Jan Beulich [Mon, 15 Jan 2024 11:18:43 +0000 (12:18 +0100)]
x86/vPIC: check values loaded from state save record
Loading is_master from the state save record can lead to out-of-bounds
accesses via at least the two container_of() uses by vpic_domain() and
__vpic_lock(). Make sure the value is consistent with the instance being
loaded.
For ->int_output (which for whatever reason isn't a 1-bit bitfield),
besides bounds checking also take ->init_state into account.
For ELCR follow what vpic_intercept_elcr_io()'s write path and
vpic_reset() do, i.e. don't insist on the internal view of the value to
be saved.
Move the instance range check as well, leaving just an assertion in the
load handler.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 15 Jan 2024 11:18:10 +0000 (12:18 +0100)]
x86/vPIT: check values loaded from state save record
In particular pit_latch_status() and speaker_ioport_read() perform
calculations which assume in-bounds values. Several of the state save
record fields can hold wider ranges, though. Refuse to load values which
cannot result from normal operation, except mode, the init state of
which (see also below) cannot otherwise be reached.
Note that ->gate should only be possible to be zero for channel 2;
enforce that as well.
Adjust pit_reset()'s writing of ->mode as well, to not unduly affect
the value pit_latch_status() may calculate. The chosen mode of 7 is
still one which cannot be established by writing the control word. Note
that with or without this adjustment effectively all switch() statements
using mode as the control expression aren't quite right when the PIT is
still in that init state; there is an apparent assumption that before
these can sensibly be invoked, the guest would init the PIT (i.e. in
particular set the mode).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
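A check-then-load pair in the spirit of the two commits above, written as an added illustration rather than Xen's vPIC/vPIT code: the record layouts, instance numbering, init_state range and ELCR masks are constructed assumptions, and the rules enforced are the ones the two messages describe (is_master must match the instance, int_output is bounded and tied to init_state, ELCR is normalised like a guest write, mode is left alone, gate may only be 0 on channel 2).

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layouts naming the fields the two commit messages
 * discuss; they are not Xen's hvm_hw_vpic / hvm_hw_pit definitions. */
struct vpic_rec {
    uint8_t is_master;   /* 1 = master PIC, 0 = slave PIC */
    uint8_t init_state;  /* 0 = initialised, 1..3 = awaiting ICW2..ICW4 (assumed) */
    uint8_t int_output;  /* INT line level, a whole byte in the record */
    uint8_t elcr;        /* edge/level control register */
};

struct pit_chan_rec {
    uint8_t mode;  /* counter mode; the reset value is not reachable via the control word */
    uint8_t bcd;   /* 0 = binary, 1 = BCD counting */
    uint8_t gate;  /* gate input level */
};

#define VPIC_COUNT   2  /* assumed: instance 0 is the master, 1 the slave */
#define PIT_CHANNELS 3

/* Assumed ELCR masks: IRQ0-2 on the master and IRQ8/IRQ13 on the slave are
 * always edge triggered, so a guest write can never set those bits. */
static uint8_t elcr_mask(bool is_master)
{
    return is_master ? 0xf8 : 0xde;
}

/* Check hook: pure, rejects anything that cannot arise from normal operation.
 * Returns 0 if the record is acceptable for PIC instance 'inst', else -1. */
int vpic_check(const struct vpic_rec *r, unsigned int inst)
{
    if (inst >= VPIC_COUNT)
        return -1;
    /* is_master feeds pointer arithmetic back to the owning domain, so a
     * value inconsistent with the instance would index out of bounds. */
    if (r->is_master != (inst == 0))
        return -1;
    if (r->init_state > 3)
        return -1;
    /* Only 0/1 are meaningful, and the INT line stays deasserted while an
     * initialisation sequence is still in progress. */
    if (r->int_output > 1 || (r->init_state != 0 && r->int_output != 0))
        return -1;
    return 0;
}

/* Load hook: runs only after vpic_check() passed, so it asserts instead of
 * re-checking, and normalises ELCR the way a guest write would. */
void vpic_load(struct vpic_rec *live, const struct vpic_rec *r, unsigned int inst)
{
    assert(vpic_check(r, inst) == 0);
    *live = *r;
    live->elcr &= elcr_mask(r->is_master);
}

/* Same for one PIT channel. mode is deliberately left unchecked: the reset
 * value cannot be written via the control word but must remain loadable.
 * gate may only be 0 on channel 2, whose gate is driven by the speaker port. */
int pit_check(const struct pit_chan_rec *c, unsigned int chan)
{
    if (chan >= PIT_CHANNELS)
        return -1;
    if (c->bcd > 1)
        return -1;
    if (c->gate > 1 || (c->gate == 0 && chan != 2))
        return -1;
    return 0;
}

/* Check, then load; returns the normalised ELCR, or -1 if the record is rejected. */
int vpic_restore_elcr(const struct vpic_rec *r, unsigned int inst)
{
    struct vpic_rec live;

    if (vpic_check(r, inst) != 0)
        return -1;
    vpic_load(&live, r, inst);
    return live.elcr;
}

int main(void)
{
    /* Constructed record: claims to be the master but is loaded as the slave. */
    struct vpic_rec swapped = { .is_master = 1 };
    struct vpic_rec master = { .is_master = 1, .int_output = 1, .elcr = 0xff };

    printf("swapped record: %d\n", vpic_check(&swapped, 1));
    printf("master ELCR after load: %#x\n", (unsigned int)vpic_restore_elcr(&master, 0));
    return 0;
}
```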
Jan Beulich [Mon, 15 Jan 2024 11:16:56 +0000 (12:16 +0100)]
x86/HVM: split restore state checking from state loading
..., at least as reasonably feasible without making a check hook
mandatory (in particular strict vs relaxed/zero-extend length checking
can't be done early this way).
Note that only one of the two uses of "real" hvm_load() is accompanied
with a "checking" one. The other directly consumes hvm_save() output,
which ought to be well-formed. This means that while input data related
checks don't need repeating in the "load" function when already done by
the "check" one (albeit assertions to this effect may be desirable),
domain state related checks (e.g. has_xyz(d)) will be required in both
places.
With the split arch_hvm_{check,load}(), also invoke the latter only
after downing all the vCPU-s.
Suggested-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 15 Jan 2024 11:15:56 +0000 (12:15 +0100)]
NUMA: limit first_valid_mfn exposure
Address the TODO regarding first_valid_mfn by making the variable static
when NUMA=y, thus also addressing a Misra C:2012 rule 8.4 concern (on
x86). To carry this out, introduce two new IS_ENABLED()-like macros
conditionally inserting "static". One less macro expansion layer is
sufficient though (I might guess that some early form of IS_ENABLED()
pasted CONFIG_ onto the incoming argument, at which point the extra
layer would have been necessary), and part of the existing helper macros
can be re-used.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
Jan Beulich [Mon, 15 Jan 2024 11:12:00 +0000 (12:12 +0100)]
x86emul: support SM4
Since the insns here and in particular their memory access patterns
follow the usual scheme, I didn't think it was necessary to add a
contrived test specifically for them.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 15 Jan 2024 11:11:22 +0000 (12:11 +0100)]
x86emul: support SM3
Since the insns here and in particular their memory access patterns
follow the usual scheme, I didn't think it was necessary to add a
contrived test specifically for them.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 15 Jan 2024 11:09:42 +0000 (12:09 +0100)]
x86emul: support AVX-VNNI-INT16
These are close relatives of the AVX-VNNI and AVX-VNNI-INT8 ISA
extensions. Since the insns here and in particular their memory access
patterns follow the usual scheme (and especially the word variants of
AVX-VNNI), I didn't think it was necessary to add a contrived test
specifically for them.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Julien Grall [Fri, 12 Jan 2024 11:54:31 +0000 (11:54 +0000)]
xen/arm32: head: Improve logging in head.S
The sequence to enable the MMU on arm32 is quite complex as we may need
to jump to a temporary mapping to map Xen.
Recently, we had one bug in the logic (see f5a49eb7f8b3 ("xen/arm32:
head: Add mising isb in switch_to_runtime_mapping()")) and it was
a pain to debug because there is no logging.
In order to improve the logging in the MMU switch we need to add
support for early printk while running on the identity mapping
and also on the temporary mapping.
For the identity mapping, we have only the first page of Xen mapped.
So all the strings should reside in the first page. For that purpose
a new macro PRINT_ID is introduced.
For the temporary mapping, the fixmap is already linked in the temporary
area (and so does the UART). So we just need to update the register
storing the UART address (i.e. r11) to point to the UART temporary
mapping.
Take the opportunity to introduce mov_w_on_cond in order to
conditionally execute mov_w and avoid branches.
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Shawn Anastasio [Thu, 11 Jan 2024 23:24:22 +0000 (17:24 -0600)]
xen/arm: bootfdt: Harden handling of malformed mem reserve map
The early_print_info routine in bootfdt.c incorrectly stores the result
of a call to fdt_num_mem_rsv() in an unsigned int, which results in the
negative error code being interpreted incorrectly in a subsequent loop
in the case where the device tree is malformed. Fix this by properly
checking the return code for an error and calling panic().
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
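The pattern that fix addresses, as an added example and not the bootfdt.c code itself: a constructed parser for the FDT memory reservation map (big-endian (address, size) pairs ended by an all-zero pair) that returns a negative error on a malformed map, the consumer that stores that result in an unsigned loop bound, and the hardened form that checks the signed return code first. RSV_ERR_TRUNCATED is a hypothetical error code standing in for libfdt's, and the two maps are constructed samples.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: the FDT memory reservation map is a list of
 * (address, size) pairs of big-endian u64, ended by an all-zero pair. */
#define RSV_ENTRY_SIZE 16
#define RSV_ERR_TRUNCATED (-1)  /* hypothetical libfdt-style error code */

static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;

    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Count reservation entries, or return a negative error if the map runs
 * off the end of the blob without a terminator (a malformed tree). */
int rsv_num_entries(const uint8_t *map, size_t len)
{
    int n = 0;

    for (size_t off = 0; off + RSV_ENTRY_SIZE <= len; off += RSV_ENTRY_SIZE, n++)
        if (load_be64(map + off) == 0 && load_be64(map + off + 8) == 0)
            return n;
    return RSV_ERR_TRUNCATED;
}

/* The defect the commit fixes: a negative error code stored in an unsigned
 * loop bound. Only the bound is computed here, because the loop it would
 * drive reads far past the end of the blob. */
unsigned int rsv_loop_bound_buggy(const uint8_t *map, size_t len)
{
    unsigned int nr_rsv = rsv_num_entries(map, len);  /* -1 becomes UINT_MAX */

    return nr_rsv;
}

/* Hardened version: keep the signed result and stop on error (Xen calls
 * panic() at this point; here the error is reported and returned). */
int rsv_print_entries(const uint8_t *map, size_t len)
{
    int nr_rsv = rsv_num_entries(map, len);

    if (nr_rsv < 0) {
        fprintf(stderr, "malformed reserve map (%d), refusing to continue\n", nr_rsv);
        return nr_rsv;
    }
    for (int i = 0; i < nr_rsv; i++) {
        const uint8_t *e = map + (size_t)i * RSV_ENTRY_SIZE;

        printf("RESVD[%d]: %#llx - %#llx\n", i,
               (unsigned long long)load_be64(e),
               (unsigned long long)(load_be64(e) + load_be64(e + 8)));
    }
    return nr_rsv;
}

/* Constructed sample maps: two entries plus terminator, and one entry with
 * the terminator missing. */
const uint8_t good_map[] = {
    0, 0, 0, 0, 0x80, 0, 0, 0,   0, 0, 0, 0, 0, 0x01, 0, 0,  /* 0x80000000, 0x10000 */
    0, 0, 0, 0, 0x90, 0, 0, 0,   0, 0, 0, 0, 0, 0, 0x20, 0,  /* 0x90000000, 0x2000 */
    0, 0, 0, 0, 0, 0, 0, 0,      0, 0, 0, 0, 0, 0, 0, 0,     /* terminator */
};
const uint8_t bad_map[] = {
    0, 0, 0, 0, 0x80, 0, 0, 0,   0, 0, 0, 0, 0, 0x01, 0, 0,
};

int main(void)
{
    printf("good map bound: %u\n", rsv_loop_bound_buggy(good_map, sizeof(good_map)));
    printf("bad map bound:  %u\n", rsv_loop_bound_buggy(bad_map, sizeof(bad_map)));
    return rsv_print_entries(bad_map, sizeof(bad_map)) < 0 ? 1 : 0;
}
```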
Javi Merino [Thu, 11 Jan 2024 12:09:27 +0000 (12:09 +0000)]
xen/common: Don't dereference overlay_node after checking that it is NULL
In remove_nodes(), overlay_node is dereferenced when printing the
error message even though it is known to be NULL. Return without
printing as an error message is already printed by the caller.
The semantic patch that spots this code is available in
Julien Grall [Fri, 12 Jan 2024 10:45:09 +0000 (10:45 +0000)]
xen/arm32: head: Rework how the fixmap and early UART mapping are prepared
Since commit 5e213f0f4d2c ("xen/arm32: head: Widen the use of the
temporary mapping"), boot_second (used to cover regions like Xen and
the fixmap) will not be mapped if the identity mapping overlaps.
So it is ok to prepare the fixmap table and link it in boot_second
earlier. With that, the fixmap can also be used earlier via the
temporary mapping.
Therefore split setup_fixmap() in two:
* The table is now linked in create_page_tables() because
the boot page tables need to be recreated for every CPU.
* The early UART mapping is only added for the boot CPU0 as the
fixmap table is not cleared when secondary CPUs boot.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Roger Pau Monné [Tue, 9 Jan 2024 13:07:49 +0000 (14:07 +0100)]
x86/iommu: introduce a rangeset to perform hwdom IOMMU setup
This change just introduces the boilerplate code in order to use a rangeset
when setting up the hardware domain IOMMU mappings. The rangeset is never
populated in this patch, so it's a non-functional change as far as the mappings
the domain gets established.
Note there will be a change for HVM domains (ie: PVH dom0) when the code
introduced here gets used: the p2m mappings will be established using
map_mmio_regions() instead of p2m_add_identity_entry(), so that ranges can be
mapped with a single function call if possible. Note that the interface of
map_mmio_regions() doesn't allow creating read-only mappings, but so far there
are no such mappings created for PVH dom0 in arch_iommu_hwdom_init().
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 9 Jan 2024 13:07:17 +0000 (14:07 +0100)]
x86/HVM: drop tsc_scaling.setup() hook
This was used by VMX only, and the intended VMCS write can as well
happen from vmx_set_tsc_offset(), invoked (directly or indirectly)
almost immediately after the present call sites of the hook.
vmx_set_tsc_offset() isn't invoked frequently elsewhere, so the extra
VMCS write shouldn't raise performance concerns.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Tue, 9 Jan 2024 13:06:34 +0000 (14:06 +0100)]
x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware
... or we fail to enable the functionality on the BSP for other reasons.
The only place where hardware announcing the feature is recorded is the
raw CPU policy/featureset.
Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Tue, 9 Jan 2024 13:05:33 +0000 (14:05 +0100)]
VMX: drop vmx_virt_exception and make vmx_vmfunc static
The variable was introduced by 69b830e5ffb4 ("VMX: VMFUNC and #VE
definitions and detection") without any use and - violating Misra C:2012
rule 8.4 - without a declaration. Since no use has appeared, drop it.
For vmx_vmfunc the situation is similar, but not identical: It at least
has one use. Convert it to be static (and make style adjustments while
there).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Tamas K Lengyel [Mon, 8 Jan 2024 09:16:58 +0000 (10:16 +0100)]
x86/mwait-idle: fix ubsan warning
Fix warning:
(XEN) UBSAN: Undefined behaviour in arch/x86/cpu/mwait-idle.c:1300:44
(XEN) left shift of 15 by 28 places cannot be represented in type 'int'
originating from sklh_idle_state_table_update() and hence observable on
one kind of CPU only.
Fixes: 5a211704e88 ("mwait-idle: prevent SKL-H boot failure when C8+C9+C10 enabled")
Signed-off-by: Tamas K Lengyel <tamas.lengyel@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Oleksii Kurochko [Wed, 20 Dec 2023 14:08:29 +0000 (16:08 +0200)]
xen: ifdef inclusion of <asm/grant_table.h> in <xen/grant_table.h>
Ifdef-ing the inclusion of <asm/grant_table.h> allows avoiding the
generation of an empty <asm/grant_table.h> for cases when
CONFIG_GRANT_TABLE is not enabled.
The following changes were done for Arm:
<asm/grant_table.h> should be included directly because it contains
the gnttab_dom0_frames() macro, which is unique to Arm and is used in
arch/arm/domain_build.c.
<asm/grant_table.h> is #ifdef-ed with CONFIG_GRANT_TABLE in
<xen/grant_table.h> so in case of !CONFIG_GRANT_TABLE gnttab_dom0_frames
won't be available for use in arch/arm/domain_build.c.
xen/arm: smmu-v3: address violations of MISRA C:2012 Rule 16.3
Add a break statement at the end of the switch-clauses to address
violations of MISRA C:2012 Rule 16.3 ("An unconditional `break'
statement shall terminate every switch-clause").
No functional change.
Juergen Gross [Tue, 12 Dec 2023 16:27:02 +0000 (17:27 +0100)]
xen: remove asm/unaligned.h
With include/xen/unaligned.h now dealing properly with unaligned
accesses for all architectures, asm/unaligned.h can be removed and
users can be switched to include xen/unaligned.h instead.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Tue, 12 Dec 2023 16:27:01 +0000 (17:27 +0100)]
xen: make include/xen/unaligned.h usable on all architectures
Instead of defining get_unaligned() and put_unaligned() in a way that
is only supporting architectures allowing unaligned accesses, use the
same approach as the Linux kernel and let the compiler make the
decision how to generate the code for probably unaligned data accesses.
Update include/xen/unaligned.h from include/asm-generic/unaligned.h of
the Linux kernel.
The generated code has been checked to be the same on x86.
Modify the Linux variant to not use underscore prefixed identifiers,
avoid unneeded parentheses and drop the 24-bit accessors.
Add the definition of __packed to xg_dom_decompress_unsafe_zstd.c in
libxenguest as it is using a cruel hack to reuse the hypervisor's
decompressing code for stubdom.
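The compiler-driven approach the commit describes, as an added illustration written for this page and not the contents of Xen's include/xen/unaligned.h: a packed single-member struct marks the access as possibly misaligned, so the compiler emits a plain load where the architecture allows it and byte-wise code elsewhere, and small byte-order helpers make the result the same on any host. Names are plain (no underscore prefix), as the commit says the Xen variant does; the helper and function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* A packed one-member struct tells the compiler the object may sit at any
 * byte address; no per-architecture #ifdef is needed. */
typedef struct { uint32_t v; } __attribute__((packed)) unaligned_u32;

static inline uint32_t get_unaligned_u32(const void *p)
{
    const unaligned_u32 *s = p;

    return s->v;
}

static inline void put_unaligned_u32(uint32_t val, void *p)
{
    unaligned_u32 *s = p;

    s->v = val;
}

/* cpu<->little-endian conversion (its own inverse), so the typed accessors
 * below return the same values on big- and little-endian hosts. */
static inline uint32_t swap_le32(uint32_t v)
{
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
    return __builtin_bswap32(v);
#else
    return v;
#endif
}

uint32_t get_unaligned_le32(const void *p)
{
    return swap_le32(get_unaligned_u32(p));
}

uint32_t get_unaligned_be32(const void *p)
{
    return __builtin_bswap32(swap_le32(get_unaligned_u32(p)));
}

void put_unaligned_le32(uint32_t val, void *p)
{
    put_unaligned_u32(swap_le32(val), p);
}

/* Round trip through an odd offset of a constructed byte buffer; returns 1
 * on success. A plain *(uint32_t *)(buf + 1) would be undefined behaviour
 * and a trap on strict-alignment hardware. */
int unaligned_roundtrip_ok(void)
{
    uint8_t buf[8] = { 0 };
    const uint8_t expect[8] = { 0, 0x78, 0x56, 0x34, 0x12, 0, 0, 0 };

    put_unaligned_le32(0x12345678u, buf + 1);
    return memcmp(buf, expect, sizeof(buf)) == 0 &&
           get_unaligned_le32(buf + 1) == 0x12345678u &&
           get_unaligned_be32(buf + 1) == 0x78563412u;
}
```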
Roger Pau Monne [Thu, 21 Dec 2023 10:08:31 +0000 (11:08 +0100)]
x86/amd: Extend CPU erratum #1474 fix to more affected models
Erratum #1474 has now been extended to cover models from family 17h ranges
00-2Fh, so the errata now covers all the models released under Family
17h (Zen, Zen+ and Zen2).
Additionally extend the workaround to Family 18h (Hygon), since it's based on
the Zen architecture and very likely affected.
Rename all the zen2 related symbols to fam17, since the errata doesn't
exclusively affect Zen2 anymore.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
is unwieldy and likely meaningless to non-Xen developers. Therefore:
* Switch to IS_ENABLED(). There's no need for full #ifdef-ary.
* Pull memchr_inv() out into the if(), and provide an error message which
clearly states that corruption has been found.
* XMEM_POOL_POISON can be enabled in release builds. Use printk()+BUG() so
it doesn't silently stop working when assertions are compiled out.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
Nicola Vetrini [Thu, 21 Dec 2023 10:48:18 +0000 (11:48 +0100)]
docs/misra: exclude files inherited from ACPI CA from MISRA compliance
The files under 'include/acpi/ac*.h' and 'include/acpi/plaform/ac*.h'
are inherited from Linux and ACPI CA, therefore they are not subject to
MISRA compliance at the moment.
Jan Beulich [Thu, 21 Dec 2023 10:47:41 +0000 (11:47 +0100)]
x86/platform: tidy do_platform_op() a little
The function has a few stray scopes and inconsistent use (indentation)
of break statements. Drop the stray braces and bring all the break-s in
line with one another. This in particular means dropping a redundant
break from XENPF_cpu_offline handling, pleasing Misra C:2012 rule 2.1.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 21 Dec 2023 10:47:10 +0000 (11:47 +0100)]
x86/mm: use "break" in arch_memory_op()
The final return statement is unreachable and hence disliked by Misra
C:2012 (rule 2.1). Convert those case-specific (main) return statements
which already use "rc", or in one case when it can be used without
further adding of code, to break.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Add per-domain d->pci_lock that protects access to
d->pdev_list. The purpose of this lock is to give guarantees to VPCI code
that the underlying pdev will not disappear from under its feet. This is a
rw-lock, but this patch adds only write_lock()s. There will be read_lock()
users in the next patches.
This lock should be taken in write mode every time d->pdev_list is
altered. All write accesses should be protected by pcidevs_lock()
as well. The idea is that any user that wants read access to the list or
to the devices stored in the list should use either this new
d->pci_lock or the old pcidevs_lock(). Usage of either of these two locks will
ensure only that the pdev of interest will not disappear from under its feet
and that the pdev will still be assigned to the same domain. Of
course, any new users should use pcidevs_lock() when it is
appropriate (e.g. when accessing any other state that is protected by
the said lock). In case both the newly introduced per-domain rwlock
and the pcidevs lock are taken, the latter must be acquired first.
Suggested-by: Roger Pau Monné <roger.pau@citrix.com>
Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@amd.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
Previously the pci_enable_msi() function obtained the pdev pointer by itself,
but taking into account upcoming changes to PCI locking, it is better
when the caller passes an already acquired pdev pointer to the function,
because the caller knows better how to obtain the pointer and which locks
need to be used. Also, in most cases the caller already has a pointer
to pdev, so we can avoid an extra list walk.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@amd.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 21 Dec 2023 10:44:55 +0000 (11:44 +0100)]
amd-vi: set IOMMU page table levels based on guest reported paddr width
However take into account the minimum number of levels required by unity maps
when setting the page table levels.
The previous setting of the page table levels for PV guests based on the
highest RAM address was bogus, as there can be other non-RAM regions past the
highest RAM address that need to be mapped, for example device MMIO.
For HVM we also take amd_iommu_min_paging_mode into account, however if unity
maps require more than 4 levels attempting to add those will currently fail at
the p2m level, as 4 levels is the maximum supported.
Fixes: 0700c962ac2d ('Add AMD IOMMU support into hypervisor')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 21 Dec 2023 10:44:04 +0000 (11:44 +0100)]
x86/p2m: move and rename paging_max_paddr_bits()
The function also supports non-paging domains, and hence it being placed in
p2m.h and named with the paging_ prefix is misleading.
Move to x86 domain.c and rename to domain_max_paddr_bits(). Moving to a
different header is non-trivial, as the function depends on helpers declared in
p2m.h. There's no performance reason for the function being inline.
Note the function is safe to use against PV or system domains, as it does check
whether the domain is using external paging, and if not the returned physical
address width is the host (native) value.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
tools/xg: Reserialise CPU policies with the allocated number of leaves.
The procedure used to customize the domain CPU policy is broken when
toolstack tries to set leaves (with subleaves) that the hypervisor didn't
need to serialise (i.e: because they were empty subleaves).
During typical domain creation xg does the following:
1. Probe Xen for max #leaves that a policy may have
2. Allocate memory for that many leaves
3. Tell the hypervisor to dump the policy in the allocated buffer
4. Deserialise it
5. Modify it
6. Reserialise it
7. Send it back to Xen
The problem is that (3) overrides nr_leaves, which then makes (6) fail in
the case where (5) has added subleaves that Xen understands but didn't need
to serialize on (3).
The fix uses an opaque CPU policy object so we can (a) avoid probing Xen
for sizes, and (b) trivially have knowledge of the actual size of the
buffer.
While at it, fix xc_cpu_policy_destroy() to preserve errno across free()
Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
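The seven-step flow and its failure, as an added example built from constructed stand-ins rather than libxenguest's xc_cpu_policy code: the stand-in hypervisor omits an empty subleaf when it dumps the policy in step 3, the toolstack adds that subleaf back in step 5, and reserialising with the count that step 3 overwrote fails with -ENOBUFS, while a policy object that remembers its own allocation size reserialises fine. The leaf layout, MAX_LEAVES and the sample leaf values are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a serialised CPUID leaf (not xen_cpuid_leaf). */
struct leaf {
    uint32_t leaf, subleaf;
    uint32_t a, b, c, d;
};

#define MAX_LEAVES 8  /* assumed answer to step 1, "probe Xen for max #leaves" */

/* Stand-in hypervisor policy: leaf 4 subleaf 1 is empty, so it is not
 * serialised, although the hypervisor would accept it coming back. */
static const struct leaf hv_policy[] = {
    { 0x0, 0, 0xd, 0, 0, 0 },
    { 0x1, 0, 0x1, 0, 0, 0 },
    { 0x4, 0, 0x1, 0, 0, 0 },
};

/* Step 3: *nr is the buffer capacity on input and is overwritten with the
 * number of leaves actually written on output. */
int hv_get_policy(struct leaf *buf, uint32_t *nr)
{
    uint32_t n = sizeof(hv_policy) / sizeof(hv_policy[0]);

    if (*nr < n)
        return -ENOBUFS;
    memcpy(buf, hv_policy, n * sizeof(*buf));
    *nr = n;
    return 0;
}

/* Deserialised policy; the fix is that it records its own allocation. */
struct policy {
    struct leaf leaves[MAX_LEAVES];
    uint32_t nr_leaves;  /* leaves in use */
    uint32_t nr_alloc;   /* leaves the buffer can hold */
};

int policy_add_leaf(struct policy *p, const struct leaf *l)
{
    if (p->nr_leaves >= p->nr_alloc)
        return -ENOBUFS;
    p->leaves[p->nr_leaves++] = *l;
    return 0;
}

/* Step 6: same in/out convention for *nr as hv_get_policy(). */
int policy_serialise(const struct policy *p, struct leaf *buf, uint32_t *nr)
{
    if (*nr < p->nr_leaves)
        return -ENOBUFS;
    memcpy(buf, p->leaves, p->nr_leaves * sizeof(*buf));
    *nr = p->nr_leaves;
    return 0;
}

/* Steps 1 to 5, shared by both flows; *nr ends up holding step 3's count. */
static int build_policy(struct policy *p, struct leaf *buf, uint32_t *nr)
{
    const struct leaf extra = { 0x4, 1, 0x2, 0, 0, 0 };  /* re-added in step 5 */
    int rc;

    memset(p, 0, sizeof(*p));
    p->nr_alloc = MAX_LEAVES;                     /* steps 1 and 2 */
    *nr = MAX_LEAVES;
    rc = hv_get_policy(buf, nr);                  /* step 3: *nr becomes 3 */
    if (rc)
        return rc;
    memcpy(p->leaves, buf, *nr * sizeof(*buf));   /* step 4 */
    p->nr_leaves = *nr;
    return policy_add_leaf(p, &extra);            /* step 5: 4 leaves in use */
}

/* Broken flow: step 3's count is reused as the buffer size in step 6. */
int customise_buggy(void)
{
    struct leaf buf[MAX_LEAVES];
    struct policy p;
    uint32_t nr;
    int rc = build_policy(&p, buf, &nr);

    return rc ? rc : policy_serialise(&p, buf, &nr);  /* 3 < 4: -ENOBUFS */
}

/* Fixed flow: the policy knows its allocation; returns the leaves written. */
int customise_fixed(void)
{
    struct leaf buf[MAX_LEAVES];
    struct policy p;
    uint32_t nr, out;
    int rc = build_policy(&p, buf, &nr);

    if (rc)
        return rc;
    out = p.nr_alloc;
    rc = policy_serialise(&p, buf, &out);
    return rc ? rc : (int)out;
}
```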
Andrew Cooper [Fri, 15 Dec 2023 08:42:01 +0000 (08:42 +0000)]
driver/char: Drop run_in_exception_handler() ifdefary
Since commit 60a9b0715055 ("xen: introduce CONFIG_GENERIC_BUG_FRAME"), the new
common bug.h provides an implementation of run_in_exception_handler() in all
cases, making the #else here dead.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 23 Nov 2023 16:28:36 +0000 (16:28 +0000)]
tools/pygrub: Drop compatibility symlink
This was deprecated in commit 10c88f1c18b7 ("tools: Install pv bootloaders in
libexec rather than /usr/bin") and caused to warn in commit c31d6a7ee2ea
("libxl: Warn that /usr/bin/pygrub is deprecated"), both in 2012.
New versions of RPM warn against absolute symlinks, so take out fully, 11
years later.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
xen/arm: mmu: address a violation of MISRA C:2012 Rule 16.3
Add missing break at the end of the switch-clause to address a
violation of MISRA C:2012 Rule 16.3 ("An unconditional `break'
statement shall terminate every switch-clause").
No functional change.
Add missing break statements to address violations of Rule 16.3.
Add pseudo-keyword "fallthrough" to make explicit the intended
behavior and satisfy the requirements to deviate Rule 16.3.
No functional change.
xen/arm: gic-v3: address violations of MISRA C:2012 Rule 16.3
Add the pseudo-keyword fallthrough to meet the requirements to
deviate Rule 16.3 ("An unconditional `break' statement shall terminate
every switch-clause").
No functional change.
xen/common: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Change cast type from void* to uintptr_t.
void* type cast resulted in violation of the Rule, a cast to type uintptr_t
is more appropriate type-wise.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Function ERR_CAST contains a violation of MISRA C:2012 Rule 11.8,
whose headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Since the function has no users, it is appropriate to remove it.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
The macro 'container_of' violates the Rule because it casts away any
qualifier to do pointer arithmetic, but making the macro definition compliant
would add additional complexity, therefore a deviation is introduced.
xen/arm: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
The variables are originally const-qualified.
There's no reason to drop the qualifiers.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:32 +0000 (11:17 +0100)]
xen/arm: vcpreg: address violation of MISRA C Rule 2.1
There is no path that reaches the call to 'advance_pc', thus violating MISRA C
Rule 2.1.
A call to ASSERT_UNREACHABLE() is added after the switch, despite this being
useful to detect errors only in debug builds; if that marker is ever reached,
a domain crash is triggered, as a defensive coding measure.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:30 +0000 (11:17 +0100)]
xen/arm: traps: add ASSERT_UNREACHABLE() where needed
The statements after a call to the noreturn function 'do_unexpected_trap'
can't be reached, thus violating MISRA C:2012 Rule 2.1
("A project shall not contain unreachable code.").
ASSERT_UNREACHABLE() is used to signal that the unreachable break-s are used as
a defensive coding measure to prevent inadvertent fallthrough.
Nicola Vetrini [Mon, 18 Dec 2023 10:17:29 +0000 (11:17 +0100)]
xen/arm: address MISRA C:2012 Rule 2.1
There are no paths that can reach the last return statement
of function 'vgic_v3_its_mmio_write' in 'vcig-v3-its.c' and
'arch_memory_op' in 'arch/arm/mm.c', thus violating
MISRA C:2012 Rule 2.1:
"A project shall not contain unreachable code".
Therefore, an ASSERT_UNREACHABLE() is inserted to remove the unreachable
return statement and protect against possible mistakes.
Nicola Vetrini [Mon, 18 Dec 2023 15:06:12 +0000 (16:06 +0100)]
xen: move declaration of first_valid_mfn to xen/numa.h
Such declaration is moved in order to provide it for Arm and PPC,
whilst not violating MISRA C:2012 Rule 8.4 in common/page_alloc.c:
"A compatible declaration shall be visible when an object or
function with external linkage is defined".
Exclude efibind.h for all the architectures: it is used to build the
efi stub, which is a separate entry point for Xen when booted from EFI
firmware.
Remove redundant entries from out_of_scope.ecl.
Exclude common/coverage: it is code to support gcov, hence it is part
of the testing machinery.
Exclude decompress.h: file ported from Linux that defines a unique and
documented interface towards all the (adopted) decompress functions.
Jens Wiklander [Wed, 13 Dec 2023 10:31:35 +0000 (11:31 +0100)]
xen/arm: ffa: return fpi size from FFA_PARTITION_INFO_GET
Until now FFA_PARTITION_INFO_GET has always returned zero in w3, but
FF-A v1.1 requires FFA_PARTITION_INFO_GET to return the size of each
partition information descriptor returned if
FFA_PARTITION_INFO_GET_COUNT_FLAG isn't set.
The SPMC queried with FFA_PARTITION_INFO_GET must also return the each
partition information descriptor returned so fix this by passing along
the same value.
Jan Beulich [Tue, 19 Dec 2023 12:51:40 +0000 (13:51 +0100)]
x86: don't open-code max_page calculation nor pfn_to_paddr()
As observed by Roger while reviewing a somewhat related change, there's
no need here either to open-code the (largely, i.e. once setup_max_pdx()
was called) fixed relationship between max_pdx and max_page. Further we
can avoid open-coding pfn_to_paddr() here.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monné [Tue, 19 Dec 2023 12:48:09 +0000 (13:48 +0100)]
iommu/vt-d: do not assume page table levels for quarantine domain
Like XSA-445, do not assume IOMMU page table levels on VT-d are always set
based on DEFAULT_DOMAIN_ADDRESS_WIDTH and instead fetch the value set by
intel_iommu_domain_init() from the domain iommu structure. This prevents
changes to intel_iommu_domain_init() possibly getting the levels out of sync
with what intel_iommu_quarantine_init() expects.
No functional change, since on Intel domains are hardcoded to use
DEFAULT_DOMAIN_ADDRESS_WIDTH.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 19 Dec 2023 12:47:38 +0000 (13:47 +0100)]
x86: allow non-BIGMEM configs to boot on >= 16Tb systems
While frame table setup, directmap init, and boot allocator population
respect all intended bounds, the logic passing memory to the heap
allocator which wasn't passed to the boot allocator fails to respect
max_{pdx,pfn}. This then typically triggers the BUG() in
free_heap_pages() after checking page state, because of hitting a struct
page_info instance which was set to all ~0.
Of course all the memory above the 16Tb boundary is still going to
remain unused; using it requires BIGMEM=y. And of course this fix
similarly ought to help BIGMEM=y configurations on >= 123Tb systems
(where all the memory beyond that boundary continues to be unused).
Fixes: bac2000063ba ("x86-64: reduce range spanned by 1:1 mapping and frame table indexes")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
x86/hvm: address a violation of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Remove unnecessary cast.
from is a const-qualified pointer to void and the function hvm_copy_to_guest_linear
requires a const void* type argument, therefore the cast to void* is not necessary.
No functional change.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
x86/boot: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
Macro get_mb2_data returns values that are const-qualified.
The results are stored in const struct pointers, hence
there's no need to cast away the const qualifiers.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
xen/efi: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add missing const qualifiers in casts.
The variables are originally const-qualified.
There's no reason to drop the qualifiers.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arm64: address violations of MISRA C:2012 Rule 11.8
The xen sources contain violations of MISRA C:2012 Rule 11.8 whose
headline states:
"A conversion shall not remove any const, volatile or _Atomic qualification
from the type pointed to by a pointer".
Add volatile qualifiers missing in casts.
Arguments p and ptr are originally volatile-qualified.
There's no reason to drop the qualifiers.
No functional change.
xen/x86_emulate: address violations of MISRA C:2012 Rule 14.4
The xen sources contain violations of MISRA C:2012 Rule 14.4 whose
headline states:
"The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type".
Add comparisons to avoid using enum constants as controlling expressions
to comply with Rule 14.4.
No functional change.
Signed-off-by: Maria Celeste Cesario <maria.celeste.cesario@bugseng.com>
Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Oleksii Kurochko [Mon, 18 Dec 2023 14:19:01 +0000 (15:19 +0100)]
xen: fix compilation issue of serial.c
The following issue occurs on RISC-V platforms:
drivers/char/serial.c: In function 'serial_tx_interrupt':
drivers/char/serial.c:88:9: error: implicit declaration of function 'cpu_relax' [-Werror=implicit-function-declaration]
88 | cpu_relax();
cpu_relax() is defined in <asm/processor.h>, so an inclusion of the
header was added to serial.c.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
The file exclude-list.json contains files that are classified as
adopted code for MISRA compliance. Therefore, this file is used to
automatically generate a suitable .ecl configuration for ECLAIR.
As such, many entries in out_of_scope.ecl can be removed, as they
would be duplicates.
Jan Beulich [Thu, 14 Dec 2023 09:56:07 +0000 (10:56 +0100)]
smp: move cpu_is_offline() definition
It's all the same for the 3 arch-es which have it, and RISC-V would
introduce a 4th instance. Put it in xen/smp.h instead, while still
permitting asm/smp.h to define a custom variant if need be.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@cloud.com>
Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Acked-by: Julien Grall <jgrall@amazon.com>
Juergen Gross [Thu, 14 Dec 2023 09:55:24 +0000 (10:55 +0100)]
tools/libs/evtchn: fix locking in Mini-OS
When adding locking to tools/libs/evtchn/minios.c a semaphore was
used. This can result in deadlocks, as the lock is taken inside the
event handler, which can interrupt an already locked region.
The fix is rather simple, as Mini-OS is supporting a single vcpu
only. So instead of the semaphore it is enough to disable interrupts
when operating on the port list.
Fixes: bc4fe94a69d4 ("ools/libs/evtchn: replace assert()s in stubdom with proper locking")
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Jens Wiklander [Wed, 13 Dec 2023 10:32:41 +0000 (11:32 +0100)]
xen/arm: ffa: return FFA_RET_NOT_SUPPORTED on unhandled calls
Until now an unsupported FF-A request has been reported back with
ARM_SMCCC_ERR_UNKNOWN_FUNCTION in register x0. An FF-A caller would
rather expect FFA_ERROR in x0 and FFA_RET_NOT_SUPPORTED in x2, so update
ffa_handle_call() to return true with the cpu_user_regs updated.
xen/arm: don't pass iommu properties to hwdom for iommu-map
A device tree node for a PCIe root controller may have an iommu-map property [1]
with a phandle reference to the SMMU node, but not necessarily an iommus
property. In this case, we want to treat it the same as we currently handle
devices with an iommus property: don't pass the iommu related properties to
hwdom.
xen/arm: smmu: move phys_addr_t definition to linux-compat.h
Both smmu and smmu-v3 (ported from Linux) define the typedef name
"phys_addr_t": move the type definition to the common header
linux-compat.h to address violations of MISRA C:2012 Rule 5.6
("A typedef name shall be a unique identifier").
No functional change.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Suggested-by: Julien Grall <julien@xen.org>
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
AMD/IOMMU: address violations of MISRA C:2012 Rule 8.2
Add missing parameter names to address violations of MISRA C:2012
Rule 8.2. Remove trailing spaces and use C standard types to comply
with XEN coding style. No functional change.
Michal Orzel [Thu, 23 Nov 2023 14:53:02 +0000 (15:53 +0100)]
xen/arm: page: Avoid pointer overflow on cache clean & invalidate
On Arm32, after cleaning and invalidating the last dcache line of the top
domheap page i.e. VA = 0xfffff000 (as a result of flushing the page to
RAM), we end up adding the value of a dcache line size to the pointer
once again, which results in a pointer arithmetic overflow (with 64B line
size, the operation 0xffffffc0 + 0x40 overflows to 0x0). Such behavior is
undefined and, given the wide range of compiler versions we support, it is
difficult to determine what could happen in such a scenario.
Modify clean_and_invalidate_dcache_va_range() as well as
clean_dcache_va_range() and invalidate_dcache_va_range() due to similarity
of handling to prevent pointer arithmetic overflow. Modify the loops to
use an additional variable to store the index of the next cacheline.
Add an assert to prevent passing a region that wraps around which is
illegal and would end up in a page fault anyway (region 0-2MB is
unmapped). Lastly, return early if size passed is 0.
Note that on Arm64, we don't have this problem given that the max VA
space we support is 48-bits.
This is XSA-447 / CVE-2023-46837.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
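The two loop shapes contrasted in the XSA-447 commit above, as an added example that is not Xen's code: a constructed 32-bit VA model in which the per-line cache instruction is replaced by a recorder, the region-wrap check is a plain function, and the names `op_ctx`, `clean_line`, `range_wraps`, `cursor_after_prefix_loop` and `clean_dcache_va_range` are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed 32-bit VA model of the Arm32 case (not Xen's own code):
 * the dcache maintenance instruction is replaced by a recorder. */
#define LINE_BYTES 64u
#define LINE_MASK  (LINE_BYTES - 1)
struct op_ctx { unsigned int lines; uint32_t last_line; };
static void clean_line(uint32_t line_va, struct op_ctx *ctx)
{
    ctx->lines++;
    ctx->last_line = line_va;
}
/* Condition behind the new ASSERT(): [va, va + size) must not wrap. */
bool range_wraps(uint32_t va, uint32_t size)
{
    return size != 0 && (uint32_t)(va + size - 1) < va;
}
/* Pre-fix loop shape: the cursor itself is bumped after every line, so
 * for the top page it is advanced once more past 0xffffffc0. Returns the
 * final cursor: here it wraps to 0, on a real pointer that is undefined. */
uint32_t cursor_after_prefix_loop(uint32_t va, uint32_t size)
{
    size += va & LINE_MASK;
    va &= ~LINE_MASK;
    for (; size >= LINE_BYTES; va += LINE_BYTES, size -= LINE_BYTES)
        ;                       /* the line op on va would go here */
    return va;
}
/* Fixed loop shape: an index counts up from the aligned base and
 * base + index is only formed for lines inside the range. Returns the
 * number of lines operated on, 0 for an empty range, -1 for a wrapping one. */
int clean_dcache_va_range(uint32_t va, uint32_t size, struct op_ctx *ctx)
{
    uint32_t idx = 0;
    if (size == 0)
        return 0;               /* early return added by the fix */
    if (range_wraps(va, size))
        return -1;              /* ASSERT() in the real code */
    size += va & LINE_MASK;     /* account for an unaligned start */
    va &= ~LINE_MASK;
    for (; size >= LINE_BYTES; idx += LINE_BYTES, size -= LINE_BYTES)
        clean_line(va + idx, ctx);
    if (size)                   /* partial trailing line */
        clean_line(va + idx, ctx);
    return (int)ctx->lines;
}
```

For the top domheap page (VA 0xfffff000, 4 KiB, 64-byte lines) the fixed loop touches 64 lines ending at 0xffffffc0 and never forms 0xffffffc0 + 0x40, whereas the pre-fix cursor ends at 0.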