Oleksii Kurochko [Wed, 20 Dec 2023 14:08:29 +0000 (16:08 +0200)]
xen: ifdef inclusion of <asm/grant_table.h> in <xen/grant_table.h>
Ifdef-ing inclusion of <asm/grant_table.h> allows avoiding
generation of empty <asm/grant_table.h> for cases when
CONFIG_GRANT_TABLE is not enabled.
The following changes were done for Arm:
<asm/grant_table.h> should be included directly because it contains
gnttab_dom0_frames() macro which is unique for Arm and is used in
arch/arm/domain_build.c.
<asm/grant_table.h> is #ifdef-ed with CONFIG_GRANT_TABLE in
<xen/grant_table.h> so in case of !CONFIG_GRANT_TABLE gnttab_dom0_frames
won't be available for use in arch/arm/domain_build.c.
xen/arm: smmu-v3: address violations of MISRA C:2012 Rule 16.3
Add a break statement at the end of the switch-clauses to address
violations of MISRA C:2012 Rule 16.3 ("An unconditional `break'
statement shall terminate every switch-clause").
No functional change.
Juergen Gross [Tue, 12 Dec 2023 16:27:02 +0000 (17:27 +0100)]
xen: remove asm/unaligned.h
With include/xen/unaligned.h now dealing properly with unaligned
accesses for all architectures, asm/unaligned.h can be removed and
users can be switched to include xen/unaligned.h instead.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Tue, 12 Dec 2023 16:27:01 +0000 (17:27 +0100)]
xen: make include/xen/unaligned.h usable on all architectures
Instead of defining get_unaligned() and put_unaligned() in a way that
is only supporting architectures allowing unaligned accesses, use the
same approach as the Linux kernel and let the compiler do the
decision how to generate the code for probably unaligned data accesses.
Update include/xen/unaligned.h from include/asm-generic/unaligned.h of
the Linux kernel.
The generated code has been checked to be the same on x86.
Modify the Linux variant to not use underscore prefixed identifiers,
avoid unneeded parentheses and drop the 24-bit accessors.
Add the definition of __packed to xg_dom_decompress_unsafe_zstd.c in
libxenguest as it is using a cruel hack to reuse the hypervisor's
decompressing code for stubdom.
Roger Pau Monne [Thu, 21 Dec 2023 10:08:31 +0000 (11:08 +0100)]
x86/amd: Extend CPU erratum #1474 fix to more affected models
Erratum #1474 has now been extended to cover models from family 17h ranges
00-2Fh, so the errata now covers all the models released under Family
17h (Zen, Zen+ and Zen2).
Additionally extend the workaround to Family 18h (Hygon), since it's based on
the Zen architecture and very likely affected.
Rename all the zen2 related symbols to fam17, since the errata doesn't
exclusively affect Zen2 anymore.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
is unwieldy and likely meaningless to non-Xen developers. Therefore:
* Switch to IS_ENABLED(). There's no need for full #ifdef-ary.
* Pull memchr_inv() out into the if(), and provide an error message which
clearly states that corruption has been found.
* XMEM_POOL_POISON can be enabled in release builds. Use printk()+BUG() so
it doesn't silently stop working when assertions are compiled out.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
Nicola Vetrini [Thu, 21 Dec 2023 10:48:18 +0000 (11:48 +0100)]
docs/misra: exclude files inherited from ACPI CA from MISRA compliance
The files under 'include/acpi/ac*.h' and 'include/acpi/plaform/ac*.h'
are inherited from Linux and ACPI CA, therefore they are not subject to
MISRA compliance at the moment.
Jan Beulich [Thu, 21 Dec 2023 10:47:41 +0000 (11:47 +0100)]
x86/platform: tidy do_platform_op() a little
The function has a few stray scopes and inconsistent use (indentation)
of break statements. Drop the stray braces and bring all the break-s in
line with one another. This in particular means dropping a redundant
break from XENPF_cpu_offline handling, pleasing Misra C:2012 rule 2.1.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 21 Dec 2023 10:47:10 +0000 (11:47 +0100)]
x86/mm: use "break" in arch_memory_op()
The final return statement is unreachable and hence disliked by Misra
C:2012 (rule 2.1). Convert those case-specific (main) return statements
which already use "rc", or in one case when it can be used without
further adding of code, to break.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Add per-domain d->pci_lock that protects access to
d->pdev_list. Purpose of this lock is to give guarantees to VPCI code
that underlying pdev will not disappear under feet. This is a rw-lock,
but this patch adds only write_lock()s. There will be read_lock()
users in the next patches.
This lock should be taken in write mode every time d->pdev_list is
altered. All write accesses also should be protected by pcidevs_lock()
as well. Idea is that any user that wants read access to the list or
to the devices stored in the list should use either this new
d->pci_lock or old pcidevs_lock(). Usage of either of these two locks will
ensure only that pdev of interest will not disappear from under feet
and that the pdev still will be assigned to the same domain. Of
course, any new users should use pcidevs_lock() when it is
appropriate (e.g. when accessing any other state that is protected by
the said lock). In case both the newly introduced per-domain rwlock
and the pcidevs lock are taken, the latter must be acquired first.
Suggested-by: Roger Pau Monné <roger.pau@citrix.com>
Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@amd.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
Previously pci_enable_msi() function obtained pdev pointer by itself,
but taking into account upcoming changes to PCI locking, it is better
when caller passes already acquired pdev pointer to the function,
because caller knows better how to obtain the pointer and which locks
are needed to be used. Also, in most cases caller already has pointer
to pdev, so we can avoid an extra list walk.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@amd.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 21 Dec 2023 10:44:55 +0000 (11:44 +0100)]
amd-vi: set IOMMU page table levels based on guest reported paddr width
However take into account the minimum number of levels required by unity maps
when setting the page table levels.
The previous setting of the page table levels for PV guests based on the
highest RAM address was bogus, as there can be other non-RAM regions past the
highest RAM address that need to be mapped, for example device MMIO.
For HVM we also take amd_iommu_min_paging_mode into account, however if unity
maps require more than 4 levels attempting to add those will currently fail at
the p2m level, as 4 levels is the maximum supported.
Fixes: 0700c962ac2d ('Add AMD IOMMU support into hypervisor')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 21 Dec 2023 10:44:04 +0000 (11:44 +0100)]
x86/p2m: move and rename paging_max_paddr_bits()
The function also supports non-paging domains, and hence it being placed in
p2m.h and named with the paging_ prefix is misleading.
Move to x86 domain.c and rename to domain_max_paddr_bits(). Moving to a
different header is non trivial, as the function depends on helpers declared in
p2m.h. There's no performance reason for the function being inline.
Note the function is safe to use against PV or system domains, as it does check
whether the domain is using external paging, and if not the returned physical
address width is the host (native) value.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
tools/xg: Reserialise CPU policies with the allocated number of leaves.
The procedure used to customize the domain CPU policy is broken when
toolstack tries to set leaves (with subleaves) that the hypervisor didn't
need to serialise (i.e: because they were empty subleaves).
During typical domain creation xg does the following:
1. Probe Xen for max #leaves that a policy may have
2. Allocate memory for that many leaves
3. Tell the hypervisor to dump the policy in the allocated buffer
4. Deserialise it
5. Modify it
6. Reserialise it
7. Send it back to Xen
The problem is that (3) overrides nr_leaves, which then makes (6) fail in
the case where (5) has added subleaves that Xen understands but didn't need
to serialize on (3).
The fix uses an opaque CPU policy object so we can (a) avoid probing Xen
for sizes, and (b) trivially have knowledge of the actual size of the
buffer.
While at it, fix xc_cpu_policy_destroy() to preserve errno across free()
Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
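The failure mode in steps (3) to (6) above, as an added example that is not part of the commit or of libxenguest: a constructed model in which the serialiser's count argument is capacity on input and entries written on output. The names `serialise`, `deserialise`, `customise` and `MAX_LEAVES` are hypothetical, and the "fixed" path simply keeps the allocated size around rather than using the opaque policy object the commit introduces.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LEAVES 8u                          /* constructed bound, steps 1-2 */

struct leaf   { uint32_t idx, val; };          /* one serialised entry */
struct policy { uint32_t val[MAX_LEAVES]; };   /* slot i = leaf i, 0 = empty */

/* Write only non-empty leaves. *nr is the buffer capacity on entry and the
 * number of entries written on success. */
static int serialise(const struct policy *p, struct leaf *buf, uint32_t *nr)
{
    uint32_t i, used = 0;

    for ( i = 0; i < MAX_LEAVES; i++ )
    {
        if ( !p->val[i] )
            continue;                          /* empty leaves are skipped */
        if ( used == *nr )
            return -ENOBUFS;                   /* caller said: no room left */
        buf[used].idx = i;
        buf[used].val = p->val[i];
        used++;
    }
    *nr = used;
    return 0;
}

static void deserialise(struct policy *p, const struct leaf *buf, uint32_t nr)
{
    uint32_t i;

    for ( i = 0; i < MAX_LEAVES; i++ )
        p->val[i] = 0;
    for ( i = 0; i < nr; i++ )
        p->val[buf[i].idx] = buf[i].val;
}

/* Steps 3-6 of the procedure. keep_capacity == 0 reuses the count written by
 * the dump as the capacity for the reserialise; != 0 restores the real size. */
static int customise(int keep_capacity, uint32_t *nr_out)
{
    const struct policy host = { .val = { 1, 2, 0, 0, 5 } }; /* constructed */
    struct leaf buf[MAX_LEAVES];
    struct policy p;
    const uint32_t allocated = MAX_LEAVES;
    uint32_t nr = allocated;
    int rc;

    rc = serialise(&host, buf, &nr);           /* step 3: nr becomes 3 */
    if ( rc )
        return rc;
    deserialise(&p, buf, nr);                  /* step 4 */
    p.val[3] = 7;                              /* step 5: fill an empty leaf */
    if ( keep_capacity )
        nr = allocated;                        /* buffer really holds 8 */
    rc = serialise(&p, buf, &nr);              /* step 6: needs 4 entries */
    *nr_out = nr;
    return rc;
}

int main(void)
{
    uint32_t nr;
    int rc = customise(0, &nr);

    printf("count reused as capacity: rc=%d nr=%u\n", rc, (unsigned)nr);
    rc = customise(1, &nr);
    printf("allocated size kept:      rc=%d nr=%u\n", rc, (unsigned)nr);
    return 0;
}
```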
Andrew Cooper [Fri, 15 Dec 2023 08:42:01 +0000 (08:42 +0000)]
driver/char: Drop run_in_exception_handler() ifdefary
Since commit 60a9b0715055 ("xen: introduce CONFIG_GENERIC_BUG_FRAME"), the new
common bug.h provides an implementation of run_in_exception_handler() in all
cases, making the #else here dead.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 23 Nov 2023 16:28:36 +0000 (16:28 +0000)]
tools/pygrub: Drop compatibility symlink
This was deprecated in commit 10c88f1c18b7 ("tools: Install pv bootloaders in
libexec rather than /usr/bin") and caused to warn in commit c31d6a7ee2ea
("libxl: Warn that /usr/bin/pygrub is deprecated"), both in 2012.
New versions of RPM warn against absolute symlinks, so take out fully, 11
years later.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
xen/arm: mmu: address a violations of MISRA C:2012 Rule 16.3
Add missing break at the end of the switch-clause to address a
violation of MISRA C:2012 Rule 16.3 ("An unconditional `break'
statement shall terminate every switch-clause").
No functional change.
Add missing break statements to address violations of Rule 16.3.
Add pseudo-keyword "fallthrough" to make explicit the intended
behavior and satisfy the requirements to deviate Rule 16.3.
No functional change.
xen/arm: gic-v3: address violations of MISRA C:2012 Rule 16.3
Add the pseudo-keyword fallthrough to meet the requirements to
deviate Rule 16.3 ("An unconditional `break' statement shall terminate
every switch-clause").
No functional change.
xen/common: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Change cast type from void* to uintptr_t.
void* type cast resulted in violation of the Rule, a cast to type uintptr_t
is more appropriate type-wise.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Function ERR_CAST contains a violation of MISRA C:2012 Rule 11.8,
whose headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Since the function has no users, it is appropriate to remove it.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
The macro 'container_of' violates the Rule because it casts away any
qualifier to do pointer arithmetic, but making the macro definition compliant
would add additional complexity, therefore a deviation is introduced.
xen/arm: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
The variables are originally const-qualified.
There's no reason to drop the qualifiers.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:32 +0000 (11:17 +0100)]
xen/arm: vcpreg: address violation of MISRA C Rule 2.1
There is no path that reaches the call to 'advance_pc', thus violating MISRA C
Rule 2.1.
A call to ASSERT_UNREACHABLE() is added after the switch, despite this being
useful to detect errors only in debug builds; if that marker is ever reached,
a domain crash is triggered, as a defensive coding measure.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:30 +0000 (11:17 +0100)]
xen/arm: traps: add ASSERT_UNREACHABLE() where needed
The statements after a call to the noreturn function 'do_unexpected_trap'
can't be reached, thus violating MISRA C:2012 Rule 2.1
("A project shall not contain unreachable code.").
ASSERT_UNREACHABLE() is used to signal that the unreachable break-s are used as
a defensive coding measure to prevent inadvertent fallthrough.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:29 +0000 (11:17 +0100)]
xen/arm: address MISRA C:2012 Rule 2.1
There are no paths that can reach the last return statement
of function 'vgic_v3_its_mmio_write' in 'vcig-v3-its.c' and
'arch_memory_op' in 'arch/arm/mm.c', thus violating
MISRA C:2012 Rule 2.1:
"A project shall not contain unreachable code".
Therefore, an ASSERT_UNREACHABLE() is inserted to remove the unreachable
return statement and protect against possible mistakes.
Nicola Vetrini [Mon, 18 Dec 2023 15:06:12 +0000 (16:06 +0100)]
xen: move declaration of first_valid_mfn to xen/numa.h
Such declaration is moved in order to provide it for Arm and PPC,
whilst not violating MISRA C:2012 Rule 8.4 in common/page_alloc.c:
"A compatible declaration shall be visible when an object or
function with external linkage is defined".
Exclude efibind.h for all the architectures: it is used to build the
efi stub, which is a separate entry point for Xen when booted from EFI
firmware.
Remove redundant entries from out_of_scope.ecl.
Exclude common/coverage: it is code to support gcov, hence it is part
of the testing machinery.
Exclude decompress.h: file ported from Linux that defines a unique and
documented interface towards all the (adopted) decompress functions.
Jens Wiklander [Wed, 13 Dec 2023 10:31:35 +0000 (11:31 +0100)]
xen/arm: ffa: return fpi size from FFA_PARTITION_INFO_GET
Until now FFA_PARTITION_INFO_GET has always returned zero in w3, but
FF-A v1.1 requires FFA_PARTITION_INFO_GET to return the size of each
partition information descriptor returned if
FFA_PARTITION_INFO_GET_COUNT_FLAG isn't set.
The SPMC queried with FFA_PARTITION_INFO_GET must also return the each
partition information descriptor returned so fix this by passing along
the same value.
Jan Beulich [Tue, 19 Dec 2023 12:51:40 +0000 (13:51 +0100)]
x86: don't open-code max_page calculation nor pfn_to_paddr()
As observed by Roger while reviewing a somewhat related change, there's
no need here either to open-code the (largely, i.e. once setup_max_pdx()
was called) fixed relationship between max_pdx and max_page. Further we
can avoid open-coding pfn_to_paddr() here.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monné [Tue, 19 Dec 2023 12:48:09 +0000 (13:48 +0100)]
iommu/vt-d: do not assume page table levels for quarantine domain
Like XSA-445, do not assume IOMMU page table levels on VT-d are always set
based on DEFAULT_DOMAIN_ADDRESS_WIDTH and instead fetch the value set by
intel_iommu_domain_init() from the domain iommu structure. This prevents
changes to intel_iommu_domain_init() possibly getting the levels out of sync
with what intel_iommu_quarantine_init() expects.
No functional change, since on Intel domains are hardcoded to use
DEFAULT_DOMAIN_ADDRESS_WIDTH.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 19 Dec 2023 12:47:38 +0000 (13:47 +0100)]
x86: allow non-BIGMEM configs to boot on >= 16Tb systems
While frame table setup, directmap init, and boot allocator population
respect all intended bounds, the logic passing memory to the heap
allocator which wasn't passed to the boot allocator fails to respect
max_{pdx,pfn}. This then typically triggers the BUG() in
free_heap_pages() after checking page state, because of hitting a struct
page_info instance which was set to all ~0.
Of course all the memory above the 16Tb boundary is still going to
remain unused; using it requires BIGMEM=y. And of course this fix
similarly ought to help BIGMEM=y configurations on >= 123Tb systems
(where all the memory beyond that boundary continues to be unused).
Fixes: bac2000063ba ("x86-64: reduce range spanned by 1:1 mapping and frame table indexes")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
x86/hvm: address a violation of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Remove unnecessary cast.
from is a const-qualified pointer to void and the function hvm_copy_to_guest_linear
requires a const void* type argument, therefore the cast to void* is not necessary.
No functional change.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
x86/boot: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
Macro get_mb2_data returns values that are const-qualified.
The results are stored in const struct pointers, hence
there's no need to cast away the const qualifiers.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
xen/efi: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
The variables are originally const-qualified.
There's no reason to drop the qualifiers.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arm64: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add volatile qualifiers missing in casts.
Arguments p and ptr are originally volatile-qualified.
There's no reason to drop the qualifiers.
No functional change.
xen/x86_emulate: address violations of MISRA C:2012 Rule 14.4
The xen sources contain violations of MISRA C:2012 Rule 14.4 whose
headline states:
"The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type".
Add comparisons to avoid using enum constants as controlling expressions
to comply with Rule 14.4.
No functional change.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Oleksii Kurochko [Mon, 18 Dec 2023 14:19:01 +0000 (15:19 +0100)]
xen: fix compilation issue of serial.c
The following issue occurs on RISC-V platforms:
drivers/char/serial.c: In function 'serial_tx_interrupt':
drivers/char/serial.c:88:9: error: implicit declaration of function 'cpu_relax' [-Werror=implicit-function-declaration]
88 | cpu_relax();
cpu_relax() is defined in <asm/processor.h> so an inclusion of
the header was added to serial.c.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
The file exclude-list.json contains files that are classified as
adopted code for MISRA compliance. Therefore, this file is used to
automatically generate a suitable .ecl configuration for ECLAIR.
As such, many entries in out_of_scope.ecl can be removed, as they
would be duplicates.
Jan Beulich [Thu, 14 Dec 2023 09:56:07 +0000 (10:56 +0100)]
smp: move cpu_is_offline() definition
It's all the same for the 3 arch-es which have it, and RISC-V would
introduce a 4th instance. Put it in xen/smp.h instead, while still
permitting asm/smp.h to define a custom variant if need be.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@cloud.com>
Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Acked-by: Julien Grall <jgrall@amazon.com>
Juergen Gross [Thu, 14 Dec 2023 09:55:24 +0000 (10:55 +0100)]
tools/libs/evtchn: fix locking in Mini-OS
When adding locking to tools/libs/evtchn/minios.c a semaphore was
used. This can result in deadlocks, as the lock is taken inside the
event handler, which can interrupt an already locked region.
The fix is rather simple, as Mini-OS is supporting a single vcpu
only. So instead of the semaphore it is enough to disable interrupts
when operating on the port list.
Fixes: bc4fe94a69d4 ("ools/libs/evtchn: replace assert()s in stubdom with proper locking")
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Jens Wiklander [Wed, 13 Dec 2023 10:32:41 +0000 (11:32 +0100)]
xen/arm: ffa: return FFA_RET_NOT_SUPPORTED on unhandled calls
Until now an unsupported FF-A request has been reported back with
ARM_SMCCC_ERR_UNKNOWN_FUNCTION in register x0. A FF-A caller would
rather expect FFA_ERROR in x0 and FFA_RET_NOT_SUPPORTED in x2 so update
ffa_handle_call() to return true and with the cpu_user_regs updated.
xen/arm: don't pass iommu properties to hwdom for iommu-map
A device tree node for a PCIe root controller may have an iommu-map property [1]
with a phandle reference to the SMMU node, but not necessarily an iommus
property. In this case, we want to treat it the same as we currently handle
devices with an iommus property: don't pass the iommu related properties to
hwdom.
xen/arm: smmu: move phys_addr_t definition to linux-compat.h
Both smmu and smmu-v3 (ported from Linux) define the typedef name
"phys_addr_t": move the type definition to the common header
linux-compat.h to address violations of MISRA C:2012 Rule 5.6
("A typedef name shall be a unique identifier").
No functional change.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Suggested-by: Julien Grall <julien@xen.org>
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
AMD/IOMMU: address violations of MISRA C:2012 Rule 8.2
Add missing parameter names to address violations of MISRA C:2012
Rule 8.2. Remove trailing spaces and use C standard types to comply
with XEN coding style. No functional change.
Michal Orzel [Thu, 23 Nov 2023 14:53:02 +0000 (15:53 +0100)]
xen/arm: page: Avoid pointer overflow on cache clean & invalidate
On Arm32, after cleaning and invalidating the last dcache line of the top
domheap page i.e. VA = 0xfffff000 (as a result of flushing the page to
RAM), we end up adding the value of a dcache line size to the pointer
once again, which results in a pointer arithmetic overflow (with 64B line
size, operation 0xffffffc0 + 0x40 overflows to 0x0). Such behavior is
undefined and given the wide range of compiler versions we support, it is
difficult to determine what could happen in such scenario.
Modify clean_and_invalidate_dcache_va_range() as well as
clean_dcache_va_range() and invalidate_dcache_va_range() due to similarity
of handling to prevent pointer arithmetic overflow. Modify the loops to
use an additional variable to store the index of the next cacheline.
Add an assert to prevent passing a region that wraps around which is
illegal and would end up in a page fault anyway (region 0-2MB is
unmapped). Lastly, return early if size passed is 0.
Note that on Arm64, we don't have this problem given that the max VA
space we support is 48-bits.
This is XSA-447 / CVE-2023-46837.
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
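The wrap described in the XSA-447 message above, as an added example that is not the Xen code or part of the commit: a constructed model that holds 32-bit addresses in `uint32_t` so the overflow is well defined and observable, and compares a loop that advances the address itself with one that advances an index. `flush_cursor`, `flush_indexed`, `touch_line` and `struct flush_trace` are hypothetical names, and the wrap check returns `false` where the commit uses an assert.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: with real pointers the arithmetic flagged below is
 * undefined behaviour; uint32_t makes the wrap visible instead. */
#define LINE_BYTES 0x40u               /* 64B dcache line, as in the message */
#define LINE_MASK  (LINE_BYTES - 1u)

struct flush_trace {
    unsigned int lines;     /* cache lines maintained */
    uint32_t last_va;       /* address of the last line maintained */
    bool cursor_wrapped;    /* the address cursor stepped past 0xffffffff */
};

/* Hypothetical stand-in for one clean/invalidate instruction. */
static void touch_line(struct flush_trace *t, uint32_t va)
{
    t->lines++;
    t->last_va = va;
}

/* Cursor style: the address advances once per line, including once more
 * after the final line has been handled. */
static struct flush_trace flush_cursor(uint32_t va, uint32_t size)
{
    struct flush_trace t = { 0 };
    uint64_t left = ((uint64_t)size + (va & LINE_MASK) + LINE_MASK) &
                    ~(uint64_t)LINE_MASK;

    va &= ~LINE_MASK;
    for ( ; left >= LINE_BYTES; left -= LINE_BYTES )
    {
        touch_line(&t, va);
        if ( va > UINT32_MAX - LINE_BYTES )
            t.cursor_wrapped = true;   /* 0xffffffc0 + 0x40 -> 0x0 */
        va += LINE_BYTES;
    }
    return t;
}

/* Index style: the base stays fixed and only an offset grows, so no address
 * beyond the last line of the region is ever formed. */
static bool flush_indexed(uint32_t va, uint32_t size, struct flush_trace *t)
{
    uint64_t span, idx;

    *t = (struct flush_trace){ 0 };
    if ( size == 0 )
        return true;                           /* early return, nothing to do */
    if ( (uint32_t)(va + (size - 1)) < va )
        return false;                          /* region wraps around */

    span = (uint64_t)size + (va & LINE_MASK);
    va &= ~LINE_MASK;
    for ( idx = 0; idx < span; idx += LINE_BYTES )
        touch_line(t, va + (uint32_t)idx);
    return true;
}

int main(void)
{
    /* Top page of a 32-bit address space, as in the commit message. */
    struct flush_trace a = flush_cursor(0xfffff000u, 0x1000u), b;
    bool ok = flush_indexed(0xfffff000u, 0x1000u, &b);

    printf("cursor: lines=%u last=%#x wrapped=%d\n",
           a.lines, (unsigned)a.last_va, a.cursor_wrapped);
    printf("index:  ok=%d lines=%u last=%#x\n",
           ok, b.lines, (unsigned)b.last_va);
    return 0;
}
```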
Henry Wang [Thu, 7 Dec 2023 16:20:36 +0000 (00:20 +0800)]
MAINTAINERS: Hand over the release manager role to Oleksii Kurochko
I've finished the opportunity to do two releases (4.17 and 4.18)
and Oleksii Kurochko has volunteered to be the next release manager.
Hand over the role to him by changing the maintainership of the
CHANGELOG.md.
Signed-off-by: Henry Wang <Henry.Wang@arm.com>
Acked-by: Julien Grall <jgrall@amazon.com>
Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Juergen Gross [Mon, 11 Dec 2023 13:16:16 +0000 (14:16 +0100)]
xen: remove asm/unaligned.h
With include/xen/unaligned.h now dealing properly with unaligned
accesses for all architectures, asm/unaligned.h can be removed and
users can be switched to include xen/unaligned.h instead.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Mon, 11 Dec 2023 13:16:15 +0000 (14:16 +0100)]
xen: make include/xen/unaligned.h usable on all architectures
Instead of defining get_unaligned() and put_unaligned() in a way that
is only supporting architectures allowing unaligned accesses, use the
same approach as the Linux kernel and let the compiler do the
decision how to generate the code for probably unaligned data accesses.
Update include/xen/unaligned.h from include/asm-generic/unaligned.h of
the Linux kernel.
The generated code has been checked to be the same on x86.
Modify the Linux variant to not use underscore prefixed identifiers,
avoid unneeded parentheses and drop the 24-bit accessors.
Juergen Gross [Mon, 11 Dec 2023 13:16:14 +0000 (14:16 +0100)]
xen/arm: set -mno-unaligned-access compiler option for Arm32
As the hypervisor is disabling unaligned accesses for Arm32, set the
-mno-unaligned-access compiler option for building. This will prohibit
unaligned accesses when e.g. accessing 2- or 4-byte data items in
packed data structures.
Juergen Gross [Thu, 23 Nov 2023 16:08:34 +0000 (17:08 +0100)]
tools/xenstored: potentially split trace_io() out message
Today write_messages() will call trace_io() after having written the
complete message to the ring buffer or socket.
In case the message can't be written in one go, split it by writing
one trace entry when starting the write and one when finishing it.
In order to distinguish a complete OUT message from a split one, let the
caller of trace_io specify the prefix string ("IN", "OUT", "OUT(START)",
"OUT(END)") directly instead of via an int.
The xen sources contain violations of MISRA C:2012 Rule 14.4 whose
headline states:
"The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type".
Struct domain member is_dying is an anonymous enum designed to act as boolean.
Add deviation to mark its uses in controlling expressions as deliberate.
Juergen Gross [Mon, 4 Dec 2023 15:23:21 +0000 (16:23 +0100)]
xen/sched: do some minor cleanup of sched_move_domain()
Do some minor cleanups:
- Move setting of old_domdata and old_units next to each other
- Drop incrementing unit_idx in the final loop of sched_move_domain()
as it isn't used afterwards
- Rename new_p to new_cpu and unit_p to unit_cpu
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@cloud.com>
Juergen Gross [Mon, 4 Dec 2023 15:23:20 +0000 (16:23 +0100)]
xen/sched: fix sched_move_domain()
Do cleanup in sched_move_domain() in a dedicated service function,
which is called either in error case with newly allocated data, or in
success case with the old data to be freed.
This will at once fix some subtle bugs which sneaked in due to
forgetting to overwrite some pointers in the error case.
Fixes: 70fadc41635b ("xen/cpupool: support moving domain between cpupools with different granularity")
Reported-by: René Winther Højgaard <renewin@proton.me>
Initial-fix-by: Jan Beulich <jbeulich@suse.com>
Initial-fix-by: George Dunlap <george.dunlap@cloud.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@cloud.com>
Michal Orzel [Thu, 7 Dec 2023 10:14:32 +0000 (11:14 +0100)]
xen/arm: bootfdt: Check return code of device_tree_for_each_node()
As a result of not checking the return code of device_tree_for_each_node()
in boot_fdt_info(), any error occurred during early FDT parsing does not
stop Xen from booting. This can result in an unwanted behavior in later
boot stages. Fix it by checking the return code and panicking on an error.
Juergen Gross [Tue, 21 Nov 2023 11:40:46 +0000 (12:40 +0100)]
tools/xenstored: remove the "-P" command line option
The "-P" command line option just results in printing the PID of the
xenstored daemon to stdout before stdout is being closed. The same
information can be retrieved from the PID file via the "-F" option.
Juergen Gross [Tue, 21 Nov 2023 11:40:45 +0000 (12:40 +0100)]
tools/xenstored: remove "-V" command line option
The "-V" (verbose) command line option is nearly completely redundant
with "io" tracing. Just the time of the printed data is a little bit
different, while the tracing is more informative.
Jan Beulich [Thu, 7 Dec 2023 07:33:55 +0000 (08:33 +0100)]
x86/DMI: adjustments to comply with Misra C:2012 Rule 9.3
The rule demands that all array elements be initialized (or dedicated
initializers be used). Introduce a small set of macros to allow doing so
without unduly affecting use sites (in particular in terms of how many
elements .matches[] actually has; right now there's no use of
DMI_MATCH4(), so we could even consider reducing the array size to 3).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>