Shannon Zhao [Wed, 30 Mar 2016 10:10:00 +0000 (12:10 +0200)]
arm/acpi: Permit MMIO access of Xen unused devices for Dom0
Firstly it permits full MMIO capabilities for Dom0. Then deny MMIO
access of Xen used devices, such as UART, GIC, SMMU. Currently, it only
denies the MMIO access of UART and GIC regions. For other Xen used
devices it could be added later when they are supported.
Shannon Zhao [Wed, 30 Mar 2016 10:14:00 +0000 (12:14 +0200)]
arm/acpi: Configure SPI interrupt type and route to Dom0 dynamically
Interrupt information is described in DSDT and is not available at the
time of booting. Check if the interrupt is permitted to access and set
the interrupt type, route it to guest dynamically only for SPI
and Dom0.
Shannon Zhao [Wed, 30 Mar 2016 10:12:00 +0000 (12:12 +0200)]
arm/acpi: Create min DT stub for Dom0
Create a DT for Dom0 for ACPI-case only. DT contains minimal required
information such as Dom0 bootargs, initrd, efi description table and
address of uefi memory table.
Also document this device tree bindings of "hypervisor" and
"hypervisor/uefi" node.
Shannon Zhao [Wed, 30 Mar 2016 10:11:00 +0000 (12:11 +0200)]
arm/acpi: Prepare XSDT table for Dom0
Copy and modify XSDT table before passing it to Dom0. Replace the entry
value of the copied table. Add a new entry for STAO table as well. And
keep entry value of other reused tables unchanged.
Shannon Zhao [Wed, 30 Mar 2016 10:10:00 +0000 (12:10 +0200)]
arm/acpi: Estimate memory required for acpi/efi tables
Estimate the memory required for loading acpi/efi tables in Dom0. Make
the length of each table aligned with 64bit. Alloc the pages to store
the new created EFI and ACPI tables and free these pages when
destroying domain.
Merge branch 'pin' of https://github.com/jgross1/xen into staging
* 'pin' of https://github.com/jgross1/xen:
libxl: add force option for xl vcpu-pin
libxl: print message how to recover from xl cpupool-cpu-remove errors
libxc: do some retries in xc_cpupool_removecpu() for EBUSY case
All patches have Acked-by and Reviewed-by tags.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Paul Durrant [Tue, 29 Mar 2016 15:55:23 +0000 (16:55 +0100)]
tools/misc/xen-hvmctx: fix the build
Commit 78c5f59e "x86/hvm/viridian: save APIC assist vector" changed
the name of a field in the viridian vcpu save record. Unfortunately this
record has a decode function in xen-hvmctx and so it no longer builds.
This patch fixes the field name in xen-hvmctx and also adds a decode of
the additional field that was added to the save record.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
There should be 6 instead of 7 arguments now for tmem_control()
. which was done in commit 54a51b1766fd433b95e63834eb15d4b1f70271de
"tmem: Remove xc_tmem_control mystical arg3" which missed
this change.
Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Tue, 29 Mar 2016 15:16:23 +0000 (17:16 +0200)]
spinlock: improve spin_is_locked() for recursive locks
Recursive locks know their current owner, and since we use the function
solely to determine whether a particular lock is being held by the
current CPU (which so far has been an imprecise check), make actually
check the owner for recusrively acquired locks.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Quan Xu <quan.xu@intel.com> Acked-by: Tim Deegan <tim@xen.org>
Shuai Ruan [Tue, 29 Mar 2016 15:15:57 +0000 (17:15 +0200)]
x86/xsaves: calculate comp_offsets[] based on xcomp_bv
Previous patch using all available features calculate comp_offsets.
This is wrong.This patch fix this bug by calculating the comp_offset
based on xcomp_bv of current guest.
Also, the comp_offset should take alignment into consideration.
Reported-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Shuai Ruan <shuai.ruan@linux.intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 29 Mar 2016 15:15:15 +0000 (17:15 +0200)]
ns16550: enable Pericom controller support
Other than the controllers supported so far, multiple port Pericom
boards map all of their ports via BAR0, which requires a number of
adjustments: Instead of tracking "max_bars" we now flag whether all
ports use BAR0, and whether to expect a port-I/O or MMIO resource. As
a result pci_uart_config() now gets handed a port index, which it then
maps into a BAR index or an offset into BAR0 depending on the bar0
flag.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Tim Deegan <tim@xen.org>
Jan Beulich [Tue, 29 Mar 2016 15:14:43 +0000 (17:14 +0200)]
ns16550: store pointer to config parameters for PCI
Subsequent changes will want to use this pointer.
This makes the enable_ro structure member redundant, so it gets dropped
at once.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Tim Deegan <tim@xen.org>
Shannon Zhao [Tue, 29 Mar 2016 12:26:57 +0000 (14:26 +0200)]
hvm/params: add a new delivery type for event-channel in HVM_PARAM_CALLBACK_IRQ
This new delivery type which is for ARM shares the same value with
HVM_PARAM_CALLBACK_TYPE_VECTOR which is for x86.
val[15:8] is flag: val[7:0] is a PPI.
To the flag, bit 8 stands the interrupt mode is edge(1) or level(0) and
bit 9 stands the interrupt polarity is active low(1) or high(0).
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Acked-by: Jan Beulich <jbeulich@suse.com>
Paul Durrant [Tue, 29 Mar 2016 12:26:33 +0000 (14:26 +0200)]
x86/hvm/viridian: fix APIC assist page leak
Commit a6f2cdb6 "keep APIC assist page mapped..." introduced a page
leak because it relied on viridian_vcpu_deinit() always being called
to release the page mapping. This does not happen in the case a normal
domain shutdown.
This patch fixes the problem by introducing a new function,
viridian_domain_deinit(), which will iterate through the vCPUs and
release any page mappings still present.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Paul Durrant [Tue, 29 Mar 2016 12:26:03 +0000 (14:26 +0200)]
x86/hvm/viridian: save APIC assist vector
If any vcpu has a pending APIC assist when the domain is suspended
then the vector needs to be saved. If this is not done then it's
possible for the vector to remain pending in the vlapic ISR
indefinitely after resume.
This patch adds code to save the APIC assist vector value in the
viridian vcpu save record. This means that the record is now zero-
extended on load and, because this implies a loaded value of
zero means nothing is pending (for backwards compatibility with
hosts not implementing APIC assist), the rest of the viridian APIC
assist code is adjusted to treat a zero value in this way. A
check has therefore been added to viridian_start_apic_assist() to
prevent the enlightenment being used for vectors < 0x10 (which
are illegal for an APIC).
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
I nominate Anthony Perard as qemu-xen co-maintainer. He has been doing a
lot of QEMU work over the years and in fact he is the original author of
the Xen enablement code in upstream QEMU.
As qemu-xen co-maintainer, he could help me manage the qemu-xen trees
and promptly backport all the relevant commits from upstream QEMU.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Jan Beulich [Tue, 29 Mar 2016 12:24:26 +0000 (14:24 +0200)]
x86: fix information leak on AMD CPUs
The fix for XSA-52 was wrong, and so was the change synchronizing that
new behavior to the FXRSTOR logic: AMD's manuals explictly state that
writes to the ES bit are ignored, and it instead gets calculated from
the exception and mask bits (it gets set whenever there is an unmasked
exception, and cleared otherwise). Hence we need to follow that model
in our workaround.
This is CVE-2016-3158 / CVE-2016-3159 / XSA-172.
[xen/arch/x86/xstate.c:xrstor: CVE-2016-3158]
[xen/arch/x86/i387.c:fpu_fxrstor: CVE-2016-3159]
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
George Dunlap [Thu, 24 Mar 2016 17:17:24 +0000 (17:17 +0000)]
xl: Return an error on failed cd-insert
This makes xl more useful in scripts.
The strange thing about this is that the internal cd_insert function
*already* returned something appropriate, and cd-eject was using it,
but cd-insert wasn't.
Also:
* Rework cd_insert to return EXIT_FAILURE and EXIT_SUCCESS rather than
magic constants
* Use 'r' for non-libxl return code, as specified in CODING_STYLE
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
George Dunlap [Thu, 24 Mar 2016 17:17:23 +0000 (17:17 +0000)]
xl: Make set_memory_target return an error code on failure
Also move the rc -> shell code translation into set_memory_max() to
make the two functions consistent with each other, and with other
similar examples in xl_cmdimpl.c
Change a 'long long' to "int64_t" while we're at it.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
George Dunlap [Thu, 24 Mar 2016 17:17:22 +0000 (17:17 +0000)]
libxl: Remove pointless hypercall from libxl_set_memory_target
There's no obvious reason for the call to xc_domain_getinfolist -- all
it seems to be doing is checking that the domain exists; but if it
doesn't exist, it will have already failed by this point.
NB that this will change the return value for libxl_set_memory_target:
now it will return 0 on success, rather than returning 1 (which was
the previous behavior). This is more in line with expected behavior,
and also allows the caller to distingiush between success and other
failure modes (some of which also return 1).
Signed-off-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Doug Goldstein [Wed, 16 Mar 2016 19:18:43 +0000 (14:18 -0500)]
xsm: move FLASK_AVC_STATS to Kconfig
Have Kconfig set CONFIG_FLASK_AVC_STATS and prefix all uses with CONFIG_
to use the Kconfig variable.
Note that will preserve the original behavior - which is that you
cannot disable FLASK_AVC_STATS. Enterprising users can disable
it without any compilation issues.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Doug Goldstein [Wed, 16 Mar 2016 19:18:42 +0000 (14:18 -0500)]
xsm: only define XSM_MAGIC in xsm.h
Rather than have XSM_MAGIC set in the global xen/config.h and set in
xsm.h if it's unset, just set it once in xsm.h since its only used in
files that already include xsm.h
Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Juergen Gross [Thu, 24 Mar 2016 17:44:50 +0000 (18:44 +0100)]
libxl: add force option for xl vcpu-pin
In order to be able to undo a vcpu pin override in case of a kernel
driver error add a flag "-f" to the "xl vcpu-pin" command forcing the
hypervisor to undo the override.
Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Juergen Gross [Thu, 24 Mar 2016 17:44:50 +0000 (18:44 +0100)]
libxl: print message how to recover from xl cpupool-cpu-remove errors
An error occurring when calling "xl cpupool-cpu-remove" might leave
the system in a state where a cpu is neither completely free nor in
a cpupool. This can easily be repaired by adding the cpu via
"xl cpupool-cpu-add" to the cpupool where it was removed from before.
Print a message telling this the user in case of an error.
Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Juergen Gross [Thu, 24 Mar 2016 17:44:50 +0000 (18:44 +0100)]
libxc: do some retries in xc_cpupool_removecpu() for EBUSY case
The hypervisor might return EBUSY when trying to remove a cpu from a
cpupool when a domain running in this cpupool has pinned a vcpu
temporarily. Do some retries in this case, perhaps the situation
cleans up.
Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Thu, 24 Mar 2016 15:07:30 +0000 (16:07 +0100)]
x86/vLAPIC: vlapic_reg_write() can't fail
It only ever returns X86EMUL_OKAY, so to make this more obvious change
the function return type to void. Re-structure vlapic_apicv_write() at
once to have only a single path leading to vlapic_reg_write().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 24 Mar 2016 15:06:22 +0000 (16:06 +0100)]
x86: annotate special features
Some bits in a featureset are not simple a indication of new functionality,
and require special handling.
APIC, OSXSAVE and OSPKE are fast-forwards of other pieces of state;
IA32_APIC_BASE.EN, CR4.OSXSAVE and CR4.OSPKE. Xen will take care of filling
these appropriately at runtime.
FDP_EXCP_ONLY and NO_FPU_SEL are bits indicating reduced functionality in the
x87 pipeline. The effects of these cannot be hidden from the guest, so the
host values will always be provided.
HTT, X2APIC and CMP_LEGACY indicate how to interpret other cpuid leaves. In
most cases, the toolstack value will be used (with the expectation that these
flags will match the other provided topology information). However with cpuid
masking, the host values are presented as masking cannot influence what the
guest sees in the dependent leaves.
HYPERVISOR is unconditionally set in the PV ABI, but follows the toolstack
setting for HVM guests.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Andrew Cooper [Thu, 24 Mar 2016 15:05:37 +0000 (16:05 +0100)]
x86: mask out unknown features from Xen's capabilities
If Xen doesn't know about a feature, it is unsafe for use and should be
deliberately hidden from Xen's capabilities.
This doesn't make a practical difference yet, but will make a difference
later when the guest featuresets are seeded from the host featureset.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Andrew Cooper [Thu, 24 Mar 2016 15:03:44 +0000 (16:03 +0100)]
x86: collect more cpuid feature leaves
New words are:
* 0x80000007.edx - Contains Invarient TSC
* 0x80000008.ebx - Newly used for AMD Zen processors
In addition, replace some open-coded ITSC and EFRO manipulation.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Andrew Cooper [Thu, 24 Mar 2016 15:02:37 +0000 (16:02 +0100)]
x86: script to automatically process featureset information
This script consumes include/public/arch-x86/cpufeatureset.h and generates a
single include/asm-x86/cpuid-autogen.h containing all the processed
information.
It currently generates just FEATURESET_NR_ENTRIES. Future changes will
generate more information.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Dario Faggioli [Thu, 24 Mar 2016 14:57:30 +0000 (15:57 +0100)]
sched: add .init_pdata hook to the scheduler interface
with the purpose of decoupling the allocation phase and
the initialization one, for per-pCPU data of the schedulers.
This makes it possible to perform the initialization later
in the pCPU bringup/assignement process, when more information
(for instance, the host CPU topology) are available. This,
for now, is important only for Credit2, but it can well be
useful to other schedulers.
Dario Faggioli [Thu, 24 Mar 2016 14:56:56 +0000 (15:56 +0100)]
sched: fix locking when allocating an RTDS pCPU
as doing that include changing the scheduler lock
mapping for the pCPU itself, and the correct way
of doing that is:
- take the lock that the pCPU is using right now
(which may be the lock of another scheduler);
- change the mapping of the lock to the RTDS one;
- release the lock (the one that has actually been
taken!)
Jim Fehlig [Tue, 15 Mar 2016 01:14:15 +0000 (01:14 +0000)]
tools: Restrict configuration of qemu processes
Commit 6ef823fd added '-nodefaults' to the qemu args created by
libxl, which is a good step in restricting qemu's default
configuration. This change takes another step by adding
-no-user-config, which ignores any user-provided config files in
sysconfdir. Together, -nodefaults and -no-user-config allow Xen
to avoid unkown and uncontrolled qemu configuration.
Both options are also added to the qemu invocation in the
xen-qemu-dom0-disk-backend systemd service file.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Jonathan Davies [Thu, 17 Mar 2016 17:51:15 +0000 (17:51 +0000)]
oxenstored: log request and response during transaction replay
During a transaction replay, the replayed requests and the new responses are
logged in the same way as the original requests and the original responses.
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:14 +0000 (17:51 +0000)]
oxenstored: replay transaction upon conflict
The existing transaction merge algorithm keeps track of the least upper bound
(longest common prefix) of all the nodes which have been read and written, and
will re-combine two stores which have disjoint upper bounds. This works well for
small transactions but causes unnecessary conflicts for ones that span a large
subtree, such as the following ones used by the xapi toolstack:
* VM start: creates /vm/... /vss/... /local/domain/...
The least upper bound of this transaction is / and so all
these transactions conflict with everything.
* Device hotplug: creates /local/domain/0/... /local/domain/n/...
The least upper bound of this transaction is /local/domain so
all these transactions conflict with each other.
If the existing merge algorithm cannot merge and commit, we attempt
a /replay/ of the failed transaction against the new store.
When we replay the requests we check whether the response sent to the client is
the same as during the first attempt at the transaction. If the responses are
all the same then the transaction replay can be committed. If any differ then
the transaction replay must be aborted and the client must retry.
This algorithm uses the intuition that the transactions made by the toolstack
are designed to be for separate domains, and should fundamentally not conflict
in the sense that they don't read or write any shared keys. By replaying the
transaction on the server side we do what the client would have to do anyway,
only we can do it quickly without allowing any other requests to interfere.
Performing 300 parallel simulated VM start and shutdowns without this code:
300 parallel starts and shutdowns: 268.92
Performing 300 parallel simulated VM start and shutdowns with this code:
300 parallel starts and shutdowns: 3.80
Signed-off-by: Dave Scott <dave@recoil.org> Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:13 +0000 (17:51 +0000)]
oxenstored: move functions that process simple operations
Separate the functions which process operations that can be done as part of a
transaction. Specifically, these operations are: read, write, rm, getperms,
setperms, getdomainpath, directory, mkdir.
Also split function_of_type into two functions: one for processing the simple
operations and one for processing the rest.
This will help allow replay of transactions, allowing us to invoke the functions
that process the simple operations as part of the processing of transaction_end.
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:12 +0000 (17:51 +0000)]
oxenstored: keep track of each transaction's operations
A list of (request, response) pairs from the operations performed within the
transaction will be useful to support transaction replay.
Since this consumes memory, the number of requests per transaction must not be
left unbounded. Hence a new quota for this is introduced. This quota, configured
via the configuration key 'quota-maxrequests', limits the size of transactions
initiated by domUs.
After the maximum number of requests has been exhausted, any further requests
will result in EQUOTA errors. The client may then choose to end the transaction;
a successful commit will result in the retention of only the prior requests.
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:11 +0000 (17:51 +0000)]
oxenstored: refactor request processing
Encapsulate the request in a record that is passed from do_input to
process_packet and input_handle_error.
This will be helpful when keeping track of the requests made as part of a
transaction.
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:10 +0000 (17:51 +0000)]
oxenstored: remove some unused parameters
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jonathan Davies [Thu, 17 Mar 2016 17:51:09 +0000 (17:51 +0000)]
oxenstored: refactor putting response on wire
Previously, the functions reply_{ack,data,data_or_ack} and input_handle_error
put the response on the wire by invoking Connection.send_{ack,reply,error}.
Instead, these functions now return a value indicating what needs to be put on
the wire, and that action is done by a send_response function called
afterwards.
This refactoring gives us a chance to store the value of the response, useful
for replaying transactions.
Signed-off-by: Jonathan Davies <jonathan.davies@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jon Ludlam <jonathan.ludlam@citrix.com> Reviewed-by: Euan Harris <euan.harris@citrix.com> Acked-by: David Scott <dave@recoil.org>
Jan Beulich [Wed, 23 Mar 2016 10:04:52 +0000 (11:04 +0100)]
x86: drop raw_write_cr4() again
The bypassing of the memory cache is, namely in the context of the
32-bit PV SMEP/SMAP workaround series (as Andrew validly points out),
making the overall correctness more difficult to verify. Hence go
back to uniform writes.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 23 Mar 2016 10:02:07 +0000 (11:02 +0100)]
x86: remap text/data/bss with appropriate permissions
c/s cf39362 "x86: use 2M superpages for text/data/bss mappings" served two
purposes; to map the primary code and data with appropriate pagetable
permissions (rather than unilaterally RWX), and to reduce the TLB pressure.
The extra alignment exposed a SYSLinux issue, and was partly reverted by c/s 0b8a172 "x86: partially revert use of 2M mappings for hypervisor image".
This change reinstates the pagetable permission improvements while avoiding
the 2M alignment issue.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
So that we have a nice mechansim to figure out the upper
bounds of bug.frames and also catch compiler errors in case
one tries to use a higher frame number.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com> Acked-by: Jan Beulich <jbeulich@suse.com>
--- Cc: Stefano Stabellini <stefano.stabellini@citrix.com> Cc: Julien Grall <julien.grall@arm.com> Cc: Keir Fraser <keir@xen.org> Cc: Jan Beulich <jbeulich@suse.com> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
v3: First time included.
v4: Add BUG_FRAME check also in the assembler version of the macro.
v5: Add Acks, make BUILD_BUG_ON checks look correct. Position the
BUGFRAME_NR properly. Reposition the BUGFRAME_NR again.
---
xsm/xen_version: Add XSM for most of xen_version hypercall
Most of XENVER_* have now an XSM check for their sub-ops.
The subop for XENVER_commandline is now a priviliged operation.
To not break guests we still return an string - but it is
just '<denied>\0'.
The XENVER_[version|platform_parameters|get_features] - will
always return an value to the guest.
The rest: XENVER_[extraversion|capabilities|page_size|
guest_handle|changeset| compile_info] behave as before -
allowed by default for all guests if using the XSM default
policy or with the dummy one. And if the system admin
wants to curtail access to some of them - they can do
that now with a non-default XSM policy.
Also we add a local variable block.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
--- Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com>
v2: Do XSM check for all the XENVER_ ops.
- Add empty data conditions.
- Return <denied> for priv subops.
- Move extraversion from priv to normal. Drop the XSM check
for the non-priv subops.
v3:
- Add +1 for strlen(xen_deny()) to include NULL. Move changeset,
compile_info to non-priv subops.
- Remove the \0 on xen_deny()
- Add new XSM domain for xenver hypercall. Add all subops to it.
- Remove the extra line, Add Ack from Daniel
v4:
- Rename the XSM from xen_version_op to xsm_xen_version.
Prefix the types with 'xen' to distinguish it from another
hypercall performing similar operation. Removed Ack from Daniel
as it was so large. Add local variable block.
v5:
- Make XENVER_platform_parameters,get_features,version be excluded
from the XSM check per Jans' review. Add BUILD_BUG_CHECK and fix
odd line removals. Remove stray changes and fix spelling.
Shannon Zhao [Fri, 18 Mar 2016 14:26:33 +0000 (15:26 +0100)]
acpi: drop CONFIG_ACPI_BOOT and use CONFIG_ACPI instead
There is no difference between CONFIG_ACPI and CONFIG_ACPI_BOOT in
current acpi codes, so it's unnecessary to keep CONFIG_ACPI_BOOT and we
use CONFIG_ACPI instead as Jan suggested.
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Drop CONFIG_ACPI conditionals completely from x86 code.
This patch adds code to enable the APIC assist enlightenment which,
under certain conditions, means that the guest can avoid an EOI of
the local APIC and thereby avoid a VMEXIT.
Use of the enlightenment by the hypervisor is under control of the
toolstack, and is added to the default set.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Tianyang Chen [Fri, 18 Mar 2016 14:21:36 +0000 (15:21 +0100)]
sched: convert RTDS from time to event driven model
The current RTDS code has several problems:
- the scheduler, although the algorithm is event driven by
nature, follows a time driven model (is invoked periodically!),
making the code look unnatural;
- budget replenishment logic, budget enforcement logic and scheduling
decisions are mixed and entangled, making the code hard to understand;
- the various queues of vcpus are scanned various times, making the
code inefficient;
This patch separates budget replenishment and enforcement. It does that
by handling the former with a dedicated timer, and a queue of pending
replenishment events.
A replenishment queue has been added to keep track of all vcpus that
are runnable.
We also make sure that the main scheduling function is called when a
scheduling decision is necessary, such as when the currently running
vcpu runs out of budget.
Finally, when waking up a vcpu, it is now enough to tickle the various
CPUs appropriately, like all other schedulers also do.
Andrew Cooper [Fri, 18 Mar 2016 14:19:30 +0000 (15:19 +0100)]
x86: drop unused and non-useful feature definitions
None of these features are interesting for Xen to use, or to be advertised to
guests. Doing so identifies further areas of code which can be removed now
that 32bit support has been dropped.
IA64 has a sole user in microcode_intel.c. While it is plausible for a 32bit
x86 hypervisor to get there via IA64's x86 emulation, a 64bit x86 hypervisor
most certainly won't.
MP proves to be more complicated. It is only advertised on some K7
processors, not on K8 or newer, and now listed as reserved in the AMD manual.
Cleaning this up reveals two chunks of common SMP code which was only
applicable to K7 processors, which are 32bit only.
While cleaning this area up, remove the inconsistent use of newlines in the
cpu_has_* definition block.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Chunyan Liu [Wed, 9 Mar 2016 02:10:14 +0000 (10:10 +0800)]
xl: add pvusb commands
Add pvusb commands: usbctrl-attach, usbctrl-detach, usb-list,
usbdev-attach and usbdev-detach.
To attach a usb device to guest through pvusb, one could follow
following example:
#xl usbctrl-attach test_vm version=1 ports=8
#xl usb-list test_vm
will show the usb controllers and port usage under the domain.
#xl usbdev-attach test_vm hostbus=1 hostaddr=2
will find the first usable controller:port, and attach usb
device whose busnum is 1 and devnum is 6.
One could also specify which <controller> and which <port>.
#xl usbdev-detach test_vm 0 1
will detach USB device under controller 0 port 1.
#xl usbctrl-detach test_vm dev_id
will destroy the controller with specified dev_id. Dev_id
can be traced in usb-list info.
Signed-off-by: Chunyan Liu <cyliu@suse.com> Signed-off-by: Simon Cao <caobosimon@gmail.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Chunyan Liu [Wed, 9 Mar 2016 02:10:13 +0000 (10:10 +0800)]
libxl: domcreate: support pvusb in configuration file
Add code to support pvusb in domain config file. One could specify
usbctrl and usb in domain's configuration file and create domain,
then usb controllers will be created and usb device would be attached
to guest automatically.
One could specify usb controllers and usb devices in config file
like this:
usbctrl=['version=2,ports=4', 'version=1, ports=4', ]
usbdev=['hostbus=2, hostaddr=1, controller=0,port=1', ]
Signed-off-by: Chunyan Liu <cyliu@suse.com> Signed-off-by: Simon Cao <caobosimon@gmail.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Chunyan Liu [Wed, 9 Mar 2016 02:10:12 +0000 (10:10 +0800)]
libxl: add pvusb API
Add pvusb APIs, including:
- attach/detach (create/destroy) virtual usb controller.
- attach/detach usb device
- list usb controller and usb devices
- some other helper functions
Signed-off-by: Simon Cao <caobosimon@gmail.com> Signed-off-by: George Dunlap <george.dunlap@citrix.com> Signed-off-by: Chunyan Liu <cyliu@suse.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Chunyan Liu [Wed, 9 Mar 2016 02:10:11 +0000 (10:10 +0800)]
libxl: refactor DEFINE_DEVICE_REMOVE to fit for more device types
For some device type, device removal operation needs to be
handled specially, like usbctrl, it needs to remove all usb
devices under it first, then remove usbctrl. Extend
DEFINE_DEVICE_REMOVE to support generic and custom way
For those need to be handled specially, call
DEFINE_DEVICE_REMOVE_CUSTOM, it requires user defined
libxl__initiate_device_##type##_remove. Otherwise, just
call DEFINE_DEVICE_REMOVE as before.
Signed-off-by: George Dunlap <george.dunlap@citrix.com> Signed-off-by: Chunyan Liu <cyliu@suse.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Chunyan Liu [Wed, 9 Mar 2016 02:10:09 +0000 (10:10 +0800)]
libxl: export some functions for pvusb use
Signed-off-by: Chunyan Liu <cyliu@suse.com> Signed-off-by: Simon Cao <caobosimon@gmail.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Jan Beulich [Fri, 18 Mar 2016 08:50:12 +0000 (09:50 +0100)]
x86: put kexec_reloc in its own section
Since it wants to be page aligned, this alignment would force pointless
alignment of .text in the intermediate built_in.o file(s), needlessly
growing the overall text and binary size.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: David Vrabel <david.vrabel@citrix.com>
David Vrabel [Fri, 18 Mar 2016 08:49:01 +0000 (09:49 +0100)]
x86/fpu: improve check for XSAVE* not writing FIP/FDP fields
The hardware may not write the FIP/FDP fields with a XSAVE*
instruction. e.g., with XSAVEOPT/XSAVES if the state hasn't changed
or on AMD CPUs when a floating point exception is not pending. We
need to identify this case so we can correctly apply the check for
whether to save/restore FCS/FDS.
By poisoning FIP in the saved state we can check if the hardware
writes to this field. The poison value is both: a) non-canonical; and
b) random with a vanishingly small probability of matching a value
written by the hardware (1 / (2^63) = 10^-19).
The poison value is fixed and thus knowable by a guest (or guest
userspace). This could allow the guest to cause Xen to incorrectly
detect that the field has not been written. But: a) this requires the
FIP register to be a full 64 bits internally which is not the case for
all current AMD and Intel CPUs; and b) this only allows the guest (or
a guest userspace process) to corrupt its own state (i.e., it cannot
affect the state of another guest or another user space process).
This results in smaller code with fewer branches and is more
understandable.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Intel confirmed that 64-bit {F,}XRSTOR sign-extend FIP from bit 47.
While leaving the description above intact, modify the code comment
accordingly.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Paul Durrant [Thu, 17 Mar 2016 12:50:39 +0000 (13:50 +0100)]
x86/hvm/viridian: keep APIC assist page mapped...
... for the lifetime of the domain.
If Xen is to make use of the APIC assist enlightenment then a persistent
mapping needs to be kept, rather than the temporary one which is currently
used only to initialize the page content.
This patch also adds a comment block at the top of the source with
information on the latest version of the spec. from Microsoft and the
current URL where it may be found.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Paul Durrant [Thu, 17 Mar 2016 12:49:06 +0000 (13:49 +0100)]
x86/hvm/viridian: fix the TLB flush hypercall
Commit b38d426a "flush remote tlbs by hypercall" add support to allow
Windows to request flush of remote TLB via hypercall rather than IPI.
Unfortunately it seems that this code was broken in a couple of ways:
1) The allocation of the per-vcpu ipi mask is gated on whether the
domain has viridian features enabled but the call to allocate is
made before the toolstack has enabled those features. This results
in a NULL pointer dereference.
2) One of the flush hypercall variants is a rep op, but the code
does not update the output data with the reps completed. Hence the
guest will spin repeatedly making the hypercall because it believes
it has uncompleted reps.
This patch fixes both of these issues as follows:
1) The ipi mask need only be per-pcpu so it is made a per-pcpu static
to avoid the need for allocation.
2) The rep complete count is updated to the rep count since the single
flush that Xen does covers all reps anyway.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
arm64: fix incorrect memory region size in TCR_EL2
The maximum and minimum values for TxSZ depend on level of
translation as per AArch64 Virtual Memory System Architecture.
According to ARM specification DDI0487A_h (sec D4.2.2, page 1752),
the minimum TxSZ value is 16. If TxSZ is programmed to a value
smaller than 16 then it is IMPLEMENTATION DEFINED.
This patch sets T0SZ to (64-48)bits since XEN uses all 4 levels
to cover 48bit (256TB) virtual address instead of value zero.
Doug Goldstein [Wed, 16 Mar 2016 14:11:00 +0000 (09:11 -0500)]
tmem: drop direct usage of opt_tmem
Most callers of tmem_freeable_pages() checked to see if by checking
opt_tmem before calling tmem_freeable_pages() but not all of them did. This
seemed like an oversight and to avoid similar situations like that,
stick the check of tmem into tmem_freeable_pages(). Similarly other
places should not directly check opt_tmem but instead use the
tmem_enabled() helper function.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Acked-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Razvan Cojocaru [Thu, 3 Mar 2016 13:58:00 +0000 (15:58 +0200)]
libxc: Have xc_translate_foreign_address() set errno properly
Currently it's possible for xc_translate_foreign_address() to fail
and errno still be set to success. This patch fixes the issue.
Based on the first half of Don Slutz' patch:
http://lists.xen.org/archives/html/xen-devel/2014-03/msg03720.html
Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Ross Lagerwall [Tue, 27 Oct 2015 16:21:32 +0000 (16:21 +0000)]
elf: Add relocation types to elfstructs.h
GCC generates R_X86_64_64, R_X86_64_PC32, and R_X86_64_PLT32
relocations so those are the ones we need initially
to support xSplice.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
David Vrabel [Tue, 15 Mar 2016 11:22:04 +0000 (12:22 +0100)]
hvmloader: add high memory e820 region if needed
If the MMIO hole is large and hvmloader needs to relocate memory to
immediately above the 4 GiB boundary, the e820 presented to the guest
will not have a RAM region above 4 GiB.
e.g., a guest with 3 GiB of memory and a 2 GiB MMIO hole will only see
2 GiB.
The required e820 memory region above 4 GiB needs to be added, and not
just filled in.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 15 Mar 2016 11:21:38 +0000 (12:21 +0100)]
x86: move both exception tables into .rodata
While they are being written during early boot (when sorting them),
that writing takes place before we actually start fiddling with page
table permissions, so these tables can benefit from getting write
protected just like ordinary r/o data does (for now only when using
2M mappings).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
projects / xen.git / log