Daniel Kiper [Tue, 7 May 2013 11:51:44 +0000 (13:51 +0200)]
stubdom/vtpm: Silently ignore rm errors during make clean
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Roger Pau Monne [Fri, 3 May 2013 11:23:01 +0000 (13:23 +0200)]
libxl: correctly parse storage devices on driver domains
Don't try to check physical devices if they belong to a domain
different than the one where the toolstack is running. This prevents
the following error when trying to use storage driver domains:
libxl: debug: libxl_create.c:1246:do_domain_create: ao 0x1819240: create: how=(nil) callback=(nil) poller=0x1818fa0
libxl: debug: libxl_device.c:235:libxl__device_disk_set_backend: Disk vdev=xvda spec.backend=phy
libxl: debug: libxl_device.c:175:disk_try_backend: Disk vdev=xvda, backend phy unsuitable as phys path not a block device
libxl: error: libxl_device.c:278:libxl__device_disk_set_backend: no suitable backend for disk xvda
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Wei Liu [Tue, 7 May 2013 11:28:54 +0000 (12:28 +0100)]
docs: canonicalize representation of boolean type in xl.cfg
The representations of boolean type in xl docs are inconsistent. This patch
replaces occurences of "1", "0", "[Tt]rue" and "[Ff]alse" with "[Tt]rue (1)"
and "[Ff]alse (0)".
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
We need to write the irq number to GICC_DIR on the physical cpu that
previously received the interrupt, but currently we are doing it on the
pcpu that received the maintenance interrupt. As a consequence if a
vcpu is migrated to a different pcpu, the irq is going to be EOI'ed on
the wrong pcpu.
This covers the case where dom0 vcpu0 is running on pcpu1 for example
(you can test this scenario by using xl vcpu-pin).
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Move virt_start out of ioremap and rename it to early_vmap_start.
Implement arch_vmap_virt_end by returning early_vmap_start.
Allocate virtual addresses in early_ioremap from top to bottom so that
later on when we initialize vmap, we can return the end of the vmap
address space (the last address allocated by early_ioremap).
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Trap guest WFI, block the guest VCPU unless it has pending interrupts
(WFI should return if any interrupts arrive even if interrupts are
disabled).
Awake the guest vcpu when a new interrupt for it arrives.
Introduce gic_events_need_delivery: it checks whether the current vcpu
has any interrupts that need to be delivered either on the lrs or in
lr_pending.
Properly implement local_events_need_delivery: check if the guest
disabled interrupts, if they aren't disabled, return positive if
gic_events_need_delivery returns positive. Otherwise we still need to
check whether evtchn_upcall_pending is set but no
VGIC_IRQ_EVTCHN_CALLBACK irqs are in flight: it could be the race
described by commit db453468d92369e7182663fb13e14d83ec4ce456 "arm: vgic:
fix race between evtchn upcall and evtchnop_send". If that is the case
it means that an event needs to be injected.
If all these tests are negative then no events need to be delivered.
Implement local_event_delivery_enable by clearing PSR_IRQ_MASK.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Wei Liu [Tue, 7 May 2013 14:54:56 +0000 (16:54 +0200)]
netif: define XEN_NETIF_NR_SLOTS_MIN in public header
Xen network protocol has implicit dependency on MAX_SKB_FRAGS. In order to
remove dependency on MAX_SKB_FRAGS, we derive a constant from historical
MAX_SKB_FRAGS for future reference.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Tue, 7 May 2013 14:51:19 +0000 (16:51 +0200)]
rename IS_PRIV to is_hardware_domain
Since the remaining uses of IS_PRIV are actually concerned with the
domain having control of the hardware (i.e. being the initial domain),
clarify this by renaming IS_PRIV to is_hardware_domain. This also
removes IS_PRIV_FOR since the only remaining user was xsm/dummy.h.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Tue, 7 May 2013 14:50:28 +0000 (16:50 +0200)]
common: remove rcu_lock_target_domain_by_id
This function (and rcu_lock_remote_target_domain_by_id) has no remaining
users, having been replaced with XSM hooks and the other rcu_lock_*
functions. Remove it.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Tue, 7 May 2013 14:49:53 +0000 (16:49 +0200)]
arm: remove rcu_lock_target_domain_by_id users
This function has been replaced with rcu_lock_domain_by_any_id and an
XSM check. Two callers already had an XSM check; add a check to the
third.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) Acked-by: Ian Campbell <ian.campbell@citrix.com> (for thae ARM bits)
Daniel De Graaf [Tue, 7 May 2013 14:49:18 +0000 (16:49 +0200)]
xsm: add hooks for claim
Adds XSM hooks for the recently introduced XENMEM_claim_pages and
XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
for them. This makes the access control decisions for these operations
match those in the rest of the hypervisor.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) Acked-by: Keir Fraser <keir@xen.org>
Update return codes of wrmsr_hypervisor_regs, update callers to deal
with the new return codes:
0: not handled
1: handled
-EAGAIN: retry
Currently wrmsr_hypervisor_regs will not return the following error, it
will be added in a separate patch:
-EINVAL: error during handling
Also update the gdprintk to handle a page value of NULL to avoid
printing a bogus MFN value. Update also computing of MSR value in
gdprintk, the idx was always zero.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Keir Fraser <keir@xen.org>
Ian Jackson [Tue, 7 May 2013 12:41:15 +0000 (13:41 +0100)]
README: update version number
Updated the figlet version number to "Xen 4.3-rc". Also remove the
paragraph touting the benefits of Xen 4.2. At some point we should
replace it with a paragraph touting the benefits of Xen 4.3.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 7 May 2013 10:39:10 +0000 (11:39 +0100)]
tools: Bump some library sonames
libxc (libxenctrl, libxenguest):
New claim_enabled field in struct xc_dom_image;
New nr_outstanding_pages field in struct xc_dominfo;
New fields in struct xc_hvm_build_args (xenguest.h).
libxl:
new fields in dominfo domain_build_info device_vfb device_vkb
device_disk etc. etc. etc.
libxlu #includes libxl headers so needs to inherit its new soname
Use Xen version for new sonames since we don't in fact guarantee
ABI (as opposed to API) stability across releases.
xenstore (libxenstore):
New flag XS_UNWATCH_FILTER, so bump minor version only.
This was the result of reviewing the output from:
git-checkout staging
cd tools
git-diff RELEASE-4.2.2 `find -name \*.h`
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
George Dunlap [Thu, 2 May 2013 11:03:09 +0000 (12:03 +0100)]
libxl: Don't use tapdisk for cd-roms
blktap does not support the insert / eject commands, and so is not
suitable for cd-roms.
This fixes the bug where libxl uses tapdisk as a cdrom back-end, causing
subsequent eject / insert commands to fail.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> CC: Fabio Fantoni <fabio.fantoni@heliman.it> CC: Stefano Stabellini <stefano.stabellini@citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Thu, 2 May 2013 15:08:58 +0000 (17:08 +0200)]
VT-d: don't permit SVT_NO_VERIFY entries for known device types
Only in cases where we don't know what to do we should leave the IRTE
blank (suppressing all validation), but we should always log a warning
in those cases (as being insecure).
This is CVE-2013-1952 / XSA-49.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com>
Jan Beulich [Thu, 2 May 2013 15:04:14 +0000 (17:04 +0200)]
x86: cleanup after making various page table manipulation operations preemptible
This drops the "preemptible" parameters from various functions where
now they can't (or shouldn't, validated by assertions) be run in non-
preemptible mode anymore, to prove that manipulations of at least L3
and L4 page tables and page table entries are now always preemptible,
i.e. the earlier patches actually fulfill their purpose of fixing the
resulting security issue.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 2 May 2013 14:48:22 +0000 (16:48 +0200)]
x86/HVM: fix legacy PIC check in pt_update_irq()
Depending on the IRQ we need to
- not look at the PIC at all is this is the LAPIC timer (in that case
we're dealing with a vector number rather than an IRQ one),
- not look at the PIC for any non-legacy interrupt,
- look at the correct PIC for the IRQ (which will always be PIC 2 for
the RTC, and possibly also for HPET).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Roger Pau Monné <roger.pau@citrix.com> (FreeBSD guest) Reviewed-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 2 May 2013 14:47:32 +0000 (16:47 +0200)]
x86/HVM: fix processing of RTC REG_B writes
We must store the new values before calling rtc_update_irq(), and we
need to call rtc_timer_update() when PIE transitions from 0 to 1 (as we
may have previously turned off the periodic timer due to the guest not
reading REG_C, and hence may have to re-enable it in order to start
IRQs getting delivered to the guest).
Note that the timer is being kept running if PIE transitions from 1 to
0, to match the behavior of keeping it running for a brief period of
time if the guest doesn't clear PF in time (in order to avoid
permanently destroying and re-creating the periodic timer).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Roger Pau Monné <roger.pau@citrix.com> (FreeBSD guest) Reviewed-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 2 May 2013 14:46:02 +0000 (16:46 +0200)]
x86: allow Dom0 read-only access to IO-APICs
There are BIOSes that want to map the IO-APIC MMIO region from some
ACPI method(s), and there is at least one BIOS flavor that wants to
use this mapping to clear an RTE's mask bit. While we can't allow the
latter, we can permit reads and simply drop write attempts, leveraging
the already existing infrastructure introduced for dealing with AMD
IOMMUs' representation as PCI devices.
This fixes an interrupt setup problem on a system where _CRS evaluation
involved the above described BIOS/ACPI behavior, and is expected to
also deal with a boot time crash of pv-ops Linux upon encountering the
same kind of system.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Thu, 2 May 2013 14:39:37 +0000 (16:39 +0200)]
x86: make page table handling error paths preemptible
... as they may take significant amounts of time.
This requires cloning the tweaked continuation logic from
do_mmuext_op() to do_mmu_update().
Note that in mod_l[34]_entry() a negative "preemptible" value gets
passed to put_page_from_l[34]e() now, telling the callee to store the
respective page in current->arch.old_guest_table (for a hypercall
continuation to pick up), rather than carrying out the put right away.
This is going to be made a little more explicit by a subsequent cleanup
patch.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 2 May 2013 14:39:06 +0000 (16:39 +0200)]
x86: make page table unpinning preemptible
... as it may take significant amounts of time.
Since we can't re-invoke the operation in a second attempt, the
continuation logic must be slightly tweaked so that we make sure
do_mmuext_op() gets run one more time even when the preempted unpin
operation was the last one in a batch.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 2 May 2013 14:34:21 +0000 (16:34 +0200)]
x86: make vcpu_destroy_pagetables() preemptible
... as it may take significant amounts of time.
The function, being moved to mm.c as the better home for it anyway, and
to avoid having to make a new helper function there non-static, is
given a "preemptible" parameter temporarily (until, in a subsequent
patch, its other caller is also being made capable of dealing with
preemption).
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Ian Campbell [Fri, 26 Apr 2013 11:42:24 +0000 (12:42 +0100)]
libxl: unconst the event argument to the event_occurs hook.
The event is supposed to become owned, and therefore freed, by the application
and the const prevents this.
Unfortunately there is no way to remove the const without breaking existing
callers. The best we can do is use the LIBXL_API_VERSION provisions to remove
the const for callers who wish only to support the 4.3 API and newer.
Callers who wish to support 4.2 will need to live with casting away the const.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Daniel De Graaf [Wed, 24 Apr 2013 16:44:53 +0000 (12:44 -0400)]
xenstore: create pidfile in init-xenstore-domain
Since libxl checks for the existance of /var/run/xenstored.pid in order
to ensure xenstore is running, create this file when starting the
xenstore stub domain. This also changes the Makefile to enable the
creation of the init-xenstore-domain tool during tools compilation,
since the existing Makefile incorrectly added to the ALL_TARGETS list
when compiling the stubdom, when this variable is not used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Eric Shelton [Tue, 30 Apr 2013 15:03:03 +0000 (11:03 -0400)]
libxl: adjust point of backend name resolution
Resolution of a backend name to a domid needs to happen a little earlier
in some cases.
For example, if a domU is specified as a backend for a
disk and, as previously written, libxl__device_disk_setdefault() calls
libxl__resolve_domid() last, then disk->backend_domid still equals
LIBXL_TOOLSTACK_DOMID when libxl__device_disk_set_backend() is called.
This results in libxl__device_disk_set_backend() making an incorrect
attempt to validate the target by calling stat() on a file on dom0,
resulting in ERROR_INVAL (see libxl_device.c lines 239-248), which
prevents creation of the frontend domain.
Likewise, libxl__device_nic_setdefault() previously made use of
nic->backend_domid before it was set.
Signed-off-by: Eric Shelton <eshelton@pobox.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Ian Campbell [Fri, 26 Apr 2013 10:58:46 +0000 (11:58 +0100)]
xen: arm: correct platform detection in public header.
These headers cannot use the CONFIG_FOO defines provided when building Xen
(since they aren't provided when building tools or by external components) and
need to use the compiler provided architecture defines.
This manifested itself as a failure to build xenctx.c on ARM64 due to the
missing symbols contains .
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
xen/arm: do not call __cpu_disable on machine_halt
__cpu_disable shouldn't be called on machine_halt, in fact it cannot
succeed: cpu_disable_scheduler won't be able to migrate away vcpus to
others pcpus.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Tue, 30 Apr 2013 07:08:08 +0000 (09:08 +0200)]
xsm: fix printf format string for strlen result
strlen returns size_t:
policydb.c: In function \91policydb_read\92:
policydb.c:1779: error: format \91%lu\92 expects type \91long unsigned int\92, but argument 3 has type \91size_t\92
This is probably benign on 64-bit x86 but was found by Dharshini on 32-bit Xen
4.2.x. I expect it affects ARM too.
Reported-by: Dharshini Tharmaraj <dharshinitharmaraj@gmail.com> Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Jan Beulich [Mon, 29 Apr 2013 13:46:15 +0000 (15:46 +0200)]
x86/HVM: move per-vendor function tables into .init.data
hvm_enable() copies the table contents rather than storing the pointer,
so there's no need to keep these tables post-boot.
Also constify the return values of the per-vendor initialization
functions, making clear that once the per-vendor initialization is
complete, the vendor specific tables won't get modified anymore.
Finally, in hvm_enable(), use the returned pointer for all read
accesses as being more efficient than global variable accesses. Writes
of course still need to go to the global variable.
Ian Campbell [Fri, 26 Apr 2013 11:41:43 +0000 (12:41 +0100)]
libxl: stat the path for all non-qdisk backends (including unknown)
The commit a8a1f236a296 "libxl: Only call stat() when adding a disk if we
expect a device to exist." changed things to only stat the file when the phy
backend was explicitly requested. This broke the case where we are probing and
would normally be able to decide on the phy option.
Since the intention of that commit was to allow for backends with no explicit
file in dom0 (i.e. network remote backend such as ceph) the lowest impact fix
appears to be to make that explicit. It turns out that tap disk can also
potentially handle such paths.
The only backend which requires a local file/device is PHY but we need to
handle UNKNOWN too in order for subsequent probing to work. Note that it is
not possible to autoprobe the backend if the path is not a local object, so we
don't need to worry about autoprobing ceph etc.
This should probably be revisited to rationalize the probing.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Wei Liu [Fri, 26 Apr 2013 10:11:37 +0000 (11:11 +0100)]
libxl: write IO ABI for disk frontends
This is a patch to forward-port a Xend behaviour. Xend writes IO ABI used for
all frontends. Blkfront before 2.6.26 relies on this behaviour otherwise guest
cannot boot when running in 32-on-64 mode. Blkfront after 2.6.26 writes that
node itself, in which case it's just an overwrite to an existing node which
should be OK.
In fact Xend writes the ABI for all frontends including console and vif. But
nowadays only old disk frontends rely on that behaviour so that we only write
the ABI for disk frontends in libxl, minimizing the impact.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Wed, 24 Apr 2013 10:54:01 +0000 (11:54 +0100)]
arm: allocate per-PCPU domheap pagetable pages
the domheap mappings are supposed to be per-PCPU. Therefore xen_pgtable
becomes a per-PCPU variable and we allocate and setup the page tables for each
secondary PCPU just before we tell it to come up.
Each secondary PCPU starts out on the boot page table but switches to its own
page tables ASAP.
The boot PCPU uses the boot pagetables as its own.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: TIm Deegan <tim@xen.org>
Ian Campbell [Wed, 24 Apr 2013 10:53:58 +0000 (11:53 +0100)]
xen: arm: rename xen_pgtable to boot_pgtable
The intention is that in a subsequent patch each PCPU will have its own
pagetables and that xen_pgtable will become a per-cpu variable. The boot
pagetables will become the boot cpu's pagetables.
For now leave a #define in place for those places which semantically do mean
xen_pgtable and not boot_pgtable.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Tim Deegan <tim@xen.org>
Christoph Egger [Wed, 24 Apr 2013 11:19:31 +0000 (12:19 +0100)]
tools/pygrub: Fix install when $(BINDIR) and $(PRIVATE_BINDIR) are the same
Do not override pygrub with a symbolic link in this case.
Signed-off-by: Christoph Egger <chegger@amazon.de> Reviewed-by: Matt Wilson <msw@amazon.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- reworded summary to fit on one line ]
David Scott [Tue, 23 Apr 2013 09:59:26 +0000 (10:59 +0100)]
libxl: Only call stat() when adding a disk if we expect a device to exist.
We consider calling stat() a helpful error check in the following
circumstances only:
1. the disk backend type must be PHYsical
2. the disk backend domain must be the same as the running libxl
code (ie LIBXL_TOOLSTACK_DOMID)
3. there must not be a hotplug script because this would imply that
the device won't be created until after the hotplug script has
run.
With this fix, it is possible to use qemu's built-in block drivers
such as ceph/rbd, with a xl config disk spec like this:
Signed-off-by: David Scott <dave.scott@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Ben Guthro [Wed, 24 Apr 2013 09:41:53 +0000 (11:41 +0200)]
ns16550: delay resume until dom0 ACPI has a chance to run
Check for ioport access, before fully resuming operation, to avoid
spinning in __ns16550_poll when reading the LSR register returns 0xFF
on failing ioport access.
On some systems (like Lenovo T410, and some HP machines of similar vintage)
there is a SuperIO card that provides this legacy ioport on the LPC bus.
In this case, we need to wait for dom0's ACPI processing to run the proper
AML to re-initialize the chip, before we can use the card again.
This may cause a small amount of garbage to be written to the serial log
while we wait patiently for that AML to be executed.
This implementation limits the number of retries, to avoid a situation
where we keep trying over and over again, in the case of some other failure
on the ioport.
Signed-Off-By: Ben Guthro <benjamin.guthro@citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Tue, 23 Apr 2013 09:56:05 +0000 (11:56 +0200)]
x86: remove IS_PRIV_FOR references
The check in guest_physmap_mark_populate_on_demand is redundant, since
its only caller is populate_physmap whose only caller checks the
xsm_memory_adjust_reservation hook prior to calling.
Add a new XSM hook for the other two checks since they allow privileged
domains to arbitrarily map a guest's memory.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (release perspective)
Daniel De Graaf [Tue, 23 Apr 2013 09:54:01 +0000 (11:54 +0200)]
x86/hvm: convert access check for nested HVM to XSM
This adds an XSM hook for enabling nested HVM support, replacing an
IS_PRIV check. This hook is a partial duplicate with the xsm_hvm_param
hook, but using the existing hook would require adding the index to the
hook and would require the use of a custom hook for the xsm-disabled
case (using XSM_OTHER, which is less immediately readable) - whereas
adding a new hook retains the clarity of the existing code.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (release perspective)
Daniel De Graaf [Tue, 23 Apr 2013 09:48:11 +0000 (11:48 +0200)]
cpupool: prevent a domain from moving itself
In the XEN_SYSCTL_CPUPOOL_OP_MOVEDOMAIN operation, the existing check
for domid == 0 should be checking that a domain does not attempt to
modify its own cpupool; fix this by using rcu_lock_remote_domain_by_id.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Juergen Gross <juergen.gross@ts.fujitsu.com>
Len Brown [Mon, 22 Apr 2013 12:00:16 +0000 (14:00 +0200)]
x86/mwait_idle: stop using driver_data for static flags
The (Linux) commit 4202735e8ab6ecfb0381631a0d0b58fefe0bd4e2
(cpuidle: Split cpuidle_state structure and move per-cpu statistics fields)
observed that the MWAIT flags for Cn on every processor to date were the
same, and created get_driver_data() to supply them.
Unfortunately, that assumption is false, going forward.
So here we restore the MWAIT flags to the cpuidle_state table.
However, instead restoring the old "driver_data" field,
we put the flags into the existing "flags" field,
where they probalby should have lived all along.
This patch does not change any operation.
Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Jan Beulich [Mon, 22 Apr 2013 11:58:01 +0000 (13:58 +0200)]
x86/EFI: pass boot services variable info to runtime code
EFI variables can be flagged as being accessible only within boot services.
This makes it awkward for us to figure out how much space they use at
runtime. In theory we could figure this out by simply comparing the results
from QueryVariableInfo() to the space used by all of our variables, but
that fails if the platform doesn't garbage collect on every boot. Thankfully,
calling QueryVariableInfo() while still inside boot services gives a more
reliable answer. This patch passes that information from the EFI boot stub
up to the efi platform code.
Based on a similarly named Linux patch by Matthew Garrett <matthew.garrett@nebula.com>.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Add decompressors based on hypervisor code. This are used in mini-os by
pv-grub.
This enables pv-grub to boot kernels compressed with e.g. xz, which are
becoming more common.
Signed-off-by: Bastian Blank <waldi@debian.org>
Adjusted to use terminology "unsafe" rather than "trusted" to indicate
that the user had better sanitise the data (or not care, as in stub
domains) as suggested by Tim Deegan. This was effectively a sed script.
Minimise the changes to hypervisor code by moving the "compat layer" into the
relevant libxc source files (which include the Xen ones).
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
xen/arm: do not use is_running to decide whether we can write directly to the LR registers
During context switch is_running is set for the next vcpu before the
gic state is actually saved.
This leads to possible nasty races when interrupts need to be injected
after is_running is set to the next vcpu but before the currently
running gic state has been saved from the previous vcpu.
Use current instead of is_running to check which one is the currently
running vcpu: set_current is called right before __context_switch and
schedule_tail with interrupt disabled.
Re-enabled interrupts after ctxt_switch_from, so that all the context
switch saving functions don't have to worry about receiving interrupts
while saving state.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
mini-os/x86-64 entry: check against nested events and try to fix up
In hypervisor_callback, check against event re-entrant.
If we came from the critical region in interrupt context,
try to fix up by coalescing the two stack frames.
The execution is resumed as if the second event never happened.
Signed-off-by: Xu Zhang <xzhang@cs.uic.edu> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
mini-os/x86-64 entry: defer RESTORE_REST until return
No need to do a RESTORE_REST at this point because if we saw pending
events after we enabled event delivery, we have to do a SAVE_REST again.
Instead, we do a "lazy" RESTORE_REST, deferring it until actual return.
The offset of saved-on-stack rflags register is changed as well.
Signed-off-by: Xu Zhang <xzhang@cs.uic.edu> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
projects / xen.git / log