Wei Liu [Tue, 17 Dec 2013 22:53:45 +0000 (22:53 +0000)]
xl: create VFB for PV guest when VNC is specified
This replicates a Xend behavior. When you specify 'vnc=1' and there's no
'vfb=[]' in a PV guest's config file, xl parses all top level VNC options and
creates a VFB for you.
Reported-by: Konrad Wilk <konrad.wilk@oracle.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Anthony PERARD [Wed, 8 Jan 2014 08:17:55 +0000 (09:17 +0100)]
firmware: change level-triggered GPE event to a edge one for qemu-xen
This should help to reduce a CPU hotplug race window where a cpu hotplug
event while not be seen by the OS.
When hotplugging more than one vcpu, some of those vcpus might not be
seen as plugged by the guest.
This is what is currently happenning:
1. hw adds cpu, sets GPE.2 bit and sends SCI
2. OSPM gets SCI, reads GPE00.sts and masks GPE.2 bit in GPE00.en
3. OSPM executes _L02 (level-triggered event associate to cpu hotplug)
4. hw adds second cpu and sets GPE.2 bit but SCI is not asserted
since GPE00.en masks event
5. OSPM resets GPE.2 bit in GPE00.sts and umasks it in GPE00.en
as result event for step 4 is lost because step 5 clears it and OS
will not see added second cpu.
1. Disables the interrupt source (GPEx_BLK EN bit).
2. If an edge event, clears the status bit.
3. Performs one of the following:
* Dispatches to an ACPI-aware device driver.
* Queues the matching control method for execution.
* Manages a wake event using device _PRW objects.
4. If a level event, clears the status bit.
5. Enables the interrupt source.
So, by using edge-triggered General-Purpose Event instead of a
level-triggered GPE, OSPM is less likely to clear the status bit of the
addition of the second CPU. On step 5, QEMU will resend an interrupt if
the status bit is set.
This description apply also for PCI hotplug since the same step are
followed by QEMU, so we also change the GPE event type for PCI hotplug.
This does not apply to qemu-xen-traditional because it does not resend
an interrupt if necessary as a result of step 5.
Patch and description inspired by SeaBIOS's commit:
Replace level gpe event with edge gpe event for hot-plug handlers 9c6635bd48d39a1d17d0a73df6e577ef6bd0037c
from Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Wed, 8 Jan 2014 08:04:48 +0000 (09:04 +0100)]
rename XENMEM_add_to_physmap_{range => batch}
The use of "range" here wasn't really correct - there are no ranges
involved. As the comment in the public header already correctly said,
all this is about is batching of XENMEM_add_to_physmap calls (with
the addition of having a way to specify a foreign domain for
XENMAPSPACE_gmfn_foreign).
Suggested-by: Ian Campbell <Ian.Campbell@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Bob Liu [Thu, 12 Dec 2013 11:05:15 +0000 (19:05 +0800)]
tmem: check the return value of copy to guest
Use function copy_to_guest_offset/copy_to_guest directly and check their return
value.
This also fixes CID 1132754, and 1132755:
"Unchecked return value
If the function returns an error value, the error value may be mistaken for a
normal value. In tmem_copy_to_client_buf_offset: Value returned from a function
is not checked for errors before being used (CWE-252)"
And CID 1055125, 1055126, 1055127, 1055128, 1055129, 1055130
"Unchecked return value
If the function returns an error value, the error value may be mistaken for a
normal value. In <functions changed>: Value returned from a function is not
checked for errors before being used (CWE-252)"
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Thu, 12 Dec 2013 11:05:11 +0000 (19:05 +0800)]
tmem: cleanup: drop useless functions from header file
They are several one line functions in tmem_xen.h which are useless, this patch
embeded them into tmem.c directly.
Also modify void *tmem in struct domain to struct client *tmem_client in order
to make things more straightforward.
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Keir Fraser <keir@xen.org>
Bob Liu [Thu, 12 Dec 2013 11:05:08 +0000 (19:05 +0800)]
tmem: cleanup: drop tmem_lock_all
tmem_lock_all is used for debug only, remove it from upstream to make
tmem source code more readable and easier to maintain.
And no_evict is meaningless without tmem_lock_all, this patch removes it
also.
[ Two threads will be stuck waiting forever if each holds a lock the other needs to acquire.
In alloc_heap_pages: Threads may try to acquire two locks in different orders, potentially
causing deadlock (CWE-833)]
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Thu, 12 Dec 2013 11:05:04 +0000 (19:05 +0800)]
tmem: cleanup: drop useless parameters from put/get page
Tmem only takes page as a unit, so parameters tmem_offset, pfn_offset and len in
do_tmem_put/get() are meaningless. All of the callers are using the same
value(tmem_offset=0, pfn_offset=0, len=PAGE_SIZE).
This patch simplifies tmem ignoring those useless parameters and use the default
value directly.
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
David Vrabel [Wed, 8 Jan 2014 07:44:23 +0000 (08:44 +0100)]
evtchn/fifo: don't corrupt queues if an old tail is linked
An event may still be the tail of a queue even if the queue is now
empty (an 'old tail' event). There is logic to handle the case when
this old tail event needs to be added to the now empty queue (by
checking for q->tail == port).
However, this does not cover all cases.
1. An old tail may be re-added simultaneously with another event.
LINKED is set on the old tail, and the other CPU may misinterpret
this as the old tail still being valid and set LINK instead of
HEAD. All events on this queue will then be lost.
2. If the old tail event on queue A is moved to a different queue B
(by changing its VCPU or priority), the event may then be linked
onto queue B. When another event is linked onto queue A it will
check the old tail, see that it is linked (but on queue B) and
overwrite the LINK field, corrupting both queues.
When an event is linked, save the vcpu id and priority of the queue it
is being linked onto. Use this when linking an event to check if it
is an unlinked old tail event. If it is an old tail event, the old
queue is empty and old_q->tail is invalidated to ensure adding another
event to old_q will update HEAD. The tail is invalidated by setting
it to 0 since the event 0 is never linked.
The old_q->lock is held while setting LINKED to avoid the race with
the test of LINKED in evtchn_fifo_set_link().
Since a event channel may move queues after old_q->lock is acquired,
we must check that we have the correct lock and retry if not. Since
changing VCPUs or priority is expected to be rare events that are
serialized in the guest, we try at most 3 times before dropping the
event. This prevents a malicious guest from repeatedly adjusting
priority to prevent another domain from acquiring old_q->lock.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
David Vrabel [Wed, 8 Jan 2014 07:43:36 +0000 (08:43 +0100)]
evtchn/fifo: initialize priority when events are bound
Event channel ports that are reused or that were not in the initial
bucket would have a non-default priority.
Add an init evtchn_port_op hook and use this to set the priority when
an event channel is bound.
Within this new evtchn_fifo_init() call, also check if the event is
already on a queue and print a warning, as this event may have its
first event delivered on a queue with the wrong VCPU or priority.
This guest is expected to prevent this (if it cares) by not unbinding
events that are still linked.
Reported-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Tue, 7 Jan 2014 15:01:14 +0000 (16:01 +0100)]
IOMMU: make page table deallocation preemptible
This too can take an arbitrary amount of time.
In fact, the bulk of the work is being moved to a tasklet, as handling
the necessary preemption logic in line seems close to impossible given
that the teardown may also be invoked on error paths.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
Ian Campbell [Fri, 20 Dec 2013 15:08:08 +0000 (15:08 +0000)]
xen: arm: context switch the aux memory attribute registers
We appear to have somehow missed these. Linux doesn't actually use them and
none of the processors I've looked at actually define any bits in them (so
they are UNK/SBZP) but it is good form to context switch them anyway.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Julien Grall <julien.grall@linaro.org>
AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Certain AMD systems could have upto 0x10000 ivrs_bdf_entries.
However, the loop variable (bdf) is declared as u16 which causes
inifinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
This patch changes the variable to u32 instead.
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 7 Jan 2014 13:59:31 +0000 (14:59 +0100)]
VTD/DMAR: free() correct pointer on error from acpi_parse_one_atsr()
Free the allocated structure rather than the ACPI table ATS entry.
On further analysis, there is another memory leak. acpi_parse_dev_scope()
could allocate scope->devices, and return with -ENOMEM. All callers of
acpi_parse_dev_scope() would then free the underlying structure, loosing the
pointer.
These errors can only actually be reached through acpi_parse_dev_scope()
(which passes type = DMAR_TYPE), but I am quite surprised Coverity didn't spot
it.
Coverity-ID: 1146949 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 7 Jan 2014 13:57:15 +0000 (14:57 +0100)]
AMD/iommu_detect: don't leak iommu structure on error paths
Tweak the logic slightly to return the real errors from
get_iommu_{,msi_}capabilities(), which at the moment is no functional change.
Coverity-ID: 1146950 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tsahee Zidenberg [Sun, 22 Dec 2013 10:59:57 +0000 (12:59 +0200)]
ns16550: support ns16550a
Ns16550a devices are Ns16550 devices with additional capabilities.
Decare XEN is compatible with this device, to be able to use unmodified
devicetrees.
Ian Jackson [Tue, 17 Dec 2013 18:35:18 +0000 (18:35 +0000)]
libxc: Document xenctrl.h event channel calls
Provide semantic documentation for how the libxc calls relate to the
hypervisor interface, and how they are to be used.
Also document the bug (present at least in Linux 3.12) that setting
the evtchn fd to nonblocking doesn't in fact make xc_evtchn_pending
nonblocking, and describe the appropriate workaround.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Jan Beulich <JBeulich@suse.com> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Document the event channel protocol in xenstore-paths.markdown, in the
section for ~/device/suspend/event-channel.
Protocol reverse-engineered from commentary and commit messages of 4539594d46f9 Add facility to get notification of domain suspend ... 17636f47a474 Teach xc_save to use event-channel-based ...
and implementations in
xc_save (current version)
libxl (current version)
linux-2.6.18-xen (mercurial 1241:2993033a77ca)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Keir Fraser <keir@xen.org> CC: Shriram Rajagopalan <rshriram@cs.ubc.ca>
Ian Jackson [Tue, 17 Dec 2013 18:35:16 +0000 (18:35 +0000)]
xen: Document that EVTCHNOP_bind_interdomain signals
EVTCHNOP_bind_interdomain signals the event channel. Document this.
Also explain the usual use pattern.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Keir Fraser <keir@xen.org> CC: Jan Beulich <JBeulich@suse.com>
Ian Jackson [Tue, 17 Dec 2013 18:35:15 +0000 (18:35 +0000)]
xen: Document XEN_DOMCTL_subscribe
Arguably this domctl is misnamed. But, for now, document its actual
behaviour (reverse-engineered from the code and found in the commit
message for 4539594d46f9) under its actual name.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Shriram Rajagopalan <rshriram@cs.ubc.ca> CC: Jan Beulich <JBeulich@suse.com>
Julien Grall [Tue, 17 Dec 2013 14:28:19 +0000 (14:28 +0000)]
xen/arm: Allow ballooning working with 1:1 memory mapping
With the lack of iommu, dom0 must have a 1:1 memory mapping for all
these guest physical address. When the balloon decides to give back a
page to the kernel, this page must have the same address as previously.
Otherwise, we will loose the 1:1 mapping and will break DMA-capable
devices.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Reviewed-by: Jan Beulich <jbeulich@suse.com> Cc: Keir Fraser <keir@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Yang Zhang [Tue, 7 Jan 2014 13:30:47 +0000 (14:30 +0100)]
VMX: Eliminate cr3 save/loading exiting when UG enabled
With the feature of unrestricted guest, there should be no vmexit
be triggered when guest accesses the cr3 in non-paging mode. This
patch will clear the cr3 save/loading bit in vmcs control filed to
eliminate cr3 access vmexit on UG avaliable hardware.
Jan Beulich [Tue, 7 Jan 2014 13:21:48 +0000 (14:21 +0100)]
IOMMU: make page table population preemptible
Since this can take an arbitrary amount of time, the rooting domctl as
well as all involved code must become aware of this requiring a
continuation.
The subject domain's rel_mem_list is being (ab)used for this, in a way
similar to and compatible with broken page offlining.
Further, operations get slightly re-ordered in assign_device(): IOMMU
page tables now get set up _before_ the first device gets assigned, at
once closing a small timing window in which the guest may already see
the device but wouldn't be able to access it.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
Just like for all other hypercalls we shouldn't be modifying the input
structure - all of the fields are, even if not explicitly documented,
just inputs (the one OUT one really refers to the memory pointed to by
that handle rather than the handle itself).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Keir Fraser <keir@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Fri, 20 Dec 2013 11:01:09 +0000 (12:01 +0100)]
fix XENMEM_add_to_physmap preemption handling
Just like for all other hypercalls we shouldn't be modifying the input
structure - all of the fields are, even if not explicitly documented,
just inputs.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Keir Fraser <keir@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Matthew Daley [Sat, 30 Nov 2013 00:20:04 +0000 (13:20 +1300)]
xenstore: sanity check incoming message body lengths
This is for the client-side receiving messages from xenstored, so there
is no security impact, unlike XSA-72.
Coverity-ID: 1055449
Coverity-ID: 1056028 Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Julien Grall [Wed, 18 Dec 2013 16:54:08 +0000 (16:54 +0000)]
xen/arm: p2m: Fix hypercall preemption when domain is relinquish memory mapping
The commit 84f29a9 "xen/arm: Add relinquish_p2m_mapping to remove reference on
every mapped page" doesn't save correctly the next gfn when the hypercall
is preempted.
Instead of storing the next gfn, it store the next mfn. Fix it by using
'addr' instead of 'maddr'.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:57 +0000 (16:27 +0000)]
xen/arm: Set foreign page type to p2m_map_foreign
Xen needs to know that the current page belongs to another domain. Also take
a reference to this page.
The current process to add a foreign page is:
1) get the page from the foreign p2m
2) take a reference on the page with the foreign domain in parameters
3) add the page to the current domain p2m
If the foreign domain drops the page:
- before 2), get_page will return NULL because the page doesn't
belong anymore to the domain
- after 2), the current domain already have a reference. Write will
occur to an old page which is not yet released. It can corrupt the foreign
domain.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:52 +0000 (16:27 +0000)]
xen/arm: Store p2m type in each page of the guest
Use the field 'avail' to store the type of the page. Rename it to 'type' for
convenience.
The information stored in this field will be retrieved in a future patch to
change the behaviour when the page is removed.
Also introduce guest_physmap_add_entry to map and set a specific p2m type for
a page.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:51 +0000 (16:27 +0000)]
xen/arm: Implement p2m_type_t as an enum
Until now, Xen doesn't know the type of the page (ram, foreign page, mmio,...).
Introduce p2m_type_t with basic types:
- p2m_invalid: Nothing is mapped here
- p2m_ram_rw: Normal read/write guest RAM
- p2m_ram_ro: Read-only guest RAM
- p2m_mmio_direct: Read/write mapping of device memory
- p2m_map_foreign: RAM page from foreign guest
- p2m_grant_map_rw: Read/write grant mapping
- p2m_grant_map_ro: Read-only grant mapping
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:50 +0000 (16:27 +0000)]
xen/arm: move mfn_to_p2m_entry in arch/arm/p2m.c
The function mfn_to_p2m_entry will be extended in a following patch to handle
p2m_type_t. It will break compilation because p2m_type_t is not defined
(interdependence between includes).
It's easier to move the function in arch/arm/p2m.c and it's not harmful as the
function is only used in this file.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Wed, 18 Dec 2013 13:39:14 +0000 (13:39 +0000)]
xen: arm: process XENMEM_add_to_physmap_range forwards not backwards.
Jan points out that processing the list backwards is rather counter intuitive
and that the effect of the hypercall can differ between forwards and backwards
processing (e.g. in the presence of duplicate idx or gpfn, which would be
unusual but as Jan says, users are a creative bunch)
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Cc: Mukesh Rathor <mukesh.rathor@oracle.com>
Ian Campbell [Wed, 18 Dec 2013 11:54:46 +0000 (11:54 +0000)]
xen: arm: clarify cacheability requirements of hypercall arguments.
Accepting hypercall arguments which are either consistently in cached or
uncached is tricky and/or potentially slow, requiring a guest mapping lookup
to determine whether/when to do a cache clean or invalidate.
There are very few reasons, and no current use cases in practice, for a guest
to use uncached memory for their hypercall arguments. Therefore mandate that
all hypercall arguments must be mapped inner-cacheable.
Do not place any restriction on the outer-cacheability or on the cache
fill/flush strategy used.
If use cases arise then we can consider specific exemptions to this rule.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Ian Jackson [Tue, 26 Nov 2013 12:08:09 +0000 (12:08 +0000)]
libxl: Fix error handling in libxl__device_nic_from_xs_be
Previously, this function would leak the temporary return from xs_read for
handle and mac address. Fix both of these and the rest of the error handling.
This requires changing its return type and fixing the callers.
Introduce here a READ_BACKEND macro to make the code less repetitive.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- spell out what the leaks were in the commit message ]
Andrew Cooper [Wed, 11 Dec 2013 15:47:42 +0000 (15:47 +0000)]
tools/libxc: Fix error checking for xc_get_{cpu, node}map_size() callers
c/s 2e82c18cd850592ae9a1f682eb93965a868b5f2f changed the error returns of
xc_get_{cpu,node}map_size() to now include returning -1. This invalidated the
error checks from callers, which expected 0 to be the only error case.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <Ian.Campbell@citrix.com> CC: Ian Jackson <Ian.Jackson@eu.citrix.com> CC: George Dunlap <george.dunlap@eu.citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> CC: Ian Campbell <Ian.Campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Jan Beulich [Tue, 17 Dec 2013 15:39:39 +0000 (16:39 +0100)]
x86/memshr: fix preemption in relinquish_shared_pages()
For one, should hypercall_preempt_check() return false the first time
it gets called, it would never have got called again (because count,
being checked for equality, didn't get reset to zero).
And then, if there were a huge range of unshared pages, with count not
getting incremented at all in that case there would also not be any
preemption.
Fix this by using a biased increment (ratio 1:16 for unshared vs shared
pages), and flushing the count to zero in case of a "false" return from
hypercall_preempt_check().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org>
If {copy_to,clear}_guest_offset() fails, we would leak the domain mappings for
l4 thru l1.
Fixing this requires having conditional unmaps on the faulting path, which in
turn requires explicitly initialising the pointers to NULL because of the
early ENOMEM exit.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <JBeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Joe Jin [Tue, 10 Dec 2013 09:04:47 +0000 (17:04 +0800)]
Xend: handle died domain in getVCPUInfo()
When created new guest on NUMA server, xend tried to get the best node
by calculated all vcpus info, if domain already be terminated then
getVCPUInfo() will throw below exception and guest start failed:
[2013-09-04 20:01:26 6254] ERROR (XendDomainInfo:496) VM start failed
Traceback (most recent call last):
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 482, in start
XendTask.log_progress(31, 60, self._initDomain)
File "/usr/lib64/python2.4/site-packages/xen/xend/XendTask.py", line 209, in log_progress
retval = func(*args, **kwds)
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2918, in _initDomain
node = self._setCPUAffinity()
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2835, in _setCPUAffinity
best_node = find_relaxed_node(candidate_node_list)[0]
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2803, in find_relaxed_node
cpuinfo = dom.getVCPUInfo()
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 1600, in getVCPUInfo
raise XendError(str(exn))
XendError: (3, 'No such process')
This patch will check return value of xc.vcpu_getinfo() and make sure the
error not caused by domain died before throw the exception.
Signed-off-by: Joe Jin <joe.jin@oracle.com> Acked-by: Matt Wilson <msw@amazon.com> Cc: Keir Fraser <keir@xen.org> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Roger Pau Monne <roger.pau@citrix.com>
Introduce a status field in struct pending_irq. Valid states are
GUEST_PENDING, GUEST_VISIBLE and GUEST_ENABLED and they are not mutually
exclusive. See the in-code comment for an explanation of the states and
how they are used.
Use atomic operations to set and clear the status bits. Note that
setting GIC_IRQ_GUEST_VISIBLE and clearing GIC_IRQ_GUEST_PENDING can be
done in two separate operations as the underlying pending status is
actually only cleared on the LR after the guest ACKs the interrupts.
Until that happens it's not possible to receive another interrupt.
The main effect of this patch is that an IRQ can be set to GUEST_PENDING
while it is being serviced by the guest. In maintenance_interrupt we
check whether GUEST_PENDING is set and if it is we add the irq back into
the lr_pending queue so that it's going to be reinjected one more time,
if the interrupt is still enabled at the vgicd level.
If it is not, it is going to be injected as soon as the guest renables
the interrupt.
One exception is evtchn_irq: in that case we don't want to
set the GIC_IRQ_GUEST_PENDING bit if it is already GUEST_VISIBLE,
because as part of the event handling loop, the guest would realize that
new events are present even without a new notification.
Also we already have a way to figure out exactly when we do need to
inject a second notification if vgic_vcpu_inject_irq is called after the
end of the guest event handling loop and before the guest EOIs the
interrupt (see db453468d92369e7182663fb13e14d83ec4ce456 "arm: vgic: fix
race between evtchn upcall and evtchnop_send").
Don't call gic_inject_irq_stop from maintenance_interrupt because
gic_inject (called by leave_hypervisor_tail) is going to call
gic_inject_irq_start/stop appropriately later anyway.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 13 Dec 2013 08:21:51 +0000 (08:21 +0000)]
tools: libxc: flush data cache after loading images into guest memory
On ARM guest OSes are started with MMU and Caches disables (as they are on
native) however caching is enabled in the domain running the builder and
therefore we must flush the cache as we load the blobs, otherwise when the
guest starts running it may not see them. The dom0 build in the hypervisor has
the same requirements and already does the right thing.
The mechanism for performing a cache flush from userspace is OS specific, so
implement this as a new osdep hook:
- On 32-bit ARM Linux provides a system call to flush the cache.
- On 64-bit ARM Linux the processor is configured to allow cache flushes
directly from userspace.
- Non-Linux platforms will need to provide their own implementation. If
similar mechanisms are not available then a new privcmd ioctl should be a
suitable alternative.
No cache maintenance is required on x86, so provide a stub for all non-Linux
platforms which returns success on x86 only and log an error otherwise.
This fixes guest building on Xgene which has a very large L3 cache and so is
particularly susceptible to this problem. It has also been observed
sporadically on midway.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Andre Przywara <andre.przywara@calxeda.com> Cc: Pranavkumar Sawargaonkar <psawargaonkar@apm.com> Cc: Anup Patel <apatel@apm.com>
Matthew Daley [Sat, 14 Dec 2013 01:04:47 +0000 (14:04 +1300)]
xenconsole: adjust pty opening error checking and handling
Currently we check the pty path received from xenstore with access(); if
it indicates that the pty is not accessible, we loop around and wait for
a new path to appear in xenstore.
This has several issues:
* If a path has been written to xenstore, it can be assumed that that
pty should already be accessible to xenconsole, and hence any error
that occurs while trying to open it should be fatal and not ignored
* If access() indicates no access to the pty, the memory allocated for
the path is leaked when going around the loop again
* The accessibility of the pty could change between the access() and
open() calls, leading to a TOCTOU race (this is what Coverity is
complaining about).
By removing the explicit access() check and just erroring out whenever
open() fails, we fix all these issues.
Coverity-ID: 1056047 Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
David Vrabel [Mon, 16 Dec 2013 09:51:24 +0000 (10:51 +0100)]
evtchn/fifo: map correct pages when guest is HVM
If a HVM guest attempts to use the FIFO-based ABI it will not receive
any events and destroying the guest may crash Xen or trigger an assert
when attempting to unmap a control block page. This occurs because
Xen maps the wrong page for both the control blocks and the event
arrays.
In map_guest_page(), use the MFN of the guest's page and not the GFN
when calling map_domain_page_global().
Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cache the xs_daemon_socket{,_ro}() strings to save pointlessly
re-snprintf()'ing the same path, and add explicit size checks against
addr.sun_path before strcpy()'ing into it.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> CC: Ian Campbell <Ian.Campbell@citrix.com> CC: Matthew Daley <mattd@bugfuzz.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Matthew Daley [Tue, 3 Dec 2013 01:29:04 +0000 (14:29 +1300)]
libxl: don't leak ptr in libxl_list_vm error case
While at it, tidy up the function; there's no point in allocating more
than the amount of domains actually returned by xc_domain_getinfolist
(barring the caveat described in the newly-added comment)
Coverity-ID: 1055888 Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Matthew Daley [Mon, 2 Dec 2013 12:45:16 +0000 (01:45 +1300)]
xenstore: check F_SETFL fcntl invocation in setnonblock
...and check the newly-added result of setnonblock itself where used.
Coverity-ID: 1055103 Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Fri, 13 Dec 2013 14:06:11 +0000 (15:06 +0100)]
x86/p2m: restrict auditing to debug builds
... since iterating through all of a guest's pages may take unduly
long.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Tim Deegan <tim@xen.org>
Rob Hoes [Thu, 12 Dec 2013 16:36:49 +0000 (16:36 +0000)]
ocaml: do not install test binaries
Signed-off-by: Rob Hoes <rob.hoes@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- added back an Empty install rule ]
projects / xen.git / log