Jan Beulich [Tue, 7 Jul 2015 08:28:25 +0000 (10:28 +0200)]
gnttab: fix out of range shift count
Commit 213f145114 ("gnttab: fix/adjust gnttab_transfer()") wasn't
careful enough in this regard.
Coverity ID: 1306859 Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
libxc: Fix misleading use of strncpy code in build_hvm_info()
hvm_info->signature is not a string, but an 64 bit int, and is not
NULL terminated. The use of strncpy to populate it is inappropriate and
potentially misleading. A cursory glance might have you thinking someone
had miscounted the length of the string literal - not realising it was
intentionally cropping of the null termination.
Also, since we wish to initialise all of hvm_info->signature, and
certainly no more, the use of sizeof is safer.
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
libxc: Prevent dereferencing NULL pointers returned from xc_dom_allocate()
The return from xc_dom_allocate is not checked for a NULL value.
This patch fixes this, causing it to return from the function with an error.
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
It is not sensible that adding -d would cause different output on
stdout. And that -N would produce less debug output is hardly
surprising in general and not really a problem in this case.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New patch in this version of the mini-series.
The domid is always NULL (as the domain has not been created at this
stage).
This is annoying if you want to take this output and use it for some
actually useful purpose like domain creation: either it needs to be
massaged, or the the consuming tool needs to be taught to look inside
the json object for the `config' element (which IMO makes no sense as
an interface).
We would like to be able to pass libxl json configs around sensibly.
In the future maybe xl will grow an option to create a domain from a
json config, and this is currently something I want to be able to have
a test tool do.
Note that this change is NOT BACKWARDS COMPATIBLE. But it would only
adversely affects anyone who uses `xl -N create' and then saves and
processes the JSON. (The output from xl list et al is not changed; it
normally needs the domid.) Such a user should probably have already
have complained about the infelicitous output. If they haven't it
would be simple enough for them to bookend the output so as to provide
compatible output.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> CC: Wei Liu <wei.liu2@citrix.com> CC: Euan Harris <euan.harris@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: Print json output to correct filehandle
(Using newly introduced flush_stream.)
Ian Jackson [Fri, 3 Jul 2015 11:36:20 +0000 (12:36 +0100)]
xl: Break out flush_stream
We are going to want to reuse this. Adjust the code slightly to
detect right away call sites that pass something other than stdout or
stderr.
No resulting functional change.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New patch in this version of the mini-series
Ian Campbell [Fri, 26 Jun 2015 11:06:09 +0000 (12:06 +0100)]
stubdom: vtpmmgr: Correctly format size_t with %z when printing.
Also contains a fix from Thomas Leonard (to use %u for "4 + 32", not
%lu) previously posted as part of "mini-os: enable compiler check for
printk format types" but with mini-os now having been split a separate
repo most of that change has been applied there.
This fixes the 32-bit build with updated mini-os which includes format
string checking.
Signed-off-by: Thomas Leonard <talex5@gmail.com> Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Samuel Thibault <samuel.thibault@ens-lyon.org> Acked-By: Samuel Thibault <samuel.thibault@ens-lyon.org>
[ ijc -- Updated MINIOS_UPSTREAM_REVISION ]
Chen Baozi [Tue, 30 Jun 2015 08:00:22 +0000 (16:00 +0800)]
xen/arm64: increase MAX_VIRT_CPUS to 128 on arm64
After we have increased the size of GICR in address space for guest
and made use of both AFF0 and AFF1 in (v)MPIDR, we are now able to
support up to 4096 vCPUs in theory. However, it will cost 512M
address space for GICR region, which is unnecessarily big at the
moment. Considering the max CPU number that GIC-500 can support and
the old value of MAX_VIRT_CPUS before commit aa25a61, we increase
its value to 128.
Signed-off-by: Chen Baozi <baozich@gmail.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Chen Baozi [Tue, 30 Jun 2015 08:00:21 +0000 (16:00 +0800)]
xen/arm: make domain_max_vcpus return value from vgic_ops
Each vGIC driver supports different maximum numbers of vCPU. For
example, GICv2 is limited to 8 vCPUs, while GICv3 can support up
to 4096 vCPUs if we use both AFF0 and AFF1. Thus, domain_max_vcpus
should depend on not only MAX_VIRT_CPUS but also the version
of vGIC that the guest uses.
Since evtchn_init would call domain_max_vcpus to allocate poll_mask
when the vgic_ops haven't been initialised yet, we make it return
MAX_VIRT_CPUS at that time. On ARM32, event channel doesn't need
to allocate the poll_mask because MAX_VIRT_CPUS < BITS_PER_LONG,
while allocating more memory (2 unsigned long rather than 1) only
for poll_mask on arm64 with GICv2 looks not so expensive.
We didn't keep it as the old static inline form because it will break
compilation when access the member of struct domain:
In file included from xen/include/xen/domain.h:6:0,
from xen/include/xen/sched.h:10,
from arm64/asm-offsets.c:10:
xen/include/asm/domain.h: In function ‘domain_max_vcpus’:
xen/include/asm/domain.h:266:10: error: dereferencing pointer to incomplete type
if (d->arch.vgic.version == GIC_V2)
^
Signed-off-by: Chen Baozi <baozich@gmail.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Chen Baozi [Tue, 30 Jun 2015 08:00:20 +0000 (16:00 +0800)]
xen/arm: Set 'reg' of cpu node for dom0 to match MPIDR's affinity
According to ARM CPUs bindings, the reg field should match the MPIDR's
affinity bits. We will use AFF0 and AFF1 when constructing the reg value
of the guest at the moment, for it is enough for the current max vcpu
number.
Signed-off-by: Chen Baozi <baozich@gmail.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Julien Grall <julien.grall@citrix.com>
[ ijc -- use PRIx64 to format mpidr_aff in node name, fixing 32-bit
build ]
Chen Baozi [Tue, 30 Jun 2015 08:00:19 +0000 (16:00 +0800)]
tools/libxl: Set 'reg' of cpu node equal to MPIDR affinity for domU
According to ARM CPUs bindings, the reg field should match the MPIDR's
affinity bits. We will use AFF0 and AFF1 when constructing the reg value
of the guest at the moment, for it is enough for the current max vcpu
number.
Chen Baozi [Tue, 30 Jun 2015 08:00:18 +0000 (16:00 +0800)]
xen/arm: Use AFF1 when translating ICC_SGI1R_EL1 to cpumask
The old unsigned long type of vcpu_mask can only express 64 cpus at the
most, which might not be enough for the guest which used vGICv3. We
introduce a new struct sgi_target for the target cpu list of SGI, which
holds the affinity path information (only level 1 at the moment). For
GICv2 that has no affinity level, we can just set the corresponding
fields to be 0.
Chen Baozi [Tue, 30 Jun 2015 08:00:17 +0000 (16:00 +0800)]
xen/arm: Use the new functions for vCPUID/vaffinity transformation
There are 3 places to change:
* Initialise vMPIDR value in vcpu_initialise()
* Find the vCPU from vMPIDR affinity information when accessing GICD
registers in vGIC
* Find the vCPU from vMPIDR affinity information when booting with vPSCI
in vGIC
- Both PSCI 0.1 and PSCI 0.2 are modified to respect the MPIDR like.
Chen Baozi [Tue, 30 Jun 2015 08:00:16 +0000 (16:00 +0800)]
xen/arm: Add functions of mapping between vCPUID and virtual affinity
GICv3 restricts that the maximum number of CPUs in affinity 0 (one
cluster) is 16. (See the note of 'Bits[15:0]' in '5.7.29 ICC_SGI0R_EL1
ICC_SGI1R_EL1 and ICC_ASGI1R_EL1, GICv3 Architecture Specification')
That is to say the upper 4 bits of affinity 0 is unused. Current
implementation considers that AFF0 is equal to vCPUID, which makes all
vCPUs in one cluster, limiting its number to 16. If we would like to
support more than 16 number of vCPU in one guest, we need to make use
of AFF1. Considering the unused upper 4 bits, we need to create a pair
of functions mapping the vCPUID and virtual affinity.
libxl: unset info->numa_placement upon successful placement
so that, if the same config is reused later, the following
two (good) things happen:
- we do not trip over warnings because node and/or vcpu
soft affinity now exist (as a consequence of the
successful placement), but numa_placement is still
true;
- we end up always using the results of the original
execution of the placement algorithm, rather than
re-running it at each re-use of the same config,
which is what most users expects and wants.
This fixes the bug reported here:
http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg04454.html
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
libxl: turn NUMA placement misconfigs into warnings
instead than errors. More specifically, in libxl,
b_info->numa_autoplacement is meant as a way to
disable automatic NUMA placement, if one does not
want it to happen. It is, however, useful for
consistency checking as well, i.e., to ensure that
the user provided configuration (such as, for instance,
vcpu hard or soft affinity) and NUMA placement itself
will not clash.
However, right now, if such a clash happens we abort
domain creation and error out, which is too much! It
is, in fact, enough to infom the user/caller that NUMA
placement won't be performed, with a WARN, and that's
what this commit does.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Currently, it's hard to decide whether a part of the domain
initialization should live in gicv_setup (part of the GIC
driver) and domain_init (part of the vGIC driver).
The code to initialize the domain for a specific vGIC version is always
the same no matter the version of the GIC.
Move all the domain initialization code for the vGIC in the respective
domain_init callback of each vGIC drivers.
New structures have been introduced to store HW information per vGIC.
Each vGIC HW structure contains a boolean to indicate if the current GIC is
able to support this specific version of virtual GIC.
Helpers have been introduced in order to help the GIC correctly setup
the vGIC. The GIC will have to call them to announce support for this
specific version.
Also drop fields that become unnecessary in each global state.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
xen/arm: gic-v3: Rework the messages printed at initialization
- Print all the redistributor regions rather than only the first
one...
- Add # in the format to print 0x for hexadecimal. It's easier to
differentiate from decimal
- Re-order information printed
- Drop print of the virtual addresses. It makes the log more
difficult to read and don't improve user debugging experience (the
value can't be used like as it is).
Signed-off-by: Julien Grall <julien.grall@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
xen/arm: gic-v3: Fix the distributor region to 64kB
On GICv3, the default size of the distributor region is 64kB (see 5.3
in PRD03-GENC-010745 24.0). This region can be extended to provide an
implementation defined set of pages containing additional aliases for MSI.
Although, the GICv3 driver only access to register within the default
distributor region.
Furthermore, our vGIC driver implementation doesn't support the extended
distributor. Therefore there is no reason to expose it to DOM0.
Finally drop the field dbase_size which is not useful anymore.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Wed, 17 Jun 2015 13:58:27 +0000 (14:58 +0100)]
xen/arm: Find automatically the gnttab region for DOM0
Currently, the grant table region is hardcoded per-platform. When a new
board is coming up, we have to check the spec in order to find a space
in the memory layout free. Depending on the platform it may be tedious.
A good candidate for the gnttab region is the one used by Xen binary as
some part will never be mapped to the DOM0 address, MMIO are mapped 1:1
and the RAM will be either:
- direct mapped: 1:1 mapping is used => no problem
- non direct mapped: Xen always relocates himself as high as possible
(limited to 4GB on ARM32) and the RAM bank are filled from the first
one. It's very unlikely that the gnttab region will overlap with the
RAM. Although for safety a check may be necessary when we will reenable
the option.
Furthermore, there is plenty of space to contain a big gnttab, the default
size is 32 frame (i.e 128KB) but it can be changed via a command option.
It's not possible to use the whole region used by Xen, as some part of
the binary will be freed after Xen boot and can be used by DOM0 and other
guest. A sensible choice is the text secion as it will always reside in
memory never be mapped to the guest and the size is big enough (~300KB
on ARM64). It could be extended later to use other contiguous sections
such as data...
Note that on ARM64, the grant table region may be after 4GB (Xen is
relocated to the highest address) using DOM0 32 bit with short page table
may not work. Although, I don't think this is a big deal as device may not
work and/or the RAM is too high due to the 1:1 mapping.
This patch also drop the platforms thunderx and xilinx-zynqmp which became
dummy by dropping the hardcoding DOM0 grant table region.
Ian Jackson [Wed, 1 Jul 2015 14:20:03 +0000 (15:20 +0100)]
libxl: Do not try to destroy domain -1 on failed create
Perhaps since f0c4c53f "libxl: domain create: Do not destroy on ao
abort", we have destroyed guest_domid==-1 if domain creation fails
without actually creating a domid.
Reported-by: Julien Grall <julien.grall@citrix.com> CC: Julien Grall <julien.grall@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Liang Li [Mon, 29 Jun 2015 21:27:16 +0000 (05:27 +0800)]
nested EPT: fix the handling of nested EPT
If the host EPT entry is changed, the nested EPT should be updated.
the current code does not do this, and it's wrong.
I have tested this patch, the L2 guest can boot and run as normal.
Signed-off-by: Liang Li <liang.z.li@intel.com> Signed-off-by: Yang Zhang <yang.z.zhang@intel.com> Reported-by: Tim Deegan <tim@xen.org> Reviewed-by: Tim Deegan <tim@xen.org>
Tiejun Chen [Mon, 29 Jun 2015 06:51:36 +0000 (14:51 +0800)]
tools/libxc: check to set args.mmio_size before call xc_hvm_build
After commit 5dff8e9eedc7, "libxc/libxl: fill xc_hvm_build_args in
libxl" is introduced, we won't check to set args.mmio_size inside
xc_hvm_build as before. So instead, we need to do this before call
that.
CC: Ian Jackson <ian.jackson@eu.citrix.com> CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> CC: Wei Liu <wei.liu2@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Tiejun Chen <tiejun.chen@intel.com>
Ian Campbell [Fri, 26 Jun 2015 09:41:28 +0000 (10:41 +0100)]
xen: Install unstripped version -syms version into /usr/lib/debug
xen-*-syms cannot actually be booted, so putting it in /boot is a bit
misleading. It also happens to cause a warning from update-grub (so at
least it doesn't end up in grub.cfg)
/usr/lib/debug seems to be a pretty common path for installing such
debug info.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
[ ijc -- fixed typos ]
Ian Campbell [Fri, 26 Jun 2015 11:39:54 +0000 (12:39 +0100)]
xen: arm: Log a warning message when a deprecated hypercall is used
A few folks have been caught out by OSes which call e.g.
HYPERVISOR_event_channel_op_compat which has been deprecated since
3.2.2 (i.e. long before Xen on ARM). Existing x86 code can still
safely and quietly using those calls, waiting for an unsuspecting ARM
porter to turn up and trip over it. This turns out to be rather
perplexing when it happens, since it can be obscured e.g. by various
conditionals like __XEN_INTERFACE_VERSION__ what is actually being
called.
Note that I'm making a distinction here between hypercalls which are
simply not used/implemented on arm (yet) and those which were
deprecated and replaced by a newer variant prior to Xen on ARM even
being invented. The latter will never be implemented on ARM and have
non-deprecated aliases leading to confusion so those are the ones for
which a warning is useful.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Tested-by: Ard Biesheuvel <ard@linaro.org> Cc: Jan Beulich <JBeulich@suse.com> Cc: Keir Fraser <keir@xen.org> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Julien Grall <julien.grall@citrix.com>
A find option was forgotten in commit 6592bf60beaf1fa0b4fd36fb73800eb001c739af
"docs: Look for documentation in sub-directories" resulting to get some
docs duplicated and other missing.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Mon, 29 Jun 2015 14:29:33 +0000 (15:29 +0100)]
libxl: Fix uninitialised rc in libxl__domain_save_device_model
c3c8da9 "libxl: ao: datacopier callback gets an rc" caused
libxl__domain_save_device_model() to pass its rc directly into the
callback.
However in the preexisting code, there were 3 "goto out;" paths which
left rc uninitialised. This causes a build failure with GCC 4.8's
-Wmaybe-uninitialized.
Set the rc explicitly on each goto out path.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Ian Jackson [Fri, 26 Jun 2015 17:24:22 +0000 (18:24 +0100)]
libxl: Add missing #include of <signal.h>
"libxl: ao abort: Handle SIGTERM in save/restore helper" requires
this; without it we fail to build on BSD.
Reported-by: Ian Campbell <ian.campbell@citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> CC: Roger Pau Monne <roger.pau@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Tue, 23 Jun 2015 17:10:51 +0000 (18:10 +0100)]
libxl: spawn: Always debug log middle child process death
Otherwise the debug log is strangely devoid of an explanation for the
spawn completing.
We decorate `what', as otherwise the logged message is rather alarming
(especially if the death is due to us sending SIGKILL, which even
happens on the success path).
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: New patch in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:37:33 +0000 (19:37 +0000)]
libxl: ao: datacopier callback gets an rc
libxl__datacopier_* now provides its caller's callback function with
an rc value. This relieves the caller of the need to figure out an
appropriate rc value.
Arrange that the `other internal failure' cases now get a valid
positive errno value (EIO).
In a few places, assert that errno is nonzero before passing it to our
caller.
Extend the datacopier callback API to permit the dc to signal ABORTED.
(It doesn't actually do this yet, though.)
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Andrew Cooper <andrew.cooper3@citrix.com> CC: David Vrabel <david.vrabel@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:10:18 +0000 (19:10 +0000)]
libxl: ao abort: Abort libxc save/restore
Register the the save/restore helper interface with the abort
machinery. When we are informed that save/restore should be aborted,
we make a note of the that in our rc variable, and send the helper a
SIGTERM. It will die in due course.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:05:06 +0000 (19:05 +0000)]
libxl: ao abort: Handle SIGTERM in save/restore helper
During startup of the save/restore helper, set the disposition of
SIGTERM appropriately.
For restore, we can simply die immediately - there is no point trying
to do any kind of cleanup on what is now going to be a trashed domain.
For save, we want to arrange that libxc's cleanup code (eg turning off
logdirty) takes place. So our signal handler replaces the fd with one
on which writes will fail, causing libxc's own loop to fail next time
it actually tries to do a write.
Currently this has only a minor beneficial effect: we don't send the
helper a SIGTERM ourselves, and if someone else contrives to send our
helper a SIGTERM they have probably sent one to libxl too in which
case things are going to be a bit messy anyway.
But in the next patch libxl itself is going to use SIGTERM to
implement ao abort requests.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:53:21 +0000 (17:53 +0000)]
libxl: ao abort: Support aborting where we spot domain death
Make an active libxl__domaindeathcheck contain an active
libxl__ao_abortable.
Consequential changes are:
* domaindeath callbacks now take an rc value.
* libxl__domaindeathcheck_start takes an ao, not a gc.
* bootloader_domaindeath plumbs the rc through to its caller.
* libxl__domaindeathcheck_init and _stop are not quite trivial any
more so are moved from (inline functions) in libxl_internal.h, to
ordinary functions defined in libxl_event.c.
* libxl__domaindeathcheck_start is not trivial any more, and now has
the standard error-handling pattern.
The only current user of libxl__domaindeathcheck is the bootloader.
So the result is that now it is possible to effectively abort domain
creation while the bootloader is running.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:48:40 +0000 (17:48 +0000)]
libxl: Introduce DOMAIN_DESTROYED error code
This is currently reported only by the bootloader code, if the domain
is destroyed while the bootloader is running.
In the future it would be nice to return it for other circumstances
where the domain existed when the operation started but subsequently
vanished.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: Add a comment about the new error code's semantics
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:18:23 +0000 (17:18 +0000)]
libxl: ao abort: Note that driver domain task cannot be usefully aborted
In practice, aborting this task will cause all subsequent actual
backend operations to fail, but will not actually cause the
libxl_device_events_handler operation to complete.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> CC: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Fri, 20 Dec 2013 18:02:54 +0000 (18:02 +0000)]
libxl: ao abort: Make timeouts abortable
Make libxl__ev_time* register with the abort machinery, so that
libxl_ao_abort can stop any operation which has a timeout.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: Do not immediately deregister the abortable (!)
(v3 was Acked-by: Ian Campbell <ian.campbell@citrix.com>)
Ian Jackson [Tue, 10 Feb 2015 19:16:08 +0000 (19:16 +0000)]
libxl: ao abort: Provide explicit internal abort check API
Some places in libxl which can't handle abort via a
libxl__ao_abortable callback might nevertheless benefit from being
able to explicitly check whether abort has been requested.
Provide the (fairly trivial) internal API function to do this.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Fri, 20 Dec 2013 16:34:50 +0000 (16:34 +0000)]
libxl: ao abort: Provide public ao abort request API
Provide libxl_ao_abort.
There is machinery to allow an ao to register an interest in abort
requests, using a libxl__ao_abortable.
This API is not currently very functional: requesting abort will
never have any effect.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v5: Clarify API doc comment re aborting synchronous operations.
v4: Rename from cancel to abort.
Actually record aos on aos_inprogress.
(Report from Koushik Chakravarty at Citrix.)
Do not mark libxl_ao_cancel hidden (!)
Abolish ERROR_NOTIMPLEMENTED from libxl_ao_cancel.
All operations are supposed to support cancellation.
v2: Minor comment improvements
Ian Jackson [Fri, 20 Dec 2013 16:34:41 +0000 (16:34 +0000)]
libxl: ao: Provide manip_refcnt
Previously we used in_initiator to stop the ao being freed while we
were still in the initiator function (which would result in the
initiator's call to libxl__ao_inprogress accessing the ao after it had
been freed).
We are going to introduce a new libxl entrypoint which finds, and
operates on, ongoing aos. This function needs the same protection,
and might even end up running on the same ao multiple times
concurrently.
So do this with reference counting instead, with a new variable
ao->manip_refcnt.
We keep ao->in_initiator because that allows us to keep some useful
asserts about the sequencing of libxl__ao_inprogress, etc.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v5: Fix typo in commit message.
v3: Add a missing space.
Mention locking in the comment.
Ian Jackson [Fri, 20 Dec 2013 15:31:32 +0000 (15:31 +0000)]
libxl: domain create: Do not destroy on ao abort
If we aborted the domain creation, do not try to tear it down again
Document this.
This is a backwards-compatible API change since old libxl users will
never abort any operations.
In the current code, there is no functional change, because
ERROR_ABORTED is never generated anywhere yet.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: ABORTED not CANCELLED.
Always write out guest domid on completion.
Do not trash rc with libxl__set_domain_configuration on preserve path.
Ian Jackson [Tue, 10 Feb 2015 16:36:46 +0000 (16:36 +0000)]
libxl: events: Permit timeouts to signal ao abort
The callback functions provided by users must take an rc value. This
rc value can be ERROR_TIMEDOUT or ERROR_ABORTED.
Users of xswait are now expected to deal correctly with
ERROR_ABORTED. If they experience this, it hasn't been logged.
And the caller won't log it either since it's not TIMEDOUT.
Luckily this is correct, so we can just change the doc comment.
Currently nothing generates ERROR_ABORTED; in particular the timeouts
cannot in fact signal abort requests.
There should be no publicly visible change except that some error
returns from libxl will change from ERROR_FAIL to ERROR_TIMEDOUT, and
some changes to debugging messages.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: ABORTED not CANCELLED.
Ian Jackson [Tue, 10 Feb 2015 16:27:39 +0000 (16:27 +0000)]
libxl: events: Make libxl__async_exec_* pass caller an rc
The internal user of libxl__async_exec_start et al now gets an rc as
well as the process's exit status.
For now this is always either 0 or ERROR_FAIL, but with ao
abort requests this will possibly be ABORTED or TIMEDOUT too.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: Improve doc comment as suggested by Ian C.
v2: New patch due to rebause; v1 had changes to device_hotplug_*
scripts instead.
Callback now gets unambiguous information about error situation:
previously, if only thing that went wrong was that child died
badly, rc would be FAILED, which was unambigously; now rc=0.
Add a comment document the meaning of the rc and status parameters
to the callback.
Ian Jackson [Tue, 10 Feb 2015 16:13:36 +0000 (16:13 +0000)]
libxl: events: Make timeout and async exec setup take an ao, not a gc
Change the timeout setup functions to take a libxl__ao, not a
libxl__gc. This is going to be needed for ao abort, because timeouts
are going to be a main hook for ao abort requests - so the timeouts
need to be associated with an ao.
This means that timeouts can only occur as part of a long-running
libxl function (but this is of course correct, as libxl shouldn't have
any global timeouts, and indeed all the call sites have an ao).
Also remove the gc parameter from libxl__async_exec_start. It can
just use the gc from the ao supplied in the aes.
All the callers follow the obvious patterns and therefore supply the
ao's gc to libxl__async_exec_start and the timeout setup functions.
There is therefore no functional change in this patch.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> CC: Yang Hongyang <yanghy@cn.fujitsu.com> CC: Wen Congyang <wency@cn.fujitsu.com> CC: Lai Jiangshan <laijs@cn.fujitsu.com> Acked-by: Wen Congyang <wency@cn.fujitsu.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: This patch split off from "Permit timeouts to signal cancellation".
Rebased; consequently, deal with libxl__async_exec_start.
CC'd authors of the libxl__async_exec_* functions.
Ian Jackson [Fri, 20 Dec 2013 15:18:59 +0000 (15:18 +0000)]
libxl: New error codes ABORTED etc.
We introduce ERROR_ABORTED now, so that we can write code to handle
it, and decreee that functions might return it, even though currently
there is nowhere where this error is generated.
While we're here, provide ERROR_NOTFOUND which will also be used
later, but only as part of the public API.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: CANCELLED renamed to ABORTED.
No longer introduce ERROR_NOTIMPLEMENTED.
v2: Rebase means new errors have bigger (more negative) numbers.
Ian Jackson [Thu, 25 Jun 2015 15:34:10 +0000 (16:34 +0100)]
libxl: Change some log messages to say `abandoning' rather than `aborting'
We are going to introduce application-requested aborts of (ao)
operations, but these suspend failures are something different.
Reword to avoid confusion.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Ian Jackson [Fri, 20 Dec 2013 12:49:53 +0000 (12:49 +0000)]
libxl: suspend: Return correct error from callbacks
If a suspend callback fails, it has a libxl error code in its hand.
However we must return to libxc the values that libxc expects. So we
stash the libxl error code in dss->rc and fish it out again after
libxc returns from the suspend call.
While we're here, abolish the now-redundant `ok' variable in
remus_devices_postsuspend_cb.
The overall functional change is that libxl_domain_save now completes
with the correct error code as determined when the underlying failure
happened. (Usually this is, still, ERROR_FAIL.)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: Add cleanup in remus_devices_postsuspend_cb.
Ian Jackson [Fri, 20 Dec 2013 12:43:17 +0000 (12:43 +0000)]
libxl: suspend: common suspend callbacks take rc
Change the following functions to take a libxl error code rather than
a boolean "ok" value, and translate that value to the boolean expected
by libxc at the last moment:
domain_suspend_callback_common_done } dss->callback_common_done
remus_domain_suspend_callback_common_done }
domain_suspend_common_done
Also, abolish domain_suspend_common_failed as
domain_suspend_common_done can easily do its job and the call sites
now have to supply the right rc value anyway.
In domain_suspend_common_guest_suspended, change "ret" to "rc"
as it contains a libxl error code.
There is no functional change in this patch: the proper rc value now
propagates further, but is still eventually smashed to a boolean.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: Fix a leftover comment referring to domain_suspend_common_failed
Ian Jackson [Fri, 20 Dec 2013 12:34:09 +0000 (12:34 +0000)]
libxl: suspend: switch_logdirty_done takes rc
switch_logdirty_done used to take the value to pass to
libxl__xc_domain_saverestore_async_callback_done (ie, the return value
from the callback). (This was mistakenly described as "ok" in the
prototype, but in the definition it is "broke" and all the call sites
passed 0 for success or -1 for error.)
Instead, make it take a libxl error code (rc). Convert this to the
suspend callback value at the end.
No functional change in this patch.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Jackson [Wed, 8 Apr 2015 11:22:38 +0000 (12:22 +0100)]
libxl: ao internal API docs: Mention synchronous ao completion
This doc comment about ao lifecycle failed to mention the option of
completing the ao during the initiator function. (Indeed, the most
obvious reading would forbid it.)
Restructure the comment, describe this situation, and generally
improve the wording.
Also, fix a grammar problem (missing word `a').
Reported-by: Koushik Chakravarty <koushik.chakravarty@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
David Vrabel [Fri, 26 Jun 2015 15:35:27 +0000 (17:35 +0200)]
x86,arm: remove asm/spinlock.h from all architectures
Now that all architecture use a common ticket lock implementation for
spinlocks, remove the architecture specific byte lock implementations.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
David Vrabel [Fri, 26 Jun 2015 15:33:34 +0000 (17:33 +0200)]
use ticket locks for spin locks
Replace the byte locks with ticket locks. Ticket locks are: a) fair;
and b) peform better when contented since they spin without an atomic
operation.
The lock is split into two ticket values: head and tail. A locker
acquires a ticket by (atomically) increasing tail and using the
previous tail value. A CPU holds the lock if its ticket == head. The
lock is released by increasing head.
spin_lock_irq() and spin_lock_irqsave() now spin with irqs disabled
(previously, they would spin with irqs enabled if possible). This is
required to prevent deadlocks when the irq handler tries to take the
same lock with a higher ticket.
Architectures need only provide arch_fetch_and_add() and two barriers:
arch_lock_acquire_barrier() and arch_lock_release_barrier().
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Ian Campbell [Tue, 23 Jun 2015 14:58:32 +0000 (15:58 +0100)]
tools: libxl: Take the userdata lock around maxmem changes
There is an issue in libxl_set_memory_target whereby the target and
the max mem can get out of sync, this is because the call the
xc_domain_setmaxmem is not tied in any way to the xenstore transaction
which controls updates to the xenstore side of things.
Consider a domain with 1M of RAM (==target and maxmem for the sake of
argument) and two simultaneous calls to libxl_set_memory_target, both
with relative=0 and enforce=1, one with target=3 and the other with
target=5.
target=5 call target=3 call
transaction start
transaction start
write target=5 to xenstore
write target=3 to xenstore
setmaxmem(5)
setmaxmem(3)
In reality the target=3 case will the retry and eventually (hopefully)
succeed with target=maxmem=3, however the bad state will persist for
some window which is undesirable. On failure other than EAGAIN all
bets are off anyway, but in that case we will likely stick in the bad
state until someone else sets the memory).
To fix this we slightly abuse the userdata lock which is used to
protect updates to the domain's json configuration. Abused because
maxmem is not actually stored in there, but is kept by Xen. However
the lock protects some semantically similar things and is convenient
to use here too.
libxl_domain_setmaxmem also takes the lock, since it reads
memory/target from xenstore before calling xc_domain_setmaxmem there
is a small (but perhaps not very interesting) race there too.
There is on more use of xc_domain_setmaxmem in libxl__build_pre.
However taking a lock around this would be tricky since the xenstore
parts are not done until libxl__build_post. I think this one could be
argued to be OK since the domid is not "public" yet, that is it has
not been returned to the application yet (as the result of the create
operation). Toolstacks which go round fiddling with random domid's
which they find lying on the floor should be taught to do better.
Add a doc note that taking the userdata lock requires the CTX_LOCK to
be held.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Thu, 25 Jun 2015 12:57:31 +0000 (14:57 +0200)]
x86/setup: initialise CR4 before creating idle_vcpu[0]
PV vcpu initialise has CR4 seeded from mmu_cr4_features. Adjust the order of
basic CR4 setup and creation of the idle domain, such that idle_vcpu[0] is not
wildly different from the other idle vcpus.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 25 Jun 2015 12:57:04 +0000 (14:57 +0200)]
x86/traps: avoid using current too early on boot
Early on boot, current has the sentinel value 0xfffff000. Blindly using it in
show_registers() causes a nested failure and no useful information printed
from an early crash.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Fri, 19 Jun 2015 08:58:25 +0000 (10:58 +0200)]
configure: check for argp
argp is only present in the GNU C library, so add a specific check for it in
configure. Also check if -largp is needed for linking against it.
Please run autoconf after applying.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Cc: George Dunlap <george.dunlap@eu.citrix.com> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Olaf Hering <olaf@aepfle.de> Acked-by: Wei Liu <wei.liu2@citrix.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
[ ijc -- ran autogen.sh ]
Roger Pau Monne [Fri, 19 Jun 2015 08:58:24 +0000 (10:58 +0200)]
xen{trace/analyze}: don't use 64bit versions of libc functions
This is not needed, neither encouraged. Configure already checks
_FILE_OFFSET_BITS and appends it when needed, so that the right functions
are used. Also remove the usage of loff_t and O_LARGEFILE for the same
reason.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Cc: George Dunlap <george.dunlap@eu.citrix.com> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Olaf Hering <olaf@aepfle.de> Acked-by: Wei Liu <wei.liu2@citrix.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Wei Liu [Wed, 24 Jun 2015 10:10:09 +0000 (11:10 +0100)]
NetBSDRump: provide evtchn.h and privcmd.h
Xen's build system has a target for rump kernel called NetBSDRump. We
want to build libxc against rump kernel, so we need to copy NetBSD's
evtchn.h and privcmd.h to NetBSDRump. These copies is not very likely to
diverge from NetBSD's copies, but we don't preclude such possibility.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
A new memory model that allows QEMU to bump memory behind libxl's back
was merged a few months ago. We didn't fully understand the
repercussions back then. Now it breaks migration and becomes blocker of
4.6 release.
It's better to restore to original behaviour at this stage of the
release cycle, that would put us in a position no worse than before, so
the release is unblocked.
The said function is still racy after reverting these two patches.
Making domain memory state consistent requires a bit more work. Separate
patch(es) will be sent out to deal with that problem.
Fix up conflicts with f5b43e95 (libxl: fix "xl mem-set" regression from 0c029c4da2).
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Fri, 19 Jun 2015 12:41:29 +0000 (13:41 +0100)]
xen/arm: Propagate clock-frequency to DOMU if present in the DT timer node
When the property "clock-frequency" is present in the DT timer node, it
means that the bootloader/firmware didn't correctly configure the
CNTFRQ/CNTFRQ_EL0 on each processor.
The best solution would be to fix the offending firmware/bootloader,
although it may not always be possible to modify and re-flash it.
As it's not possible to trap the register CNTFRQ/CNTFRQ_EL0, we have
to extend xen_arch_domainconfig to provide the timer frequency to the
toolstack when the property "clock-frequency" is present to the host DT
timer node. Then, a property "clock-frequency" will be created in the guest
DT timer node if the value is not 0.
We could have set the property in the guest DT no matter if the property
is present in the host DT. Although, we still want to let the guest
using CNTFRQ in normal case. After all, the property "clock-frequency"
is just a workaround for buggy firmware.
Also add a stub for fdt_property_u32 which is not present in libfdt <
1.4.0 used by distribution such as Debian Wheezy.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Tested-by: Chris Brand <chris.brand@broadcom.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- ran autogen.sh ]
projects / xen.git / log