Juergen Gross [Wed, 23 Aug 2017 17:34:00 +0000 (19:34 +0200)]
xen: add an optional string end parameter to parse_bool()
Add a parameter to parse_bool() to specify the end of the to be
parsed string. Specifying it as NULL will preserve the current
behavior to parse until the end of the input string, while passing
a non-NULL pointer will specify the first character after the input
string.
This will allow to parse boolean sub-strings without having to
write a NUL byte into the input string.
Modify all users of parse_bool() to pass NULL for the new parameter.
Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
David Woodhouse [Fri, 25 Aug 2017 12:07:40 +0000 (14:07 +0200)]
x86/efi: don't write relocations in efi_arch_relocate_image() first pass
The function is invoked with delta=0 before ExitBootServices() is called,
as a dummy run purely to validate that all the relocations can be handled.
This allows us to exit gracefully with an error message.
However, we have relocations in read-only sections such as .rodata and
.init.te(xt). Recent versions of UEFI will actually make those sections
read-only, which will cause a fault. This functionaity was added in
EDK2 commit d0e92aad4 ("MdeModulePkg/DxeCore: Add UEFI image protection.")
It's OK to actually make the changes in the later pass because UEFI will
tear down the protection when ExitBootServices() is called, because it
knows we're going to need to do this kind of thing.
Reported-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Boris Ostrovsky [Fri, 25 Aug 2017 12:07:12 +0000 (14:07 +0200)]
x86/hvm: vmx/svm_cpu_up_prepare should be called only once
These routines are first called via CPU_UP_PREPARE notifier by
the BSP and then by the booting ASP from vmx_cpu_up()/_svm_cpu_up().
Avoid the unnecessary second call. Because BSP doesn't go through
CPU_UP_PREPARE it is a special case. We pass 'bsp' flag to newly
added _vmx_cpu_up() (just like it's already done for _svm_cpu_up())
so they can decide whether or not to call vmx/svm_cpu_up_prepare().
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Alexandru Isaila [Fri, 25 Aug 2017 12:05:09 +0000 (14:05 +0200)]
x86/hvm: allow guest_request vm_events coming from userspace
In some introspection usecases, an in-guest agent needs to communicate
with the external introspection agent. An existing mechanism is
HVMOP_guest_request_vm_event, but this is restricted to kernel usecases
like all other hypercalls.
Introduce a mechanism whereby the introspection agent can whitelist the
use of HVMOP_guest_request_vm_event directly from userspace.
Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Roger Pau Monné [Wed, 23 Aug 2017 15:47:38 +0000 (17:47 +0200)]
hvmloader: add fields for SMBIOS 2.4 compliance
The version of SMBIOS set in the entry point is 2.4, however several
structures are missing fields required by 2.4. Fix this by adding the
missing fields, this is based on the documents found at the DMTF site
[0].
Most fields are set to 0 (undefined/not specified), except for the
cache related handlers that need to be initialized to 0xffff in order
to signal that the information is not provided.
xsm: policy hooks to require an IOMMU and interrupt remapping
Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not
available.
More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.
This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.
Using a XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.
For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.
The device use hooks now check whether an IOMMU is:
* Active and securely isolating:
-- current criteria for this is that interrupt remapping is ok
* Active but interrupt remapping is not available
* Not active
This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Ross Philipson <ross.philipson@gmail.com>
Jan Beulich [Wed, 23 Aug 2017 15:45:45 +0000 (17:45 +0200)]
arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.
This is XSA-235.
Reported-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Julien Grall <julien.grall@arm.com>
Wei Liu [Mon, 21 Aug 2017 14:09:11 +0000 (15:09 +0100)]
xen: move hvm save code under common to x86
The code is only used by x86 at this point. Merge common/hvm/save.c
into x86 hvm/save.c. Move the headers and fix up inclusions. Remove
the now empty common/hvm directory.
Also fix some issues while moving:
1. removing trailing spaces;
2. fix multi-line comment;
3. make "i" in hvm_save unsigned int;
4. add some blank lines to separate sections of code;
5. change bool_t to bool.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Igor Druzhinin [Thu, 17 Aug 2017 14:57:13 +0000 (15:57 +0100)]
hvmloader, libxl: use the correct ACPI settings depending on device model
We need to choose ACPI tables and ACPI IO port location
properly depending on the device model version we are running.
Previously, this decision was made by BIOS type specific
code in hvmloader, e.g. always load QEMU traditional specific
tables if it's ROMBIOS and always load QEMU Xen specific
tables if it's SeaBIOS.
This change saves this behavior (for compatibility) but adds
an additional way (xenstore key) to specify the correct
device model if we happen to run a non-default one. Toolstack
bit makes use of it.
The enforcement of BIOS type depending on QEMU version will
be lifted later when the rest of ROMBIOS compatibility fixes
are in place.
Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
The variable domctl.u.address_size.size may remain uninitialized if
guest_type is not one of xen-3.0-aarch64 or xen-3.0-armv7l. And the
code precisely checks if this variable is still 0 to decide if the
guest type is supported or not.
This fixes the following build failure with gcc 7.x:
xc_dom_arm.c:229:31: error: 'domctl.u.address_size.size' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if ( domctl.u.address_size.size == 0 )
Patch originally taken from
https://www.mail-archive.com/xen-devel@lists.xen.org/msg109313.html.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Boris Ostrovsky [Wed, 16 Aug 2017 18:31:00 +0000 (20:31 +0200)]
mm: Keep heap accessible to others while scrubbing
Instead of scrubbing pages while holding heap lock we can mark
buddy's head as being scrubbed and drop the lock temporarily.
If someone (most likely alloc_heap_pages()) tries to access
this chunk it will signal the scrubber to abort scrub by setting
head's BUDDY_SCRUB_ABORT bit. The scrubber checks this bit after
processing each page and stops its work as soon as it sees it.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
Boris Ostrovsky [Wed, 16 Aug 2017 18:31:00 +0000 (20:31 +0200)]
spinlock: Introduce spin_lock_cb()
While waiting for a lock we may want to periodically run some
code. This code may, for example, allow the caller to release
resources held by it that are no longer needed in the critical
section protected by the lock.
Specifically, this feature will be needed by scrubbing code where
the scrubber, while waiting for heap lock to merge back clean
pages, may be requested by page allocator (which is currently
holding the lock) to abort merging and release the buddy page head
that the allocator wants.
We could use spin_trylock() but since it doesn't take lock ticket
it may take long time until the lock is taken. Instead we add
spin_lock_cb() that allows us to grab the ticket and execute a
callback while waiting. This callback is executed on every iteration
of the spinlock waiting loop.
Since we may be sleeping in the lock until it is released we need a
mechanism that will make sure that the callback has a chance to run.
We add spin_lock_kick() that will wake up the waiter.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Acked-by: Julien Grall <julien.grall@arm.com>
Boris Ostrovsky [Wed, 16 Aug 2017 18:30:00 +0000 (20:30 +0200)]
mm: Scrub memory from idle loop
Instead of scrubbing pages during guest destruction (from
free_heap_pages()) do this opportunistically, from the idle loop.
We might come to scrub_free_pages()from idle loop while another CPU
uses mapcache override, resulting in a fault while trying to do
__map_domain_page() in scrub_one_page(). To avoid this, make mapcache
vcpu override a per-cpu variable.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com>
Julien Grall [Tue, 8 Aug 2017 17:17:26 +0000 (18:17 +0100)]
xen/arm: Tighten memory attribute requirement for memory shared
Xen allows shared mapping to be Normal inner-cacheable with any inner cache
allocation strategy and no restriction of the outer-cacheability.
However, Xen is always mapping those region Normal Inner Write-Back
Outer Write-Back Inner-shareable. Per B2.8 "Mismatched memory
attributes" in ARM DDI 0487B.a, if the guest is not using the exact same
memory attributes (excluding any cache allocation hints) for the shared
region then the region will be accessed with mismatched attributes.
This will result to potential loss of coherency, and may impact the
performance.
Given that the ARM ARM strongly recommends to avoid using mismatched
attributes, we should impose shared region to be Normal Inner Write-Back
Outer Write-Back Inner-shareable.
hvmloader: support system enclosure asset tag (SMBIOS type 3)
Allow setting system enclosure asset tag for HVM guest. Guest OS can
check and perform desired operation like support installation.
Also added documentation of '~/bios-string/*' xenstore keys into
docs/misc/xenstore-paths.markdown
Signed-off-by: Vivek Kumar Chaubey <vivekkumar.chaubey@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Boris Ostrovsky [Wed, 16 Aug 2017 18:30:00 +0000 (20:30 +0200)]
mm: Scrub pages in alloc_heap_pages() if needed
When allocating pages in alloc_heap_pages() first look for clean pages. If none
is found then retry, take pages marked as unscrubbed and scrub them.
Note that we shouldn't find unscrubbed pages in alloc_heap_pages() yet. However,
this will become possible when we stop scrubbing from free_heap_pages() and
instead do it from idle loop.
Since not all allocations require clean pages (such as xenheap allocations)
introduce MEMF_no_scrub flag that callers can set if they are willing to
consume unscrubbed pages.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Boris Ostrovsky [Wed, 16 Aug 2017 18:31:00 +0000 (20:31 +0200)]
mm: Place unscrubbed pages at the end of pagelist
.. so that it's easy to find pages that need to be scrubbed (those pages are
now marked with _PGC_need_scrub bit).
We keep track of the first unscrubbed page in a page buddy using first_dirty
field. For now it can have two values, 0 (whole buddy needs scrubbing) or
INVALID_DIRTY_IDX (the buddy does not need to be scrubbed). Subsequent patches
will allow scrubbing to be interrupted, resulting in first_dirty taking any
value.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Acked-by: Julien Grall <julien.grall@arm.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tim Deegan [Fri, 18 Aug 2017 14:23:44 +0000 (15:23 +0100)]
xen/x86/shadow: adjust barriers around gtable_dirty_version.
Use the smp_ variants, as we're only synchronizing against other CPUs.
Add a write barrier before incrementing the version.
x86's memory ordering rules and the presence of various out-of-unit
function calls mean that this code worked OK before, and the barriers
are mostly decorative.
Signed-off-by: Tim Deegan <tim@xen.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
arm: traps: handle SMC32 in check_conditional_instr()
On ARMv8 architecture we need to ensure that conditional check was passed
for a trapped SMC instruction that originates from AArch32 state
(ARM DDI 0487B.a page D7-2271).
Thus, we should not skip it while checking HSR.EC value.
For this type of exception special coding of HSR.ISS is used. There is
additional flag (CCKNOWNPASS) to be checked before performing standard
handling of CCVALID and COND fields.
arm: traps: handle unknown exceptions in check_conditional_instr()
According to ARM architecture reference manual (ARM DDI 0487B.a page D7-2259,
ARM DDI 0406C.c page B3-1426), exception with unknown reason (HSR.EC == 0)
has no valid bits in HSR (apart from HSR.EC), so we can't check if that was
caused by conditional instruction. We need to assume that it is unconditional.
arm: processor: add new struct hsr_smc32 into hsr union
On ARMv8, one of conditional exceptions (SMC that originates
from AArch32 state) has extra field in HSR.ISS encoding:
CCKNOWNPASS, bit [19]
Indicates whether the instruction might have failed its condition
code check.
0 - The instruction was unconditional, or was conditional and
passed its condition code check.
1 - The instruction was conditional, and might have failed its
condition code check.
(ARM DDI 0487B.a page D7-2272)
This is an instruction specific field, so better to add new structure
to union hsr. This structure describes ISS encoding for an exception
from SMC instruction executing in AArch32 state. But we define this
struct for both ARMv7 and ARMv8, because ARMv8 encoding is backwards
compatible with ARMv7.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:44 +0000 (15:17 +0200)]
arm/mem_access: Walk the guest's pt in software
In this commit, we make use of the gpt walk functionality introduced in
the previous commits. If mem_access is active, hardware-based gva to ipa
translation might fail, as gva_to_ipa uses the guest's translation
tables, access to which might be restricted by the active VTTBR. To
side-step potential translation errors in the function
p2m_mem_access_check_and_get_page due to restricted memory (e.g. to the
guest's page tables themselves), we walk the guest's page tables in
software.
Signed-off-by: Sergej Proskurin <proskurin@sec.in.tum.de> Acked-by: Tamas K Lengyel <tamas@tklengyel.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Sergej Proskurin [Wed, 16 Aug 2017 13:17:43 +0000 (15:17 +0200)]
arm/mem_access: Add short-descriptor based gpt
This commit adds functionality to walk the guest's page tables using the
short-descriptor translation table format for both ARMv7 and ARMv8. The
implementation is based on ARM DDI 0487B-a J1-6002 and ARM DDI 0406C-b
B3-1506.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:42 +0000 (15:17 +0200)]
arm/mem_access: Add long-descriptor based gpt
This commit adds functionality to walk the guest's page tables using the
long-descriptor translation table format for both ARMv7 and ARMv8.
Similar to the hardware architecture, the implementation supports
different page granularities (4K, 16K, and 64K). The implementation is
based on ARM DDI 0487B.a J1-5922, J1-5999, and ARM DDI 0406C.b B3-1510.
Note that the current implementation lacks support for Large VA/PA on
ARMv8.2 architectures (LVA/LPA, 52-bit virtual and physical address
sizes). The associated location in the code is marked appropriately.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:41 +0000 (15:17 +0200)]
arm/mem_access: Add software guest-page-table walk
The function p2m_mem_access_check_and_get_page in mem_access.c
translates a gva to an ipa by means of the hardware functionality of the
ARM architecture. This is implemented in the function gva_to_ipa. If
mem_access is active, hardware-based gva to ipa translation might fail,
as gva_to_ipa uses the guest's translation tables, access to which might
be restricted by the active VTTBR. To address this issue, in this commit
we add a software-based guest-page-table walk, which will be used by the
function p2m_mem_access_check_and_get_page perform the gva to ipa
translation in software in one of the following commits.
Note: The introduced function guest_walk_tables assumes that the domain,
the gva of which is to be translated, is running on the currently active
vCPU. To walk the guest's page tables on a different vCPU, the following
registers would need to be loaded: TCR_EL1, TTBR0_EL1, TTBR1_EL1, and
SCTLR_EL1.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:40 +0000 (15:17 +0200)]
arm/guest_access: Rename vgic_access_guest_memory
This commit renames the function vgic_access_guest_memory to
access_guest_memory_by_ipa. As the function name suggests, the functions
expects an IPA as argument. All invocations of this function have been
adapted accordingly. Apart from that, we have adjusted all printk
messages for cleanup and to eliminate artefacts of the function's
previous location.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:39 +0000 (15:17 +0200)]
arm/guest_access: Move vgic_access_guest_memory to guest_access.h
This commit moves the function vgic_access_guest_memory to guestcopy.c
and the header asm/guest_access.h. No functional changes are made.
Please note that the function will be renamed in the following commit.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:38 +0000 (15:17 +0200)]
arm/mem_access: Introduce GENMASK_ULL bit operation
The current implementation of GENMASK is capable of creating bitmasks of
32-bit values on AArch32 and 64-bit values on AArch64. As we need to
create masks for 64-bit values on AArch32 as well, in this commit we
introduce the GENMASK_ULL bit operation. Please note that the
GENMASK_ULL implementation has been lifted from the linux kernel source
code.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:37 +0000 (15:17 +0200)]
arm/mem_access: Introduce BIT_ULL bit operation
We introduce the BIT_ULL macro to using values of unsigned long long as
to enable setting bits of 64-bit registers on AArch32. In addition,
this commit adds a define holding the register width of 64 bit
double-word registers. This define simplifies using the associated
constants in the following commits.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:36 +0000 (15:17 +0200)]
arm/mem_access: Introduce GV2M_EXEC permission
We extend the current implementation by an additional permission,
GV2M_EXEC, which will be used to describe execute permissions of PTE's
as part of our guest translation table walk implementation.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:35 +0000 (15:17 +0200)]
arm/mem_access: Add short-descriptor pte typedefs and macros
The current implementation does not provide appropriate types for
short-descriptor translation table entries. As such, this commit adds new
types, which simplify managing the respective translation table entries.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:34 +0000 (15:17 +0200)]
arm/lpae: Introduce lpae_is_page helper
This commit introduces a new helper that checks whether the target PTE
holds a page mapping or not. This helper will be used as part of the
following commits.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:33 +0000 (15:17 +0200)]
arm/mem_access: Add defines supporting PTs with varying page sizes
AArch64 supports pages with different (4K, 16K, and 64K) sizes. To
enable guest page table walks for various configurations, this commit
extends the defines and helpers of the current implementation.
Sergej Proskurin [Wed, 16 Aug 2017 13:17:32 +0000 (15:17 +0200)]
arm/mem_access: Add and cleanup (TCR_|TTBCR_)* defines
This commit adds (TCR_|TTBCR_)* defines to simplify access to the
respective register contents. At the same time, we adjust the macros
TCR_T0SZ and TCR_TG0_* by using the newly introduced TCR_T0SZ_SHIFT and
TCR_TG0_SHIFT instead of the hardcoded values.
Wei Liu [Fri, 7 Jul 2017 14:26:28 +0000 (15:26 +0100)]
x86/mm: lift PAGE_CACHE_ATTRS to page.h
Currently all the users are within x86/mm.c. But that will change once
we split PV specific mm code to another file. Lift that to page.h
along side _PAGE_* in preparation for later patches.
No functional change. Add some spaces around "|" while moving.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Wei Liu [Fri, 7 Jul 2017 13:04:18 +0000 (14:04 +0100)]
x86/mm: carve out create_grant_pv_mapping
And at once make create_grant_host_mapping an inline function. This
requires making create_grant_{p2m,pv}_mapping non-static. Provide
{p2m,pv}/grant_table.h. Include the headers where necessary.
The two functions create_grant_{p2m,pv}_mapping will be moved later in
a dedicated patch with all their helpers.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 18 Aug 2017 10:27:26 +0000 (11:27 +0100)]
x86/mm: Override mfn_to_page() and page_to_mfn() to use mfn_t
To avoid breaking the build elsewhere, the l{1..4}e_{from,get}_page() macros
are switched to using __mfn_to_page() and __page_to_mfn().
Most changes are wrapping or removing _mfn()/mfn_x() from existing callsites.
However, {alloc,free}_l1_table() are switched to using __map_domain_page(), as
their pfn parameters are otherwise unused. get_page() has one pfn->mfn
correction in a printk(), and __get_page_type()'s IOMMU handling has its gfn
calculation broken out for clarity.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Thu, 17 Aug 2017 12:45:14 +0000 (14:45 +0200)]
x86/asm: add .file directives
Make sure local symbols are correctly associated with their source
files: I've just run across a cpufreq.c#create_bounce_frame stack trace
entry. Since we have multiple entry.S, don't use __FILE__ there to
fully disambiguate things.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 17 Aug 2017 12:41:57 +0000 (14:41 +0200)]
gnttab: type adjustments
In particular use grant_ref_t and grant_handle_t where appropriate.
Also switch other nearby type uses to their canonical variants where
appropriate and introduce INVALID_MAPTRACK_HANDLE.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
When no memory is available in the hypervisor, rather than immediately
failing the request, try to steal a handle from another vCPU.
Reported-by: George Dunlap <george.dunlap@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 17 Aug 2017 12:40:31 +0000 (14:40 +0200)]
gnttab: fix transitive grant handling
Processing of transitive grants must not use the fast path, or else
reference counting breaks due to the skipped recursive call to
__acquire_grant_for_copy() (its __release_grant_for_copy()
counterpart occurs independent of original pin count). Furthermore
after re-acquiring temporarily dropped locks we need to verify no grant
properties changed if the original pin count was non-zero; checking
just the pin counts is sufficient only for well-behaved guests. As a
result, __release_grant_for_copy() needs to mirror that new behavior.
Furthermore a __release_grant_for_copy() invocation was missing on the
retry path of __acquire_grant_for_copy(), and gnttab_set_version() also
needs to bail out upon encountering a transitive grant.
This is part of XSA-226.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 17 Aug 2017 12:39:18 +0000 (14:39 +0200)]
gnttab: don't use possibly unbounded tail calls
There is no guarantee that the compiler would actually translate them
to branches instead of calls, so only ones with a known recursion limit
are okay:
- __release_grant_for_copy() can call itself only once, as
__acquire_grant_for_copy() won't permit use of multi-level transitive
grants,
- __acquire_grant_for_copy() is fine to call itself with the last
argument false, as that prevents further recursion,
- __acquire_grant_for_copy() must not call itself to recover from an
observed change to the active entry's pin count
This is part of XSA-226.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 16 Aug 2017 12:01:03 +0000 (13:01 +0100)]
x86/mm: Reduce debug overhead of __virt_to_maddr()
__virt_to_maddr() is used very frequently, but has a large footprint due to
its assertions and comparasons.
Rearange its logic to drop one assertion entirely, encoding its check in a
second assertion (with no additional branch, and the comparason performed with
a 32bit immediate rather than requiring a movabs).
Bloat-o-meter net report is:
add/remove: 0/0 grow/shrink: 1/72 up/down: 3/-2169 (-2166)
along with a reduction of 32 assertion frames (895 down to 861)
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 16 Aug 2017 13:31:37 +0000 (13:31 +0000)]
x86/svm: Use physical addresses for HSA and Host VMCB
They are only referenced by physical address (either the HSA MSR, or via
VMSAVE/VMLOAD which take a physical operand). Allocating xenheap pages and
storing their virtual address is wasteful.
Allocate them with domheap pages instead, taking the opportunity to suitably
NUMA-position them. This avoids Xen needing to perform a virt to phys
translation on every context switch.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Andrew Cooper [Tue, 15 Aug 2017 15:14:08 +0000 (15:14 +0000)]
x86/mcheck: Minor cleanup to amd_nonfatal
* Drop trailing whitespace.
* Move amd_nonfatal_mcheck_init() into .init.text and drop a trailing return.
* Drop unnecessary wmb()'s. Because of Xen's implementation, they are only
compiler barriers anyway, and each wrmsr() is already fully serialising.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
projects / xen.git / log