Michal Orzel [Thu, 30 Sep 2021 06:52:30 +0000 (08:52 +0200)]
xsa-227: Fix link to XSA-227 web page
Current link is invalid and gives the following error:
"The requested URL was not found on this server."
Fix it.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
XSA-227 was first written before c/s 487bce87eda33 "Docs: Fix the generated
advisory links" but upstreamed later, hence the missing of the tree-wide
cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 17 Aug 2021 20:55:01 +0000 (21:55 +0100)]
common: Move {BITS,BYTES}_PER_LONG into limits.h
We're already using compiler-provided __*_TYPE__ macros, so instead of basing
BYTES_PER_LONG on __i386__ or __x86_64__, just use __SIZEOF_LONG__ directly.
This form doesn't require editing to add different architectures.
Add some build assertions that we have a half-way sane compile environment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 10 May 2021 17:03:09 +0000 (18:03 +0100)]
common: Make a weak default for arch_crash_hard()
arch_crash_hard() is used from common code, and in the most basic case can
just be an infinite loop. Both x86 PV and HVM keep their more specific
implementations.
Move the declaration from arch/traps.h to framework.h
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 1 Jul 2021 12:12:34 +0000 (13:12 +0100)]
build: Fix build when only python3 is available
The shebang lines in the python scrips - xtf-runner in particular - still need
work, but this at least fixes `make` on systems without `python` on $PATH.
Default to python3 in CI too.
Reported-by: Pranjal Singh <008pranjalsingh@gmail.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Pranjal Singh <008pranjalsingh@gmail.com>
Andrew Cooper [Wed, 19 May 2021 21:08:59 +0000 (22:08 +0100)]
Work around GCC issue 99578
GCC 11.1 objects to pointers derived from a constant:
error: '__builtin_memcpy' offset [0, 7] is out of the bounds [0, 0] [-Werror=array-bounds]
This is a GCC bug, but work around it rather than turning array-bounds
checking off generally.
Reported-by: Damien Thenot <damien.thenot@vates.fr> Reported-by: Christopher Clark <christopher.w.clark@gmail.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Christopher Clark <christopher.w.clark@gmail.com>
Andrew Cooper [Mon, 17 May 2021 09:48:57 +0000 (10:48 +0100)]
build: Fix build with binutils 2.36
Passing -no-pie to ld has never been correct, and binutils 2.36 now objects
properly to it. https://sourceware.org/bugzilla/show_bug.cgi?id=27050
When this workaround was introduced, we used $(CC) to link, but this was
adjusted back to $(LD) with c/s 8486a388e2 ("build: Use LD").
However, the adjustment should always have been passed to the compile step,
not the link step. Move the adjustment into COMMON_CFLAGS.
Fixes: c92015f8ab ("build: disable PIE during linking if necessary") Fixes: 8486a388e2 ("build: Use LD") Reported-by: Damien Thenot <damien.thenot@vates.fr> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Wed, 5 May 2021 06:34:16 +0000 (08:34 +0200)]
Fix issue with clang --target when cross compiling using LLVM
When using LLVM and cross compiling, the CC expands to:
clang --target=<target_triple>
Example of target triple: aarch64-linux-gnu.
However the current code assigning --target based on the
cross compiler does not work if we pass the full path to
CROSS_COMPILE. In this case the build fails.
Fix the issue so that when cross compiling using LLVM
only the basename of cross compiler path is used.
Closes #2
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
main.c:164:15: warning: Although the value stored to 'cr4' is used in the enclosing expression, the value is never actually read from 'cr4' [deadcode.DeadStores]
write_cr4(cr4 &= ~X86_CR4_DE);
^ ~~~~~~~~~~~
Rework all impacted logic avoid dead stores of this form.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 00:36:20 +0000 (01:36 +0100)]
gnttab: Fix scan-build core.CallAndMessage issues
scan-build complains:
arch/x86/grant_table.c:41:17: warning: 1st function call argument is an uninitialized value [core.CallAndMessage]
pte_from_gfn(gnttab_gfns[i], PF_SYM(AD, RW, P)), UVMF_INVLPG);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
because it can't observe that GNTTABOP_setup_table fills the variable on its
success path.
Initialising the array (which is currently one entry) isn't trivial because
the array is variadic. Drop the nr_frames variable and use the sizeof()
expression directly, to create compile-time constant size.
A similar issue is reported against xsa-255, but this is trivial to resolve.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 15:55:09 +0000 (16:55 +0100)]
Drop dependency on gcc-multilib
inttypes.h in particular isn't a freestanding header, and certain distros have
problems providing suitable freestanding headers anyway. This also gets more
complicated as we start supporting other architectures.
Take the plunge and switch to entirely local headers only.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 17:05:05 +0000 (18:05 +0100)]
Fix LGTM static analysis issues
* xtf-runner: Class TestInstance implements __hash__ but does not define __eq__.
* mkinfo.py: Import of 'os' is not used.
LGTM also complains about gdt/idt/tss being global symbols with too-short
names. As they're the most appropriate architectural names, insert
suppression comments.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Wed, 10 Mar 2021 10:43:32 +0000 (11:43 +0100)]
xtf: Perform misc code cleanup
* Define macro ALIGN to set alignment. Header file asm_macros.h should not
contain architecture specific code. Replace hardcoded alignment value with
a call to macro ALIGN.
* Move declaration of shared_info into xtf/traps.h. Declaration of
shared_info structure should be placed in xtf/traps.h as it is a common
declaration for all the possible architectures.
* Do not protect including <arch/barrier.h>. We should always include
<arch/barrier.h> and rely on the compiler to throw an error. This would
avoid increasing #if protection each time we would add a new architecture.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
[Also implement HYPERCALL0 as it is frequently opencoded] Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 11 Nov 2020 12:57:45 +0000 (12:57 +0000)]
hypercall: Refine fix for Clang code generation bug
It was incorrect to switch "=a" to "+a" and set up hcall, as the hypercall
number is encoded in the offset within hypercall_page. Switch res back to
just an output.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 6 Nov 2020 18:53:39 +0000 (18:53 +0000)]
hypercall: Work around Clang code generation bug
_hypercall64_4() is mis-compiled by some versions of Clang (5 is ok, 9 and
later not), in a way which breaks the XSA-286 PoC.
Clang loses the association between argument 4 being in %r10 between the input
"a" (_a4) and the output "=&r" (__ign4), so while the input is handled
correctly, the clobber on the output is missed.
In the XSA-286, PoC, this causes clang to hoist the setting of DOMID_SELF out
of the loop, and the test subsequently to malfunction on debug versions of Xen
which intentionally clobber the hypercall parameters.
Rewrite the hypercall macros to a single "+r" parameter form, rather than dual
input/output form, which causes all tested versions of Clang to set up %r10 on
each loop iteration.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 23 Sep 2020 13:09:03 +0000 (14:09 +0100)]
Adjust XSA-221 PoC based on XSA-343 behaviour change
XSA-343 has made SCHEDOP_poll fail for un-established event channels, which is
reasonable behaviour. Don't bother trying to audit the error codes, and
always run to the end of the loop.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 5 Jun 2020 19:20:50 +0000 (20:20 +0100)]
Remove ambiguous uses of iret/lret
GAS of at least version 2.34 complains:
Warning: no instruction mnemonic suffix given and no register operands; using default for `lret'
This is legitimate, as without a suffix, there are up to 3 possible encodings
actually meant.
Use l/q suffixes as appropriate, using __ASM_SEL() in cases where we need to
conditionally select between the suffixes. Use the same trick to clean up
some code32/64 statements.
Sadly, this cannot be done for the single ambiguous use of lcall, because
lcallq isn't accepted as a valid mnemonic. Leave the XSA-298 PoC as it is.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
There are a number of ways to do this, but by far the most efficient way is to
have vsnprintf() expand \n's in the output buffer.
This however is non-standard behaviour for vsnprintf(). Rename it to
vsnprintf_internal() and take extra flags, and have vprintk() use the new
LF_TO_CRLF control flag.
Inside vsnprintf_internal(), rearrange the non-format and %c logic to share
the expansion logic, as well as extending the logic to fmt_string().
Extend the selftests to confirm correct behaviour in both modes, for all ways
of being able to pass newline characters into a format operation.
Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 4 Jun 2020 17:36:57 +0000 (18:36 +0100)]
Fix assembler type warnings with newer binutils
GAS of at least version 2.34 complains:
hypercall_page.S: Assembler messages:
hypercall_page.S:24: Warning: symbol 'HYPERCALL_set_trap_table' already has its type set
...
hypercall_page.S:71: Warning: symbol 'HYPERCALL_arch_7' already has its type set
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 27 Apr 2020 13:57:35 +0000 (14:57 +0100)]
xtf-runner: Python3 fix when not specifying --quiet
Andy reports:
Combined test results:
Traceback (most recent call last):
File "./xtf-runner", line 716, in <module>
sys.exit(main())
File "./xtf-runner", line 711, in main
return run_tests(opts)
File "./xtf-runner", line 559, in run_tests
if res == "SUCCESS" and opts.quiet >= 2:
TypeError: '>=' not supported between instances of 'NoneType' and 'int'
Reported-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Currently the xenbus_write() does not handle ring wrapping around
correctly. When ring buffer is almost full and there is not enough
space for next packet (e.g. there is 12 bytes of space left, but the
packet header needs to transmit 16 bytes) the memcpy() goes out of the
ring buffer boundry.
Instead, the part variable should be limited to the space available in
the ring buffer, so the memcpy() can fill up the buffer, update len
variable (to indicate that there is still some data to be copied) and
thereby the xenbus_write() loop can iterate again to finish copying
the remainder of data to the beginning of the ring buffer.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 17 Feb 2020 09:48:26 +0000 (09:48 +0000)]
Fix asm constraints for push/pop instructions
There are several issues with 64bit builds. Correct the types/constraints to
prohibit encoding 32bit registers, and immediates which can't be represented
as a 32bit signed extended number.
Introduce asm_checks() in selftest as a build-time check for constraint corner
cases, to be extended as needed.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 7 May 2019 10:19:58 +0000 (11:19 +0100)]
Use named asm parameters for _ASM_EXTABLE_HANDLER()
LTO builds need to know that ex_record_fault_{eax,edi} are referenced from
within asm, to avoid the functions being discarded.
Previously, this was done with an "X" parameter listing the function twice,
but this can lead to copy/paste mistakes. Instead, use a named parameter and
the "p" type and "P" modifier, which works compatibly between GCC and Clang.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 16 May 2019 18:12:33 +0000 (18:12 +0000)]
Simplify the unhandled_exception handling for tests
Tests, being single-purpose by their very nature, don't in practice use the
flexibility to change the unhandled exception hook. Furthermore, updating the
pointer has to be done carefully (i.e. with compiler barriers) because the
compiler doesn't see any connection between the hook and surrounding code
which may fault.
Switch to the using method already used by the syscall infrastructure and use
a single weak do_unhandled_exception() function which may be overridden by
guests wanting to implement their own custom behaviour.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 10 May 2019 16:22:15 +0000 (16:22 +0000)]
Misc trivial code cleanup
* Use named asm parameters for non-trivial blocks
* "=r" (x) : "r" (x) is more commonly "+r" (x)
* Correct the header guard in x86-gate.h
* Remove brackets from absolute memory addresss
* Use unsigned int rather than unsigned long and forcing back to int with %k
* Drop unused ex_record_fault_eax reference
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Sat, 11 May 2019 18:20:34 +0000 (19:20 +0100)]
libc: Fix strcmp() ABI violations
The C standard specifies that strcmp() interprets the provided strings as
unsigned char, rather than signed. This affects the result when used on
strings with the high bit set.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Fri, 11 Jan 2019 09:50:20 +0000 (02:50 -0700)]
nested-vmx: exceptions take priority over VMFail*
The way the instruction invocations are coded, it is compiler version
dependent whether things work: With old gcc, fail_{,in}valid will not
get touched and hence remain at their initial values, while with newer
gcc evaluation of the status flags occurs outside of the asm(), i.e.
also when an exception was received (in which case EFLAGS didn't change
from its value before the faulting instruction).
Since it is more logical anyway to check for a possible exception first,
do so uniformly instead of trying to fiddle with the asm() in some way.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
projects / xtf.git / log