Keir Fraser [Wed, 10 Feb 2010 09:18:43 +0000 (09:18 +0000)]
Fix domain reference leaks
Besides two unlikely/rarely hit ones in x86 code, the main offender
was tmh_client_from_cli_id(), which didn't even have a counterpart
(albeit it had a comment correctly saying that it causes d->refcnt to
get incremented). Unfortunately(?) this required a bit of code
restructuring (as I needed to change the code anyway, I also fixed
a couple os missing bounds checks which would sooner or later be
reported as security vulnerabilities), so I would hope Dan could give
it his blessing before it gets applied.
Keir Fraser [Wed, 10 Feb 2010 09:18:11 +0000 (09:18 +0000)]
x86: MCE fixes
- fill_vmsr_data() leaked a domain reference; since the caller already
obtained one, there's no need to obtain another one here
- intel_UCR_handler() could call put_domain() with a NULL pointer
- mcheck_mca_logout() updated a local data structure that wasn't used
after the update
Keir Fraser [Mon, 8 Feb 2010 10:18:51 +0000 (10:18 +0000)]
Dump machine check context for fatal machine check
This small patches enable Xen hypervisor to always dump machine check
ontext, previously it will not print anything if fatal MCE happens. It
also add checking for NULL pointer.
It also change the address passing to guest to always use guest
mfn. It should benifit non-translated guest.
Keir Fraser [Mon, 8 Feb 2010 08:43:25 +0000 (08:43 +0000)]
vmx: Don't enable irq for machine check vmexit handling
We should not enable irq for machine check VMExit
In changeset 18658:824892134573, IRQ is enabled during VMExit except
external interrupt. The exception should apply for machine check also,
because :
a) The mce_logout_lock should be held in irq_disabled context.
b) The machine check event should be handled as quickly as possible,
enable irq will increase the period greatly.
Keir Fraser [Fri, 5 Feb 2010 10:37:24 +0000 (10:37 +0000)]
Remus: fix ia64 build
This patch fixes the following error:
/xen-unstable.hg/tools/remus/kmod/sch_queue.c: In function
`is_foreign':
/xen-unstable.hg/tools/remus/kmod/sch_queue.c:51: error:
`phys_to_machine_mapping' undeclared (first use in this function)
Keir Fraser [Fri, 5 Feb 2010 10:35:57 +0000 (10:35 +0000)]
libxl: notice if vbd virt device specifier ("path") unrecognised
Previously, specifying a virtual device string the vbd that couldn't
be parsed would result in attempting to actually create the device
with vbd number -1 !
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Thu, 4 Feb 2010 13:16:39 +0000 (13:16 +0000)]
libxc: Reorder functions in xc_misc.c to avoid weak symbol problem
Using a function, and then declaring it weak later, has undefined
behaviour:
cc1: warnings being treated as errors
xc_misc.c:388: error: weak declaration of 'xc_map_foreign_bulk'
after first use results in unspecified behavior
So swap the functions xc_map_foreign_pages and xc_map_foreign_bulk.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Thu, 4 Feb 2010 13:09:30 +0000 (13:09 +0000)]
mem hotplug: Fix an incorrect sanity check in memory add
Current, memory hot-add will fail if the new added memory is bigger
than current max_pages. This is really a stupid checking, considering
user may hot-add the biggest address riser card firstly.
This patch fix this issue. It check if all new added memory is
unpopulated, if yes, then it is ok.
Keir Fraser [Thu, 4 Feb 2010 09:09:13 +0000 (09:09 +0000)]
VT-d, tools: Intel IGD passthrough 2/2: hvm config file example
Add an option into hvm config file to enable graphics passthrough
including discrete and IGD. To passthrough graphics to guest, need to
set gfx_passthru=1, and also specify graphics device BDF in pci
passthrough option, like pci=['xx:xx.x'] in hvm config file.
Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Thu, 4 Feb 2010 08:53:16 +0000 (08:53 +0000)]
x86: fix frame table initialization when hotplug memory regions were detected
max_idx is not a pdx, and hence needs to be converted to one in all
cases where it is being passed to pdx_to_page().
Also, just like for max_pdx, the conversion result of max_idx may
point into an address space hole, and hence it must not be used
directly as an argument to pdx_to_page(). Note that this doesn't apply
to the arguments passed to memset(), as the size argument would be
zero in the case of hitting an address space hole.
Keir Fraser [Wed, 3 Feb 2010 09:46:38 +0000 (09:46 +0000)]
VT-d: fix a bug in enable_ats_device
In enable_ats_device, it should enable ATS if find matched atsr unit
for a device, and don't enable it if no matched atsr unit. But current
code does contrarily. This patch fixes it.
Signed-off-by: Weidong Han <Weidong.han@intel.com>
Keir Fraser [Wed, 3 Feb 2010 09:46:01 +0000 (09:46 +0000)]
libxc: Check there's enough memory for segments we're creating
Previously, xc_dom_alloc_segment would go ahead even if the segment
we're trying to create is too big for the domain's RAM (or the
requested addr is out of range). It would pass invalid parameters to
xc_dom_seg_to_ptr giving undefined behaviour.
Fixing xc_dom_seg_to_ptr to fail is not sufficient because we want to
provide a comprehensible explanation to the caller - which may
ultimately be the user.
In particular, with this change attempting "xl create" with a ramdisk
image bigger than the guest's specified RAM will provide a useful
error message mentioning the ramdisk.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:45:40 +0000 (09:45 +0000)]
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.
It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:36:37 +0000 (09:36 +0000)]
xentrace: Disable tracing, then read records one more time.
When interrupted, first disable tracing, then read through the records
one last time.
Without this patch, it's possible to get traces which interact (such
as runstate changes) on processors with higher numbers, while missing
the corresponding traces generated on lower-numbered processors.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:35:56 +0000 (09:35 +0000)]
xentrace: Clear lost records when disabling tracing
This patch clears the "lost records" flag on each cpu when tracing is
disabled.
Without this patch, the next time tracing starts, cpus with lost
records will generate lost record traces, even though buffers are
empty and no tracing has recently happened.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:35:23 +0000 (09:35 +0000)]
xentrace: Trace p2m events
Add more tracing to aid in debugging ballooning / PoD:
* Nested page faults for EPT/NPT systems
* set_p2m_enry
* Decrease reservation (for ballooning)
* PoD populate, zero reclaim, superpage splinter
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Keir Fraser [Wed, 3 Feb 2010 09:16:11 +0000 (09:16 +0000)]
hvmloader: Fix CPU hotplug notify handler in ACPI DSDT.
By merging PRSC and NTFY methods we simplify the code, improve
efficiency, and fix a bug where PRSC iterated 0-255 but NTDY could
only handle CPU numbers 0-127.
Keir Fraser [Fri, 29 Jan 2010 08:55:27 +0000 (08:55 +0000)]
blktap2: Prefer AIO eventfd support on kernels >= 2.6.22
Mainline kernel support for eventfd(2) in linux aio was added between
2.6.21 and 2.6.22. Libaio after 0.3.107 has the header file, but
presently few systems support it. Neither do we rely on an up-to-date
libc6.
Instead, this patch adds a header which defines custom iocb_common
struct, and works around a potentially missing sys/eventfd.h.
Signed-off-by: Daniel Stodden <daniel.stodden@citrix.com>
Keir Fraser [Fri, 29 Jan 2010 08:54:51 +0000 (08:54 +0000)]
blktap2: Separate tapdisk raw I/O into different backends.
Hide tapdisk support for different raw I/O interfaces behind a new
struct tio. Libaio remains to dominate the interface, requiring
everyone to dispatch iocb/ioevent structs.
Misc:
- Fixes a bug in tapdisk-vbd which locks up the sync io mode.
- Wants a PERROR macro in blktaplib.h
- Removes dead code in qcow2raw to make it link again.
Signed-off-by: Daniel Stodden <daniel.stodden@citrix.com> Signed-off-by: Jake Wires <jake.wires@citrix.com>
Keir Fraser [Fri, 29 Jan 2010 06:50:23 +0000 (06:50 +0000)]
x86 mca: Be more careful for printk in MCE context
MCE may happen in printk context, and will cause deadlock if we try to
call printk again in MCE context.
A new level(mce_critical) is added to mce_verbosity for printk in mce
context. This level is only for developer that aware of such issue.
In mce_panic, force console unlock.
Keir Fraser [Fri, 29 Jan 2010 06:49:42 +0000 (06:49 +0000)]
x86 mca: Add MCE broadcast checkiing.
Some platform will broadcast MCE to all logical processor, while some
platform will not. Distinguish these platforms will be helpful for
unified MCA handler.
the "mce_fb" is a option to emulate the broadcast MCA in non-broadcast
platform. This is mainly for MCA software trigger.
Keir Fraser [Fri, 29 Jan 2010 06:48:00 +0000 (06:48 +0000)]
x86 mca: Not GP fault when guest write non 0s or 1s to MCA CTL MSRs.
a) For Mci_CTL MSR, Guest can write any value to it. When read back,
it will be ANDed with the physical value. Some bit in physical value
can be 0, either because read-only in hardware (like masked by AMD's
Mci_CTL_MASK), or because Xen didn't enable it.
If guest write some bit as 0, while that bit is 1 in host, we will
not inject MCE corresponding that bank to guest, as we can't
distinguish if the MCE is caused by the guest-cleared bit.
b) For MCG_CTL MSR, guest can write any value to it. When read back,
it will be ANDed with the physical value.
If guest does not write all 1s. In mca_ctl_conflict(), we simply
not inject any vMCE to guest if some bit is set in physical MSR
while is cleared in guest 's vMCG_CTL MSR.
Keir Fraser [Fri, 29 Jan 2010 06:47:24 +0000 (06:47 +0000)]
x86 mca: Handle the vMCA bank correctly
Currently the virtual MCE MSR assume all MSRs range from 0 to
MAX_NR_BANKS are always MCE MSR, this is not always correct. With this
patch, the mce_rdmsr/mce_wrmsr will only handle vMCE MSR range from 0
to the MCA banks in the host platform.
Please notice that some MSR beyond current MCA banks in the host
platform are really MCA MSRs, that should be handled by general MSR
handler.
Keir Fraser [Tue, 26 Jan 2010 15:54:40 +0000 (15:54 +0000)]
pygrub: improve grub 2 support
* The "default" value can be a quoted string (containing an integer)
so strip the quotes before interpreting.
* The "set" command takes a variable with an arbitrary name so instead
of whitelisting the ones to ignore simply silently accept any set
command with an unknown variable.
* Ignore the echo command.
* Handle the function { ... } syntax. Previously pygrub would error
out with a syntax error on the closing "}" because it thought it was
the closing bracket of a menuentry.
This makes pygrub2 work with the configuration files generated by
Debian Squeeze today.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Keir Fraser [Tue, 26 Jan 2010 15:53:01 +0000 (15:53 +0000)]
x86: Directly clear all pending EOIs once MSI info changed
As to unmaskable MSI, its deferred EOI policy only targets
for avoiding IRQ storm. It should be safe to clear pending
EOIs in advance when guest irq migration occurs, because next
interrupt's EOI write is still deferred, and also can avoid
storm.
Keir Fraser [Tue, 26 Jan 2010 07:51:20 +0000 (07:51 +0000)]
VT-d: add "iommu=workaround_bios_bug" option
Add this option to workaround BIOS bugs. Currently it ignores DRHD
if "all" devices under its scope are not pci discoverable. This
workarounds a BIOS bug in some platforms to make VT-d work. But note
that this option doesn't guarantee security, because it might ignore
DRHD.
So there are 3 options which handle BIOS bugs differently:
iommu=1 (default): If detect non-existent device under a DRHD's
scope, or find incorrect RMRR setting (base_address > end_address),
disable VT-d completely in Xen with warning messages. This guarantees
security when VT-d enabled, or just disable VT-d to let Xen work
without VT-d.
iommu=force: it enforces to enable VT-d in Xen. If VT-d cannot be
enabled, it will crashes Xen. This is mainly for users who must need
VT-d.
iommu=workaround_bogus_bios: it workarounds some BIOS bugs to make
VT-d still work. This might be insecure because there might be a
device not protected by any DRHD if the device is re-enabled by
malicious s/w. This is for users who want to use VT-d regardless of
security.
Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Tue, 26 Jan 2010 07:50:04 +0000 (07:50 +0000)]
tools/xsm: Expose Flask XSM AVC functions to user-space
This patch exposes the flask_access, flask_avc_cachestats,
flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold,
and flask_policyvers functions to user-space. A python wrapper was
created for the flask_access function to facilitate policy based
user-space access control decisions. flask.h was renamed to libflask.h
to remove a naming conflict.
ide-disks: Unplug all emulated IDE disks (but not CD-ROMs)
aux-ide-disks: As above, but doesn't touch primary IDE master
nics: Unplug all emulated NICs
all: ide-disks and nics
Keir Fraser [Sat, 23 Jan 2010 08:23:24 +0000 (08:23 +0000)]
VT-d: improve RMRR validity checking
In order to make Xen more defensive to VT-d related BIOS issue, this
patch ignores a DRHD if all devices under its scope are not pci
discoverable, and regards a DRHD as invalid and then disable whole
VT-d if some devices under its scope are not pci discoverable. But if
iommu=force is set, it will enable all DRHDs reported by BIOS, to
avoid any security vulnerability with malicious s/s re-enabling
"supposed disabled" devices. Pls note that we don't know the devices
under the "Include_all" DRHD are existent or not, because the scope of
"Include_all" DRHD won't enumerate common pci device, it only
enumerates I/OxAPIC and HPET devices.
Signed-off-by: Noboru Iwamatsu <n_iwamatsu@jp.fujitsu.com> Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Fri, 22 Jan 2010 13:32:26 +0000 (13:32 +0000)]
Get libconfig tarball from xenbits
Download libconfig.tar.gz from xenbits.org extfiles rather than from
upstream. This insulates us from upstream networking failures and any
upstream changes to the files hosted etc.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Keir Fraser [Fri, 22 Jan 2010 11:01:18 +0000 (11:01 +0000)]
x86: check if desc->action is NULL when unbinding guest pirq
Before igb PF driver is unloaded, dom0 doesn't unload igbvf driver
automatically. When igb drver is unloaded, it invokes the
PHYSDEVOP_manage_pci_remove hypercall to remove the VFs and xen frees
the msi irqs by pci_cleanup_msi() -> ... -> dynamic_irq_cleanup() and
sets the desc->action to NULL. igbvf driver knows the VF is
disappearing via a hook ndo_stop() in dev_close() and tries to unbind
the pirq and xen would crash as the desc->action is NULL now.
Keir Fraser [Fri, 22 Jan 2010 11:00:45 +0000 (11:00 +0000)]
blktap: fix blktapctrl abort
On rebooting a hvm, the blktapctrl daemon has died.
gdb shows the following call trace:
(gdb) where
#0 0x00000039d1830155 in raise () from /lib64/libc.so.6
#1 0x00000039d1831bf0 in abort () from /lib64/libc.so.6
#2 0x00000039d186a38b in __libc_message () from /lib64/libc.so.6
#3 0x00000039d1871634 in _int_free () from /lib64/libc.so.6
#4 0x00000039d1874c5c in free () from /lib64/libc.so.6
#5 0x0000003320a01bdd in ueblktap_probe (h=3D0x6073b0,=20
w=<value optimized out>, bepath_im=<value optimized out>) at
xenbus.c:270
#6 0x0000003320a020e0 in xs_fire_next_watch (h=3D0x6073b0) at
xs_api.c:355
#7 0x0000000000401785 in main (argc=3D<value optimized out>,
argv=<value optimized out>) at blktapctrl.c:907
There is a case that "/local/domain/0/backend/tap/<dom_id>" exists but
"/local/domain/<dom_id>/vm" is not in the xenstore.
Keir Fraser [Fri, 22 Jan 2010 10:59:51 +0000 (10:59 +0000)]
libxc: mmapbatch-v2 adjustments
Just like the kernel, the fallback implementation of
xc_map_foreign_bulk() should clear the error indication array upon
success.
Also, a few allocations were needlessly using calloc() instead of
malloc().
Finally, in xc_domain_save() allocate the error indicator array once
(along with the other arrays) instead of using realloc() (without
error checking) in the loop body.
Keir Fraser [Fri, 22 Jan 2010 10:59:03 +0000 (10:59 +0000)]
libxc: New hcall_buf_{prep,release} pre-mlock interface
Allow certain performance-critical hypercall wrappers to register data
buffers via a new interface which allows them to be 'bounced' into a
pre-mlock'ed page-sized per-thread data area. This saves the cost of
mlock/munlock on every such hypercall, which can be very expensive on
modern kernels.
Keir Fraser [Thu, 21 Jan 2010 15:12:17 +0000 (15:12 +0000)]
x86: add keyhandler to dump MSI state
Equivalent to dumping IO-APIC state; the question is whether this
ought to live on its own key (as done here), or whether it should be
chanined to from the 'i' handler.
Keir Fraser [Thu, 21 Jan 2010 09:12:01 +0000 (09:12 +0000)]
VT-d: improve RMRR validity checking
Currently, Xen checks RMRR range and disables VT-d if RMRR range is
set incorrectly in BIOS rigorously. But, actually we can ignore the
RMRR if the device under its scope are not pci discoverable, because
the RMRR won't be used by non-existed or disabled devices.
This patch ignores the RMRR if the device under its scope are not pci
discoverable, and only checks the validity of RMRRs that are actually
used. In order to avoid duplicate pci device detection code, this
patch defines a function pci_device_detect for it.
Signed-off-by: Weidong Han <weidong.han@intel.com>
Keir Fraser [Thu, 21 Jan 2010 09:11:06 +0000 (09:11 +0000)]
VT-d: handle return value of deassign_device
deassign_device may fail, so need to capture its failure for
appropriate handling. This patch captures return values of
deassign_device, and prints error messages if it fails.
In addition, this patch also fixes some code style issues.
Signed-off-by: Weidong Han <Weidong.han@intel.com>
Keir Fraser [Thu, 21 Jan 2010 09:03:20 +0000 (09:03 +0000)]
libxc: Unbreak HVM live migration after 0b138a019292.
0b138a019292 was a little too ambitious replacing xc_map_foreign_batch
with xc_map_foreign_pages in xc_domain_restore. With HVM, some of the
mappings are expected to fail (as "XTAB" pages).
Keir Fraser [Thu, 21 Jan 2010 09:03:00 +0000 (09:03 +0000)]
xend: Unbreak live migration with tapdisk2 after 20691:054042ba73b6
vm.image does not exist at this point in the restore process.
I haven't looked at the memory_sharing code. It's likely something
better is needed to make that work across relocation.
Keir Fraser [Wed, 20 Jan 2010 20:33:35 +0000 (20:33 +0000)]
xentrace: Per-cpu xentrace buffers
In the current xentrace configuration, xentrace buffers are all
allocated in a single contiguous chunk, and then divided among logical
cpus, one buffer per cpu. The size of an allocatable chunk is fairly
limited, in my experience about 128 pages (512KiB). As the number of
logical cores increase, this means a much smaller maximum per-cpu
trace buffer per cpu; on my dual-socket quad-core nehalem box with
hyperthreading (16 logical cpus), that comes to 8 pages per logical
cpu.
This patch addresses this issue by allocating per-cpu buffers
separately.
Keir Fraser [Tue, 19 Jan 2010 15:44:54 +0000 (15:44 +0000)]
Enable IOMMU by default.
Can be disabled with 'iommu=0' boot parameter.
Note that iommu_inclusive_mapping is now also enabled by default, to
deal with systems with broken BIOS tables specifying bad RMRRs. Old
behaviour can be specified via 'iommu_inclusive_mapping=0'.
Keir Fraser [Tue, 19 Jan 2010 10:56:59 +0000 (10:56 +0000)]
x86: Clean up TSC_RELIABLE handling after 20705:a74aca4b9386
Set the feature by default and disable it if we can detect TSC warp,
rather than leaving the feature cleared and setting it if we happen
not to detect TSC warp.
This way round fixes dom0 kernel boot for Masaki Kanno.
projects / xen.git / log