
unsigned int in the hypercall arguments to a uint32_t. There is no actual
change here on any platform.
We should consider backporting this to 4.4.1 in case a guest decides they want
to use a multicall in common code e.g. I suggested such a thing while
reviewing a netback change recently.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: keir@xen.org
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
*/
#include <xen/config.h>
+#include <xen/stdbool.h>
#include <xen/init.h>
#include <xen/string.h>
#include <xen/version.h>
HYPERCALL(sysctl, 2),
HYPERCALL(hvm_op, 2),
HYPERCALL(grant_table_op, 3),
+ HYPERCALL(multicall, 2),
HYPERCALL_ARM(vcpu_op, 3),
};
#endif
}
+static bool_t check_multicall_32bit_clean(struct multicall_entry *multi)
+{
+ int i;
+
+ for ( i = 0; i < arm_hypercall_table[multi->op].nr_args; i++ )
+ {
+ if ( unlikely(multi->args[i] & 0xffffffff00000000ULL) )
+ {
+ printk("%pv: multicall argument %d is not 32-bit clean %"PRIx64"\n",
+ current, i, multi->args[i]);
+ domain_crash(current->domain);
+ return false;
+ }
+ }
+
+ return true;
+}
+
void do_multicall_call(struct multicall_entry *multi)
{
arm_hypercall_fn_t call = NULL;
return;
}
+ if ( is_32bit_domain(current->domain) &&
+ !check_multicall_32bit_clean(multi) )
+ return;
+
multi->result = call(multi->args[0], multi->args[1],
- multi->args[2], multi->args[3],
- multi->args[4]);
+ multi->args[2], multi->args[3],
+ multi->args[4]);
}
/*
static void __trace_multicall_call(multicall_entry_t *call)
{
- unsigned long args[6];
+ xen_ulong_t args[6];
int i;
for ( i = 0; i < ARRAY_SIZE(args); i++ )
ret_t
do_multicall(
- XEN_GUEST_HANDLE_PARAM(multicall_entry_t) call_list, unsigned int nr_calls)
+ XEN_GUEST_HANDLE_PARAM(multicall_entry_t) call_list, uint32_t nr_calls)
{
struct mc_state *mcs = ¤t->mc_state;
- unsigned int i;
+ uint32_t i;
int rc = 0;
if ( unlikely(__test_and_set_bit(_MCSF_in_multicall, &mcs->flags)) )
}
void __trace_hypercall(uint32_t event, unsigned long op,
- const unsigned long *args)
+ const xen_ulong_t *args)
{
struct __packed {
uint32_t op;
/*
* ` enum neg_errnoval
* ` HYPERVISOR_multicall(multicall_entry_t call_list[],
- * ` unsigned int nr_calls);
+ * ` uint32_t nr_calls);
*
- * NB. The fields are natural register size for this architecture.
+ * NB. The fields are logically the natural register size for this
+ * architecture. In cases where xen_ulong_t is larger than this then
+ * any unused bits in the upper portion must be zero.
*/
struct multicall_entry {
- unsigned long op, result;
- unsigned long args[6];
+ xen_ulong_t op, result;
+ xen_ulong_t args[6];
};
typedef struct multicall_entry multicall_entry_t;
DEFINE_XEN_GUEST_HANDLE(multicall_entry_t);
}
void __trace_hypercall(uint32_t event, unsigned long op,
- const unsigned long *args);
+ const xen_ulong_t *args);
/* Convenience macros for calling the trace function. */
#define TRACE_0D(_e) \
projects / xen.git / commitdiff