xenbits.xensource.com Git - xen.git/log
9 years ago work around Clang generating .data.rel.ro section for init-only files
Andrew Cooper [Thu, 25 Feb 2016 12:01:01 +0000 (13:01 +0100)]
work around Clang generating .data.rel.ro section for init-only files

Clang-3.8 generates several .data.rel.ro sections when compiling Xen.  As
these contain no global symbols, they should be .data.rel.ro.local.  This
breaks the SPECIAL_DATA_SECTIONS check when converting the transition units to
being init-only.

For alternatives.c, explicitly move the nops arrays into __initconst.  For efi
boot.c, manually create the optimisation performed by Clang by collapsing the
switch statement into a lookup table.  The double use of const is required to
avoid breaking the ARM build by creating a section type conflict with
fdt_guid.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago x86/hvm: collect information of TSC scaling ratio
Haozhong Zhang [Thu, 25 Feb 2016 12:00:11 +0000 (13:00 +0100)]
x86/hvm: collect information of TSC scaling ratio

Both VMX TSC scaling and SVM TSC ratio use the 64-bit TSC scaling ratio,
but the number of fractional bits of the ratio is different between VMX
and SVM. This patch adds the architecture code to collect the number of
fractional bits and other related information into fields of struct
hvm_function_table so that they can be used in the common code.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
9 years ago version: Document guest_handle
Konrad Rzeszutek Wilk [Fri, 19 Feb 2016 14:26:02 +0000 (09:26 -0500)]
version: Document guest_handle

And what it is usually used for.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago xenoprof: drop unnecessary macro
Doug Goldstein [Wed, 24 Feb 2016 11:06:28 +0000 (12:06 +0100)]
xenoprof: drop unnecessary macro

This macro doesn't really provide a benefit. When support is added the
implementer can implement this how it needs to be and not conform to the
macro. Additionally this change limits the output of the warning to just
once instead of nrpages worth. While editing this area I dropped
trailing whitespace.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago use XEN_SYSCTL_SCHEDOP_* for sysctl operation checks
Juergen Gross [Wed, 24 Feb 2016 11:05:58 +0000 (12:05 +0100)]
use XEN_SYSCTL_SCHEDOP_* for sysctl operation checks

In flask_sysctl_scheduler_op() and sched_adjust_global() the test for
the desired operation is done with the wrong constants. While the
values are correct, the names are not.

Correct the error message for the case of an unknown operation in
flask_sysctl_scheduler_op(), too.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/hvm: add pkeys support for cpuid handling
Huaitong Han [Wed, 24 Feb 2016 11:05:20 +0000 (12:05 +0100)]
x86/hvm: add pkeys support for cpuid handling

This patch adds pkeys support for cpuid handling.

Pkeys hardware support is CPUID.7.0.ECX[3]:PKU. Software support is
CPUID.7.0.ECX[4]:OSPKE and it reflects the support setting of CR4.PKE.

X86_FEATURE_OSXSAVE depends on guest X86_FEATURE_XSAVE, but cpu_has_xsave
function reflects hypervisor X86_FEATURE_XSAVE, it is fixed too.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86/hvm: add xstate support for pkeys
Huaitong Han [Wed, 24 Feb 2016 11:04:50 +0000 (12:04 +0100)]
x86/hvm: add xstate support for pkeys

The XSAVE feature set can operate on PKRU state only if the feature set is
enabled (CR4.OSXSAVE = 1) and has been configured to manage PKRU state
(XCR0[9] = 1). And XCR0.PKRU is disabled on PV mode without PKU feature
enabled.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
9 years ago x86/hvm: add pkeys support for guest_walk_tables
Huaitong Han [Wed, 24 Feb 2016 11:04:19 +0000 (12:04 +0100)]
x86/hvm: add pkeys support for guest_walk_tables

Protection keys define a new 4-bit protection key field (PKEY) in bits 62:59 of
leaf entries of the page tables.

PKRU register defines 32 bits, there are 16 domains and 2 attribute bits per
domain in pkru, for each i (0 ≤ i ≤ 15), PKRU[2i] is the access-disable bit for
protection key i (ADi); PKRU[2i+1] is the write-disable bit for protection key
i (WDi). PKEY is index to a defined domain.

A fault is considered as a PKU violation if all of the following conditions are
true:
1.CR4_PKE=1.
2.EFER_LMA=1.
3.Page is present with no reserved bit violations.
4.The access is not an instruction fetch.
5.The access is to a user page.
6.PKRU.AD=1
    or The access is a data write and PKRU.WD=1
                and either CR0.WP=1 or it is a user access.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
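
The six conditions listed in the commit message above, written out as one predicate. This is an added example, not code from the Xen commit; the struct, field and function names are hypothetical, and "user access" is taken to mean an access made from user mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical description of one memory access; these are not Xen's names. */
struct access_ctx {
    bool cr4_pke;          /* condition 1: CR4.PKE */
    bool efer_lma;         /* condition 2: EFER.LMA */
    bool cr0_wp;           /* CR0.WP, used by condition 6 */
    bool present_no_rsvd;  /* condition 3: present, no reserved-bit violation */
    bool insn_fetch;       /* condition 4 requires this to be false */
    bool user_page;        /* condition 5: the translation is a user page */
    bool write;            /* the access is a data write */
    bool user_access;      /* assumption: the access is made from user mode */
};

/* PKEY is the 4-bit field in bits 62:59 of the leaf entry (bit 63 is not part of it). */
static unsigned int pte_pkey(uint64_t leaf_pte)
{
    return (unsigned int)((leaf_pte >> 59) & 0xf);
}

/* PKRU[2i] is the access-disable bit for key i. */
static bool pkru_ad(uint32_t pkru, unsigned int pkey)
{
    return (pkru >> (2 * pkey)) & 1u;
}

/* PKRU[2i+1] is the write-disable bit for key i. */
static bool pkru_wd(uint32_t pkru, unsigned int pkey)
{
    return (pkru >> (2 * pkey + 1)) & 1u;
}

/* True only when all six conditions from the commit message hold. */
bool pku_violation(const struct access_ctx *c, uint64_t leaf_pte, uint32_t pkru)
{
    unsigned int pkey;

    if (!c->cr4_pke || !c->efer_lma)   /* 1, 2 */
        return false;
    if (!c->present_no_rsvd)           /* 3 */
        return false;
    if (c->insn_fetch)                 /* 4: keys never apply to fetches */
        return false;
    if (!c->user_page)                 /* 5: supervisor pages are exempt */
        return false;

    pkey = pte_pkey(leaf_pte);
    if (pkru_ad(pkru, pkey))           /* 6, first alternative */
        return true;

    /* 6, second alternative: WD only bites on writes, and a supervisor
     * write is only blocked when CR0.WP is set. */
    return c->write && pkru_wd(pkru, pkey) && (c->cr0_wp || c->user_access);
}

int main(void)
{
    /* Constructed sample: supervisor write to a user page tagged with key 5. */
    struct access_ctx c = {
        .cr4_pke = true, .efer_lma = true, .cr0_wp = false,
        .present_no_rsvd = true, .insn_fetch = false,
        .user_page = true, .write = true, .user_access = false,
    };
    uint64_t pte = (1ULL << 63) | (5ULL << 59) | 0x7;
    uint32_t pkru = 1u << 11;          /* WD5 set, AD5 clear */

    printf("pkey=%u WP=0: %d\n", pte_pkey(pte), pku_violation(&c, pte, pkru));
    c.cr0_wp = true;
    printf("pkey=%u WP=1: %d\n", pte_pkey(pte), pku_violation(&c, pte, pkru));
    return 0;
}
```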
9 years ago credit1: trace vCPU boost/unboost
Dario Faggioli [Wed, 24 Feb 2016 11:03:32 +0000 (12:03 +0100)]
credit1: trace vCPU boost/unboost

Add tracepoints and a performance counter for
boosting and unboosting in Credit1.

Note that they (the trace points) do not cover
the case of the idle vCPU being boosted to run
a tasklet, as there already is
TRC_CSCHED_SCHED_TASKLET for that.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago sched: get rid of static private schedulers' structures
Dario Faggioli [Wed, 24 Feb 2016 11:02:37 +0000 (12:02 +0100)]
sched: get rid of static private schedulers' structures

In fact, they look rather useless: they are never
referenced, either directly or via the sched_data
pointer, as a dynamic copy that overrides them is
allocated as the very first step of a scheduler's
initialization.

While there, take the chance to also reset the sched_data
pointer to NULL, upon scheduler de-initialization.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Jan Beulich [Mon, 22 Feb 2016 16:42:21 +0000 (17:42 +0100)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

9 years ago Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Ian Jackson [Mon, 22 Feb 2016 16:40:12 +0000 (16:40 +0000)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

9 years ago common: re-arrange struct kernel_param fields
Jan Beulich [Mon, 22 Feb 2016 16:38:34 +0000 (17:38 +0100)]
common: re-arrange struct kernel_param fields

Even if placed in .init.* there's no reason to needlessly bloat the
binary due to padding fields the compiler needs to insert on 64-bit
architectures.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago Revert "init: annotate all command line parameter infrastructure as const"
Jan Beulich [Mon, 22 Feb 2016 16:30:54 +0000 (17:30 +0100)]
Revert "init: annotate all command line parameter infrastructure as const"

This reverts commit 59b151d2c0bf37f3f2f984096d384dfdfa03a8f4,
as it breaks the build with older gcc.

9 years ago x86/vm_event: consolidate hvm_event_fill_regs and p2m_vm_event_fill_regs
Tamas K Lengyel [Mon, 22 Feb 2016 16:24:15 +0000 (17:24 +0100)]
x86/vm_event: consolidate hvm_event_fill_regs and p2m_vm_event_fill_regs

Currently the registers saved in the request depend on which type of event
is filling in the registers. In this patch we consolidate the two versions
of register filling function so as to return a fixed set of registers irrespective
of the underlying event.

Signed-off-by: Tamas K Lengyel <tlengyel@novetta.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
9 years ago x86: drop register reload from INT80 malicious MSI guard
Jan Beulich [Mon, 22 Feb 2016 16:23:08 +0000 (17:23 +0100)]
x86: drop register reload from INT80 malicious MSI guard

None of the restored registers are actually of interest to the
subsequent code (as opposed to the similar construct on the compat
mode hypercall path).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago arm: CONFIG_ARM_{32, 64} defined by Kconfig
Doug Goldstein [Mon, 22 Feb 2016 16:21:58 +0000 (17:21 +0100)]
arm: CONFIG_ARM_{32, 64} defined by Kconfig

CONFIG_ARM_32 and CONFIG_ARM_64 are defined by Kconfig.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago x86: CONFIG_X86 defined by Kconfig
Doug Goldstein [Mon, 22 Feb 2016 16:21:03 +0000 (17:21 +0100)]
x86: CONFIG_X86 defined by Kconfig

CONFIG_X86 is defined by Kconfig when building for x86.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/PVHv2: add XEN_ prefix to HVM_START_MAGIC_VALUE
Roger Pau Monné [Mon, 22 Feb 2016 16:20:37 +0000 (17:20 +0100)]
x86/PVHv2: add XEN_ prefix to HVM_START_MAGIC_VALUE

Reported by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago introduce IS_ALIGNED()
Andrew Cooper [Mon, 22 Feb 2016 16:19:52 +0000 (17:19 +0100)]
introduce IS_ALIGNED()

And a few open-coded alignment checks which I encountered

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago sched: tracing: enable TSC tracing for all events
Dario Faggioli [Mon, 22 Feb 2016 16:18:59 +0000 (17:18 +0100)]
sched: tracing: enable TSC tracing for all events

it is enabled for pretty much all of them already.
There were just a few that had it disabled.

When tracing a scheduler, timing information is
really important, so enable it everywhere scheduling
related.

Note that this was not really a problem if looking
at the traces with xenalyze, but it was if using
xentrace_format.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago init: annotate all command line parameter infrastructure as const
Andrew Cooper [Mon, 22 Feb 2016 16:17:18 +0000 (17:17 +0100)]
init: annotate all command line parameter infrastructure as const

There is no reason for any of it to be modified.  Additionally, link
.init.setup beside the other constant .init data.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
[jb: reduce alignments to 8]
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago m4/python: fix typo in LDFLAGS variable name
Doug Goldstein [Fri, 19 Feb 2016 02:57:03 +0000 (20:57 -0600)]
m4/python: fix typo in LDFLAGS variable name

[ also, reran autogen.sh ]

Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago MAINTAINERS: add Doug Goldstein for Travis CI config
Doug Goldstein [Fri, 19 Feb 2016 19:55:49 +0000 (13:55 -0600)]
MAINTAINERS: add Doug Goldstein for Travis CI config

Add myself as the maintainer for the Travis CI config.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Ian Jackson [Fri, 19 Feb 2016 18:31:30 +0000 (18:31 +0000)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

9 years ago tools/xenalyze: Fix build with clang
Andrew Cooper [Fri, 12 Feb 2016 19:06:48 +0000 (19:06 +0000)]
tools/xenalyze: Fix build with clang

1) EXIT_REASON_EXCEPTION_NMI is 0, and Clang complains:

xenalyze.c:513:33: error: initializer overrides prior initialization of this subobject [-Werror,-Winitializer-overrides]
    [EXIT_REASON_EXCEPTION_NMI]="EXCEPTION_NMI",
                                ^~~~~~~~~~~~~~~
xenalyze.c:512:11: note: previous initialization is here
    [0] = "NONE",
          ^~~~~~

2) cr3_time_compare(), eip_compare(), ipi_send() and cr3_compare_start() are
   declared as nested functions, which is a GCCism not supported by Clang.

   As they don't actually make use of the interesting feature offered by
   nested functions (i.e. dynamic scoping), move them to just being normal
   functions.

3) clear_interval_summary(), update_cpi() and clear_interval_cpi() are all
   unused.  The former isn't referenced anywhere, so is deleted, while the other
   two are called from currently #if 0'd code.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago xenpaging: don't try to log via xch if xc_interface_close fails
Ian Campbell [Wed, 17 Feb 2016 15:39:55 +0000 (15:39 +0000)]
xenpaging: don't try to log via xch if xc_interface_close fails

Since xch may not be valid (enough) any longer, xc_interface_close
already logs anything of any use before it tears down the integrated
logger so there is no need to log any further in the application via
that path.

CID: 1056203

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago tools: gtracestat: make all functions and global data static
Ian Campbell [Wed, 17 Feb 2016 14:30:38 +0000 (14:30 +0000)]
tools: gtracestat: make all functions and global data static

After "Drop unused functions do_cstate and single_cstate helper" make
all the remaining functions and global data static and in the process
allow the compiler to notice that cond_rec_init() is also unused, thus
remove it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago tools: gtracestat: Drop unused functions do_cstate and single_cstate helper
Ian Campbell [Wed, 17 Feb 2016 14:30:37 +0000 (14:30 +0000)]
tools: gtracestat: Drop unused functions do_cstate and single_cstate helper

These have always been dead code since the code was added AFAICT.

This eliminates the code containing CID 10567079, 10567080, 10567081
and 10567082 (all apparently some confusion between max_cx_num vs
MAX_CX_NR, but given the lack of callers it's hard to tell what was
intended)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago build: convert xenoprof to Kconfig
Doug Goldstein [Fri, 19 Feb 2016 04:25:57 +0000 (22:25 -0600)]
build: convert xenoprof to Kconfig

Convert the xenoprof x86 build time option to Kconfig.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago xenoprof: fix up ability to disable it
Doug Goldstein [Fri, 19 Feb 2016 04:25:56 +0000 (22:25 -0600)]
xenoprof: fix up ability to disable it

Allow Xenoprof to be fully disabled when toggling the option off.

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
9 years ago xl: create: close restore_fd_to_close on error
Ian Campbell [Wed, 17 Feb 2016 14:04:15 +0000 (14:04 +0000)]
xl: create: close restore_fd_to_close on error

Currently the fd is opened and then later closed and
restore_fd_to_close set back to -1, however there are several goto out
and goto error_out paths in the interim.

Since the code resets restore_fd_to_close to -1 it is OK to check this
and close on the out path too.

CID: 1055897

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago xl: use xrealloc in domain create
Ian Campbell [Wed, 17 Feb 2016 14:04:14 +0000 (14:04 +0000)]
xl: use xrealloc in domain create

Using bare realloc risks leaking the old pointer if the realloc fails.

Since xrealloc exits on such failures, drop the error handling.

Noticed while fixing, but not related to, CID 1055898.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago tools: libxl: Simplify logic in libxl__realloc
Ian Jackson [Thu, 18 Feb 2016 12:37:04 +0000 (12:37 +0000)]
tools: libxl: Simplify logic in libxl__realloc

Replace the loop exit and separate test for loop overrun with an
assert in the loop body.

This simplifies the code.  It also (hopefully) avoids Coverity
thinking that gc->alloc_maxsize might change, resulting in the loop
failing to find the right answer but also failing to abort.

(gc->alloc_maxsize can't change because gcs are all singlethreaded:
either they are on the stack of a specific thread, or they belong to
an ao and are covered by the ctx lock.)

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago travis: drop bridge-utils and iproute2
Andrew Cooper [Thu, 18 Feb 2016 16:48:09 +0000 (17:48 +0100)]
travis: drop bridge-utils and iproute2

These packages are not permitted inside travis, and are not necessary for
building Xen.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
9 years ago x86/monitor: minor left-shift undefined behavior checks
Corneliu ZUZU [Thu, 18 Feb 2016 16:47:36 +0000 (17:47 +0100)]
x86/monitor: minor left-shift undefined behavior checks

This minor patch adds a range-check to avoid left-shift caused undefined
behavior. Also replaces '1 <<' w/ '1U <<' @ x86 monitor.h in an effort to avoid
a future potential '1 << 31' that would cause a similar issue.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
9 years ago travis: add randconfig test target
Doug Goldstein [Thu, 18 Feb 2016 16:47:15 +0000 (17:47 +0100)]
travis: add randconfig test target

Add another build target which uses randconfig to randomize the config
file so that we build test more than the default config.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
9 years ago add randconfig target to Makefile
Doug Goldstein [Thu, 18 Feb 2016 16:46:40 +0000 (17:46 +0100)]
add randconfig target to Makefile

This allows us to generate a random config which can be used for build
testing random configurations.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago mkelf32: Remove the 32-bit hypervisor support
Konrad Rzeszutek Wilk [Thu, 18 Feb 2016 16:46:05 +0000 (17:46 +0100)]
mkelf32: Remove the 32-bit hypervisor support

We do not compile 32-bit hypervisor anymore so the code for
the ELFCLASS32 is effectively dead.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: fix unintended fallthrough case from XSA-154
Andrew Cooper [Thu, 18 Feb 2016 14:10:07 +0000 (15:10 +0100)]
x86: fix unintended fallthrough case from XSA-154

... and annotate the other deliberate one: Coverity objects otherwise.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
One of the two instances was actually a bug.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/hvm_event: fix uninitialized struct field usage introduced by c/s f5365e6
Corneliu ZUZU [Thu, 18 Feb 2016 14:08:25 +0000 (15:08 +0100)]
x86/hvm_event: fix uninitialized struct field usage introduced by c/s f5365e6

c/s f5365e6: "xen/vm-events: Move parts of monitor_domctl code to common-side",
introduced a use without initialization issue.
hvm_event_breakpoint calls hvm_event_traps(&req) and if sync is true that
ors some bits into req->flags which was never initialised.
Reported by Coverity Scan.

Initializes req @ hvm_event_breakpoint entry.

Coverity-ID: 1353192
Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago avoid left shifting into a sign bit
Andrew Cooper [Thu, 18 Feb 2016 14:07:59 +0000 (15:07 +0100)]
avoid left shifting into a sign bit

Clang 3.8 notices, and objects because it is undefined behaviour.

"error: shifting a negative signed value is undefined [-Werror,-Wshift-negative-value]"

Use unsigned constants rather than signed ones.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Feng Wu <feng.wu@intel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop failsafe callback invocation from assembly
Jan Beulich [Thu, 18 Feb 2016 14:07:33 +0000 (15:07 +0100)]
x86: drop failsafe callback invocation from assembly

Afaict this was never necessary on a 64-bit hypervisor, and was instead
just blindly cloned over from 32-bit code: We don't fiddle with (and
hence don't reload) any of DS, ES, FS, or GS, and an exception on IRET
itself can equally well be reported to the guest as that very exception
on the target of that IRET.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago VMX: fold redundant code
Jan Beulich [Thu, 18 Feb 2016 14:07:11 +0000 (15:07 +0100)]
VMX: fold redundant code

No need to do this in two slightly different ways, possibly keeping the
compiler from folding the code for us.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86emul: fix rIP handling
Jan Beulich [Thu, 18 Feb 2016 14:05:34 +0000 (15:05 +0100)]
x86emul: fix rIP handling

Deal with rIP just like with any other register: Truncate to designated
width upon entry, write back the zero-extended 32-bit value when
emulating 32-bit code, and leave the upper 48 bits unchanged for 16-bit
code.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/mm: slightly simplify mod_l1_entry()
Jan Beulich [Thu, 18 Feb 2016 14:05:00 +0000 (15:05 +0100)]
x86/mm: slightly simplify mod_l1_entry()

Re-order code to simplify error cleanup.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago RTDS: pack trace data better for xentrace_format
Dario Faggioli [Thu, 18 Feb 2016 14:04:23 +0000 (15:04 +0100)]
RTDS: pack trace data better for xentrace_format

when tracing runstate changes, the vcpu and domain IDs
are encoded in the lower and higher, respectively, parts
of a 32 bits integer. When decoding a trace with
xentrace_format, this makes it possible to display
such events like this:

CPU0  833435853624 (+     768)  running_to_runnable [ dom:vcpu = 0x7fff0000 ]
CPU0  833435854416 (+     792)  runnable_to_running [ dom:vcpu = 0x00000007 ]

For consistency, we should do the same when displaying
the events coming from the RTDS scheduler (when using
the same tool), and to do that, we need to invert the
order in which the fields are being put in the trace
struct right now.

While there, we also:
 - fix the use of TRC_RTDS_SCHED_TASKLET (it should
   only be involved when a tasklet is scheduled, not
   _every_ time rt_schedule() is invoked!);
 - remove a very chatty and useless (nothing has been
   picked!) use of TRC_RTDS_RUNQ_PICK.

In fact, one can already figure out when nothing has been
picked from the runqueue, by looking at when cpu_idle
is invoked --which is the same thing one would do if on
Credit or Credit2.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago credit2: pack trace data better for xentrace_format
Dario Faggioli [Thu, 18 Feb 2016 14:04:00 +0000 (15:04 +0100)]
credit2: pack trace data better for xentrace_format

when tracing runstate changes, the vcpu and domain IDs
are encoded in the lower and higher, respectively, parts
of a 32 bits integer. When decoding a trace with
xentrace_format, this makes it possible to display
such events like this:

CPU0  833435853624 (+     768)  running_to_runnable [ dom:vcpu = 0x7fff0000 ]
CPU0  833435854416 (+     792)  runnable_to_running [ dom:vcpu = 0x00000007 ]

For consistency, we should do the same when displaying
the events coming from the Credit2 scheduler (when using
the same tool), and to do that, we need to invert the
order in which the fields are being put in the trace
struct right now.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago sched: improve domain creation tracing
Dario Faggioli [Thu, 18 Feb 2016 14:03:34 +0000 (15:03 +0100)]
sched: improve domain creation tracing

by doing the following two things:

 - move TRC_SCHED_DOM_{ADD,REM}, into the functions
   that do the actual scheduling-related domain
   initialization;

 - add two 'generic' DOM_{ADD,REM} events. They're
   made part of the TRC_DOM0 tracing class, as Dom0
   is, usually, from where domains are created and
   destroyed.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago sched: move up the trace record for vcpu_wake and vcpu_sleep
Dario Faggioli [Thu, 18 Feb 2016 14:03:15 +0000 (15:03 +0100)]
sched: move up the trace record for vcpu_wake and vcpu_sleep

vcpu_wake() and vcpu_sleep() are called before the specific
schedulers' wakeup and sleep routines (in fact, it is they
that call those specific routines).

Make the trace reflect that, by moving the records up. In
fact, it is more natural and easy to find the record of
the event (e.g., the wakeup) *before* the records of the
actions that deal with the event itself.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago credit: __runq_tickle takes a useless cpu parameter
Dario Faggioli [Thu, 18 Feb 2016 14:02:52 +0000 (15:02 +0100)]
credit: __runq_tickle takes a useless cpu parameter

as it always acts on v->processor of the vcpu that
we are tickling.

Getting rid of it makes the code easier to understand
and better looking.

While there, remove a spurious blank line.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago x86: avoid flush IPI when possible
Jan Beulich [Thu, 18 Feb 2016 14:02:16 +0000 (15:02 +0100)]
x86: avoid flush IPI when possible

Since CLFLUSH, other than WBINVD, is a cache coherency domain wide
flush, there's no need to IPI other CPUs if this is the only flushing
being requested. (As a secondary change, move a local variable into the
scope where it's actually needed.)

As a secondary change also eliminate another leftover from 32-bit days:
invalidate_interrupt() can clear FLUSH_TLB_GLOBAL alongside FLUSH_TLB,
since write_ptbase() (as a descendant of __sync_local_execstate()) now
unconditionally fiddles with CR4.PGE.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago libxc: fix leak of t_info in xc_tbuf_get_size()
Harmandeep Kaur [Fri, 12 Feb 2016 11:08:32 +0000 (16:38 +0530)]
libxc: fix leak of t_info in xc_tbuf_get_size()

Avoid leaking the memory mapping of the trace buffer

Coverity ID 1351228

Signed-off-by: Harmandeep Kaur <write.harmandeep@gmail.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago xen/arm64: Make sure we get all debug output
Dirk Behme [Thu, 4 Feb 2016 16:49:35 +0000 (17:49 +0100)]
xen/arm64: Make sure we get all debug output

Starting in the wrong ELx mode I get the following debug output:

...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Boot failed -

The output of "Please update the bootloader" is missing here, because
string concatenation in gas, unlike in C, keeps the \0 between each
individual string.

Make sure this is output, too. With this, we get

...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Please update the bootloader -
- Boot failed -

as intended.

Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- added same change to arm32 case ]

9 years ago xenpaging: do not leak if --pagefile given twice
Ian Campbell [Wed, 17 Feb 2016 14:58:33 +0000 (14:58 +0000)]
xenpaging: do not leak if --pagefile given twice

By freeing filename (which is either NULL or the previous iteration of
this argument). This implements a semantic where the last --pagefile
given on the command line takes precedence.

This is the same semantic as the other options have.

CID: 1198792

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago docs: fix typo in xl-disk-configuration.txt
Jim Fehlig [Wed, 17 Feb 2016 17:20:58 +0000 (10:20 -0700)]
docs: fix typo in xl-disk-configuration.txt

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago libxlu_cfg: reject unknown characters following '\'
Jim Fehlig [Wed, 17 Feb 2016 17:20:57 +0000 (10:20 -0700)]
libxlu_cfg: reject unknown characters following '\'

When dequoting config strings in xlu__cfgl_dequote(), unknown
characters following a '\', and the '\' itself, are discarded.
E.g. a disk configuration string containing

  rbd:pool/image:mon_host=192.168.0.100\:6789

would be dequoted as

  rbd:pool/image:mon_host=192.168.0.1006789

Instead of discarding the '\' and unknown character, reject the
string and set error to EINVAL.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
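
The two behaviours described in the commit message above, side by side: dropping an unknown escape versus rejecting the string with EINVAL. This is an added example, not libxlu code; `dequote()`, `known_escape()` and the set of recognised escapes are assumptions made for the sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed set of recognised escapes for this sketch; the real lexer's
 * set may differ. Returns 1 and stores the decoded character if known. */
static int known_escape(char c, char *out)
{
    switch (c) {
    case '\\': *out = '\\'; return 1;
    case '"':  *out = '"';  return 1;
    case '\'': *out = '\''; return 1;
    case 'n':  *out = '\n'; return 1;
    case 't':  *out = '\t'; return 1;
    default:   return 0;
    }
}

enum dequote_mode {
    DEQUOTE_LENIENT,  /* behaviour the commit message describes as the problem */
    DEQUOTE_STRICT    /* behaviour after the change: reject with EINVAL */
};

/* Hypothetical dequoter. Returns 0 on success, EINVAL for an escape it
 * refuses, ENOSPC if dst is too small. dst is only valid on success. */
int dequote(const char *src, char *dst, size_t dstsz, enum dequote_mode mode)
{
    size_t o = 0;

    while (*src) {
        char c = *src++;

        if (c == '\\') {
            char esc;

            if (known_escape(*src, &esc)) {
                c = esc;
                src++;
            } else if (mode == DEQUOTE_STRICT || *src == '\0') {
                /* Unknown escape, or a backslash at end of input. */
                return EINVAL;
            } else {
                /* Lenient: silently drop the '\' and the character
                 * after it, which changes the meaning of the value. */
                src++;
                continue;
            }
        }
        if (o + 1 >= dstsz)
            return ENOSPC;
        dst[o++] = c;
    }
    if (dstsz == 0)
        return ENOSPC;
    dst[o] = '\0';
    return 0;
}

int main(void)
{
    /* The disk configuration string quoted in the commit message. */
    const char *in = "rbd:pool/image:mon_host=192.168.0.100\\:6789";
    char buf[64];
    int rc;

    rc = dequote(in, buf, sizeof buf, DEQUOTE_LENIENT);
    printf("lenient: rc=%d out=%s\n", rc, rc ? "(none)" : buf);

    rc = dequote(in, buf, sizeof buf, DEQUOTE_STRICT);
    printf("strict:  rc=%d (%s)\n", rc, rc == EINVAL ? "EINVAL" : "ok");
    return 0;
}
```

In lenient mode the host and port run together into a different, still plausible-looking value, which is why rejecting the input is the safer parse.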
9 years ago x86/PMU: make {acquire,release}_pmu_ownership names consistent
Doug Goldstein [Wed, 17 Feb 2016 15:24:29 +0000 (16:24 +0100)]
x86/PMU: make {acquire,release}_pmu_ownership names consistent

The function names were inconsistent with acquire and release being
called acquire_pmu_ownership() and release_pmu_ownship() respectively.
Function prototypes were available for both spellings so this change
makes them consistent and drops the dual function prototypes.
Additionally change the internal variable names within those functions
to ownership as well.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
9 years ago Revert "x86/HVM: differentiate IO/mem resources tracked by ioreq server"
Jan Beulich [Wed, 17 Feb 2016 15:23:31 +0000 (16:23 +0100)]
Revert "x86/HVM: differentiate IO/mem resources tracked by ioreq server"

This reverts commit f5a32c5b8eacbcd727939c9b4d2d98cf619bcbd6;
we're aiming at a different solution now.

9 years ago x86/PVHv2: update the start info structure layout
Roger Pau Monné [Wed, 17 Feb 2016 15:22:21 +0000 (16:22 +0100)]
x86/PVHv2: update the start info structure layout

After some discussion around the new boot ABI consensus has been reached
about the layout and contents of the start info. The following patch updates
the layout to what has been agreed.

Also, the new layout is described in binary terms in order to avoid issues
with alignments when using C structs.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago MAINTAINERS: add myself as seabios maintainer
Wei Liu [Wed, 17 Feb 2016 15:21:48 +0000 (16:21 +0100)]
MAINTAINERS: add myself as seabios maintainer

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago public: make some constants usable for assembler
Juergen Gross [Wed, 17 Feb 2016 15:21:20 +0000 (16:21 +0100)]
public: make some constants usable for assembler

Some constants defined in xen/include/public/xen.h are not usable in
assembler sources as they are either defined with "U" or "UL" suffixes
or they are inside #ifndef __ASSEMBLY__ areas.

Change this as grub2 could make use of those definitions.

This requires to move the definition of mk_unsigned_long() up. While
we are touching this macro, rename it in order to avoid namespace
pollution. This in turn requires adaption of some arch-x86 specific
headers.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago cleanup xen/config.h
Juergen Gross [Wed, 17 Feb 2016 15:20:35 +0000 (16:20 +0100)]
cleanup xen/config.h

config.h contains an unused definition of mk_unsigned_long().

Remove it.

Signed-off-by: Juergen Gross <jgross@suse.com>
9 years ago x86emul: relax asm() constraints
Jan Beulich [Wed, 17 Feb 2016 15:20:01 +0000 (16:20 +0100)]
x86emul: relax asm() constraints

Let's give the compiler as much liberty at picking instruction operands
as possible. Also drop unnecessary size modifiers when the correct size
can already be derived from the asm() operands. Finally also drop an
"unsigned" from idiv_dbl()'s second parameter, allowing a cast to be
eliminated.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86emul: fold almost identical code
Jan Beulich [Wed, 17 Feb 2016 15:19:27 +0000 (16:19 +0100)]
x86emul: fold almost identical code

AAM/AAD as well as DAA/DAS emulation code is respectively almost
identical. Fold each pair, following what's already the case for
AAA/AAS.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/HVM: fold hypercall tables
Jan Beulich [Wed, 17 Feb 2016 15:18:50 +0000 (16:18 +0100)]
x86/HVM: fold hypercall tables

In order to reduce the risk of unintentionally adding a function
pointer to just one of the two tables, merge them into one, with each
entry pair getting generated by a single macro invocation (at once
dropping all explicit casting outside the macro definition).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/VMX: sanitize rIP before re-entering guest
Jan Beulich [Wed, 17 Feb 2016 15:18:08 +0000 (16:18 +0100)]
x86/VMX: sanitize rIP before re-entering guest

... to prevent guest user mode arranging for a guest crash (due to
failed VM entry). (On the AMD system I checked, hardware is doing
exactly the canonicalization being added here.)

Note that fixing this in an architecturally correct way would be quite
a bit more involved: Making the x86 instruction emulator check all
branch targets for validity, plus dealing with invalid rIP resulting
from update_guest_eip() or incoming directly during a VM exit. The only
way to get the latter right would be by not having hardware do the
injection.

Note further that there are two early returns from
vmx_vmexit_handler(): One (through vmx_failed_vmentry()) leads to
domain_crash() anyway, and the other covers real mode only and can
neither occur with a non-canonical rIP nor result in an altered rIP,
so we don't need to force those paths through the checking logic.

This is CVE-2016-2271 / XSA-170.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
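What "canonicalization" of rIP means, as an added C sketch that is not the Xen patch: it assumes 48 implemented virtual-address bits, and `sanitize_rip()` is a hypothetical helper standing in for the check on the VM-exit path. The sample addresses in `main()` are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48 implemented virtual-address bits (4-level paging). */
#define VADDR_BITS 48

/* Canonical: bits 63..47 are all copies of bit 47. */
static int is_canonical(uint64_t addr)
{
    uint64_t high = addr >> (VADDR_BITS - 1);   /* bits 63..47, 17 bits */

    return high == 0 || high == 0x1ffff;
}

/* Sign-extend from bit 47, written without relying on signed shifts. */
static uint64_t canonicalize(uint64_t addr)
{
    const uint64_t upper = ~UINT64_C(0) << VADDR_BITS;        /* bits 63..48 */
    const uint64_t sign = UINT64_C(1) << (VADDR_BITS - 1);    /* bit 47 */

    return (addr & sign) ? (addr | upper) : (addr & ~upper);
}

/*
 * Hypothetical exit-path helper: returns 1 if *rip had to be rewritten
 * (the caller would then write the new value back into the guest state
 * before attempting VM entry), 0 if it was already canonical.
 */
static int sanitize_rip(uint64_t *rip)
{
    if (is_canonical(*rip))
        return 0;
    *rip = canonicalize(*rip);
    return 1;
}

int main(void)
{
    /* Constructed sample values. */
    uint64_t samples[] = {
        UINT64_C(0x00007fffffffffff),   /* top of the lower half */
        UINT64_C(0x0000800000000000),   /* one byte past it */
        UINT64_C(0xffff800000000000),   /* bottom of the upper half */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t rip = samples[i];
        int changed = sanitize_rip(&rip);

        printf("%016" PRIx64 " -> %016" PRIx64 "%s\n",
               samples[i], rip, changed ? " (rewritten)" : "");
    }
    return 0;
}
```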
9 years ago x86: enforce consistent cachability of MMIO mappings
Jan Beulich [Wed, 17 Feb 2016 15:16:53 +0000 (16:16 +0100)]
x86: enforce consistent cachability of MMIO mappings

We've been told by Intel that inconsistent cachability between
multiple mappings of the same page can affect system stability only
when the affected page is an MMIO one. Since the stale data issue is
of no relevance to the hypervisor (since all guest memory accesses go
through proper accessors and validation), handling of RAM pages
remains unchanged here. Any MMIO mapped by domains however needs to be
done consistently (all cachable mappings or all uncachable ones), in
order to avoid Machine Check exceptions. Since converting existing
cachable mappings to uncachable (at the time an uncachable mapping
gets established) would in the PV case require tracking all mappings,
allow MMIO to only get mapped uncachable (UC, UC-, or WC).

This also implies that in the PV case we mustn't use the L1 PTE update
fast path when cachability flags get altered.

Since in the HVM case at least for now we want to continue honoring
pinned cachability attributes for pages not mapped by the hypervisor,
special case handling of r/o MMIO pages (forcing UC) gets added there.
Arguably the counterpart change to p2m-pt.c may not be necessary, since
UC- (which already gets enforced there) is probably strict enough.

Note that the shadow code changes include fixing the write protection
of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other
than l1e_remove_flags() and alike, return the new PTE (and hence
ignoring their return values makes them no-ops).

This is CVE-2016-2270 / XSA-154.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago xen/vm-events: Move parts of monitor_domctl code to common-side.
Corneliu ZUZU [Wed, 17 Feb 2016 07:38:49 +0000 (09:38 +0200)]
xen/vm-events: Move parts of monitor_domctl code to common-side.

This patch moves monitor_domctl to common-side.
Purpose: move what's common to common, prepare for implementation
of such vm-events on ARM.

* move get_capabilities to arch-side => arch_monitor_get_capabilities.
* add arch-side monitor op handling function => arch_monitor_domctl_op.
  e.g. X86-side handles XEN_DOMCTL_MONITOR_OP_EMULATE_EACH_REP op
* add arch-side monitor event handling function => arch_monitor_domctl_event.
  e.g. X86-side handles XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR event enable/disable
* remove status_check

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
9 years ago xen/arm: fix file comments
Corneliu ZUZU [Wed, 17 Feb 2016 07:36:31 +0000 (09:36 +0200)]
xen/arm: fix file comments

Add file header comment and local variable block @ EOF
of xen/arch/arm/hvm.c.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago libxl: close fd's in parent when spawning qdisk
Ian Campbell [Tue, 16 Feb 2016 11:49:53 +0000 (11:49 +0000)]
libxl: close fd's in parent when spawning qdisk

Coverity points out that these remain open in the parent upon
success, which is a resource leak.

To fix this rejig the exit paths such that success and error cases
both close the two fds, this means adjusting the callback to only
happen for the error case and it also makes sense to rename the label
from "error" to just "out".

Compile tested only.

CID: 1130518 (null) and 1130517 (logfile_w).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools: libxl: NULL terminate partially constructed hex string
Ian Campbell [Tue, 16 Feb 2016 11:18:20 +0000 (11:18 +0000)]
tools: libxl: NULL terminate partially constructed hex string

Coverity (correctly) complains that the strncpy(p, "0x", 2) will not
null terminate p.

Although we can see that in the rest of the function p will
definitely be NULL terminated by the time it is complete there is no
harm in passing 3 to the strncpy and allowing it to NULL terminate to
placate Coverity. We know this is safe because the allocation to hold
the string includes a "+3" for the 0x and the terminating NULL.

Compile tested only.

CID: 1198708

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools: libxl: free devpath on failure in libxl__blktap_devpath
Ian Campbell [Tue, 16 Feb 2016 11:09:43 +0000 (11:09 +0000)]
tools: libxl: free devpath on failure in libxl__blktap_devpath

The underlying code paths in tap_ctl_create attempt to handle both
*devpath == NULL (by allocating) and *devpath != NULL (caller provided
name) and if they allocate tend to write the return immediately before
doing other potentially error generating tasks. All of which makes
handling this at a lower level rather more complicated than handling
it in the error path of libxl__blktap_devpath.

Note that libxl__blktap_devpath initialises devpath to NULL and if the
earlier GCSPRINTF succeeds then the value is returned earlier.
Therefore if we make it to the call to tap_ctl_create then devpath is
still NULL on entry, therefore on the error path devpath is either
still NULL or has been set to a freshly allocated value by
tap_ctl_create. Since free(NULL) is fine it is sufficient to just
free(devpath).

I also considered adding a non-NULL devnull to the gc, even on
failure, but that would have required a comment to explain the
apparently strange behaviour.

Compile tested only.

CID: 1215177

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago stubdom: fix link farm runes
Wei Liu [Tue, 16 Feb 2016 12:28:27 +0000 (12:28 +0000)]
stubdom: fix link farm runes

Previously in the three problematic libraries all public headers were
linked to source code directory. We should have created an include
directory for each library and linked public headers there.

Note that there was no breakage for those three libraries before this
patch. This patch merely changes the location headers are linked to so
that all libraries follow the same pattern.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
9 years ago docs: document shortcomings of running QEMU as non-root
Stefano Stabellini [Tue, 9 Feb 2016 16:03:56 +0000 (16:03 +0000)]
docs: document shortcomings of running QEMU as non-root

Running QEMU as non-root causes migration and PCI passthrough not to
work properly. Migration can be fixed rather easily
(http://marc.info/?l=xen-devel&m=145382864118600), but PCI passthrough
cannot (http://marc.info/?l=xen-devel&m=145286946113964).

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago tools/libxc: Fix use of zlib-options when building the domain builder
Andrew Cooper [Fri, 12 Feb 2016 19:21:31 +0000 (19:21 +0000)]
tools/libxc: Fix use of zlib-options when building the domain builder

c/s de0f8c7c changed the use of zlib-options, and moved it from being locally
generated to coming from ./configure.

However, it neglected to modify the users of zlib-options.  The curious use of
$(call ...) was to select either the -D or -l options as appropriate, but c/s
de0f8c7c broke this by losing the `grep`.

Instead, use $(filter ...) to pick out either the -D or -l options.  This
fixes the build with Clang, which complains at passing '-llzma' when trying
to compile xc_dom_bzimageloader.c to xc_dom_bzimageloader.o.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
9 years ago x86emul: MSR indexes are only 32 bits wide
Jan Beulich [Mon, 15 Feb 2016 13:15:12 +0000 (14:15 +0100)]
x86emul: MSR indexes are only 32 bits wide

... and hence the respective {read,write}_msr() hook parameter doesn't
need to be "unsigned long".

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/traps: improve hypervisor stack overflow detection
Andrew Cooper [Mon, 15 Feb 2016 13:14:43 +0000 (14:14 +0100)]
x86/traps: improve hypervisor stack overflow detection

A sample Gentoo compilation of Xen contains

    lea    -0x1058(%rsp),%rsp
    orq    $0x0,(%rsp)
    lea    0x1020(%rsp),%rsp

Whatever the reason for silly code like this, it fools the current stack
overflow detection logic in the #DF handler (which triggers reliably on the
'orq' instruction).

Update the overflow condition to declare an overflow if %esp is anywhere
within the guard page, rather than just within the upper 8th of the page.

Additionally, check %esp against the expected stack base in all builds.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: merge 2 hvm_event_... functions into 1
Corneliu ZUZU [Mon, 15 Feb 2016 13:14:16 +0000 (14:14 +0100)]
x86: merge 2 hvm_event_... functions into 1

This patch merges almost identical functions hvm_event_int3 and
hvm_event_single_step into a single function called hvm_event_breakpoint.
Also fixes event.c file header comment in the process.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago vm_event: remove xc_mem_access_enable_emulate() and friends
Razvan Cojocaru [Mon, 15 Feb 2016 13:13:31 +0000 (14:13 +0100)]
vm_event: remove xc_mem_access_enable_emulate() and friends

xc_mem_access_enable_emulate() and xc_mem_access_disable_emulate()
are currently no-ops, that is all they do is set a flag that
nobody else checks. The user can already set the EMULATE flags in
the vm_event response if emulation is desired, and having an extra
check above that is not inherently safer, but it does complicate
(currently unnecessarily) the API. This patch removes these
functions and the corresponding hypervisor code.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86: fix errors arising from c/s dab76ff
Andrew Cooper [Mon, 15 Feb 2016 13:12:54 +0000 (14:12 +0100)]
x86: fix errors arising from c/s dab76ff

Coverity correctly identifies that the changes in mtrr_attrib_to_str()
introduce dead code.  strings[] is a 2d array, rather than an array of
strings, which means that strings[x] will never be a NULL pointer.

Adjust the check to compensate, by looking for a NUL in strings[x][0]
instead.

Curiously, Coverity did not notice the same error with memory_type_to_str().
There was also a further error; the strings were not NULL terminated, which
made the return type of memory_type_to_str() erroneous.

Bump the 2D array to 3 characters, so the strings retain their NUL characters,
and introduce an ASSERT() as requested on one thread of the original patch.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
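The two pitfalls this commit describes (a row of a 2D char array is never a NULL pointer, and a row exactly as wide as its text has no NUL), as an added C sketch that is not Xen's code: the table and function names are hypothetical, and only the memory-type encodings are the architectural ones.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 memory-type encodings; 2 and 3 are reserved, so the tables have gaps. */
enum { MT_UC = 0, MT_WC = 1, MT_WT = 4, MT_WP = 5, MT_WB = 6, MT_COUNT = 7 };

/* Two bytes per row: both are used by the letters, no room for a NUL. */
static const char narrow[MT_COUNT][2] = {
    [MT_UC] = { 'U', 'C' }, [MT_WC] = { 'W', 'C' }, [MT_WT] = { 'W', 'T' },
    [MT_WP] = { 'W', 'P' }, [MT_WB] = { 'W', 'B' },
};

/* Three bytes per row: every used row is a proper C string. */
static const char wide[MT_COUNT][3] = {
    [MT_UC] = "UC", [MT_WC] = "WC", [MT_WT] = "WT",
    [MT_WP] = "WP", [MT_WB] = "WB",
};

/* Is there a terminator inside the row itself? Never reads past the row. */
static int row_is_terminated(const char *row, size_t width)
{
    return memchr(row, '\0', width) != NULL;
}

/*
 * Lookup in the style the commit describes. wide[x] is an array, so it
 * decays to a non-NULL pointer even for the reserved slots; testing it
 * against NULL would be dead code. An unused row is recognised by its
 * first byte being NUL instead.
 */
static const char *memtype_to_str(unsigned int x)
{
    if (x >= MT_COUNT || wide[x][0] == '\0')
        return "?";
    return wide[x];
}

int main(void)
{
    printf("narrow row terminated: %d\n",
           row_is_terminated(narrow[MT_UC], sizeof narrow[MT_UC]));
    printf("wide row terminated:   %d\n",
           row_is_terminated(wide[MT_UC], sizeof wide[MT_UC]));

    for (unsigned int x = 0; x < MT_COUNT; x++)
        printf("type %u -> %s\n", x, memtype_to_str(x));
    return 0;
}
```

Returning `narrow[x]` as a `const char *` would hand callers a pointer whose string runs on into the next row, which is the type error the commit message refers to.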
9 years ago x86: improvements to pv_cpuid()
Andrew Cooper [Mon, 15 Feb 2016 13:12:06 +0000 (14:12 +0100)]
x86: improvements to pv_cpuid()

pv_cpuid() has two completely separate paths inside it depending on whether
current is dom0 or a domU.  This causes unnecessary divergence, and
complicates future improvements.  Take steps to undo it.

Changes:
 * Create leaf and subleaf variables and use them consistently, instead of a
   mix of {a,c} and regs->e{a,c}x as the input parameters.
 * Combine the dom0 and domU hypervisor leaf handling, with an early exit.
 * Apply sanity checks to domU as well.  This brings PV domU cpuid handling in
   line with HVM domains and PV dom0.
 * Perform a real cpuid instruction for calculating CPUID.0xD[ECX=0].EBX.  The
   correct xcr0 is in context, and this avoids the O(M*N) loop over the domain
   cpuid policy list which exists currently.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago arm/config: Declare ELFSIZE_64.
Konrad Rzeszutek Wilk [Fri, 5 Feb 2016 15:44:45 +0000 (10:44 -0500)]
arm/config: Declare ELFSIZE_64.

Otherwise any code that tries to use Elf_* macros would
require us to use Elf64_* types instead of the more
friendly Elf_ one.

This is OK to do since 32-bit ARM uses LPAE mode.

Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
9 years ago travis: add initial Travis CI script to do builds
Doug Goldstein [Mon, 8 Feb 2016 02:45:03 +0000 (20:45 -0600)]
travis: add initial Travis CI script to do builds

This is just supposed to do a simple compile test on Travis CI. Currently
due to linux86 (bcc/bin86/dev86) not being whitelisted the tools cannot
be built.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
9 years ago build: remove .config from /boot when uninstalling
Konrad Rzeszutek Wilk [Fri, 12 Feb 2016 09:34:38 +0000 (10:34 +0100)]
build: remove .config from /boot when uninstalling

c/s 361b4f9f0f0d4adc19df428e224a7b8fa62cd392
"build: save generated xen .config" forgot to remove
the config file when uninstalling.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago uniformally use __ varients for attribute names
Andrew Cooper [Fri, 12 Feb 2016 09:34:13 +0000 (10:34 +0100)]
uniformally use __ varients for attribute names

Otherwise, debug code such as "void __attribute__((noreturn)) foobar()" fails
to compile when the noreturn itself gets expanded, resulting in
__attribute__((__attribute__((noreturn)))).

No function change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop uefi_call_wrapper() and EFI_FUNCTION_WRAPPER
Andrew Cooper [Fri, 12 Feb 2016 09:33:52 +0000 (10:33 +0100)]
x86: drop uefi_call_wrapper() and EFI_FUNCTION_WRAPPER

Nothing in the codebase uses them, and clang falls into the #error case

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: fix build following c/s 623c720f "x86: use CLFLUSHOPT when available"
Andrew Cooper [Fri, 12 Feb 2016 09:32:52 +0000 (10:32 +0100)]
x86: fix build following c/s 623c720f "x86: use CLFLUSHOPT when available"

CentOS 7 gets into trouble when compiling Xen citing:

  flushtlb.c: Assembler messages:
  flushtlb.c:149: Error: value of 256 too large for field of 1 bytes at 1

The line number is wrong, and the error message not helpful.  It turns out
that the intermediate generated assembly was

  # 139 "arch/x86/flushtlb.c" 1
      661:
      rex clflush (%r15)
  662:
  .pushsection .altinstructions,"a"

and it was having trouble combining the explicit REX prefix with the REX.B
required for the use of %r15.

Follow what Linux does and use a redundant %ds prefix instead, for a final
generated instruction of `3e 41 0f ae 3f`

While modifying this line, fix the indentation which was out by one space.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Doug Goldstein <cardoe@cardoe.com>
Introduce and use NOP_DS_PREFIX.

Also the above description of the issue is slightly wrong: We're not
suffering from some gas versions not being able to combine multiple REX
prefixes, but from the replacement instruction, when requiring a REX
prefix in order to express the memory operand, becoming one byte longer
than the original one, triggering the respective build time safety
check.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
9 years ago Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Thu, 11 Feb 2016 17:09:28 +0000 (17:09 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

9 years ago tools/console: correct make dependencies for _paths.h
Olaf Hering [Thu, 11 Feb 2016 15:38:14 +0000 (15:38 +0000)]
tools/console: correct make dependencies for _paths.h

Correct dependencies for _paths.h to avoid build failure with make -j.
Only main.c requires _paths.h. This fixes commit 8398ec70 ("xenconsole:
Ensure exclusive access to console using locks")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago tools: probe for existence of qemu-xen stderr trace backend.
Ian Campbell [Thu, 11 Feb 2016 12:11:21 +0000 (12:11 +0000)]
tools: probe for existence of qemu-xen stderr trace backend.

QEMU upstream commit ed7f5f1d8db0 ("trace: convert stderr backend to
log") renamed the "stderr" trace backend to "log", which breaks the
xen build when pointed at a QEMU tree after that point:

./configure of QEMU fails with:
"ERROR: invalid trace backends
        Please choose supported trace backends."

Upstream also changed, in baf86d6b3ca0 ("trace: switch default backend
to "log""), to use "log" as the default backend (previously it was
"nop").

Use ./scripts/tracetool.py to check for the presence of the stderr
backend and if it is present then explicitly enable it. If the stderr
backend is not present then assume a newer QEMU which defaults to
"log" and simply accept that default (there is a 1 commit window
upstream where this would result in no trace backend being enabled).

The check is done using the older (deprecated?) --check-backend/--backend
variant of the tracetool.py options rather than the new plural
versions since the singular was supported even by very old versions of
QEMU.  New QEMU has compatibility code but if/when that is removed we
will still do the right thing i.e. no explicit configuration resulting
in the upstream default (currently "log").

If the explicit selection of the "stderr" backend is required then it
is now done unconditionally (not depending on debug=y), which is
simpler to arrange here but also matches the newer upstream's default
to "log" which is not conditional on debug being enabled either.

Tested with current qemu-xen-unstable (e9d8252) and current QEMU
upstream master (88c73d1), both out of tree via
QEMU_UPSTREAM_URL=/path/to/qemu-xen.git.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Paul Durrant <paul.durrant@citrix.com>
Cc: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86/traps: dump instruction stream in show_execution_state()
Andrew Cooper [Thu, 11 Feb 2016 15:49:18 +0000 (16:49 +0100)]
x86/traps: dump instruction stream in show_execution_state()

For first pass triage of crashes, it is useful to have the instruction
stream present, especially now that Xen binary patches itself.

A sample output now looks like:

(XEN) ----[ Xen-4.7-unstable  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d0801607e4>] default_idle+0x76/0x7b
(XEN) RFLAGS: 0000000000000246   CONTEXT: hypervisor
(XEN) rax: ffff82d080331030   rbx: ffff83007fce8000   rcx: 0000000000000000
(XEN) rdx: 0000000000000000   rsi: ffff82d080331b98   rdi: 0000000000000000
(XEN) rbp: ffff83007fcefef0   rsp: ffff83007fcefef0   r8:  ffff83007faf8118
(XEN) r9:  00000009983e89fd   r10: 00000009983e89fd   r11: 0000000000000246
(XEN) r12: ffff83007fd61000   r13: 00000000ffffffff   r14: ffff83007fad9000
(XEN) r15: ffff83007fae3000   cr0: 000000008005003b   cr4: 00000000000026e0
(XEN) cr3: 000000007fc9b000   cr2: 00007f70976b3fed
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen code around <ffff82d0801607e4> (default_idle+0x76/0x7b):
(XEN)  83 3c 10 00 75 04 fb f4 <eb> 01 fb 5d c3 55 48 89 e5 3b 3d 0d 50 12 00 72
(XEN) Xen stack trace from rsp=ffff83007fcefef0:
(XEN)    ffff83007fceff10 ffff82d080160e08 ffff82d08012c40a ffff83007faf9000
(XEN)    ffff83007fcefdd8 ffffffff81a01fd8 ffff88002f07d4c0 ffffffff81a01fd8
(XEN)    0000000000000000 ffffffff81a01e58 ffffffff81a01fd8 0000000000000246
(XEN)    00000000ffff0052 0000000000000000 0000000000000000 0000000000000000
(XEN)    ffffffff810013aa 0000000000000001 00000000deadbeef 00000000deadbeef
(XEN)    0000010000000000 ffffffff810013aa 000000000000e033 0000000000000246
(XEN)    ffffffff81a01e40 000000000000e02b 0000000000000000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffff83007faf9000
(XEN)    0000000000000000 0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82d0801607e4>] default_idle+0x76/0x7b
(XEN)    [<ffff82d080160e08>] idle_loop+0x51/0x6e
(XEN)

A sample with a partial access looks like:

(XEN) Xen code around <ffff8300ac0fe002> (ffff8300ac0fe002) [fault on access]:
(XEN)  -- -- -- -- -- -- 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/traps: prevent interleaving of concurrent cpu state dumps
Andrew Cooper [Thu, 11 Feb 2016 15:48:38 +0000 (16:48 +0100)]
x86/traps: prevent interleaving of concurrent cpu state dumps

If two cpus enter show_execution_state() concurrently, the resulting console
output is interleaved, and of no help debugging the situation further.

As calls to these locations are rare and usually important, it is acceptable
to serialise them.  These codepaths are also on the terminal error paths, so
the console lock must be the lock used for serialisation, to allow
console_force_unlock() to function properly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: rename X86_FEATURE_{CLFLSH -> CLFLUSH}
Jan Beulich [Thu, 11 Feb 2016 15:46:50 +0000 (16:46 +0100)]
x86: rename X86_FEATURE_{CLFLSH -> CLFLUSH}

This is both more natural and in line with a Linux change (between 3.14
and 3.15).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: use CLFLUSHOPT when available
Jan Beulich [Thu, 11 Feb 2016 15:46:11 +0000 (16:46 +0100)]
x86: use CLFLUSHOPT when available

Also drop an unnecessary va adjustment in the code being touched.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/p2m: use large pages for MMIO mappings
Jan Beulich [Thu, 11 Feb 2016 15:45:08 +0000 (16:45 +0100)]
x86/p2m: use large pages for MMIO mappings

When mapping large BARs (e.g. the frame buffer of a graphics card) the
overhead of establishing such mappings using only 4k pages has,
particularly after the XSA-125 fix, become unacceptable. Alter the
XEN_DOMCTL_memory_mapping semantics once again, so that there's no
longer a fixed amount of guest frames that represents the upper limit
of what a single invocation can map. Instead bound execution time by
limiting the number of iterations (regardless of page size).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
9 years ago x86: avoid overriding initialisers in arrays
Andrew Cooper [Thu, 11 Feb 2016 15:44:01 +0000 (16:44 +0100)]
x86: avoid overriding initialisers in arrays

Clang objects to having multiple initialisers when creating an array.

As this warning is useful for spotting obscure bugs, disabling it is
unhelpful.  Instead, fix our two deliberate usecases.

In the p2m-ept case, pull the array out into a helper function, so the helper
can guarantee to cover the NULL pointer case.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago init: drop invbool_param()
Andrew Cooper [Thu, 11 Feb 2016 15:42:24 +0000 (16:42 +0100)]
init: drop invbool_param()

There are now no users.  No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop the uses of invbool_param()
Andrew Cooper [Thu, 11 Feb 2016 15:41:59 +0000 (16:41 +0100)]
x86: drop the uses of invbool_param()

There are only four users, and invbool_param() is an unnecessary cognitive
overhead to use.

Convert the four users to boolean_param(), and consistently use opt_* for the
variable name.

No change to the behaviour of the command line arguments.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop cpuinfo_x86.x86_power
Andrew Cooper [Thu, 11 Feb 2016 15:41:35 +0000 (16:41 +0100)]
x86: drop cpuinfo_x86.x86_power

Nothing uses it.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>