xen/arm: arm32: Allow Xen to boot on unidentified CPUs
Currently if the processor id is not identified (ie it is missing in proc-v7.S)
, then Xen boot fails quite early.
We have removed this restriction as for some CPUs (eg Cortex-R52), there isn't
any special initialization required.
Julien Grall [Thu, 29 Jun 2023 19:57:10 +0000 (20:57 +0100)]
xen/arm32: vfp: Add missing U for shifted constant
When enabling UBSAN on arm32, the following splat will be printed:
(XEN) ================================================================================
(XEN) UBSAN: Undefined behaviour in arch/arm/arm32/vfp.c:75:22
(XEN) left shift of 255 by 24 places cannot be represented in type 'int'
This is referring to the shift in FPSID_IMPLEMENTER_MASK. While we could
only add the U to the value shift there, it would be better to be
consistent and also add it for every value shifted.
This should also addressing MISRA Rule 7.2:
A "u" or "U" suffix shall be applied to all integer constants that
are represented in an unsigned type
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Julien Grall [Thu, 29 Jun 2023 19:56:18 +0000 (20:56 +0100)]
xen/arm64: head: Rework PRINT() to work when the string is not withing +/- 1MB
The instruction ADR is able to load an address of a symbol that is
within the range +/- 1 MB of the instruction.
While today Xen is quite small (~1MB), it could grow up to 2MB in the
current setup. So there is no guarantee that the instruction can
load the string address (stored in rodata).
So replace the instruction ADR with the pseudo-instruction ADR_L
which is able to handle symbol within the range +/- 4GB.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Thu, 29 Jun 2023 19:55:18 +0000 (20:55 +0100)]
xen/arm64: entry: Don't jump outside of an alternative
The instruction CBNZ can only jump to a pc-relative that is in the
range +/- 1MB.
Alternative instructions replacement are living in a separate
subsection of the init section. This is usually placed towards
the end of the linker. Whereas text is towards the beginning.
While today Xen is quite small (~1MB), it could grow up to
2MB in the current setup. So there is no guarantee that the
target address in the text section will be within the range +/-
1MB of the CBNZ in alternative section.
The easiest solution is to have the target address within the
same section of the alternative. This means that we need to
duplicate a couple of instructions.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
----
I couldn't come up with a solution that would not change the number
of instructions executed in the entry path.
Julien Grall [Thu, 29 Jun 2023 19:47:12 +0000 (20:47 +0100)]
xen/arm32: head: Remove 'r6' from the clobber list of create_page_tables()
Since commit 62529f16c8a2 ("xen/arm32: head: Use a page mapping for the
1:1 mapping in create_page_tables()"), the register 'r6' is not used
anymore within create_page_tables(). So remove it from the documentation.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Julien Grall [Thu, 29 Jun 2023 19:44:17 +0000 (20:44 +0100)]
xen/arm: Check Xen size when linking
The linker will happily link Xen if it is bigger than what we can handle
(e.g 2MB). This will result to unexpected failure after boot.
This unexpected failure can be prevented by forbidding linking if Xen is
bigger than the area we reserved.
Signed-off-by: Julien Grall <julien@xen.org> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com>
Nicola Vetrini [Thu, 29 Jun 2023 10:06:15 +0000 (12:06 +0200)]
xen/arm: tlbflush: fix violations of MISRA C:2012 Rule 3.1
In the files `xen/arch/arm/include/asm/arm(32|64)/flushtlb.h' there are a
few occurrences of nested '//' character sequences inside C-style comment
blocks, which violate Rule 3.1. The patch aims to resolve those by changing
the inner comments to arm asm comments, delimited by ';' instead.
xen/arm: change parameter names in replace_grant_host_mapping().
In the current version of replace_grant_host_mapping() function, the
declaration (correctly) uses the parameter names 'gpaddr' and
'new_gpaddr', while the definition uses the parameter names 'addr' and
'new_addr'.
Change the parameter names of the definition to 'gpaddr' and
'new_gpaddr' so that it is clear what type of address is expected and
violations of MISRA C:2012 Rule 8.3 are fixed.
In both declaration and definition of function
replace_grant_host_mapping() change the parameter name 'mfn' to 'frame',
thus improving readability and keeping consistency with name used in
create_grant_host_mapping().
xen/arm: make parameter names of function declarations consistent.
Change the parameter names of function declarations to be consistent
with the names used in the corresponding function definitions, thus
fixing violations of MISRA C:2012 Rule 8.3.
xen/arm: vgic: change parameter name in 'init' and 'free' functions.
In the current versions of vcpu_vgic_init() and vcpu_vgic_free(),
the declarations (correctly) use the parameter name 'v' while the
corresponding definitions use the parameter name 'vcpu'.
Since it is common to use 'v' to denote a vCPU, change the parameter
name 'vcpu' of function definitions to 'v', thus fixing violations of
MISRA C:2012 Rule 8.3.
xen/arm: change parameter name 'pa' in ioremap_addr() definition.
In the current version of ioremap_addr() function, the declaration
uses the parameter name 'start' (consistenly with the other ioremap_*
function declarations), while the definition uses the parameter name
'pa'.
Change the parameter name 'pa' of function definition to 'start', thus
fixing a violation of MISRA C:2012 Rule 8.3 and keeping the consistency
with other ioremap_* functions.
xen/arm: change parameter name 'vcpu' in domain() function definition.
In the current version of domain() function, the declaration
(correctly) uses the parameter name 'v' while the definition uses the
parameter name 'vcpu'.
Since it is common to use 'v' to denote a vCPU, change the parameter
name 'vcpu' of function definition to 'v', thus fixing a violation of
MISRA C:2012 Rule 8.3.
xen/arm: change names in function access_guest_memory_by_ipa().
Change the function name 'access_guest_memory_by_ipa' to
'access_guest_memory_by_gpa' and change its formal parameter name from
'ipa' to 'gpa' because of the following:
1) 'gpa' is used more frequently and therefore is preferable;
2) changing parameter name makes the declaration consistent with the
corresponding definition thus fixing a violation of MISRA C:2012 Rule
8.3.
Andrew Cooper [Tue, 20 Jun 2023 16:36:19 +0000 (17:36 +0100)]
x86/vpmu: Simplify is_pmc_quirk
This should be static, and there's no need for a separate (non-init, even)
function to perform a simple equality test. Drop the is_ prefix which is
gramatically questionable, and make it __ro_after_init.
Leave a TODO, because the behaviour is definitely wrong to be applied to all
modern Intel CPUs. The question has been raised on xen-devel previously
without conclusion.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Shawn Anastasio [Wed, 21 Jun 2023 16:59:51 +0000 (11:59 -0500)]
automation: Fix KBUILD_DEFCONFIG for *ppc64le jobs
During an iteration of the initial ppc64le support patchset the default
defconfig was renamed but build.yaml wasn't updated to reflect this. Fix
it up.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Shawn Anastasio [Tue, 20 Jun 2023 18:12:47 +0000 (13:12 -0500)]
xen: Add files needed for minimal ppc64le build
Add the build system changes required to build for ppc64le (POWER8+).
As of now the resulting image simply boots to an infinite loop.
$ make XEN_TARGET_ARCH=ppc64 -C xen build
This port targets POWER8+ CPUs running in Little Endian mode specifically,
and does not boot on older machines. Additionally, this initial skeleton
only implements the PaPR/pseries boot protocol which allows it to be
booted in a standard QEMU virtual machine:
Jan Beulich [Wed, 21 Jun 2023 11:45:36 +0000 (13:45 +0200)]
x86/vPIT: account for "counter stopped" time
For an approach like that used in "x86: detect PIT aliasing on ports
other than 0x4[0-3]" [1] to work, channel 2 may not (appear to) continue
counting when "gate" is low. Record the time when "gate" goes low, and
adjust pit_get_{count,out}() accordingly. Additionally for most of the
modes a rising edge of "gate" doesn't mean just "resume counting", but
"initiate counting", i.e. specifically the reloading of the counter with
its init value.
No special handling for state save/load: See the comment near the end of
pit_load().
Along with introducing the get_count() helper to have the calculations
(and the locking check) in a single place, switch pit_get_count()'s d,
counter, and return type to unsigned int.
Andrew Cooper [Wed, 10 May 2023 19:21:12 +0000 (20:21 +0100)]
x86: Use printk_once() instead of opencoding it
Technically our helper post-dates all of these examples, but it's good cleanup
nevertheless. None of these examples should be using fully locked
test_and_set_bool() in the first place.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Tue, 13 Jun 2023 16:06:47 +0000 (17:06 +0100)]
xen/evtchn: Purge ERROR_EXIT{,_DOM}()
These interfere with code legibility by hiding control flow. Expand and drop
them.
* Rearrange the order of actions to write into rc, then render rc in the
gdprintk().
* Drop redundant "rc = rc" assignments
* Switch to using %pd for rendering domains
As a side effect, this fixes several violations of MISRA rule 2.1 (dead code -
the while() following a goto).
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 7 Jun 2023 09:27:27 +0000 (11:27 +0200)]
xen/arm: pl011: Add SBSA UART device-tree support
We already have all the bits necessary in PL011 driver to support SBSA
UART thanks to commit 032ea8c736d10f02672863c6e369338f948f7ed8 that
enabled it for ACPI. Plumb in the remaining part for device-tree boot:
- add arm,sbsa-uart compatible to pl011_dt_match (no need for a separate
struct and DT_DEVICE_START as SBSA is a subset of PL011),
- from pl011_dt_uart_init(), check for SBSA UART compatible to determine
the UART type in use.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Tested-by: Henry Wang <Henry.Wang@arm.com>
Michal Orzel [Wed, 7 Jun 2023 09:27:26 +0000 (11:27 +0200)]
xen/arm: pl011: Use correct accessors
At the moment, we use 32-bit only accessors (i.e. readl/writel) to match
the SBSA v2.x requirement. This should not be the default case for normal
PL011 where accesses shall be 8/16-bit (max register size is 16-bit).
There are however implementations of this UART that can only handle 32-bit
MMIO. This is advertised by dt property "reg-io-width" set to 4.
Introduce new struct pl011 member mmio32 and replace pl011_{read/write}
macros with static inline helpers that use 32-bit or 16-bit accessors
(largest-common not to end up using different ones depending on the actual
register size) according to mmio32 value. By default this property is set
to false, unless:
- reg-io-width is specified with value 4,
- SBSA UART is in use.
For now, no changes done for ACPI due to lack of testing possibilities
(i.e. current behavior maintained resulting in 32-bit accesses).
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Michal Orzel [Wed, 7 Jun 2023 09:27:25 +0000 (11:27 +0200)]
xen/arm: debug-pl011: Add support for 32-bit only MMIO
There are implementations of PL011 that can only handle 32-bit accesses
as oppose to the normal behavior where accesses are 8/16-bit wide. This
is usually advertised by setting a dt property 'reg-io-width' to 4.
Introduce CONFIG_EARLY_UART_PL011_MMIO32 Kconfig option to be able to
enable the use of 32-bit only accessors in PL011 early printk code.
Define macros PL011_{STRH,STRB,LDRH} to distinguish accessors for normal
case from 32-bit MMIO one and use them in arm32/arm64 pl011 early printk
code.
Update documentation accordingly.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Michal Orzel [Wed, 7 Jun 2023 09:27:24 +0000 (11:27 +0200)]
xen/arm: debug-pl011: Use correct accessors
Although most PL011 UARTs can cope with 32-bit accesses, some of the old
legacy ones might not. PL011 registers are 8/16-bit wide and this shall
be perceived as the normal behavior.
Modify early printk pl011 code for arm32/arm64 to use the correct
accessors depending on the register size (refer ARM DDI 0183G, Table 3.1).
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
For Dir 1.1, a document describing all implementation-defined behaviour
(i.e. gcc-specific behavior) will be added to docs/misra, also including
implementation-specific (gcc-specific) appropriate types for bit-field
relevant to Rule 6.1.
Rule 21.21 is lacking an example on gitlab but the rule is
straightforward: we don't use stdlib at all in Xen.
Andrew Cooper [Fri, 16 Jun 2023 16:28:21 +0000 (17:28 +0100)]
x86/boot: Clean up early error asm
The asm forming early error handling is a mix of local and non-local symbols,
and has some pointless comments. Drop the "# Error message" comments,
tweaking the style on modified lines, and make the symbols local.
However, leave behind one real symbol so this logic disassembles nicely
without merging in to acpi_boot_init(), which is the thing that happens to be
immediately prior in my build.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Oleksii Kurochko [Mon, 19 Jun 2023 13:47:37 +0000 (15:47 +0200)]
xen/riscv: introduce reset_stack() function
The reason for reset_stack() introduction is that stack should be
reset twice:
1. Before jumping to C world at the start of _start() function.
2. After jumping from 1:1 mapping world.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Roger Pau Monné [Mon, 19 Jun 2023 13:46:03 +0000 (15:46 +0200)]
iommu/vtd: fix address translation for leaf entries
Fix two issues related to leaf address lookups in VT-d:
* When translating an address that falls inside of a superpage in the
IOMMU page tables the fetching of the PTE value wasn't masking of the
contiguous related data, which caused the returned data to be
corrupt as it would contain bits that the caller would interpret as
part of the address.
* When the requested leaf address wasn't mapped by a superpage the
returned value wouldn't have any of the low 12 bits set, thus missing
the permission bits expected by the caller.
Take the opportunity to also adjust the function comment to note that
when returning the full PTE the bits above PADDR_BITS are removed.
Fixes: c71e55501a61 ('VT-d: have callers specify the target level for page table walks') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
xen/arm: p2m: Enable support for 32bit IPA for ARM_32
Refer ARM DDI 0406C.d ID040418, B3-1345,
"A stage 2 translation with an input address range of 31-34 bits can
start the translation either:
- With a first-level lookup, accessing a first-level translation
table with 2-16 entries.
- With a second-level lookup, accessing a set of concatenated
second-level translation tables"
Thus, for 32 bit IPA, there will be no concatenated root level tables.
So, the root-order is 0.
Also, Refer ARM DDI 0406C.d ID040418, B3-1348
"Determining the required first lookup level for stage 2 translations
For a stage 2 translation, the output address range from the stage 1
translations determines the required input address range for the stage 2
translation. The permitted values of VTCR.SL0 are:
0b00 Stage 2 translation lookup must start at the second level.
0b01 Stage 2 translation lookup must start at the first level.
VTCR.T0SZ must indicate the required input address range. The size of
the input address region is 2^(32-T0SZ) bytes."
Thus VTCR.SL0 = 1 (maximum value) and VTCR.T0SZ = 0 when the size of
input address region is 2^32 bytes.
When 32 bit physical addresses are used (ie PHYS_ADDR_T_32=y),
"va >> ZEROETH_SHIFT" causes an overflow.
Also, there is no zeroeth level page table on Arm32.
Also took the opportunity to clean up dump_pt_walk(). One could use
DECLARE_OFFSETS() macro instead of declaring an array of page table
offsets.
xen/arm: guest_walk: LPAE specific bits should be enclosed within "ifndef CONFIG_PHYS_ADDR_T_32"
As the previous patch introduces CONFIG_PHYS_ADDR_T_32 to support 32 bit
physical addresses, the code specific to "Large Physical Address Extension"
(ie LPAE) should be enclosed within "ifndef CONFIG_PHYS_ADDR_T_32".
Refer xen/arch/arm/include/asm/short-desc.h, "short_desc_l1_supersec_t"
unsigned int extbase1:4; /* Extended base address, PA[35:32] */
unsigned int extbase2:4; /* Extended base address, PA[39:36] */
Thus, extbase1 and extbase2 are not valid when 32 bit physical addresses
are supported.
xen/arm: Introduce choice to enable 64/32 bit physical addressing
Some Arm based hardware platforms which does not support LPAE
(eg Cortex-R52), uses 32 bit physical addresses.
Also, users may choose to use 32 bits to represent physical addresses
for optimization.
To support the above use cases, we have introduced arch independent
config to choose if the physical address can be represented using
32 bits (PHYS_ADDR_T_32) or 64 bits (!PHYS_ADDR_T_32).
For now only ARM_32 provides support to enable 32 bit physical
addressing.
When PHYS_ADDR_T_32 is defined, PADDR_BITS is set to 32. Note that we
use "unsigned long" (not "uint32_t") to denote the datatype of physical
address. This is done to avoid using a cast each time PAGE_* macros are
used on paddr_t. For eg PAGE_SIZE is defined as unsigned long. Thus,
each time PAGE_SIZE is used with paddr_t, the result will be
"unsigned long".
On 32-bit architecture, "unsigned long" is 32-bit wide. Thus, it can be
used to denote physical address.
When PHYS_ADDR_T_32 is not defined for ARM_32, PADDR_BITS is set to 40.
For ARM_64, PADDR_BITS is set to 48.
The last two are same as the current configuration used today on Xen.
xen/arm: p2m: Use the pa_range_info table to support arm32 and arm64
Restructure the code so that one can use pa_range_info[] table for both
arm32 as well as arm64.
Also, removed the hardcoding for P2M_ROOT_ORDER and P2M_ROOT_LEVEL as
p2m_root_order can be obtained from the pa_range_info[].root_order and
p2m_root_level can be obtained from pa_range_info[].sl0.
Refer ARM DDI 0406C.d ID040418, B3-1345,
"Use of concatenated first-level translation tables
...However, a 40-bit input address range with a translation granularity of 4KB
requires a total of 28 bits of address resolution. Therefore, a stage 2
translation that supports a 40-bit input address range requires two concatenated
first-level translation tables,..."
Thus, root-order is 1 for 40-bit IPA on arm32.
Refer ARM DDI 0406C.d ID040418, B3-1348,
"Determining the required first lookup level for stage 2 translations
For a stage 2 translation, the output address range from the stage 1
translations determines the required input address range for the stage 2
translation. The permitted values of VTCR.SL0 are:
0b00 Stage 2 translation lookup must start at the second level.
0b01 Stage 2 translation lookup must start at the first level.
VTCR.T0SZ must indicate the required input address range. The size of the input
address region is 2^(32-T0SZ) bytes."
Thus VTCR.SL0 = 1 (maximum value) and VTCR.T0SZ = -8 when the size of input
address region is 2^40 bytes.
Thus, pa_range_info[].t0sz = 1 (VTCR.S) | 8 (VTCR.T0SZ) ie 11000b which is 24.
VTCR.T0SZ, is bits [5:0] for arm64.
VTCR.T0SZ is bits [3:0] and S(sign extension), bit[4] for arm32.
For this, we have used struct bitfields to convert pa_range_info[].t0sz to its
arm32 variant.
pa_range_info[] is indexed by ID_AA64MMFR0_EL1.PARange which is present in Arm64
only. This is the reason we do not specify the indices for arm32. Also, we
duplicated the entry "{ 40, 24/*24*/, 1, 1 }" between arm64 and
arm32. This is done to avoid introducing extra #if-defs.
Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
[julien: Tweak some comments and one check] Acked-by: Julien Grall <jgrall@amazon.com>
Andrew Cooper [Wed, 24 May 2023 14:41:21 +0000 (15:41 +0100)]
x86/cpu-policy: Derive RSBA/RRSBA for guest policies
The RSBA bit, "RSB Alternative", means that the RSB may use alternative
predictors when empty. From a practical point of view, this mean "Retpoline
not safe".
Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a
statement that IBRS is implemented in hardware (as opposed to the form
retrofitted to existing CPUs in microcode).
The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS
property that predictions are tagged with the mode in which they were learnt.
Therefore, it means "when eIBRS is active, the RSB may fall back to
alternative predictors but restricted to the current prediction mode". As
such, it's stronger statement than RSBA, but still means "Retpoline not safe".
CPUs are not expected to enumerate both RSBA and RRSBA.
Add feature dependencies for EIBRS and RRSBA. While technically they're not
linked, absolutely nothing good can come of letting the guest see RRSBA
without EIBRS. Nor a guest seeing EIBRS without IBRSB. Furthermore, we use
this dependency to simplify the max derivation logic.
The max policies gets RSBA and RRSBA unconditionally set (with the EIBRS
dependency maybe hiding RRSBA). We can run any VM, even if it has been told
"somewhere you might run, Retpoline isn't safe".
The default policies are more complicated. A guest shouldn't see both bits,
but it needs to see one if the current host suffers from any form of RSBA, and
which bit it needs to see depends on whether eIBRS is visible or not.
Therefore, the calculation must be performed after sanitise_featureset().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 25 May 2023 19:31:22 +0000 (20:31 +0100)]
x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate
In order to level a VM safely for migration, the toolstack needs to know the
RSBA/RRSBA properties of the CPU, whether or not they happen to be enumerated.
See the code comment for details.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 26 May 2023 09:35:47 +0000 (10:35 +0100)]
x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations()
This is prep work, split out to simply the diff on the following change.
* Rename to retpoline_calculations(), and call unconditionally. It is
shortly going to synthesise missing enumerations required for guest safety.
* For the model check switch statement, store the result in a variable and
break rather than returning directly.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Michal Orzel [Wed, 14 Jun 2023 07:30:18 +0000 (09:30 +0200)]
xen: Append a newline character to panic() where missing
Missing newline is inconsistent with the rest of the callers, since
panic() expects it.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Michal Orzel [Wed, 14 Jun 2023 09:41:44 +0000 (11:41 +0200)]
xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers
This is inconsistent with the rest of the code where macros are used
to define functions, as it results in an empty declaration (i.e.
semicolon with nothing before it) after function definition. This is also
not allowed by C99.
Take the opportunity to undefine TLB_HELPER* macros after last use.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
xen/arm: traps: remove inlining of handle_ro_raz()
To comply with MISRA C:2012 Rule 8.10 ("An inline function shall be
declared with the static storage class"), remove inline function
specifier from handle_ro_raz() since asking the compiler to inline
such function does not seem to add any kind of value.
Andrew Cooper [Tue, 13 Jun 2023 16:25:42 +0000 (17:25 +0100)]
xen/grant: Purge PIN_FAIL()
The name PIN_FAIL() is poor; it's not used only for pinning failures. More
importantly, it interferes with code legibility by hiding control flow.
Expand and drop it.
* Drop redundant "rc = rc" assignment
* Rework gnttab_copy_buf() to be simpler by dropping the rc variable
As a side effect, this fixes several violations of MISRA rule 2.1 (dead code -
the while() following a goto).
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Mon, 9 May 2022 10:18:20 +0000 (11:18 +0100)]
x86/shadow: Don't use signed bitfield in sh_emulate_ctxt
'int' bitfields in particular have implementation defined behaviour under gcc
and can change signed-ness with -funsigned-bitfields.
There is no need for low_bit_was_clear to be a bitfield in the first place; it
is only used as a boolean. Doing so even improves the code generation in
sh_emulate_map_dest() to avoid emitting a merge with structure padding.
Spotted by Eclair MISRA scanner.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Andrew Cooper [Mon, 9 May 2022 10:17:35 +0000 (11:17 +0100)]
x86/p2m.h: Add include guards
Spotted by Eclair MISRA scanner.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Jan Beulich [Thu, 15 Jun 2023 09:00:22 +0000 (11:00 +0200)]
Arm: drop bogus ALIGN() from linker script
Having ALIGN() inside a section definition usually makes sense only with
a label definition following (an exception case is a few lines out of
context, where cache line sharing is intended to be avoided).
Constituents of .bss.page_aligned need to specify their own alignment
correctly anyway, or else they're susceptible to link order changing.
This requirement is already met: Arm-specific code has no such object,
while common (EFI) code has another one. That one has suitable alignment
specified.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich [Thu, 15 Jun 2023 08:59:56 +0000 (10:59 +0200)]
spinlock: alter inlining of _spin_lock_cb()
To comply with Misra rule 8.10 ("An inline function shall be declared
with the static storage class"), convert what is presently
_spin_lock_cb() to an always-inline (and static) helper, while making
the function itself a thin wrapper, just like _spin_lock() is.
While there drop the unlikely() from the callback check, and correct
indentation in _spin_lock().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich [Thu, 15 Jun 2023 08:59:30 +0000 (10:59 +0200)]
libxg: shrink variable scope in xc_core_arch_map_p2m_list_rw()
This in particular allows to drop a dead assignment to "ptes" from near
the end of the function.
Coverity ID: 1532314 Fixes: bd7a29c3d0b9 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support linear p2m table") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Jan Beulich [Wed, 14 Jun 2023 10:31:23 +0000 (12:31 +0200)]
libxl: drop dead assignments to "ret" from libxl__domain_config_setdefault()
The variable needs to be properly set only on the error paths.
Coverity ID: 1532311 Fixes: ab4440112bec ("xl / libxl: push parsing of SSID and CPU pool ID down to libxl") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.cm> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Olaf Hering [Tue, 13 Jun 2023 12:42:14 +0000 (14:42 +0200)]
tools: fix make rpmball
Commit 438c5ffa44e99cceb574c0f9946aacacdedd2952 ("rpmball: Adjust to
new rpm, do not require --force") attempted to handle stricter
directory permissions in newer distributions.
This introduced a few issues:
- /boot used to be a constant prior commit 6475d700055fa952f7671cee982a23de2f5e4a7c ("use BOOT_DIR as xen.gz
install location"), since this commit the location has to be
referenced via ${BOOT_DIR}
- it assumed the prefix and the various configurable paths match the
glob pattern /*/*/*
Adjust the code to build a filelist on demand and filter directories
from an installed filesystem.rpm. This works on a SUSE system, and
will likely work on a RedHat based system as well.
Take the opportunity to replace the usage of $RPM_BUILD_ROOT with
%buildroot, and use pushd/popd pairs.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Roger Pau Monné [Tue, 13 Jun 2023 12:41:32 +0000 (14:41 +0200)]
iommu/amd-vi: fix checking for Invalidate All support in amd_iommu_resume()
The iommu local variable does not point to to a valid amd_iommu element
after the call to for_each_amd_iommu(). Instead check whether any IOMMU
on the system doesn't support Invalidate All in order to perform the
per-domain and per-device flushes.
Fixes: 9c46139de889 ('amd iommu: Support INVALIDATE_IOMMU_ALL command.') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 13 Jun 2023 09:14:50 +0000 (11:14 +0200)]
x86: minor tidying of identify_cpu()
Fields that generic_identify() sets unconditionally don't need pre-
setting. (In fact the compiler removes some of those assignments anyway,
at least in release builds.)
With the setting of ->cpuid_level to -1 gone, also drop the respective
BUG_ON() from default_init().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Viresh Kumar [Tue, 13 Jun 2023 09:12:24 +0000 (11:12 +0200)]
libxl: Call libxl__virtio_devtype.set_default() early enough
The _setdefault() function for virtio devices is getting called after
libxl__prepare_dtb(), which is late as libxl__prepare_dtb() expects the
defaults to be already set by this time.
Call libxl__virtio_devtype.set_default() from
libxl__domain_config_setdefault(), in a similar way as other devices
like disk, etc.
Suggested-by: Anthony PERARD <anthony.perard@citrix.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Viresh Kumar [Tue, 13 Jun 2023 09:12:10 +0000 (11:12 +0200)]
libxl: virtio: Remove unused frontend nodes
Only the VirtIO backend will watch xenstore to find out when a new
instance needs to be created for a guest, and read the parameters from
there. VirtIO frontend are only virtio, so they will not do anything
with the xenstore nodes. They can be removed.
While at it, also add a comment to the libxl_virtio.c file.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Andrew Cooper [Thu, 8 Jun 2023 09:59:37 +0000 (10:59 +0100)]
tools/ocaml/xc: Fix xc_physinfo() bindings
The original change doesn't compile on ARM:
xenctrl_stubs.c: In function 'stub_xc_physinfo':
xenctrl_stubs.c:821:16: error: unused variable 'arch_cap_flags_tag' [-Werror=unused-variable]
821 | int r, arch_cap_flags_tag;
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
but it was buggy too.
First, it tried storing an int in a pointer slot, causing heap corruption.
Next, it is not legitimate to exclude arm32 in the toolstack as it explicitly
can operate an arm64 toolstack and build arm64 domains. That in turn means
that you can't stash a C uint32_t in an OCaml int.
Rewrite the arch_capabilities handling from scratch. Break it out into a
separate function, and make the construction of arch_physinfo_cap_flags common
to prevent other indirection bugs.
Reintroduce arm_physinfo_caps with the fields broken out.
Fixes: 56a7aaa16bfe ("tools: add physinfo arch_capabilities handling for Arm") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com>
Andrew Cooper [Fri, 9 Jun 2023 15:59:20 +0000 (16:59 +0100)]
CI: Add Ocaml to the alpine containers
This gets more coverage of optional parts of the build, and makes it easier to
trial Ocaml related changes in the smoke tests.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Juergen Gross [Tue, 30 May 2023 08:54:09 +0000 (10:54 +0200)]
tools/xenstore: remove stale TODO file
The TODO file is not really helpful any longer. It contains only
entries which no longer apply or it is unknown what they are meant
for ("Dynamic/supply nodes", "Remove assumption that rename doesn't
fail").
Juergen Gross [Tue, 30 May 2023 08:54:07 +0000 (10:54 +0200)]
tools/xenstore: make some write limit functions static
Some wrl_*() functions are only used in xenstored_domain.c, so make
them static. In order to avoid the need of forward declarations, move
the whole function block to the start of the file.
Juergen Gross [Tue, 30 May 2023 08:54:06 +0000 (10:54 +0200)]
tools/xenstore: rename hashtable_insert() and let it return 0 on success
Today hashtable_insert() returns 0 in case of an error. Change that to
let it return an errno value in the error case and 0 in case of success.
In order to avoid any missed return value checks or related future
backport errors, rename hashtable_insert() to hashtable_add().
Even if not used today, do the same switch for the return value of
hashtable_expand().
Juergen Gross [Tue, 30 May 2023 08:54:04 +0000 (10:54 +0200)]
tools/xenstore: do some cleanup of hashtable.c
Do the following cleanups:
- hashtable_count() isn't used at all, so remove it
- replace prime_table_length and max_load_factor with macros
- make hash() static
- add a loadlimit() helper function
- remove the /***/ lines between functions
- do some style corrections
Roger Pau Monne [Thu, 8 Jun 2023 09:59:39 +0000 (11:59 +0200)]
x86/hvm: print valid CR4 bits in case of error
Some of the current users of hvm_cr4_guest_valid_bits() don't print
the valid mask in case of error, and thus the resulting error messages
are not as helpful as they could be.
Amend callers to always print the value of hvm_cr4_guest_valid_bits()
together with the rejected bits in the checked value. Also take the
opportunity and adjust all the users to use the same print formatter.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 7 Jun 2023 09:27:35 +0000 (10:27 +0100)]
CI: Fix the github actions Coverity run
The Install step is failing with:
Package python-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
E: Package 'python-dev' has no installation candidate
is only available from another source
However the following packages replace it:
python2-dev python2 python-dev-is-python3
which is a side effect of ubuntu-latest having changed from 20.04 to 22.04.
Drop python-dev as python3-dev is already present, and used a fixed runs-on to
avoid such problems in the future.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Juergen Gross [Tue, 30 May 2023 08:24:24 +0000 (10:24 +0200)]
tools/xenstore: switch quota management to be table based
Instead of having individual quota variables switch to a table based
approach like the generic accounting. Include all the related data in
the same table and add accessor functions.
This enables to use the command line --quota parameter for setting all
possible quota values, keeping the previous parameters for
compatibility.
Juergen Gross [Tue, 30 May 2023 08:24:22 +0000 (10:24 +0200)]
tools/xenstore: use generic accounting for remaining quotas
The maxrequests, node size, number of node permissions, and path length
quota are a little bit special, as they are either active in
transactions only (maxrequests), or they are just per item instead of
count values. Nevertheless being able to know the maximum number of
those quota related values per domain would be beneficial, so add them
to the generic accounting.
The per domain value will never show current numbers other than zero,
but the maximum number seen can be gathered the same way as the number
of nodes during a transaction.
To be able to use the const qualifier for a new function switch
domain_is_unprivileged() to take a const pointer, too.
For printing the quota/max values, adapt the print format string to
the longest quota name (now 17 characters long).
Juergen Gross [Tue, 30 May 2023 08:24:21 +0000 (10:24 +0200)]
tools/xenstore: remember global and per domain max accounting values
Add saving the maximum values of the different accounting data seen
per domain and (for unprivileged domains) globally, and print those
values via the xenstore-control quota command. Add a sub-command for
resetting the global maximum values seen.
This should help for a decision how to set the related quotas.
Juergen Gross [Tue, 30 May 2023 08:24:16 +0000 (10:24 +0200)]
tools/xenstore: add current connection to domain_memory_add() parameters
In order to enable switching memory accounting to the generic array
based accounting, add the current connection to the parameters of
domain_memory_add().
This requires to add the connection to some other functions, too.
projects / xen.git / log