Keir Fraser [Wed, 3 Feb 2010 09:46:01 +0000 (09:46 +0000)]
libxc: Check there's enough memory for segments we're creating
Previously, xc_dom_alloc_segment would go ahead even if the segment
we're trying to create is too big for the domain's RAM (or the
requested addr is out of range). It would pass invalid parameters to
xc_dom_seg_to_ptr giving undefined behaviour.
Fixing xc_dom_seg_to_ptr to fail is not sufficient because we want to
provide a comprehensible explanation to the caller - which may
ultimately be the user.
In particular, with this change attempting "xl create" with a ramdisk
image bigger than the guest's specified RAM will provide a useful
error message mentioning the ramdisk.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:45:40 +0000 (09:45 +0000)]
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.
It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:36:37 +0000 (09:36 +0000)]
xentrace: Disable tracing, then read records one more time.
When interrupted, first disable tracing, then read through the records
one last time.
Without this patch, it's possible to get traces which interact (such
as runstate changes) on processors with higher numbers, while missing
the corresponding traces generated on lower-numbered processors.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:35:56 +0000 (09:35 +0000)]
xentrace: Clear lost records when disabling tracing
This patch clears the "lost records" flag on each cpu when tracing is
disabled.
Without this patch, the next time tracing starts, cpus with lost
records will generate lost record traces, even though buffers are
empty and no tracing has recently happened.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:35:23 +0000 (09:35 +0000)]
xentrace: Trace p2m events
Add more tracing to aid in debugging ballooning / PoD:
* Nested page faults for EPT/NPT systems
* set_p2m_enry
* Decrease reservation (for ballooning)
* PoD populate, zero reclaim, superpage splinter
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:16:11 +0000 (09:16 +0000)]
hvmloader: Fix CPU hotplug notify handler in ACPI DSDT.
By merging PRSC and NTFY methods we simplify the code, improve
efficiency, and fix a bug where PRSC iterated 0-255 but NTDY could
only handle CPU numbers 0-127.
Keir Fraser [Fri, 29 Jan 2010 08:55:27 +0000 (08:55 +0000)]
blktap2: Prefer AIO eventfd support on kernels >= 2.6.22
Mainline kernel support for eventfd(2) in linux aio was added between
2.6.21 and 2.6.22. Libaio after 0.3.107 has the header file, but
presently few systems support it. Neither do we rely on an up-to-date
libc6.
Instead, this patch adds a header which defines custom iocb_common
struct, and works around a potentially missing sys/eventfd.h.
Signed-off-by: Daniel Stodden <daniel.stodden@citrix.com>
Keir Fraser [Fri, 29 Jan 2010 08:54:51 +0000 (08:54 +0000)]
blktap2: Separate tapdisk raw I/O into different backends.
Hide tapdisk support for different raw I/O interfaces behind a new
struct tio. Libaio remains to dominate the interface, requiring
everyone to dispatch iocb/ioevent structs.
Misc:
- Fixes a bug in tapdisk-vbd which locks up the sync io mode.
- Wants a PERROR macro in blktaplib.h
- Removes dead code in qcow2raw to make it link again.
Signed-off-by: Daniel Stodden <daniel.stodden@citrix.com> Signed-off-by: Jake Wires <jake.wires@citrix.com>
Keir Fraser [Fri, 29 Jan 2010 06:50:23 +0000 (06:50 +0000)]
x86 mca: Be more careful for printk in MCE context
MCE may happen in printk context, and will cause deadlock if we try to
call printk again in MCE context.
A new level(mce_critical) is added to mce_verbosity for printk in mce
context. This level is only for developer that aware of such issue.
In mce_panic, force console unlock.
Keir Fraser [Fri, 29 Jan 2010 06:49:42 +0000 (06:49 +0000)]
x86 mca: Add MCE broadcast checkiing.
Some platform will broadcast MCE to all logical processor, while some
platform will not. Distinguish these platforms will be helpful for
unified MCA handler.
the "mce_fb" is a option to emulate the broadcast MCA in non-broadcast
platform. This is mainly for MCA software trigger.
Keir Fraser [Fri, 29 Jan 2010 06:48:00 +0000 (06:48 +0000)]
x86 mca: Not GP fault when guest write non 0s or 1s to MCA CTL MSRs.
a) For Mci_CTL MSR, Guest can write any value to it. When read back,
it will be ANDed with the physical value. Some bit in physical value
can be 0, either because read-only in hardware (like masked by AMD's
Mci_CTL_MASK), or because Xen didn't enable it.
If guest write some bit as 0, while that bit is 1 in host, we will
not inject MCE corresponding that bank to guest, as we can't
distinguish if the MCE is caused by the guest-cleared bit.
b) For MCG_CTL MSR, guest can write any value to it. When read back,
it will be ANDed with the physical value.
If guest does not write all 1s. In mca_ctl_conflict(), we simply
not inject any vMCE to guest if some bit is set in physical MSR
while is cleared in guest 's vMCG_CTL MSR.
Keir Fraser [Fri, 29 Jan 2010 06:47:24 +0000 (06:47 +0000)]
x86 mca: Handle the vMCA bank correctly
Currently the virtual MCE MSR assume all MSRs range from 0 to
MAX_NR_BANKS are always MCE MSR, this is not always correct. With this
patch, the mce_rdmsr/mce_wrmsr will only handle vMCE MSR range from 0
to the MCA banks in the host platform.
Please notice that some MSR beyond current MCA banks in the host
platform are really MCA MSRs, that should be handled by general MSR
handler.
Keir Fraser [Tue, 26 Jan 2010 15:54:40 +0000 (15:54 +0000)]
pygrub: improve grub 2 support
* The "default" value can be a quoted string (containing an integer)
so strip the quotes before interpreting.
* The "set" command takes a variable with an arbitrary name so instead
of whitelisting the ones to ignore simply silently accept any set
command with an unknown variable.
* Ignore the echo command.
* Handle the function { ... } syntax. Previously pygrub would error
out with a syntax error on the closing "}" because it thought it was
the closing bracket of a menuentry.
This makes pygrub2 work with the configuration files generated by
Debian Squeeze today.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Keir Fraser [Tue, 26 Jan 2010 15:53:01 +0000 (15:53 +0000)]
x86: Directly clear all pending EOIs once MSI info changed
As to unmaskable MSI, its deferred EOI policy only targets
for avoiding IRQ storm. It should be safe to clear pending
EOIs in advance when guest irq migration occurs, because next
interrupt's EOI write is still deferred, and also can avoid
storm.
Keir Fraser [Tue, 26 Jan 2010 07:51:20 +0000 (07:51 +0000)]
VT-d: add "iommu=workaround_bios_bug" option
Add this option to workaround BIOS bugs. Currently it ignores DRHD
if "all" devices under its scope are not pci discoverable. This
workarounds a BIOS bug in some platforms to make VT-d work. But note
that this option doesn't guarantee security, because it might ignore
DRHD.
So there are 3 options which handle BIOS bugs differently:
iommu=1 (default): If detect non-existent device under a DRHD's
scope, or find incorrect RMRR setting (base_address > end_address),
disable VT-d completely in Xen with warning messages. This guarantees
security when VT-d enabled, or just disable VT-d to let Xen work
without VT-d.
iommu=force: it enforces to enable VT-d in Xen. If VT-d cannot be
enabled, it will crashes Xen. This is mainly for users who must need
VT-d.
iommu=workaround_bogus_bios: it workarounds some BIOS bugs to make
VT-d still work. This might be insecure because there might be a
device not protected by any DRHD if the device is re-enabled by
malicious s/w. This is for users who want to use VT-d regardless of
security.
Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Tue, 26 Jan 2010 07:50:04 +0000 (07:50 +0000)]
tools/xsm: Expose Flask XSM AVC functions to user-space
This patch exposes the flask_access, flask_avc_cachestats,
flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold,
and flask_policyvers functions to user-space. A python wrapper was
created for the flask_access function to facilitate policy based
user-space access control decisions. flask.h was renamed to libflask.h
to remove a naming conflict.
ide-disks: Unplug all emulated IDE disks (but not CD-ROMs)
aux-ide-disks: As above, but doesn't touch primary IDE master
nics: Unplug all emulated NICs
all: ide-disks and nics
Keir Fraser [Sat, 23 Jan 2010 08:23:24 +0000 (08:23 +0000)]
VT-d: improve RMRR validity checking
In order to make Xen more defensive to VT-d related BIOS issue, this
patch ignores a DRHD if all devices under its scope are not pci
discoverable, and regards a DRHD as invalid and then disable whole
VT-d if some devices under its scope are not pci discoverable. But if
iommu=force is set, it will enable all DRHDs reported by BIOS, to
avoid any security vulnerability with malicious s/s re-enabling
"supposed disabled" devices. Pls note that we don't know the devices
under the "Include_all" DRHD are existent or not, because the scope of
"Include_all" DRHD won't enumerate common pci device, it only
enumerates I/OxAPIC and HPET devices.
Signed-off-by: Noboru Iwamatsu <n_iwamatsu@jp.fujitsu.com> Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Fri, 22 Jan 2010 13:32:26 +0000 (13:32 +0000)]
Get libconfig tarball from xenbits
Download libconfig.tar.gz from xenbits.org extfiles rather than from
upstream. This insulates us from upstream networking failures and any
upstream changes to the files hosted etc.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Fri, 22 Jan 2010 11:01:18 +0000 (11:01 +0000)]
x86: check if desc->action is NULL when unbinding guest pirq
Before igb PF driver is unloaded, dom0 doesn't unload igbvf driver
automatically. When igb drver is unloaded, it invokes the
PHYSDEVOP_manage_pci_remove hypercall to remove the VFs and xen frees
the msi irqs by pci_cleanup_msi() -> ... -> dynamic_irq_cleanup() and
sets the desc->action to NULL. igbvf driver knows the VF is
disappearing via a hook ndo_stop() in dev_close() and tries to unbind
the pirq and xen would crash as the desc->action is NULL now.
Keir Fraser [Fri, 22 Jan 2010 11:00:45 +0000 (11:00 +0000)]
blktap: fix blktapctrl abort
On rebooting a hvm, the blktapctrl daemon has died.
gdb shows the following call trace:
(gdb) where
#0 0x00000039d1830155 in raise () from /lib64/libc.so.6
#1 0x00000039d1831bf0 in abort () from /lib64/libc.so.6
#2 0x00000039d186a38b in __libc_message () from /lib64/libc.so.6
#3 0x00000039d1871634 in _int_free () from /lib64/libc.so.6
#4 0x00000039d1874c5c in free () from /lib64/libc.so.6
#5 0x0000003320a01bdd in ueblktap_probe (h=3D0x6073b0,=20
w=<value optimized out>, bepath_im=<value optimized out>) at
xenbus.c:270
#6 0x0000003320a020e0 in xs_fire_next_watch (h=3D0x6073b0) at
xs_api.c:355
#7 0x0000000000401785 in main (argc=3D<value optimized out>,
argv=<value optimized out>) at blktapctrl.c:907
There is a case that "/local/domain/0/backend/tap/<dom_id>" exists but
"/local/domain/<dom_id>/vm" is not in the xenstore.
Keir Fraser [Fri, 22 Jan 2010 10:59:51 +0000 (10:59 +0000)]
libxc: mmapbatch-v2 adjustments
Just like the kernel, the fallback implementation of
xc_map_foreign_bulk() should clear the error indication array upon
success.
Also, a few allocations were needlessly using calloc() instead of
malloc().
Finally, in xc_domain_save() allocate the error indicator array once
(along with the other arrays) instead of using realloc() (without
error checking) in the loop body.
Keir Fraser [Fri, 22 Jan 2010 10:59:03 +0000 (10:59 +0000)]
libxc: New hcall_buf_{prep,release} pre-mlock interface
Allow certain performance-critical hypercall wrappers to register data
buffers via a new interface which allows them to be 'bounced' into a
pre-mlock'ed page-sized per-thread data area. This saves the cost of
mlock/munlock on every such hypercall, which can be very expensive on
modern kernels.
Keir Fraser [Thu, 21 Jan 2010 15:12:17 +0000 (15:12 +0000)]
x86: add keyhandler to dump MSI state
Equivalent to dumping IO-APIC state; the question is whether this
ought to live on its own key (as done here), or whether it should be
chanined to from the 'i' handler.
Keir Fraser [Thu, 21 Jan 2010 09:12:01 +0000 (09:12 +0000)]
VT-d: improve RMRR validity checking
Currently, Xen checks RMRR range and disables VT-d if RMRR range is
set incorrectly in BIOS rigorously. But, actually we can ignore the
RMRR if the device under its scope are not pci discoverable, because
the RMRR won't be used by non-existed or disabled devices.
This patch ignores the RMRR if the device under its scope are not pci
discoverable, and only checks the validity of RMRRs that are actually
used. In order to avoid duplicate pci device detection code, this
patch defines a function pci_device_detect for it.
Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Thu, 21 Jan 2010 09:11:06 +0000 (09:11 +0000)]
VT-d: handle return value of deassign_device
deassign_device may fail, so need to capture its failure for
appropriate handling. This patch captures return values of
deassign_device, and prints error messages if it fails.
In addition, this patch also fixes some code style issues.
Signed-off-by: Weidong Han <Weidong.han@intel.com>
Keir Fraser [Thu, 21 Jan 2010 09:03:20 +0000 (09:03 +0000)]
libxc: Unbreak HVM live migration after 0b138a019292.
0b138a019292 was a little too ambitious replacing xc_map_foreign_batch
with xc_map_foreign_pages in xc_domain_restore. With HVM, some of the
mappings are expected to fail (as "XTAB" pages).
Keir Fraser [Thu, 21 Jan 2010 09:03:00 +0000 (09:03 +0000)]
xend: Unbreak live migration with tapdisk2 after 20691:054042ba73b6
vm.image does not exist at this point in the restore process.
I haven't looked at the memory_sharing code. It's likely something
better is needed to make that work across relocation.
Keir Fraser [Wed, 20 Jan 2010 20:33:35 +0000 (20:33 +0000)]
xentrace: Per-cpu xentrace buffers
In the current xentrace configuration, xentrace buffers are all
allocated in a single contiguous chunk, and then divided among logical
cpus, one buffer per cpu. The size of an allocatable chunk is fairly
limited, in my experience about 128 pages (512KiB). As the number of
logical cores increase, this means a much smaller maximum per-cpu
trace buffer per cpu; on my dual-socket quad-core nehalem box with
hyperthreading (16 logical cpus), that comes to 8 pages per logical
cpu.
This patch addresses this issue by allocating per-cpu buffers
separately.
Keir Fraser [Tue, 19 Jan 2010 15:44:54 +0000 (15:44 +0000)]
Enable IOMMU by default.
Can be disabled with 'iommu=0' boot parameter.
Note that iommu_inclusive_mapping is now also enabled by default, to
deal with systems with broken BIOS tables specifying bad RMRRs. Old
behaviour can be specified via 'iommu_inclusive_mapping=0'.
Keir Fraser [Tue, 19 Jan 2010 10:56:59 +0000 (10:56 +0000)]
x86: Clean up TSC_RELIABLE handling after 20705:a74aca4b9386
Set the feature by default and disable it if we can detect TSC warp,
rather than leaving the feature cleared and setting it if we happen
not to detect TSC warp.
This way round fixes dom0 kernel boot for Masaki Kanno.
Keir Fraser [Mon, 18 Jan 2010 10:35:36 +0000 (10:35 +0000)]
x86 hvm: Pre-allocate per-cpu HVM memory before bringing CPUs online
after boot. Avoids doing the allocations on the CPU itself, while in a
not-fully-online state and with irqs disabled. This way we avoid
assertions about irqs being disabled in e.g., tlb flush logic.
Keir Fraser [Sun, 17 Jan 2010 18:07:10 +0000 (18:07 +0000)]
Change default cpufreq governor to ondemand
Back in c/s 18950 the default cpufreq governor was set to userspace
(it had previously been performance). However, since there is no
supplied userspace program or script that will change the frequency
this is at best a no-op. Worse, on some hardware with some BIOS
revisions, this actually sets the CPUs running at their lowest
frequency rather than their highest and there is a corresponding (and
initially puzzling) drop in performance.
This patch changes the default governor to "ondemand" which should
make it the same as the Linux default and will provide power savings
for the majority without needing to write a userspace governor. For
those that want to install their own governor, that is still possible.
Keir Fraser [Sun, 17 Jan 2010 18:05:03 +0000 (18:05 +0000)]
libxenlight: separate logically list_vm and list_domain
previously list_domain was something between listing VM and domains.
provide 2 separates API calls to list domains and list vms. the list
vms API filters utility domains like stubdomains, and domain 0
change is_stubdom to properly check the integer and also return a
boolean value.
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
Keir Fraser [Sun, 17 Jan 2010 18:01:08 +0000 (18:01 +0000)]
xend: NUMA: fix division by zero on unpopulated nodes
nodes without memory will currently be disabled by also moving the
physical cores connected to them to other nodes. This leads to nodes
without CPUs and thus to a division by zero in the node allocation
algorithm. Attached patch fixes this by checking for 0 before the
division. This fixes domain creation on boxes with memory-less nodes.
Signed-off-by: Andre Przywara <andre.przywara@amd.com>
Keir Fraser [Thu, 14 Jan 2010 09:44:08 +0000 (09:44 +0000)]
xend, NUMA: Fix computation of needed nodes
Enumerate the best nodes and add CPU affinity until all VCPUs can be
backed by at least one physical core. This should fix problems with
asymmetric NUMA configurations and cropped number of CPUs in Xen.
Signed-off-by: Andre Przywara <andre.przywara@amd.com>
Keir Fraser [Wed, 13 Jan 2010 08:18:38 +0000 (08:18 +0000)]
x86: fix unmaskable msi assignment issue.
Currently, unmasked msi irq's EOI write is deferred untile guest
writes EOI, so needs to keep eoi_vector unchanged before guest writes
EOI. However, irq migration breaks the assumption and changs
eoi_vector when interrupts are generated through new vector.
The patch removes the dependency for eoi_vector and directly recoreds
the irq info in the EOI stack, and when guest writes EOI, just do the
physical EOI for the specific irq(recorded in EOI stack)on the cpus
according to the cpu_eoi_map.
Keir Fraser [Wed, 13 Jan 2010 08:14:01 +0000 (08:14 +0000)]
x86: add and use XEN_DOMCTL_getpageframeinfo3
To support wider than 28-bit MFNs, add XEN_DOMCTL_getpageframeinfo3
(with the type replacing the passed in MFN rather than getting or-ed
into it) to properly back xc_get_pfn_type_batch().
With xc_get_pfn_type_batch() only used internally to libxc, move its
prototype from xenctrl.h to xc_private.h.
This also fixes a couple of bugs in pre-existing code:
- the failure path for init_mem_info() leaked minfo->pfn_type,
- one error path of the XEN_DOMCTL_getpageframeinfo2 handler used
put_domain() where rcu_unlock_domain() was meant, and
- the XEN_DOMCTL_getpageframeinfo2 handler could call
xsm_getpageframeinfo() with an invalid struct page_info pointer.
Keir Fraser [Wed, 13 Jan 2010 08:12:56 +0000 (08:12 +0000)]
libxc: use new (replacement) mmap-batch ioctl
Replace all calls to xc_map_foreign_batch() where the caller doesn't
look at the passed in array to check for errors by calls to
xc_map_foreign_pages(). Replace all remaining calls by such to the
newly introduced xc_map_foreign_bulk().
As a sideband modification (needed while writing the patch to ensure
they're unused) eliminate unused parameters to
uncanonicalize_pagetable() and xc_map_foreign_batch_single(). Also
unmap live_p2m_frame_list earlier in map_and_save_p2m_table(),
reducing the peak amount of virtual address space required.
All supported OSes other than Linux continue to use the old ioctl for
the time being.
Also change libxc's MAJOR to 4.0 to reflect the API change.
projects / xen.git / log