David Vrabel [Thu, 6 Sep 2012 14:39:01 +0000 (16:39 +0200)]
timer: remove stray local_irq_enable()
migrate_timers_from_cpu() has a stray local_irq_enable() that does
nothing (it's immediately after a spin_unlock_irq()) and has no
matching local_irq_disable().
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org> Committed-by: Jan Beulich <jbeulich@suse.com>
Ian Jackson [Wed, 5 Sep 2012 11:30:26 +0000 (12:30 +0100)]
xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap
grant refs. However, it fails to validate the two refs passed from
the guest.
The result is that passing out-of-range refs can cause Xen to read
past the end of the grant_table->active[] array, and dereference
whatever it finds. Typically, this results in Xen trying to dereference
a low pointer and failing with a page-fault.
As this hypercall can be issued by an unprivileged guest, this is a
Denial of Service against Xen. This is XSA-18 / CVE-2012-3516.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Paul Durrant <paul.durrant@citrix.com>
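The class of bug described in the XSA-18 commit above, as an added example (not code from the Xen tree): a guest-supplied index used on a per-domain array with and without an upper-bound check. The flat `active[]` layout, the `SWAP_*` status codes and all function names are assumptions made for this model.

```c
#include <stdint.h>
#include <stdio.h>

#define SWAP_OK        0    /* hypothetical status codes for this model */
#define SWAP_BAD_REF (-1)
#define NR_ENTRIES     4u   /* size of the constructed table below */

typedef uint32_t grant_ref_t;  /* refs are unsigned, so only an upper bound is needed */

struct active_entry { uint32_t pin; uint64_t frame; };
struct grant_table  { uint32_t nr_entries; struct active_entry *active; };

/* BEFORE: the pattern the commit message describes. Both refs come from the
 * guest and index active[] directly, so an out-of-range ref reads (and here
 * also writes) past the end of the array. Kept for comparison, never called. */
int swap_refs_unchecked(struct grant_table *gt, grant_ref_t a, grant_ref_t b)
{
    struct active_entry tmp = gt->active[a];
    gt->active[a] = gt->active[b];
    gt->active[b] = tmp;
    return SWAP_OK;
}

/* AFTER: reject either ref before any array access. Both refs are checked
 * up front so a failure leaves the table untouched. */
int swap_refs_checked(struct grant_table *gt, grant_ref_t a, grant_ref_t b)
{
    if (a >= gt->nr_entries || b >= gt->nr_entries)
        return SWAP_BAD_REF;
    if (a == b)
        return SWAP_OK;               /* swapping a slot with itself is a no-op */

    struct active_entry tmp = gt->active[a];
    gt->active[a] = gt->active[b];
    gt->active[b] = tmp;
    return SWAP_OK;
}

/* Constructed sample table: slot i holds frame 0x1000 * (i + 1). */
static void fill_table(struct active_entry *slots)
{
    for (uint32_t i = 0; i < NR_ENTRIES; i++) {
        slots[i].pin = 0;
        slots[i].frame = 0x1000u * (uint64_t)(i + 1);
    }
}

/* Status returned for a swap request against a fresh sample table. */
int swap_status(grant_ref_t a, grant_ref_t b)
{
    struct active_entry slots[NR_ENTRIES];
    struct grant_table gt = { NR_ENTRIES, slots };
    fill_table(slots);
    return swap_refs_checked(&gt, a, b);
}

/* Frame stored in slot `probe` after the swap request was processed. */
uint64_t frame_after_swap(grant_ref_t a, grant_ref_t b, grant_ref_t probe)
{
    struct active_entry slots[NR_ENTRIES];
    struct grant_table gt = { NR_ENTRIES, slots };
    fill_table(slots);
    (void)swap_refs_checked(&gt, a, b);
    return probe < NR_ENTRIES ? slots[probe].frame : 0;
}

int main(void)
{
    printf("swap(0,3)          -> %d, slot0=0x%llx\n", swap_status(0, 3),
           (unsigned long long)frame_after_swap(0, 3, 0));
    printf("swap(1,4)          -> %d, slot1=0x%llx\n", swap_status(1, 4),
           (unsigned long long)frame_after_swap(1, 4, 1));
    printf("swap(0xffffffff,0) -> %d\n", swap_status(0xFFFFFFFFu, 0));
    return 0;
}
```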
Ian Jackson [Mon, 3 Sep 2012 10:22:01 +0000 (11:22 +0100)]
libxl: fix api check Makefile
Touch the libxl.api-ok stamp file, and unconditionally put in place
the new _libxl.api-for-check. This avoids needlessly rerunning the
preprocessor on libxl.h each time we call "make".
Ensure that _libxl.api-for-check gets the CFLAGS used for xl, so that
if it is asked for in a standalone make run it can find xentoollog.h.
Remove *.api-ok on clean.
Also fix .gitignore.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Tested-by: Dieter Bloms <dieter@bloms.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Mon, 3 Sep 2012 07:40:38 +0000 (09:40 +0200)]
make domain_create() return a proper error code
While triggered by the XSA-9 fix, this really is of more general use;
that fix just pointed out very sharply that the current situation
with all domain creation failures reported to user (tools) space as
-ENOMEM is very unfortunate (actively misleading users _and_ support
personnel).
Pull over the pointer <-> error code conversion infrastructure from
Linux, and use it in domain_create() and all its callers.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Mon, 3 Sep 2012 06:35:41 +0000 (08:35 +0200)]
x86/HVM: RTC periodic timer emulation adjustments
- don't call rtc_timer_update() on REG_A writes when the value didn't
change (doing the call always was reported to cause wall clock time
lagging with the JVM running on Windows)
- don't call rtc_timer_update() on REG_B writes when RTC_PIE didn't
change
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Mon, 3 Sep 2012 06:17:50 +0000 (08:17 +0200)]
x86: comment opaque expression in __page_to_virt()
mm.h's __page_to_virt() has a rather opaque expression. Comment it.
Reported-By: Ian Campbell <ian.campbell@citrix.com> Suggested-by: Ian Jackson <ian.jackson@eu.citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Christoph Egger [Fri, 31 Aug 2012 20:15:31 +0000 (21:15 +0100)]
nestedsvm: fix interrupt handling
Give the l2 guest a chance to finish the delivery of the last injected
interrupt or exception before we emulate a VMEXIT.
For example after a NPF handled by the host there can be an interrupt
for the l1 guest.
Signed-off-by: Christoph Egger <Christoph.Egger@amd.com> Committed-by: Keir Fraser <keir@xen.org>
Dan Magenheimer [Fri, 31 Aug 2012 20:13:39 +0000 (21:13 +0100)]
tmem: add matching unlock for an about-to-be-destroyed object
A 4.2 changeset forces a preempt_disable/enable with
every lock/unlock.
Tmem has dynamically allocated "objects" that contain a
lock. The lock is held when the object is destroyed.
No reason to unlock something that's about to be destroyed!
But with the preempt_enable/disable in the generic locking code,
and the fact that do_softirq ASSERTs that preempt_count
must be zero, a crash occurs soon after any object is
destroyed.
So force lock to be released before destroying objects.
Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com> Committed-by: Keir Fraser <keir@xen.org>
Ian Jackson [Fri, 31 Aug 2012 11:24:57 +0000 (12:24 +0100)]
libxl: fix double free on some config parser errors
If libxlu_cfg_y.y encountered a config file error, the code generated
by bison would sometimes _both_ run the %destructor _and_ call
xlu__cfg_set_store for the same XLU_ConfigSetting* semantic value.
The result would be a double free.
This appears to be because of the use of a mid-rule action. There is
some discussion of the problems with destructors and mid-rule action
error handling in "(bison)Mid-Rule Actions". This area is complex and
best avoided.
So fix the bug by abolishing the use of a mid-rule action, which was
in any case not necessary here.
Also while we are there rename the nonterminal rule "setting" to
"assignment", to avoid confusion with the token type "setting", which
had an identical name in a different namespace. This was especially
confusing because the nonterminal "setting" did not have "setting" as
the type of its semantic value! (In fact the nonterminal, now called
"assignment", does not have a value so it does not have a value type.)
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 31 Aug 2012 10:13:49 +0000 (11:13 +0100)]
tools: remove --disable-pythontools option
This incorrectly removes the $(PYTHON) variable which is used at build
time as well as by the tools.
Remove and revisit for 4.3.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 31 Aug 2012 10:13:48 +0000 (11:13 +0100)]
xencommons: Attempt to load blktap2 driver
Older kernels, such as those found in Debian Squeeze:
* Have bugs in handling of AIO into foreign pages
* Have blktap modules, which will cause qemu not to use AIO, but
which are not loaded on boot.
Attempt to load blktap in xencommons, to make sure modern qemu's which
use AIO will work properly on those kernels.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Prefer to load blktap2 if it exists. This is the name of the driver in
classic-Xen ports, while in mainline kernels the driver is called just
blktap.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Matt Wilson [Fri, 31 Aug 2012 09:42:09 +0000 (10:42 +0100)]
tools: remove vestigial default_lib.m4 macros and adjust substitutions
LIB_PATH is no longer used, so the AX_DEFAULT_LIB macro is no longer
needed. Additionally lower case make variables are now used as
autoconf substitutions, which allows for more correct overrides at
build time.
I've checked the file layout in dist/install from the build made
before this change versus after with ./configure values of:
1) ./configure (no flags provided)
2) ./configure --libdir=/usr/lib/x86_64-linux-gnu (Debian style)
3) ./configure --libdir='${exec_prefix}/lib' (late variable expansion)
Signed-off-by: Matt Wilson <msw@amazon.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc - reran autogen.sh ] Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 31 Aug 2012 09:42:08 +0000 (10:42 +0100)]
uninstall: push tools uninstall down into tools/Makefile
Many of the rules here depend on having run configure and the
variables which it defines in config/Tools.mk
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Looks-good: Jan Beulich <JBeulich@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 31 Aug 2012 09:42:08 +0000 (10:42 +0100)]
uninstall: do not remove kernels or modules on uninstall.
The pattern used is very broad and will delete any kernel with xen in
its filename, likewise modules, including those which come packages
from the distribution etc.
I don't think this was ever the right thing to do but it is doubly
wrong now that Xen does not even build or install a kernel by default.
Push cleanup of the installed hypervisor down into xen/Makefile so that
it can cleanup exactly what it actually installs.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Looks-good: Jan Beulich <JBeulich@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Roger Pau Monne [Fri, 31 Aug 2012 09:42:07 +0000 (10:42 +0100)]
hotplug/NetBSD: check type of file to attach from params
xend used to set the xenbus backend entry "type" to either "phy" or
"file", but now libxl sets it to "phy" for both file and block device.
We have to manually check for the type of the "param" field in order
to detect if we are trying to attach a file or a block device.
Signed-off-by: Christoph Egger <Christoph.Egger@amd.com> Signed-off-by: Roger Pau Monne <roger.pau@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Roger Pau Monne [Fri, 31 Aug 2012 09:42:06 +0000 (10:42 +0100)]
hotplug/NetBSD: write error message to hotplug-error
As recommended by Ian Campbell, write the hotplug error to
hotplug-error, just as the Linux hotplug script does.
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Roger Pau Monne [Fri, 31 Aug 2012 09:42:05 +0000 (10:42 +0100)]
hotplug/NetBSD: fix xenstore_write usage in error
xenstore_write doesn't exist, use xenstore-write instead. The error
function is currently broken without this change.
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com> Signed-off-by: Christoph Egger <Christoph.Egger@amd.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
David Vrabel [Fri, 31 Aug 2012 09:42:04 +0000 (10:42 +0100)]
xenconsoled: clean-up after all dead domains
xenconsoled expected domains that are being shutdown to end up in the
DYING state and would only clean-up such domains. HVM domains
either didn't enter the DYING state or weren't in long enough for
xenconsoled to notice.
For every shutdown HVM domain, xenconsoled would leak memory, grow its
list of domains and (if guest console logging was enabled) leak the
log file descriptor. If the file descriptors were leaked and enough
HVM domains were shutdown, no more console connections would work as
the evtchn device could not be opened. Guests would then block
waiting to send console output.
Fix this by tagging domains that exist in enum_domains(). Afterwards,
all untagged domains are assumed to be dead and are shutdown and
cleaned up.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 31 Aug 2012 09:42:04 +0000 (10:42 +0100)]
README: Update references to PyXML to lxml
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Matt Wilson [Fri, 31 Aug 2012 09:42:03 +0000 (10:42 +0100)]
docs: improve documentation of Xen command line parameters
This change improves documentation for several Xen command line
parameters. Some of the Itanium-specific options are now removed. A
more thorough check should be performed to remove any other remnants.
I've reformatted some of the entries to fit in 80 column terminals.
Options that are yet undocumented but accept standard boolean /
integer values are now annotated as such.
The size suffixes have been corrected to use the binary prefixes
instead of decimal prefixes.
Signed-off-by: Matt Wilson <msw@amazon.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Andrew Cooper [Thu, 30 Aug 2012 17:06:39 +0000 (18:06 +0100)]
x86/i8259: Handle bogus spurious interrupts more quietly
c/s 25336:edd7c7ad1ad2 introduced the concept of a bogus vector, for
in irqs delivered through the i8259 PIC after IO-APICs had been set
up.
However, if spurious PIC vectors are received, many "No irq handler
for vector" log messages can be seen on the console.
This patch adds to the bogus vector logic to detect spurious PIC
vectors and simply ignore them. _mask_and_ack_8259A_irq() has been
modified to return a boolean indicating whether the irq is real or
not, and in the case of a spurious vector, the error in do_IRQ() is
not printed.
One complication is that now, _mask_and_ack_8259A_irq() can get called
whatever the ack mode is, so has been altered to work out whether it
should EOI the irq or not.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Committed-by: Keir Fraser <keir@xen.org>
Dongxiao Xu [Thu, 30 Aug 2012 16:55:31 +0000 (17:55 +0100)]
nvmx: fix resource relinquish for nested VMX
The previous order of relinquish resource is:
relinquish_domain_resources() -> vcpu_destroy() ->
nvmx_vcpu_destroy(). However some L1 resources like nv_vvmcx and
io_bitmaps are freed in nvmx_vcpu_destroy(), therefore the
relinquish_domain_resources() will not reduce the refcnt of the domain
to 0, therefore the latter vcpu release functions will not be called.
To fix this issue, we need to release the nv_vvmcx and io_bitmaps in
relinquish_domain_resources().
Besides, after destroying the nested vcpu, we need to switch the
vmx->vmcs back to the L1 and let the vcpu_destroy() logic free the
L1 VMCS page.
Keir Fraser [Tue, 28 Aug 2012 21:40:45 +0000 (22:40 +0100)]
x86: Prefer multiboot-provided e820 over bios-provided e801 memory info.
Some UEFI systems do not provide e820 information. In this case we
should take the detailed memory map provided by a multiboot-capable
loader, rather than rely on very conservative values from the e801
bios call. Using the latter on any modern system really hardly makes
good sense.
[Excellent candidate for 4.1 backport]
Signed-off-by: Keir Fraser <keir@xen.org> Tested-by: Jonathan Tripathy <jonnyt@abpni.co.uk>
Andrew Cooper [Tue, 28 Aug 2012 13:46:30 +0000 (14:46 +0100)]
tools/xl: Fix uninitialized variable error.
c/s 25779:4ca40e0559c3 introduced a compilation error for any build
system using -Werror=uninitialized, such as the default CentOS 5.7
version of gcc.
And with good reason, because if the global libxl
default_output_format is neither OUTPUT_FORMAT_SXP nor
OUTPUT_FORMAT_JSON, the variable hand will be used before being
initialised.
The attached patch fixes the warning, and further fixes the logic to
work correctly when a new OUTPUT_FORMAT is added to xl.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Ian Jackson [Fri, 24 Aug 2012 11:38:18 +0000 (12:38 +0100)]
libxl: Rerun bison
This updates libxlu_cfg_y.[ch] to code generated by bison from
Debian squeeze (1:2.4.1.dfsg-3 i386).
There should be no functional change since there is no change to the
source file, but we will inherit bugfixes and behavioural changes from
the new version of bison. So this is more a matter of hope than
knowledge.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 24 Aug 2012 11:38:16 +0000 (12:38 +0100)]
libxl: Rerun flex
This undoes some systematic changes which were made to
libxlu_cfg_l.[ch] along with manually-edited files (eg, whitespace
changes, emacs local variables) and returns these two files to exactly
the output of flex (Debian squeeze 2.5.35-10 i386).
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 24 Aug 2012 11:38:14 +0000 (12:38 +0100)]
libxl: provide "make realclean" target
This removes all the autogenerated files.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Thu, 23 Aug 2012 18:12:28 +0000 (19:12 +0100)]
xl: make "xl list -l" proper JSON
Bastian Blank reports that the output of this command is just multiple
JSON objects concatenated and is not a single properly formed JSON
object.
Fix this by wrapping in an array. This turned out to be a bit more
intrusive than I was expecting due to the requirement to keep
supporting the SXP output mode.
Python's json module is happy to parse the result...
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Thu, 23 Aug 2012 18:00:09 +0000 (19:00 +0100)]
libxl: make domain resume API asynchronous
Although the current implementation has no asynchronous parts I can
envisage it needing to do bits of create/destroy like functionality
which may need async support in the future.
To do this make the meat into an internal libxl__domain_resume
function in order to satisfy the no-internal-callers rule for the
async function.
Since I needed to touch the logging to s/ctx/CTX/ anyway switch to the
LOG* helper macros.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Roger Pau Monne <roger.pau@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Santosh Jodh [Wed, 22 Aug 2012 21:29:06 +0000 (22:29 +0100)]
Dump IOMMU p2m table
New key handler 'o' to dump the IOMMU p2m table for each domain.
Skips dumping table for domain 0.
Intel and AMD specific iommu_ops handler for dumping p2m table.
Incorporated feedback from Jan Beulich and Wei Wang.
Fixed indent printing with %*s.
Removed superfluous superpage and other attribute prints.
Make next_level use consistent for AMD IOMMU dumps. Warn if found
inconsistent.
AMD IOMMU does not skip levels. Handle 2mb and 1gb IOMMU page size for
AMD.
Paul Durrant [Wed, 22 Aug 2012 21:26:27 +0000 (22:26 +0100)]
hvm: Remove VM generation ID device and incr_generationid from build_info.
Microsoft have now published their VM generation ID specification at
https://www.microsoft.com/en-us/download/details.aspx?id=30707.
It differs from the original specification upon which I based my
implementation in several key areas. Particularly, it is no longer
an incrementing 64-bit counter and so this patch is to remove
the incr_generationid field from the build_info and also disable the
ACPI device before 4.2 is released.
I will follow up with further patches to implement the VM generation
ID to the new specification.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Committed-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Wed, 22 Aug 2012 21:14:52 +0000 (22:14 +0100)]
xsm/flask: remove page-to-domain lookups from XSM hooks
Doing a reverse lookup from MFN to its owning domain is redundant with
the internal checks Xen does on pages. Change the checks to operate
directly on the domain owning the pages for normal memory; MMIO areas
are still checked with security_iomem_sid.
This fixes a hypervisor crash when a domU attempts to map an MFN that
is free in Xen's heap: the XSM hook is called before the validity
check, and page_get_owner returns garbage when called on these
pages. While explicitly checking for such pages using
page_get_owner_and_reference is a possible solution, this ends up
duplicating parts of get_page_from_l1e.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Wed, 22 Aug 2012 21:13:32 +0000 (22:13 +0100)]
xsm: Add missing dummy hooks
A few XSM hooks have been defined without implementation in dummy.c;
these will cause a null function pointer dereference if called. Also
implement the efi_call hook, which was incorrectly added without any
implementations.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Jan Beulich [Mon, 20 Aug 2012 06:46:47 +0000 (08:46 +0200)]
x86-64: refine the XSA-9 fix
Our product management wasn't happy with the "solution" for XSA-9, and
demanded that customer systems must continue to boot. Rather than
having our and perhaps other distros carry non-trivial patches, allow
for more fine grained control (panic on boot, deny guest creation, or
merely warn) by means of a single line change.
Also, as this was found to be a problem with remotely managed systems,
don't default to boot denial (just deny guest creation).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Mon, 20 Aug 2012 06:40:01 +0000 (08:40 +0200)]
x86: don't expose SYSENTER on unknown CPUs
So far we only ever set up the respective MSRs on Intel CPUs, yet we
hide the feature only on a 32-bit hypervisor. That prevents booting of
PV guests on top of a 64-bit hypervisor making use of the instruction
on unknown CPUs (VIA in this case).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Andrew Cooper [Fri, 17 Aug 2012 13:46:49 +0000 (14:46 +0100)]
tools/python: Clean python correctly
Cleaning the python directory should completely remove the build/
directory, otherwise subsequent builds may be short-circuited and a
stale build installed.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Wangzhenguo [Fri, 17 Aug 2012 13:46:48 +0000 (14:46 +0100)]
libxc/Linux: Add VM_DONTCOPY flag of the VMA of the hypercall buffer
This avoids the hypercall buffer becoming CoW on fork.
In multi-threads and multi-processes environment, e.g. the process has two
threads, thread A may call hypercall, thread B may call fork() to create child
process. After forking, all pages of the process including hypercall buffers
are cow. It will cause a write protection and return EFAULT error if hypervisor
calls copy_to_user in hypercall in thread A context.
Fix:
1. Before hypercall: use MADV_DONTFORK of madvise syscall to make the hypercall
buffer not to be copied to child process after fork.
2. After hypercall: undo the effect of MADV_DONTFORK for the hypercall buffer
by using MADV_DOFORK of madvise syscall.
3. Use mmap/munmap for memory alloc/free instead of malloc/free to bypass libc.
Note:
Child processes must not use the opened xc_{interface,evtchn,gnttab,gntshr}
handle that inherits from parents. They should reopen the handle if they want
to interact with xc. Otherwise, it may cause segment fault to access hypercall
buffer caches of the handle.
Signed-off-by: Zhenguo Wang <wangzhenguo@huawei.com> Signed-off-by: Xiaowei Yang <xiaowei.yang@huawei.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- s/ptr/p/ to fix build & tweaked the wording of the comments
slightly. ] Committed-by: Ian Campbell <ian.campbell@citrix.com>
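The three-step fix listed in the libxc commit above, as an added example (not the libxc code): a page-aligned buffer from mmap is marked MADV_DONTFORK around a fork(), and the child reports via mincore() whether the buffer exists in its address space. The helper names and the use of mincore() as the probe are assumptions for this demonstration; it is Linux-specific.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum fork_mode {
    PLAIN,          /* no madvise: child inherits the buffer copy-on-write */
    DONTFORK,       /* step 1 only: buffer is excluded from the child      */
    DONTFORK_UNDO   /* steps 1 and 2: excluded, then made inheritable again */
};

/* Step 3 of the commit message: allocate with mmap so the region is
 * page-aligned and owned by us, which madvise() requires. */
static void *hcall_buf_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Returns 1 if a forked child still has the buffer mapped, 0 if the mapping
 * is absent in the child, -1 on any error. */
int child_sees_buffer(enum fork_mode mode)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = hcall_buf_alloc(len);
    int result = -1, status = 0;

    if (buf == NULL)
        return -1;
    memset(buf, 0xAA, len);               /* populate the page before fork */

    /* Step 1: keep the buffer out of any child created from now on. */
    if (mode != PLAIN && madvise(buf, len, MADV_DONTFORK) != 0)
        goto out;
    /* Step 2: once the "hypercall" is finished, restore normal inheritance. */
    if (mode == DONTFORK_UNDO && madvise(buf, len, MADV_DOFORK) != 0)
        goto out;

    pid_t pid = fork();
    if (pid < 0)
        goto out;
    if (pid == 0) {
        /* Child: mincore() fails with ENOMEM when the range is unmapped,
         * so the buffer can be probed without touching it. */
        unsigned char vec;
        int rc = mincore(buf, len, &vec);
        _exit(rc == 0 ? 1 : (errno == ENOMEM ? 0 : 2));
    }
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) < 2)
        result = WEXITSTATUS(status);

out:
    munmap(buf, len);
    return result;
}

int main(void)
{
    printf("plain mmap buffer visible in child:   %d\n", child_sees_buffer(PLAIN));
    printf("MADV_DONTFORK buffer visible in child: %d\n", child_sees_buffer(DONTFORK));
    printf("after MADV_DOFORK visible in child:    %d\n", child_sees_buffer(DONTFORK_UNDO));
    return 0;
}
```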
M A Young [Fri, 17 Aug 2012 13:10:26 +0000 (14:10 +0100)]
xend: Replace the use of XMLPrettyPrint from PyXML with stdlib functionality.
This appears to have been missed by changeset 22235:b8cc53d22545
"Replace pyxml/xmlproc-based XML validator with lxml based one"
This was reported by Toshio Ernie Kuratomi at
https://bugzilla.redhat.com/show_bug.cgi?id=842843
Signed-off-by: Michael Young <m.a.young@durham.ac.uk> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Thu, 16 Aug 2012 16:38:05 +0000 (17:38 +0100)]
EPT/PoD: fix interaction with 1Gb pages
When PoD got enabled to support 1Gb pages, ept_get_entry() didn't get
updated to match - the assertion in there triggered, indicating that
the call to p2m_pod_demand_populate() needed adjustment.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Committed-by: Tim Deegan <tim@xen.org>
Tim Deegan [Thu, 16 Aug 2012 13:31:09 +0000 (14:31 +0100)]
x86/mm: update max_mapped_pfn on MMIO mappings too.
max_mapped_pfn should reflect the highest mapping we've ever seen of
any type, or the tests in the lookup functions will be wrong. As it
happens, the highest mapping has always been a RAM one, but this is no
longer the case when we allow 64-bit BARs.
Reported-by: Xudong Hao <xudong.hao@intel.com> Signed-off-by: Tim Deegan <tim@xen.org> Committed-by: Tim Deegan <tim@xen.org>
Jan Beulich [Thu, 16 Aug 2012 08:16:19 +0000 (10:16 +0200)]
x86/PoD: clean up types
GMFN values must undoubtedly be "unsigned long". "count" and
"entry_count", since they are signed types, should also be "long" as
otherwise they can't fit all values that can fit into "d->tot_pages"
(which currently is "uint32_t").
Beyond that, the patch doesn't convert everything to "long" as in many
places it is clear that "int" suffices. In places where "long" is being
used partially already, the change is however being done.
Furthermore, page order values have no use of being "long".
Finally, in the course of updating a few printk messages anyway, some
also get slightly shortened (to focus on the relevant information).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Jan Beulich [Thu, 16 Aug 2012 08:14:11 +0000 (10:14 +0200)]
x86/PoD: prevent guest from being destroyed upon early access to its memory
When an external agent (e.g. a monitoring daemon) happens to access the
memory of a PoD guest prior to setting the PoD target, that access must
fail for there not being any page in the PoD cache, and only the space
above the low 2Mb gets scanned for victim pages (while only the low 2Mb
got real pages populated so far).
To accommodate for this
- set the PoD target first
- do all physmap population in PoD mode (i.e. not just large [2Mb or
1Gb] pages)
- slightly lift the restrictions enforced by p2m_pod_set_mem_target()
to accommodate for the changed tools behavior
Tested-by: Jürgen Groß <juergen.gross@ts.fujitsu.com>
(in a 4.0.x based incarnation) Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Boris Ostrovsky [Wed, 15 Aug 2012 07:43:25 +0000 (09:43 +0200)]
acpi: Make sure valid CPU is passed to do_pm_op()
Passing invalid CPU value to do_pm_op() will cause assertion
in cpu_online().
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Such checks would, at a first glance, then also be missing at the top
of various helper functions, but these checks really were already
redundant with the check in do_pm_op(). Remove the redundant checks
for clarity and brevity.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Committed-by: Jan Beulich <jbeulich@suse.com>
Daniel De Graaf [Wed, 15 Aug 2012 07:42:14 +0000 (09:42 +0200)]
x86-64/EFI: add CFLAGS to check compile
Without this, the compilation of check.c could fail due to compiler
features such as -fstack-protector being enabled, which causes a
missing __stack_chk_fail symbol error.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Rather than using plain CFLAGS here, remove CFLAGS-y from them to
particularly get rid of the -MF argument referencing (the undefined
here) $(@F).
The use of CFLAGS at once allows dropping the explicit use of -Werror.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Committed-by: Jan Beulich <jbeulich@suse.com>
That c/s introduced a double unlock on the out-of-memory error path of
p2m_pod_demand_populate().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Andrew Cooper [Mon, 13 Aug 2012 17:09:33 +0000 (18:09 +0100)]
config: Split debug build from debug symbols
RPM based packaging systems expect binaries to have debug symbols which get
placed in a separate debuginfo RPM.
Split the concept of a debug build up so that binaries can be built with
debugging symbols without having the other gubbins which $(debug) implies, most
notably frame pointers.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Olaf Hering [Mon, 13 Aug 2012 13:11:22 +0000 (14:11 +0100)]
tools: init.d/Linux/xencommons: load all known backend drivers
Load all known backend drivers from xenlinux and pvops based dom0
kernels. There is currently no code in xend or libxl to load these
drivers on demand. Currently libxl has also no helpful error message if
a backend driver is missing.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Tue, 7 Aug 2012 13:26:29 +0000 (14:26 +0100)]
libxl: write physical-device node if user did not supply a block script
This reverts one of the intentional changes from 25733:353bc0801b11.
That change exposed an issue with the xl migration protocol, which
although safe triggers the hotplug scripts device sharing logic.
For 4.2 we disable this logic by writing the physical-device xenstore
node ourselves if a user did not supply a script. If the user did
supply a script then we continue to rely on it to write the
physical-device node (not least because the script may create the
device and therefore it is not available before we run the script).
This means that to support localhost migration a block hotplug script
needs to be robust against adding a device twice and should not
deactivate the device until it has been removed twice.
This should be revisited for 4.3.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com>
Matt Wilson [Tue, 7 Aug 2012 06:49:53 +0000 (08:49 +0200)]
Although the "Intel Virtualization Technology FlexMigration
Application Note" (http://www.intel.com/Assets/PDF/manual/323850.pdf)
does not document support for extended model 2H model DH (Intel Xeon
Processor E5 Family), empirical evidence shows that the same MSR
addresses can be used for cpuid masking as extended model 2H model AH
(Intel Xeon Processor E3-1200 Family).
Signed-off-by: Matt Wilson <msw@amazon.com> Acked-by: Nakajima, Jun <jun.nakajima@intel.com> Committed-by: Jan Beulich <jbeulich@suse.com>
Ian Campbell [Mon, 6 Aug 2012 11:28:03 +0000 (12:28 +0100)]
libxl: support custom block hotplug scripts
These are provided using the "script=" syntax described in
docs/misc/xl-disk-configuration.txt.
The existing hotplug scripts currently conflate two different
concepts, namely that of making a datapath available in the backend
domain (logging into iSCSI LUNs and the like) and that of actually
connecting that datapath to a Xen backend path (e.g. writing
"physical-device" node in xenstore to bring up blkback).
For this reason the script support implemented here is only supported
in conjunction with backendtype=phy.
Eventually we hope to rework the hotplug scripts to separate the two
concepts, but that is not 4.2 material.
In addition there are some other subtleties:
- Previously in the blktap case we would add "script = .../blktap" to
the backend flex array, but then jumped to the PHY case which added
"script = .../block" too. The block one takes precedence since it
comes second.
This was, accidentally, correct. The blktap script is for blktap1
devices and not blktap2 devices. libxl completely manages the
blktap2 side of things without resorting to hotplug scripts and
creates a blkback device directly. Therefore the "block" script is
always the correct one to call. Custom scripts are not supported in
this context.
- libxl should not write the "physical-device" node. This is the
responsibility of the block script. Writing the "physical-device"
node in libxl basically completely short-cuts the standard block
hotplug script which uses "physical-device" to know if it has run
already or not.
In the case of more complex scripts libxl cannot know the right
value to write here anyway, in particular the device may not exist
until after the script is called.
This change has the side effect of re-enabling the checks for
device sharing aspect of the default block script, which I have tested
and which now cause libxl to properly abort now that libxl properly
checks for hotplug script errors.
There is no sharing check for blktap2 since even if you reuse the
same vhd the resulting tap device is different. I would have preferred
to simply write the "physical-device" node for the blktap2 case but
the hotplug script infrastructure is not currently set up to handle
LIBXL__DEVICE_KIND_VBD devices without a hotplug script (backendtype
phy and tap both end up as KIND_VBD). Changing this was more surgery
than I was happy doing
for 4.2 and therefore I have simply hardcoded to the block script for
the LIBXL_DISK_BACKEND_TAP case.
- libxl__device_disk_set_backend running against a phy device with a
script cannot stat the device to check its properties since it may
not exist until the script is run. Therefore I have special cased
this in disk_try_backend to simply assume that backend == phy is
always ok if a script was configured. Similarly the other backend
types are always rejected
if a script was configured.
Note that the reason for implementing the default script behaviour
in device_disk_add instead of libxl__device_disk_setdefault is
because we need to be able to tell when the script was
user-supplied rather than defaulted by libxl in order to correctly
implement the above. The setdefault function must be idempotent so
we cannot simply update disk->script.
I suspect that for 4.3 a script member should be added to
libxl__device, this would also help in the case above of handling
devices with no script in a consistent manner. This is not 4.2
material.
- When the block script falls through and shells out to a block-$type
script it used to pass "$node" however the only place this was
assigned was in the remove+phy case (in which case it contains the
file:// derived /dev/loopN device), and in that case the script
exits without falling through to the block-$type case.
Since libxl never creates a type other than phy this never happens
in practice anyway and we now call the correct block-$type script
directly. But fix it up anyway since it is confusing.
- The block-nbd and block-enbd scripts which we supply appear to be
broken WRT the hotplug calling convention, in that they seem to
expect a command line parameter (perhaps the $node described above)
rather than reading the appropriate node from xenstore.
I rather suspect this was broken by 7774:e2e7f47e6f79 in November
2005. I think it is safe to say no one is using these scripts! I
haven't fixed this here. It would be good to track down some working
scripts and either incorporate them or defer to them in their existing
home (e.g. if they live somewhere useful like the nbd tools
package).
- Added a few block script related entries to check-xl-disk-parse
from http://backdrift.org/xen-block-iscsi-script-with-multipath-support
and http://lists.linbit.com/pipermail/drbd-user/2008-September/010221.html /
http://www.drbd.org/users-guide-emb/s-xen-configure-domu.html (and
snuck in another interesting empty CDROM case)
This highlighted two bugs in the libxlu disk parser handling of the
deprecated "<script>:" prefix:
- It was failing to prefix with "block-" to construct the actual
script name
- The regex for matching iscsi or drbd or e?nbd was incorrect
- Use libxl__abs_path for the nic script too. Just because the
existing code nearly tricked me into repeating the mistake
I have tested with a custom block script which uses "lvchange -a" to
dynamically add/remove the referenced device (simulates iSCSI
login/logout without requiring me to faff around setting up an iSCSI
target). I also tested on a blktap2 system.
I haven't directly tested anything more complex like iscsi: or nbd:
other than what check-xl-disk-parse exercises.
[ Recommit of correct version of 25727:a8d708fcb347, which was mangled
during commit. Sorry. -iwj ]
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Mon, 6 Aug 2012 09:18:43 +0000 (11:18 +0200)]
x86: fix wait code asm() constraints
This fixes theoretical issues with those constraints - operands that
get clobbered before consuming all input operands must be marked so
according to the gcc documentation. Beyond that, the change is merely
code improvement, not a bug fix.
In __prepare_to_wait(), properly mark early clobbered registers. By
doing so, we at once eliminate the need to save/restore rCX and rDI.
In check_wakeup_from_wait(), make the current constraints match by
removing the code that actually alters registers. By adjusting the
resume address in __prepare_to_wait(), we can simply re-use the copying
operation there (rather than doing a second pointless copy in the
opposite direction after branching to the resume point), which at once
eliminates the need for re-loading rCX and rDI inside the asm().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Ian Campbell [Fri, 3 Aug 2012 11:25:29 +0000 (12:25 +0100)]
libxl: fix cleanup of tap devices in libxl__device_destroy
We pass be_path to tapdisk_destroy but we've already deleted it so it
fails to read tapdisk-params. However it appears that we need to
destroy the tap device after tearing down xenstore, to avoid the leak
reported by Greg Wettstein in
<201207312141.q6VLfJje012656@wind.enjellic.com>.
So read the tapdisk-params in the cleanup transaction, before the
remove, and pass that down to destroy_tapdisk instead. tapdisk-params
may of course be NULL if the device isn't a tap device.
There is no need to tear down the tap device from
libxl__initiate_device_remove since this ultimately calls
libxl__device_destroy.
Propagate and log errors from libxl__device_destroy_tapdisk.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Fri, 3 Aug 2012 10:59:12 +0000 (11:59 +0100)]
libxl: support custom block hotplug scripts
These are provided using the "script=" syntax described in
docs/misc/xl-disk-configuration.txt.
The existing hotplug scripts currently conflate two different
concepts, namely that of making a datapath available in the backend
domain (logging into iSCSI LUNs and the like) and that of actually
connecting that datapath to a Xen backend path (e.g. writing
"physical-device" node in xenstore to bring up blkback).
For this reason the script support implemented here is only supported
in conjunction with backendtype=phy.
Eventually we hope to rework the hotplug scripts to separate the two
concepts, but that is not 4.2 material.
In addition there are some other subtleties:
- Previously in the blktap case we would add "script = .../blktap" to
the backend flex array, but then jumped to the PHY case which added
"script = .../block" too. The block one takes precedence since it
comes second.
This was, accidentally, correct. The blktap script is for blktap1
devices and not blktap2 devices. libxl completely manages the
blktap2 side of things without resorting to hotplug scripts and
creates a blkback device directly. Therefore the "block" script is
always the correct one to call. Custom scripts are not supported in
this context.
- libxl should not write the "physical-device" node. This is the
responsibility of the block script. Writing the "physical-device"
node in libxl basically completely short-cuts the standard block
hotplug script which uses "physical-device" to know if it has run
already or not.
In the case of more complex scripts libxl cannot know the right
value to write here anyway, in particular the device may not exist
until after the script is called.
This change has the side effect of re-enabling the checks for
device sharing aspect of the default block script, which I have tested
and which now cause libxl to properly abort now that libxl properly
checks for hotplug script errors.
There is no sharing check for blktap2 since even if you reuse the
same vhd the resulting tap device is different. I would have preferred
to simply write the "physical-device" node for the blktap2 case but
the hotplug script infrastructure is not currently set up to handle
LIBXL__DEVICE_KIND_VBD devices without a hotplug script (backendtype
phy and tap both end up as KIND_VBD). Changing this was more surgery
than I was happy doing
for 4.2 and therefore I have simply hardcoded to the block script for
the LIBXL_DISK_BACKEND_TAP case.
- libxl__device_disk_set_backend running against a phy device with a
script cannot stat the device to check its properties since it may
not exist until the script is run. Therefore I have special cased
this in disk_try_backend to simply assume that backend == phy is
always ok if a script was configured. Similarly the other backend
types are always rejected
if a script was configured.
Note that the reason for implementing the default script behaviour
in device_disk_add instead of libxl__device_disk_setdefault is
because we need to be able to tell when the script was
user-supplied rather than defaulted by libxl in order to correctly
implement the above. The setdefault function must be idempotent so
we cannot simply update disk->script.
I suspect that for 4.3 a script member should be added to
libxl__device, this would also help in the case above of handling
devices with no script in a consistent manner. This is not 4.2
material.
- When the block script falls through and shells out to a block-$type
script it used to pass "$node" however the only place this was
assigned was in the remove+phy case (in which case it contains the
file:// derived /dev/loopN device), and in that case the script
exits without falling through to the block-$type case.
Since libxl never creates a type other than phy this never happens
in practice anyway and we now call the correct block-$type script
directly. But fix it up anyway since it is confusing.
- The block-nbd and block-enbd scripts which we supply appear to be
broken WRT the hotplug calling convention, in that they seem to
expect a command line parameter (perhaps the $node described above)
rather than reading the appropriate node from xenstore.
I rather suspect this was broken by 7774:e2e7f47e6f79 in November
2005. I think it is safe to say no one is using these scripts! I
haven't fixed this here. It would be good to track down some working
scripts and either incorporate them or defer to them in their existing
home (e.g. if they live somewhere useful like the nbd tools
package).
- Added a few block script related entries to check-xl-disk-parse
from http://backdrift.org/xen-block-iscsi-script-with-multipath-support
and http://lists.linbit.com/pipermail/drbd-user/2008-September/010221.html /
http://www.drbd.org/users-guide-emb/s-xen-configure-domu.html (and
snuck in another interesting empty CDROM case)
This highlighted two bugs in the libxlu disk parser handling of the
deprecated "<script>:" prefix:
- It was failing to prefix with "block-" to construct the actual
script name
- The regex for matching iscsi or drbd or e?nbd was incorrect
- Use libxl__abs_path for the nic script too. Just because the
existing code nearly tricked me into repeating the mistake
I have tested with a custom block script which uses "lvchange -a" to
dynamically add/remove the referenced device (simulates iSCSI
login/logout without requiring me to faff around setting up an iSCSI
target). I also tested on a blktap2 system.
I haven't directly tested anything more complex like iscsi: or nbd:
other than what check-xl-disk-parse exercises.
[ reran flex/bison -iwj ]
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 3 Aug 2012 10:57:10 +0000 (11:57 +0100)]
libxl: correct some comments regarding event API and fds
* libxl may indeed register more than one callback for the same fd,
with some restrictions. The allowable range of responses to this by
the application means that this should pose no problems for users.
But the documentation comment should be fixed.
* Document the relaxed synchronicity semantics of the fd_modify
registration callback.
* A couple of comments referred to old names for functions.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>