Tiejun Chen [Mon, 29 Jun 2015 06:51:36 +0000 (14:51 +0800)]
tools/libxc: check to set args.mmio_size before call xc_hvm_build
After commit 5dff8e9eedc7, "libxc/libxl: fill xc_hvm_build_args in
libxl" is introduced, we won't check to set args.mmio_size inside
xc_hvm_build as before. So instead, we need to do this before call
that.
CC: Ian Jackson <ian.jackson@eu.citrix.com> CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> CC: Wei Liu <wei.liu2@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Tiejun Chen <tiejun.chen@intel.com>
Ian Campbell [Fri, 26 Jun 2015 09:41:28 +0000 (10:41 +0100)]
xen: Install unstripped version -syms version into /usr/lib/debug
xen-*-syms cannot actually be booted, so putting it in /boot is a bit
misleading. It also happens to cause a warning from update-grub (so at
least it doesn't end up in grub.cfg)
/usr/lib/debug seems to be a pretty common path for installing such
debug info.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
[ ijc -- fixed typos ]
Ian Campbell [Fri, 26 Jun 2015 11:39:54 +0000 (12:39 +0100)]
xen: arm: Log a warning message when a deprecated hypercall is used
A few folks have been caught out by OSes which call e.g.
HYPERVISOR_event_channel_op_compat which has been deprecated since
3.2.2 (i.e. long before Xen on ARM). Existing x86 code can still
safely and quietly using those calls, waiting for an unsuspecting ARM
porter to turn up and trip over it. This turns out to be rather
perplexing when it happens, since it can be obscured e.g. by various
conditionals like __XEN_INTERFACE_VERSION__ what is actually being
called.
Note that I'm making a distinction here between hypercalls which are
simply not used/implemented on arm (yet) and those which were
deprecated and replaced by a newer variant prior to Xen on ARM even
being invented. The latter will never be implemented on ARM and have
non-deprecated aliases leading to confusion so those are the ones for
which a warning is useful.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Tested-by: Ard Biesheuvel <ard@linaro.org> Cc: Jan Beulich <JBeulich@suse.com> Cc: Keir Fraser <keir@xen.org> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Julien Grall <julien.grall@citrix.com>
A find option was forgotten in commit 6592bf60beaf1fa0b4fd36fb73800eb001c739af
"docs: Look for documentation in sub-directories" resulting to get some
docs duplicated and other missing.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Mon, 29 Jun 2015 14:29:33 +0000 (15:29 +0100)]
libxl: Fix uninitialised rc in libxl__domain_save_device_model
c3c8da9 "libxl: ao: datacopier callback gets an rc" caused
libxl__domain_save_device_model() to pass its rc directly into the
callback.
However in the preexisting code, there were 3 "goto out;" paths which
left rc uninitialised. This causes a build failure with GCC 4.8's
-Wmaybe-uninitialized.
Set the rc explicitly on each goto out path.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Ian Jackson [Fri, 26 Jun 2015 17:24:22 +0000 (18:24 +0100)]
libxl: Add missing #include of <signal.h>
"libxl: ao abort: Handle SIGTERM in save/restore helper" requires
this; without it we fail to build on BSD.
Reported-by: Ian Campbell <ian.campbell@citrix.com> CC: Ian Campbell <ian.campbell@citrix.com> CC: Roger Pau Monne <roger.pau@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Tue, 23 Jun 2015 17:10:51 +0000 (18:10 +0100)]
libxl: spawn: Always debug log middle child process death
Otherwise the debug log is strangely devoid of an explanation for the
spawn completing.
We decorate `what', as otherwise the logged message is rather alarming
(especially if the death is due to us sending SIGKILL, which even
happens on the success path).
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: New patch in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:37:33 +0000 (19:37 +0000)]
libxl: ao: datacopier callback gets an rc
libxl__datacopier_* now provides its caller's callback function with
an rc value. This relieves the caller of the need to figure out an
appropriate rc value.
Arrange that the `other internal failure' cases now get a valid
positive errno value (EIO).
In a few places, assert that errno is nonzero before passing it to our
caller.
Extend the datacopier callback API to permit the dc to signal ABORTED.
(It doesn't actually do this yet, though.)
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> CC: Andrew Cooper <andrew.cooper3@citrix.com> CC: David Vrabel <david.vrabel@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:10:18 +0000 (19:10 +0000)]
libxl: ao abort: Abort libxc save/restore
Register the the save/restore helper interface with the abort
machinery. When we are informed that save/restore should be aborted,
we make a note of the that in our rc variable, and send the helper a
SIGTERM. It will die in due course.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 19:05:06 +0000 (19:05 +0000)]
libxl: ao abort: Handle SIGTERM in save/restore helper
During startup of the save/restore helper, set the disposition of
SIGTERM appropriately.
For restore, we can simply die immediately - there is no point trying
to do any kind of cleanup on what is now going to be a trashed domain.
For save, we want to arrange that libxc's cleanup code (eg turning off
logdirty) takes place. So our signal handler replaces the fd with one
on which writes will fail, causing libxc's own loop to fail next time
it actually tries to do a write.
Currently this has only a minor beneficial effect: we don't send the
helper a SIGTERM ourselves, and if someone else contrives to send our
helper a SIGTERM they have probably sent one to libxl too in which
case things are going to be a bit messy anyway.
But in the next patch libxl itself is going to use SIGTERM to
implement ao abort requests.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:53:21 +0000 (17:53 +0000)]
libxl: ao abort: Support aborting where we spot domain death
Make an active libxl__domaindeathcheck contain an active
libxl__ao_abortable.
Consequential changes are:
* domaindeath callbacks now take an rc value.
* libxl__domaindeathcheck_start takes an ao, not a gc.
* bootloader_domaindeath plumbs the rc through to its caller.
* libxl__domaindeathcheck_init and _stop are not quite trivial any
more so are moved from (inline functions) in libxl_internal.h, to
ordinary functions defined in libxl_event.c.
* libxl__domaindeathcheck_start is not trivial any more, and now has
the standard error-handling pattern.
The only current user of libxl__domaindeathcheck is the bootloader.
So the result is that now it is possible to effectively abort domain
creation while the bootloader is running.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:48:40 +0000 (17:48 +0000)]
libxl: Introduce DOMAIN_DESTROYED error code
This is currently reported only by the bootloader code, if the domain
is destroyed while the bootloader is running.
In the future it would be nice to return it for other circumstances
where the domain existed when the operation started but subsequently
vanished.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: Add a comment about the new error code's semantics
v2: New in this version of the series.
Ian Jackson [Tue, 10 Feb 2015 17:18:23 +0000 (17:18 +0000)]
libxl: ao abort: Note that driver domain task cannot be usefully aborted
In practice, aborting this task will cause all subsequent actual
backend operations to fail, but will not actually cause the
libxl_device_events_handler operation to complete.
Ian Jackson [Fri, 20 Dec 2013 18:02:54 +0000 (18:02 +0000)]
libxl: ao abort: Make timeouts abortable
Make libxl__ev_time* register with the abort machinery, so that
libxl_ao_abort can stop any operation which has a timeout.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: Do not immediately deregister the abortable (!)
(v3 was Acked-by: Ian Campbell <ian.campbell@citrix.com>)
Ian Jackson [Tue, 10 Feb 2015 19:16:08 +0000 (19:16 +0000)]
libxl: ao abort: Provide explicit internal abort check API
Some places in libxl which can't handle abort via a
libxl__ao_abortable callback might nevertheless benefit from being
able to explicitly check whether abort has been requested.
Provide the (fairly trivial) internal API function to do this.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: New in this version of the series.
Ian Jackson [Fri, 20 Dec 2013 16:34:50 +0000 (16:34 +0000)]
libxl: ao abort: Provide public ao abort request API
Provide libxl_ao_abort.
There is machinery to allow an ao to register an interest in abort
requests, using a libxl__ao_abortable.
This API is not currently very functional: requesting abort will
never have any effect.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v5: Clarify API doc comment re aborting synchronous operations.
v4: Rename from cancel to abort.
Actually record aos on aos_inprogress.
(Report from Koushik Chakravarty at Citrix.)
Do not mark libxl_ao_cancel hidden (!)
Abolish ERROR_NOTIMPLEMENTED from libxl_ao_cancel.
All operations are supposed to support cancellation.
v2: Minor comment improvements
Ian Jackson [Fri, 20 Dec 2013 16:34:41 +0000 (16:34 +0000)]
libxl: ao: Provide manip_refcnt
Previously we used in_initiator to stop the ao being freed while we
were still in the initiator function (which would result in the
initiator's call to libxl__ao_inprogress accessing the ao after it had
been freed).
We are going to introduce a new libxl entrypoint which finds, and
operates on, ongoing aos. This function needs the same protection,
and might even end up running on the same ao multiple times
concurrently.
So do this with reference counting instead, with a new variable
ao->manip_refcnt.
We keep ao->in_initiator because that allows us to keep some useful
asserts about the sequencing of libxl__ao_inprogress, etc.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v5: Fix typo in commit message.
v3: Add a missing space.
Mention locking in the comment.
Ian Jackson [Fri, 20 Dec 2013 15:31:32 +0000 (15:31 +0000)]
libxl: domain create: Do not destroy on ao abort
If we aborted the domain creation, do not try to tear it down again
Document this.
This is a backwards-compatible API change since old libxl users will
never abort any operations.
In the current code, there is no functional change, because
ERROR_ABORTED is never generated anywhere yet.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: ABORTED not CANCELLED.
Always write out guest domid on completion.
Do not trash rc with libxl__set_domain_configuration on preserve path.
Ian Jackson [Tue, 10 Feb 2015 16:36:46 +0000 (16:36 +0000)]
libxl: events: Permit timeouts to signal ao abort
The callback functions provided by users must take an rc value. This
rc value can be ERROR_TIMEDOUT or ERROR_ABORTED.
Users of xswait are now expected to deal correctly with
ERROR_ABORTED. If they experience this, it hasn't been logged.
And the caller won't log it either since it's not TIMEDOUT.
Luckily this is correct, so we can just change the doc comment.
Currently nothing generates ERROR_ABORTED; in particular the timeouts
cannot in fact signal abort requests.
There should be no publicly visible change except that some error
returns from libxl will change from ERROR_FAIL to ERROR_TIMEDOUT, and
some changes to debugging messages.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: ABORTED not CANCELLED.
Ian Jackson [Tue, 10 Feb 2015 16:27:39 +0000 (16:27 +0000)]
libxl: events: Make libxl__async_exec_* pass caller an rc
The internal user of libxl__async_exec_start et al now gets an rc as
well as the process's exit status.
For now this is always either 0 or ERROR_FAIL, but with ao
abort requests this will possibly be ABORTED or TIMEDOUT too.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v4: Improve doc comment as suggested by Ian C.
v2: New patch due to rebause; v1 had changes to device_hotplug_*
scripts instead.
Callback now gets unambiguous information about error situation:
previously, if only thing that went wrong was that child died
badly, rc would be FAILED, which was unambigously; now rc=0.
Add a comment document the meaning of the rc and status parameters
to the callback.
Ian Jackson [Tue, 10 Feb 2015 16:13:36 +0000 (16:13 +0000)]
libxl: events: Make timeout and async exec setup take an ao, not a gc
Change the timeout setup functions to take a libxl__ao, not a
libxl__gc. This is going to be needed for ao abort, because timeouts
are going to be a main hook for ao abort requests - so the timeouts
need to be associated with an ao.
This means that timeouts can only occur as part of a long-running
libxl function (but this is of course correct, as libxl shouldn't have
any global timeouts, and indeed all the call sites have an ao).
Also remove the gc parameter from libxl__async_exec_start. It can
just use the gc from the ao supplied in the aes.
All the callers follow the obvious patterns and therefore supply the
ao's gc to libxl__async_exec_start and the timeout setup functions.
There is therefore no functional change in this patch.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> CC: Yang Hongyang <yanghy@cn.fujitsu.com> CC: Wen Congyang <wency@cn.fujitsu.com> CC: Lai Jiangshan <laijs@cn.fujitsu.com> Acked-by: Wen Congyang <wency@cn.fujitsu.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: This patch split off from "Permit timeouts to signal cancellation".
Rebased; consequently, deal with libxl__async_exec_start.
CC'd authors of the libxl__async_exec_* functions.
Ian Jackson [Fri, 20 Dec 2013 15:18:59 +0000 (15:18 +0000)]
libxl: New error codes ABORTED etc.
We introduce ERROR_ABORTED now, so that we can write code to handle
it, and decreee that functions might return it, even though currently
there is nowhere where this error is generated.
While we're here, provide ERROR_NOTFOUND which will also be used
later, but only as part of the public API.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v4: CANCELLED renamed to ABORTED.
No longer introduce ERROR_NOTIMPLEMENTED.
v2: Rebase means new errors have bigger (more negative) numbers.
Ian Jackson [Thu, 25 Jun 2015 15:34:10 +0000 (16:34 +0100)]
libxl: Change some log messages to say `abandoning' rather than `aborting'
We are going to introduce application-requested aborts of (ao)
operations, but these suspend failures are something different.
Reword to avoid confusion.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Ian Jackson [Fri, 20 Dec 2013 12:49:53 +0000 (12:49 +0000)]
libxl: suspend: Return correct error from callbacks
If a suspend callback fails, it has a libxl error code in its hand.
However we must return to libxc the values that libxc expects. So we
stash the libxl error code in dss->rc and fish it out again after
libxc returns from the suspend call.
While we're here, abolish the now-redundant `ok' variable in
remus_devices_postsuspend_cb.
The overall functional change is that libxl_domain_save now completes
with the correct error code as determined when the underlying failure
happened. (Usually this is, still, ERROR_FAIL.)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: Add cleanup in remus_devices_postsuspend_cb.
Ian Jackson [Fri, 20 Dec 2013 12:43:17 +0000 (12:43 +0000)]
libxl: suspend: common suspend callbacks take rc
Change the following functions to take a libxl error code rather than
a boolean "ok" value, and translate that value to the boolean expected
by libxc at the last moment:
domain_suspend_callback_common_done } dss->callback_common_done
remus_domain_suspend_callback_common_done }
domain_suspend_common_done
Also, abolish domain_suspend_common_failed as
domain_suspend_common_done can easily do its job and the call sites
now have to supply the right rc value anyway.
In domain_suspend_common_guest_suspended, change "ret" to "rc"
as it contains a libxl error code.
There is no functional change in this patch: the proper rc value now
propagates further, but is still eventually smashed to a boolean.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v2: Fix a leftover comment referring to domain_suspend_common_failed
Ian Jackson [Fri, 20 Dec 2013 12:34:09 +0000 (12:34 +0000)]
libxl: suspend: switch_logdirty_done takes rc
switch_logdirty_done used to take the value to pass to
libxl__xc_domain_saverestore_async_callback_done (ie, the return value
from the callback). (This was mistakenly described as "ok" in the
prototype, but in the definition it is "broke" and all the call sites
passed 0 for success or -1 for error.)
Instead, make it take a libxl error code (rc). Convert this to the
suspend callback value at the end.
No functional change in this patch.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Jackson [Wed, 8 Apr 2015 11:22:38 +0000 (12:22 +0100)]
libxl: ao internal API docs: Mention synchronous ao completion
This doc comment about ao lifecycle failed to mention the option of
completing the ao during the initiator function. (Indeed, the most
obvious reading would forbid it.)
Restructure the comment, describe this situation, and generally
improve the wording.
Also, fix a grammar problem (missing word `a').
Reported-by: Koushik Chakravarty <koushik.chakravarty@citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
David Vrabel [Fri, 26 Jun 2015 15:35:27 +0000 (17:35 +0200)]
x86,arm: remove asm/spinlock.h from all architectures
Now that all architecture use a common ticket lock implementation for
spinlocks, remove the architecture specific byte lock implementations.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
David Vrabel [Fri, 26 Jun 2015 15:33:34 +0000 (17:33 +0200)]
use ticket locks for spin locks
Replace the byte locks with ticket locks. Ticket locks are: a) fair;
and b) peform better when contented since they spin without an atomic
operation.
The lock is split into two ticket values: head and tail. A locker
acquires a ticket by (atomically) increasing tail and using the
previous tail value. A CPU holds the lock if its ticket == head. The
lock is released by increasing head.
spin_lock_irq() and spin_lock_irqsave() now spin with irqs disabled
(previously, they would spin with irqs enabled if possible). This is
required to prevent deadlocks when the irq handler tries to take the
same lock with a higher ticket.
Architectures need only provide arch_fetch_and_add() and two barriers:
arch_lock_acquire_barrier() and arch_lock_release_barrier().
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Ian Campbell [Tue, 23 Jun 2015 14:58:32 +0000 (15:58 +0100)]
tools: libxl: Take the userdata lock around maxmem changes
There is an issue in libxl_set_memory_target whereby the target and
the max mem can get out of sync, this is because the call the
xc_domain_setmaxmem is not tied in any way to the xenstore transaction
which controls updates to the xenstore side of things.
Consider a domain with 1M of RAM (==target and maxmem for the sake of
argument) and two simultaneous calls to libxl_set_memory_target, both
with relative=0 and enforce=1, one with target=3 and the other with
target=5.
target=5 call target=3 call
transaction start
transaction start
write target=5 to xenstore
write target=3 to xenstore
setmaxmem(5)
setmaxmem(3)
In reality the target=3 case will the retry and eventually (hopefully)
succeed with target=maxmem=3, however the bad state will persist for
some window which is undesirable. On failure other than EAGAIN all
bets are off anyway, but in that case we will likely stick in the bad
state until someone else sets the memory).
To fix this we slightly abuse the userdata lock which is used to
protect updates to the domain's json configuration. Abused because
maxmem is not actually stored in there, but is kept by Xen. However
the lock protects some semantically similar things and is convenient
to use here too.
libxl_domain_setmaxmem also takes the lock, since it reads
memory/target from xenstore before calling xc_domain_setmaxmem there
is a small (but perhaps not very interesting) race there too.
There is on more use of xc_domain_setmaxmem in libxl__build_pre.
However taking a lock around this would be tricky since the xenstore
parts are not done until libxl__build_post. I think this one could be
argued to be OK since the domid is not "public" yet, that is it has
not been returned to the application yet (as the result of the create
operation). Toolstacks which go round fiddling with random domid's
which they find lying on the floor should be taught to do better.
Add a doc note that taking the userdata lock requires the CTX_LOCK to
be held.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Thu, 25 Jun 2015 12:57:31 +0000 (14:57 +0200)]
x86/setup: initialise CR4 before creating idle_vcpu[0]
PV vcpu initialise has CR4 seeded from mmu_cr4_features. Adjust the order of
basic CR4 setup and creation of the idle domain, such that idle_vcpu[0] is not
wildly different from the other idle vcpus.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 25 Jun 2015 12:57:04 +0000 (14:57 +0200)]
x86/traps: avoid using current too early on boot
Early on boot, current has the sentinel value 0xfffff000. Blindly using it in
show_registers() causes a nested failure and no useful information printed
from an early crash.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Fri, 19 Jun 2015 08:58:24 +0000 (10:58 +0200)]
xen{trace/analyze}: don't use 64bit versions of libc functions
This is not needed, neither encouraged. Configure already checks
_FILE_OFFSET_BITS and appends it when needed, so that the right functions
are used. Also remove the usage of loff_t and O_LARGEFILE for the same
reason.
Wei Liu [Wed, 24 Jun 2015 10:10:09 +0000 (11:10 +0100)]
NetBSDRump: provide evtchn.h and privcmd.h
Xen's build system has a target for rump kernel called NetBSDRump. We
want to build libxc against rump kernel, so we need to copy NetBSD's
evtchn.h and privcmd.h to NetBSDRump. These copies is not very likely to
diverge from NetBSD's copies, but we don't preclude such possibility.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
A new memory model that allows QEMU to bump memory behind libxl's back
was merged a few months ago. We didn't fully understand the
repercussions back then. Now it breaks migration and becomes blocker of
4.6 release.
It's better to restore to original behaviour at this stage of the
release cycle, that would put us in a position no worse than before, so
the release is unblocked.
The said function is still racy after reverting these two patches.
Making domain memory state consistent requires a bit more work. Separate
patch(es) will be sent out to deal with that problem.
Fix up conflicts with f5b43e95 (libxl: fix "xl mem-set" regression from 0c029c4da2).
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Fri, 19 Jun 2015 12:41:29 +0000 (13:41 +0100)]
xen/arm: Propagate clock-frequency to DOMU if present in the DT timer node
When the property "clock-frequency" is present in the DT timer node, it
means that the bootloader/firmware didn't correctly configure the
CNTFRQ/CNTFRQ_EL0 on each processor.
The best solution would be to fix the offending firmware/bootloader,
although it may not always be possible to modify and re-flash it.
As it's not possible to trap the register CNTFRQ/CNTFRQ_EL0, we have
to extend xen_arch_domainconfig to provide the timer frequency to the
toolstack when the property "clock-frequency" is present to the host DT
timer node. Then, a property "clock-frequency" will be created in the guest
DT timer node if the value is not 0.
We could have set the property in the guest DT no matter if the property
is present in the host DT. Although, we still want to let the guest
using CNTFRQ in normal case. After all, the property "clock-frequency"
is just a workaround for buggy firmware.
Also add a stub for fdt_property_u32 which is not present in libfdt <
1.4.0 used by distribution such as Debian Wheezy.
Signed-off-by: Julien Grall <julien.grall@citrix.com> Tested-by: Chris Brand <chris.brand@broadcom.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- ran autogen.sh ]
Tim Deegan [Tue, 23 Jun 2015 10:30:26 +0000 (11:30 +0100)]
Change kdd to 'Odd Fixes'.
kdd's knowledge of Windows kernel internals is several releases out of
date now. However the underlying implementation of the serial protocol
is still sound. I have heard that some people are using it, and I'm happy
to answer questions/bug reports, so don't deprecate it just yet.
Tim Deegan [Tue, 23 Jun 2015 10:47:26 +0000 (11:47 +0100)]
New maintainer for x86/mm
George has a long record of contributions to the x86 memory management
and p2m code. He will be taking over as the primary maintainer of
x86/mm; I will still help out with the shadow pagetable code.
Signed-off-by: Tim Deegan <tim@xen.org> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Paul Durrant [Wed, 24 Jun 2015 15:53:36 +0000 (17:53 +0200)]
x86/hvm: re-name struct hvm_mmio_handler to hvm_mmio_ops
The struct just contains three methods and no data, so the name
hvm_mmio_ops more accurately reflects its content. A subsequent patch
introduces a new structure which more accurately warrants the name
hvm_mmio_handler so doing the rename in this purely cosmetic patch avoids
conflating functional and cosmetic changes in a single patch.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Wed, 24 Jun 2015 08:37:50 +0000 (10:37 +0200)]
x86/mm: use is_..._vcpu() instead of open coding it
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Paul Durrant [Tue, 23 Jun 2015 16:07:49 +0000 (18:07 +0200)]
x86/hvm: remove hvm_io_pending() check in hvmemul_do_io()
The check is done at the wrong point (since it is irrelevant if the
I/O is to be handled by the hypervisor) and its functionality can be
covered by returning X86EMUL_UNHANDLEABLE from hvm_send_assist_req()
instead.
This patch also removes the domain_crash() call from
hvm_send_assist_req(). Returning X86EMUL_UNHANDLEABLE allows the
higher layers of emulation to decide what to do instead.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Paul Durrant [Tue, 23 Jun 2015 16:07:03 +0000 (18:07 +0200)]
x86/hvm: simplify hvmemul_do_io()
Currently hvmemul_do_io() handles paging for I/O to/from a guest address
inline. This causes every exit point to have to execute:
if ( ram_page )
put_page(ram_page);
This patch introduces wrapper hvmemul_do_io_addr() and
hvmemul_do_io_buffer() functions. The latter is used for I/O to/from a Xen
buffer and thus the complexity of paging can be restricted only to the
former, making the common hvmemul_do_io() function less convoluted.
This patch also tightens up some types and introduces pio/mmio wrappers
for the above functions with comments to document their semantics.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 22 Jun 2015 15:53:21 +0000 (17:53 +0200)]
x86/vLAPIC: adjust types in internal read/write handling
- use 32-bit types where possible (produces slightly better code)
- drop (now) unnecessary casts
- avoid indirection where not needed
- avoid duplicate log messages in vlapic_write()
- minor other cleanup
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Don Slutz [Mon, 22 Jun 2015 09:40:28 +0000 (11:40 +0200)]
gdbsx_guestmemio: allow it to check domain
gdbsx_guest_mem_io() does not get d passed, it expects to handle the
domain lookup itself. Specifically, the caller of
XEN_DOMCTL_gdbsx_guestmemio is expected to use DOMID_IDLE to interact
with the hypervisor, rather than a domain, which doesn't interact well
with with the domain rcu lock.
Signed-off-by: Don Slutz <dslutz@verizon.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
David Vrabel [Mon, 22 Jun 2015 09:39:46 +0000 (11:39 +0200)]
evtchn: pad struct evtchn to 64 bytes
The number of struct evtchn in a page must be a power of two. Under
some workloads performance is improved slightly by padding struct
evtchn to 64 bytes (a typical cache line size), thus putting the fewer
per-channel locks into each cache line.
This does not decrease the number of struct evtchn's per-page.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
David Vrabel [Mon, 22 Jun 2015 09:39:03 +0000 (11:39 +0200)]
evtchn: use a per-event channel lock for sending events
When sending an event, use a new per-event channel lock to safely
validate the event channel state.
This new lock must be held when changing event channel state. Note
that the event channel lock must also be held when changing state from
ECS_FREE or it will race with a concurrent get_free_port() call.
To avoid having to take the remote event channel locks when sending to
an interdomain event channel, the local and remote channel locks are
both held when binding or closing an interdomain event channel.
This significantly increases the number of events that can be sent
from multiple VCPUs. But struct evtchn increases in size, reducing
the number that fit into a single page to 64 (instead of 128).
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
David Vrabel [Mon, 22 Jun 2015 09:38:01 +0000 (11:38 +0200)]
evtchn: defer freeing struct evtchn's until evtchn_destroy_final()
notify_via_xen_event_channel() and free_xen_event_channel() had to
check if the domain was dying because they may be called while the
domain is being destroyed and the struct evtchn's are being freed.
By deferring the freeing of the struct evtchn's until all references
to the domain are dropped, these functions can rely on the channel
state being present and valid.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
David Vrabel [Mon, 22 Jun 2015 09:36:17 +0000 (11:36 +0200)]
evtchn: clear xen_consumer when clearing state
Freeing a xen event channel would clear xen_consumer before clearing
the channel state, leaving a window where the channel is in a funny
state (still bound but no consumer).
Move the clear of xen_consumer into free_evtchn() where the state is
also cleared.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Ditch the pointless evtchn_close() wrapper around __evtchn_close()
(renaming the latter) as well as some bogus casts of function results
to void.
Jan Beulich [Mon, 22 Jun 2015 09:34:57 +0000 (11:34 +0200)]
x86/HVM: EOI handling function adjustments
The vector parameters are more usefully u8 right away. This is
particularly important for the vioapic_update_EOI() invocation from
vioapic_write() (which luckily is only a latent issue, as
VIOAPIC_VERSION_ID is still hard coded to 0x11 right now). But it at
once allows simplifying VMX's EXIT_REASON_EOI_INDUCED handling (the
kind of pointless helper function should have been static anyway; not
being use for anything else, it gets removed altogether).
Plus vlapic_handle_EOI() (now renamed for that purpose) can be used as
the tail of vlapic_EOI_set() instead of duplicating that code.
Finally replace a stray current->domain use in vlapic_handle_EOI().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Malcolm Crossley [Fri, 19 Jun 2015 09:01:24 +0000 (11:01 +0200)]
gnttab: use per-VCPU maptrack free lists
Performance analysis of aggregate network throughput with many VMs
shows that performance is signficantly limited by contention on the
maptrack lock when obtaining/releasing maptrack handles from the free
list.
Instead of a single free list use a per-VCPU list. This avoids any
contention when obtaining a handle. Handles must be released back to
their original list and since this may occur on a different VCPU there
is some contention on the destination VCPU's free list tail pointer
(but this is much better than a per-domain lock).
Increase the default maximum number of maptrack frames by 4 times
because: a) struct grant_mapping is now 16 bytes (instead of 8); and
b) a guest may not evenly distribute all the grant map operations
across the VCPUs (meaning some VCPUs need more maptrack entries than
others).
Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Fri, 19 Jun 2015 08:59:53 +0000 (10:59 +0200)]
x86/MSI: track host and guest masking separately
In particular we want to avoid losing track of our own intention to
have an entry masked. Physical unmasking now happens only when both
host and guest requested so.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Fri, 19 Jun 2015 08:58:45 +0000 (10:58 +0200)]
x86/MSI-X: cleanup
- __pci_enable_msix() now checks that an MSI-X capability was actually
found
- pass "pos" to msix_capability_init() as both callers already know it
(and hence there's no need to re-obtain it)
- call __pci_disable_msi{,x}() directly instead of via
pci_disable_msi() from __pci_enable_msi{x,}() state validation paths
- use msix_control_reg() instead of open coding it
- log message adjustments
- coding style corrections
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 18 Jun 2015 14:44:15 +0000 (16:44 +0200)]
x86/HVM: avoid pointer wraparound in bufioreq handling
The number of slots per page being 511 (i.e. not a power of two) means
that the (32-bit) read and write indexes going beyond 2^32 will likely
disturb operation. Extend I/O req server creation so the caller can
indicate that it is using suitable atomic accesses where needed (not
all accesses to the two pointers really need to be atomic), allowing
the hypervisor to atomically canonicalize both pointers when both have
gone through at least one cycle.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 18 Jun 2015 14:42:56 +0000 (16:42 +0200)]
x86/HAP: prefer is_..._domain() over is_..._vcpu()
In hvm_hap_nested_page_fault() latch the current domain alongside the
current vCPU into a local variable, making use of it where possible
also beyond what the title says.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 18 Jun 2015 13:07:10 +0000 (15:07 +0200)]
x86: synchronize PCI config space access decoding
Both PV and HVM logic have similar but not similar enough code here.
Synchronize the two so that
- in the HVM case we don't unconditionally try to access extended
config space
- in the PV case we pass a correct range to the XSM hook
- in the PV case we don't needlessly deny access when the operation
isn't really on PCI config space
All this along with sharing the macros HVM already had here.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
There's no need for two exit paths each using rcu_unlock_domain() on
its own here.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
projects / xen.git / log