xenbits.xensource.com Git - xen.git/log
9 years ago xen/vm-events: Move parts of monitor_domctl code to common-side.
Corneliu ZUZU [Wed, 17 Feb 2016 07:38:49 +0000 (09:38 +0200)]
xen/vm-events: Move parts of monitor_domctl code to common-side.

This patch moves monitor_domctl to common-side.
Purpose: move what's common to common, prepare for implementation
of such vm-events on ARM.

* move get_capabilities to arch-side => arch_monitor_get_capabilities.
* add arch-side monitor op handling function => arch_monitor_domctl_op.
  e.g. X86-side handles XEN_DOMCTL_MONITOR_OP_EMULATE_EACH_REP op
* add arch-side monitor event handling function => arch_monitor_domctl_event.
  e.g. X86-side handles XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR event enable/disable
* remove status_check

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
9 years ago xen/arm: fix file comments
Corneliu ZUZU [Wed, 17 Feb 2016 07:36:31 +0000 (09:36 +0200)]
xen/arm: fix file comments

Add file header comment and local variable block @ EOF
of xen/arch/arm/hvm.c.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago libxl: close fd's in parent when spawning qdisk
Ian Campbell [Tue, 16 Feb 2016 11:49:53 +0000 (11:49 +0000)]
libxl: close fd's in parent when spawning qdisk

Coverity points out that these remain open in the parent upon
success, which is a resource leak.

To fix this rejig the exit paths such that success and error cases
both close the two fds, this means adjusting the callback to only
happen for the error case and it also makes sense to rename the label
from "error" to just "out".

Compile tested only.

CID: 1130518 (null) and 1130517 (logfile_w).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools: libxl: NULL terminate partially constructed hex string
Ian Campbell [Tue, 16 Feb 2016 11:18:20 +0000 (11:18 +0000)]
tools: libxl: NULL terminate partially constructed hex string

Coverity (correctly) complains that the strncpy(p, "0x", 2) will not
null terminate p.

Although we can see that in the rest of the function p will
definitely be NULL terminated by the time it is complete there is no
harm in passing 3 to the strncpy and allowing it to NULL terminate to
placate Coverity. We know this is safe because the allocation to hold
the string includes a "+3" for the 0x and the terminating NULL.

Compile tested only.

CID: 1198708

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools: libxl: free devpath on failure in libxl__blktap_devpath
Ian Campbell [Tue, 16 Feb 2016 11:09:43 +0000 (11:09 +0000)]
tools: libxl: free devpath on failure in libxl__blktap_devpath

The underlying code paths in tap_ctl_create attempt to handle both
*devpath == NULL (by allocating) and *devpath != NULL (caller provided
name) and if they allocate tend to write the return immediately before
doing other potentially error generating tasks. All of which makes
handling this at a lower level rather more complicated than handling
it in the error path of libxl__blktap_devpath.

Note that libxl__blktap_devpath initialises devpath to NULL and if the
earlier GCSPRINTF succeeds then the value is returned earlier.
Therefore if we make it to the call to tap_ctl_create then devpath is
still NULL on entry, therefore on the error path devpath is either
still NULL or has been set to a freshly allocated value by
tap_ctl_create. Since free(NULL) is fine it is sufficient to just
free(devpath).

I also considered adding a non-NULL devnull to the gc, even on
failure, but that would have required a comment to explain the
apparently strange behaviour.

Compile tested only.

CID: 1215177

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago stubdom: fix link farm runes
Wei Liu [Tue, 16 Feb 2016 12:28:27 +0000 (12:28 +0000)]
stubdom: fix link farm runes

Previously in the three problematic libraries all public headers were
linked to source code directory. We should have created an include
directory for each library and linked public headers there.

Note that there was no breakage for those three libraries before this
patch. This patch merely changes the location headers are linked to so
that all libraries follow the same pattern.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
9 years ago docs: document shortcomings of running QEMU as non-root
Stefano Stabellini [Tue, 9 Feb 2016 16:03:56 +0000 (16:03 +0000)]
docs: document shortcomings of running QEMU as non-root

Running QEMU as non-root causes migration and PCI passthrough not to
work properly. Migration can be fixed rather easily
(http://marc.info/?l=xen-devel&m=145382864118600), but PCI passthrough
cannot (http://marc.info/?l=xen-devel&m=145286946113964).

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago tools/libxc: Fix use of zlib-options when building the domain builder
Andrew Cooper [Fri, 12 Feb 2016 19:21:31 +0000 (19:21 +0000)]
tools/libxc: Fix use of zlib-options when building the domain builder

c/s de0f8c7c changed the use of zlib-options, and moved it from being locally
generated to coming from ./configure.

However, it neglected to modify the users of zlib-options.  The curious use of
$(call ...) was to select either the -D or -l options as appropriate, but c/s
de0f8c7c broke this by losing the `grep`.

Instead, use $(filter ...) to pick out either the -D or -l options.  This
fixes the build with Clang, which complains at passing '-llzma' when trying
to compile xc_dom_bzimageloader.c to xc_dom_bzimageloader.o.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
9 years ago x86emul: MSR indexes are only 32 bits wide
Jan Beulich [Mon, 15 Feb 2016 13:15:12 +0000 (14:15 +0100)]
x86emul: MSR indexes are only 32 bits wide

... and hence the respective {read,write}_msr() hook parameter doesn't
need to be "unsigned long".

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/traps: improve hypervisor stack overflow detection
Andrew Cooper [Mon, 15 Feb 2016 13:14:43 +0000 (14:14 +0100)]
x86/traps: improve hypervisor stack overflow detection

A sample Gentoo compilation of Xen contains

    lea    -0x1058(%rsp),%rsp
    orq    $0x0,(%rsp)
    lea    0x1020(%rsp),%rsp

Whatever the reason for silly code like this, it fools the current stack
overflow detection logic in the #DF handler (which triggers reliably on the
'orq' instruction).

Update the overflow condition to declare an overflow if %esp is anywhere
within the guard page, rather than just within the upper 8th of the page.

Additionally, check %esp against the expected stack base in all builds.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: merge 2 hvm_event_... functions into 1
Corneliu ZUZU [Mon, 15 Feb 2016 13:14:16 +0000 (14:14 +0100)]
x86: merge 2 hvm_event_... functions into 1

This patch merges almost identical functions hvm_event_int3 and
hvm_event_single_step into a single function called hvm_event_breakpoint.
Also fixes event.c file header comment in the process.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago vm_event: remove xc_mem_access_enable_emulate() and friends
Razvan Cojocaru [Mon, 15 Feb 2016 13:13:31 +0000 (14:13 +0100)]
vm_event: remove xc_mem_access_enable_emulate() and friends

xc_mem_access_enable_emulate() and xc_mem_access_disable_emulate()
are currently no-ops, that is all they do is set a flag that
nobody else checks. The user can already set the EMULATE flags in
the vm_event response if emulation is desired, and having an extra
check above that is not inherently safer, but it does complicate
(currently unnecessarily) the API. This patch removes these
functions and the corresponding hypervisor code.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86: fix errors arising from c/s dab76ff
Andrew Cooper [Mon, 15 Feb 2016 13:12:54 +0000 (14:12 +0100)]
x86: fix errors arising from c/s dab76ff

Coverity correctly identifies that the changes in mtrr_attrib_to_str()
introduce dead code.  strings[] is a 2d array, rather than an array of
strings, which means that strings[x] will never be a NULL pointer.

Adjust the check to compensate, by looking for a NUL in strings[x][0]
instead.

Curiously, Coverity did not notice the same error with memory_type_to_str().
There was also a further error; the strings were not NULL terminated, which
made the return type of memory_type_to_str() erroneous.

Bump the 2D array to 3 characters, so the strings retain their NUL characters,
and introduce an ASSERT() as requested on one thread of the original patch.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: improvements to pv_cpuid()
Andrew Cooper [Mon, 15 Feb 2016 13:12:06 +0000 (14:12 +0100)]
x86: improvements to pv_cpuid()

pv_cpuid() has two completely separate paths inside it depending on whether
current is dom0 or a domU.  This causes unnecessary divergence, and
complicates future improvements.  Take steps to undo it.

Changes:
 * Create leaf and subleaf variables and use them consistently, instead of a
   mix of {a,c} and regs->e{a,c}x as the input parameters.
 * Combine the dom0 and domU hypervisor leaf handling, with an early exit.
 * Apply sanity checks to domU as well.  This brings PV domU cpuid handling in
   line with HVM domains and PV dom0.
 * Perform a real cpuid instruction for calculating CPUID.0xD[ECX=0].EBX.  The
   correct xcr0 is in context, and this avoids the O(M*N) loop over the domain
   cpuid policy list which exists currently.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago arm/config: Declare ELFSIZE_64.
Konrad Rzeszutek Wilk [Fri, 5 Feb 2016 15:44:45 +0000 (10:44 -0500)]
arm/config: Declare ELFSIZE_64.

Otherwise any code that tries to use Elf_* macros would
require us to use Elf64_* types instead of the more
friendly Elf_ one.

This is OK to do since 32-bit ARM uses LPAE mode.

Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
9 years ago travis: add initial Travis CI script to do builds
Doug Goldstein [Mon, 8 Feb 2016 02:45:03 +0000 (20:45 -0600)]
travis: add initial Travis CI script to do builds

This is just supposed to do a simple compile test on Travis CI. Currently
due to linux86 (bcc/bin86/dev86) not being whitelisted the tools cannot
be built.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
9 years ago build: remove .config from /boot when uninstalling
Konrad Rzeszutek Wilk [Fri, 12 Feb 2016 09:34:38 +0000 (10:34 +0100)]
build: remove .config from /boot when uninstalling

c/s 361b4f9f0f0d4adc19df428e224a7b8fa62cd392
"build: save generated xen .config" forgot to remove
the config file when uninstalling.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago uniformally use __ varients for attribute names
Andrew Cooper [Fri, 12 Feb 2016 09:34:13 +0000 (10:34 +0100)]
uniformally use __ varients for attribute names

Otherwise, debug code such as "void __attribute__((noreturn)) foobar()" fails
to compile when the noreturn itself gets expanded, resulting in
__attribute__((__attribute__((noreturn)))).

No function change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop uefi_call_wrapper() and EFI_FUNCTION_WRAPPER
Andrew Cooper [Fri, 12 Feb 2016 09:33:52 +0000 (10:33 +0100)]
x86: drop uefi_call_wrapper() and EFI_FUNCTION_WRAPPER

Nothing in the codebase uses them, and clang falls into the #error case

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: fix build following c/s 623c720f "x86: use CLFLUSHOPT when available"
Andrew Cooper [Fri, 12 Feb 2016 09:32:52 +0000 (10:32 +0100)]
x86: fix build following c/s 623c720f "x86: use CLFLUSHOPT when available"

CentOS 7 gets into trouble when compiling Xen citing:

  flushtlb.c: Assembler messages:
  flushtlb.c:149: Error: value of 256 too large for field of 1 bytes at 1

The line number is wrong, and the error message not helpful.  It turns out
that the intermediate generated assembly was

  # 139 "arch/x86/flushtlb.c" 1
      661:
      rex clflush (%r15)
  662:
  .pushsection .altinstructions,"a"

and it was having trouble combining the explicit REX prefix with the REX.B
required for the use of %r15.

Follow what Linux does and use a redundant %ds prefix instead, for a final
generated instruction of `3e 41 0f ae 3f`

While modifying this line, fix the indentation which was out by one space.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Doug Goldstein <cardoe@cardoe.com>
Introduce and use NOP_DS_PREFIX.

Also the above description of the issue is slightly wrong: We're not
suffering from some gas versions not being able to combine multiple REX
prefixes, but from the replacement instruction, when requiring a REX
prefix in order to express the memory operand, becoming one byte longer
than the original one, triggering the respective build time safety
check.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
9 years ago Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Thu, 11 Feb 2016 17:09:28 +0000 (17:09 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

9 years ago tools/console: correct make dependencies for _paths.h
Olaf Hering [Thu, 11 Feb 2016 15:38:14 +0000 (15:38 +0000)]
tools/console: correct make dependencies for _paths.h

Correct dependencies for _paths.h to avoid build failure with make -j.
Only main.c requires _paths.h. This fixes commit 8398ec70 ("xenconsole:
Ensure exclusive access to console using locks")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago tools: probe for existence of qemu-xen stderr trace backend.
Ian Campbell [Thu, 11 Feb 2016 12:11:21 +0000 (12:11 +0000)]
tools: probe for existence of qemu-xen stderr trace backend.

QEMU upstream commit ed7f5f1d8db0 ("trace: convert stderr backend to
log") renamed the "stderr" trace backend to "log", which breaks the
xen build when pointed at a QEMU tree after that point:

./configure of QEMU fails with:
"ERROR: invalid trace backends
        Please choose supported trace backends."

Upstream also changed, in baf86d6b3ca0 ("trace: switch default backend
to "log""), to use "log" as the default backend (previously it was
"nop").

Use ./scripts/tracetool.py to check for the presence of the stderr
backend and if it is present then explicitly enable it. If the stderr
backend is not present then assume a newer QEMU which defaults to
"log" and simply accept that default (there is a 1 commit window
upstream where this would result in no trace backend being enabled).

The check is done using the older (deprecated?) --check-backend/--backend
variant of the tracetool.py options rather than the new plural
versions since the singular was supported even by very old versions of
QEMU.  New QEMU has compatibility code but if/when that is removed we
will still do the right thing i.e. no explicit configuration resulting
in the upstream default (currently "log").

If the explicit selection of the "stderr" backend is required then it
is now done unconditionally (not depending on debug=y), which is
simpler to arrange here but also matches the newer upstream's default
to "log" which is not conditional on debug being enabled either.

Tested with current qemu-xen-unstable (e9d8252) and current QEMU
upstream master (88c73d1), both out of tree via
QEMU_UPSTREAM_URL=/path/to/qemu-xen.git.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Paul Durrant <paul.durrant@citrix.com>
Cc: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86/traps: dump instruction stream in show_execution_state()
Andrew Cooper [Thu, 11 Feb 2016 15:49:18 +0000 (16:49 +0100)]
x86/traps: dump instruction stream in show_execution_state()

For first pass triage of crashes, it is useful to have the instruction
stream present, especially now that Xen binary patches itself.

A sample output now looks like:

(XEN) ----[ Xen-4.7-unstable  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d0801607e4>] default_idle+0x76/0x7b
(XEN) RFLAGS: 0000000000000246   CONTEXT: hypervisor
(XEN) rax: ffff82d080331030   rbx: ffff83007fce8000   rcx: 0000000000000000
(XEN) rdx: 0000000000000000   rsi: ffff82d080331b98   rdi: 0000000000000000
(XEN) rbp: ffff83007fcefef0   rsp: ffff83007fcefef0   r8:  ffff83007faf8118
(XEN) r9:  00000009983e89fd   r10: 00000009983e89fd   r11: 0000000000000246
(XEN) r12: ffff83007fd61000   r13: 00000000ffffffff   r14: ffff83007fad9000
(XEN) r15: ffff83007fae3000   cr0: 000000008005003b   cr4: 00000000000026e0
(XEN) cr3: 000000007fc9b000   cr2: 00007f70976b3fed
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen code around <ffff82d0801607e4> (default_idle+0x76/0x7b):
(XEN)  83 3c 10 00 75 04 fb f4 <eb> 01 fb 5d c3 55 48 89 e5 3b 3d 0d 50 12 00 72
(XEN) Xen stack trace from rsp=ffff83007fcefef0:
(XEN)    ffff83007fceff10 ffff82d080160e08 ffff82d08012c40a ffff83007faf9000
(XEN)    ffff83007fcefdd8 ffffffff81a01fd8 ffff88002f07d4c0 ffffffff81a01fd8
(XEN)    0000000000000000 ffffffff81a01e58 ffffffff81a01fd8 0000000000000246
(XEN)    00000000ffff0052 0000000000000000 0000000000000000 0000000000000000
(XEN)    ffffffff810013aa 0000000000000001 00000000deadbeef 00000000deadbeef
(XEN)    0000010000000000 ffffffff810013aa 000000000000e033 0000000000000246
(XEN)    ffffffff81a01e40 000000000000e02b 0000000000000000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffff83007faf9000
(XEN)    0000000000000000 0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82d0801607e4>] default_idle+0x76/0x7b
(XEN)    [<ffff82d080160e08>] idle_loop+0x51/0x6e
(XEN)

A sample with a partial access looks like:

(XEN) Xen code around <ffff8300ac0fe002> (ffff8300ac0fe002) [fault on access]:
(XEN)  -- -- -- -- -- -- 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/traps: prevent interleaving of concurrent cpu state dumps
Andrew Cooper [Thu, 11 Feb 2016 15:48:38 +0000 (16:48 +0100)]
x86/traps: prevent interleaving of concurrent cpu state dumps

If two cpus enter show_execution_state() concurrently, the resulting console
output is interleaved, and of no help debugging the situation further.

As calls to these locations are rare and usually important, it is acceptable
to serialise them.  These codepaths are also on the terminal error paths, so
the console lock must be the lock used for serialisation, to allow
console_force_unlock() to function properly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: rename X86_FEATURE_{CLFLSH -> CLFLUSH}
Jan Beulich [Thu, 11 Feb 2016 15:46:50 +0000 (16:46 +0100)]
x86: rename X86_FEATURE_{CLFLSH -> CLFLUSH}

This is both more natural and in line with a Linux change (between 3.14
and 3.15).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: use CLFLUSHOPT when available
Jan Beulich [Thu, 11 Feb 2016 15:46:11 +0000 (16:46 +0100)]
x86: use CLFLUSHOPT when available

Also drop an unnecessary va adjustment in the code being touched.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/p2m: use large pages for MMIO mappings
Jan Beulich [Thu, 11 Feb 2016 15:45:08 +0000 (16:45 +0100)]
x86/p2m: use large pages for MMIO mappings

When mapping large BARs (e.g. the frame buffer of a graphics card) the
overhead of establishing such mappings using only 4k pages has,
particularly after the XSA-125 fix, become unacceptable. Alter the
XEN_DOMCTL_memory_mapping semantics once again, so that there's no
longer a fixed amount of guest frames that represents the upper limit
of what a single invocation can map. Instead bound execution time by
limiting the number of iterations (regardless of page size).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
9 years ago x86: avoid overriding initialisers in arrays
Andrew Cooper [Thu, 11 Feb 2016 15:44:01 +0000 (16:44 +0100)]
x86: avoid overriding initialisers in arrays

Clang objects to having multiple initialisers when creating an array.

As this warning is useful for spotting obscure bugs, disabling it is
unhelpful.  Instead, fix our two deliberate usecases.

In the p2m-ept case, pull the array out into a helper function, so the helper
can guarantee to cover the NULL pointer case.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago init: drop invbool_param()
Andrew Cooper [Thu, 11 Feb 2016 15:42:24 +0000 (16:42 +0100)]
init: drop invbool_param()

There are now no users.  No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop the uses of invbool_param()
Andrew Cooper [Thu, 11 Feb 2016 15:41:59 +0000 (16:41 +0100)]
x86: drop the uses of invbool_param()

There are only four users, and invbool_param() is an unnecessary cognitive
overhead to use.

Convert the four users to boolean_param(), and consistently use opt_* for the
variable name.

No change to the behaviour of the command line arguments.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop cpuinfo_x86.x86_power
Andrew Cooper [Thu, 11 Feb 2016 15:41:35 +0000 (16:41 +0100)]
x86: drop cpuinfo_x86.x86_power

Nothing uses it.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: do not store VIA/Cyrix/Centaur CPU features
Andrew Cooper [Thu, 11 Feb 2016 15:41:14 +0000 (16:41 +0100)]
x86: do not store VIA/Cyrix/Centaur CPU features

Nothing uses them.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: drop X86_FEATURE_3DNOW_ALT
Andrew Cooper [Thu, 11 Feb 2016 15:40:47 +0000 (16:40 +0100)]
x86: drop X86_FEATURE_3DNOW_ALT

Introducing an X86_FEATURE aliased value turns out to complicate automatic
processing of the feature list.  Drop X86_FEATURE_3DNOW_ALT and use
X86_FEATURE_PBE, extending the comment accordingly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago tools: libxl: make it illegal to pass libxl__realloc(gc) a non-gc ptr
Ian Campbell [Thu, 11 Feb 2016 09:23:54 +0000 (09:23 +0000)]
tools: libxl: make it illegal to pass libxl__realloc(gc) a non-gc ptr

That is, if gc is not NOGC and ptr is not NULL then ptr must be
associated with a gc.

Currently in this case the new_ptr would not be registered with any
gc, which Coverity rightly points out (in various different places)
would be a memory leak.

It would also be possible to fix this by adding a libxl__ptr_add() at
the same point, however semantically it seems like a programming error
to gc-realloc a pointer which is not associated with the gc in
question, so treat it as such.

Compile tested only, this change could expose latent bugs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago init-xenstore-domain: cleanup all resources on a single exit path
Ian Campbell [Wed, 10 Feb 2016 16:56:22 +0000 (16:56 +0000)]
init-xenstore-domain: cleanup all resources on a single exit path

Previously xs_fd would be left open, which is CID 1055993 (previously
partially fixed by 3bca826aae5eb).

Instead arrange for both success and error cases to cleanup everything
on a single exit path instead of doing partial cleanup on the success
path a few operations higher up.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago xenmon: initialise dummy array
Ian Campbell [Wed, 10 Feb 2016 16:26:25 +0000 (16:26 +0000)]
xenmon: initialise dummy array

This is just used to expand the shared backing file to the expected
size (whether this is actually necessary I'm not sure). Rather than
leaking some small amount of the processes' heap set the array to
zeroes.

While at it add a check that the malloc succeeded before using the
result.

Compile tested only.

CID: 1056095 (use of uninitialised data)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago xenmon: close qos_fd when finished with it in alloc_qos_data
Ian Campbell [Wed, 10 Feb 2016 16:26:24 +0000 (16:26 +0000)]
xenmon: close qos_fd when finished with it in alloc_qos_data

Otherwise the fd is leaked. NB the mmap'd memory in the global
cpu_qos_data[n] is not affected by closing the underlying fd.

Compile tested only.

CID: 1055930

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago build: specify minimum versions of make
Doug Goldstein [Thu, 11 Feb 2016 12:23:42 +0000 (12:23 +0000)]
build: specify minimum versions of make

To help people avoid having to figure out what versions of make
need to be supported, document it explicitly.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago build: specify minimum versions of gcc and binutils
Doug Goldstein [Thu, 11 Feb 2016 12:23:41 +0000 (12:23 +0000)]
build: specify minimum versions of gcc and binutils

To help people avoid having to figure out what versions of gcc and
binutils need to be supported document them explicitly.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago libxc: fix leak in xc_offline_page error path
Harmandeep Kaur [Wed, 10 Feb 2016 11:19:38 +0000 (16:49 +0530)]
libxc: fix leak in xc_offline_page error path

Avoid leaking the mapping of the m2p in one of the possible failure cases.

Coverity CID 1351225

Signed-off-by: Harmandeep Kaur <write.harmandeep@gmail.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago public/io/netif.h: fix typos
Paul Durrant [Wed, 10 Feb 2016 16:49:25 +0000 (16:49 +0000)]
public/io/netif.h: fix typos

Unfortunately my patch 162a81ab "document control ring and toeplitz
hashing" contained a couple of typos. This patch fixes them.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago x86: fix get_cpu_info() when built with clang
Andrew Cooper [Wed, 10 Feb 2016 13:51:25 +0000 (14:51 +0100)]
x86: fix get_cpu_info() when built with clang

Clang understands the GCCism in use here, but still complains that sp is
uninitialised.  In such cases, resort to the older version of this code, which
directly reads %rsp into the temporary variable.

Note that we still keep the GCCism in the default case, as it causes GCC to
create rather better assembly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: improve annotation of autogen_entrypoints[]
Andrew Cooper [Wed, 10 Feb 2016 13:50:59 +0000 (14:50 +0100)]
x86: improve annotation of autogen_entrypoints[]

Clang complains that the __used attribute is not applicable to an extern.  In
this case, the only relevant attribute is that the data is constant.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: fix section type mismatch in mm.c
Andrew Cooper [Wed, 10 Feb 2016 13:50:37 +0000 (14:50 +0100)]
x86: fix section type mismatch in mm.c

Clang doesn't like mixing const and non-const data in the same section.  Move
zero_page into .bss.page_aligned.const and wildcard .bss.page_aligned when
linking.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: remove %z modifier from inline assembly
Andrew Cooper [Wed, 10 Feb 2016 13:50:15 +0000 (14:50 +0100)]
x86: remove %z modifier from inline assembly

Clang doesn't support the %z modifier.  Replace both uses with an explicit l
suffix, and cover the changes with BUILD_BUG_ON()s

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago remove or annotate possibly-unused functions
Andrew Cooper [Wed, 10 Feb 2016 13:49:06 +0000 (14:49 +0100)]
remove or annotate possibly-unused functions

Clang notices more unused functions than GCC.

 * sh_next_page() is only used at GUEST_PAGING_LEVELS=2, so remove it from the
   other guest level translation units
 * rcu_batch_after() is completely unused.
 * Various of the COMPAT() generated functions are used only for their
   BUILD_BUG_ON() properties.  Annotate them all as __maybe_used.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago xen/lib.h: fix ASSERT() to build with clang
Andrew Cooper [Wed, 10 Feb 2016 13:48:36 +0000 (14:48 +0100)]
xen/lib.h: fix ASSERT() to build with clang

Clang warns about a semicolon immediately following an if() clause as a
possible mistake, and recommends putting the semicolon on a new line if it was
intentional.  A newline is not an option here, so use a set of empty braces
instead.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago fix XSM build following c/s 92942fd
Andrew Cooper [Wed, 10 Feb 2016 13:47:01 +0000 (14:47 +0100)]
fix XSM build following c/s 92942fd

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago hvmloader: fix scratch_alloc to avoid overlaps
Anthony PERARD [Wed, 10 Feb 2016 13:46:45 +0000 (14:46 +0100)]
hvmloader: fix scratch_alloc to avoid overlaps

scratch_alloc() set scratch_start to the last byte of the current
allocation.  The value of scratch_start is then reused as is (if it is
already aligned) in the next allocation.  This results in a potential reuse
of the last byte of the previous allocation.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/altp2m: merge p2m_set_altp2m_mem_access and p2m_set_mem_access
Tamas K Lengyel [Wed, 10 Feb 2016 13:46:09 +0000 (14:46 +0100)]
x86/altp2m: merge p2m_set_altp2m_mem_access and p2m_set_mem_access

The altp2m subsystem in its current form duplicates much of the existing
code present in p2m for setting mem_access permissions. In this patch we
consolidate the two versions but keep the separate MEMOP and HVMOP interfaces.

Signed-off-by: Tamas K Lengyel <tlengyel@novetta.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
9 years ago x86/shadow: remove a few 32-bit hypervisor leftovers
Jan Beulich [Tue, 9 Feb 2016 12:24:23 +0000 (13:24 +0100)]
x86/shadow: remove a few 32-bit hypervisor leftovers

... related to 8-byte cmpxchg having required special precautions
there.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
9 years ago x86/mm: make {cmpxchg,write}_guest_entry() hook shadow mode specific
Jan Beulich [Tue, 9 Feb 2016 12:24:00 +0000 (13:24 +0100)]
x86/mm: make {cmpxchg,write}_guest_entry() hook shadow mode specific

... as they're being used for PV guests only, which don't use HAP mode.
This eliminates another pair of NULL callbacks in HAP as well as in 2-
and 3-guest-level shadow modes.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
9 years ago x86/mm: drop guest_{map,get_eff}_l1e() hooks
Jan Beulich [Tue, 9 Feb 2016 12:23:30 +0000 (13:23 +0100)]
x86/mm: drop guest_{map,get_eff}_l1e() hooks

Disallow the unmaintained and presumed broken translated-but-not-
external paging mode combination, allowing the respective paging hooks
to go away (which eliminates one pair of NULL callbacks in HAP mode).
As a result of them no longer being generic paging operations, make the
inline functions private to mm.c, dropping their struct vcpu parameters
where suitable.

The enforcement of the proper mode combination gets now done in
paging_enable(), requiring shadow_domctl() to no longer call
shadow_enable() directly.

Also as a result support for XEN_DOMCTL_SHADOW_OP_ENABLE_TRANSLATE gets
removed too.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
9 years ago x86/nHVM: avoid NULL deref during INVLPG intercept handling
Jan Beulich [Tue, 9 Feb 2016 12:22:13 +0000 (13:22 +0100)]
x86/nHVM: avoid NULL deref during INVLPG intercept handling

When intercepting (or emulating) L1 guest INVLPG, the nested P2M
pointer may be (is?) NULL, and hence there's no point in calling
p2m_flush(). In fact doing so would cause a dereference of that NULL
pointer at least in the ASSERT() right at the beginning of the
function.

While so far nothing supports hap_invlpg() being reachable from the
INVLPG intercept paths (only INVLPG insn emulation would lead there),
and hence the code in question (added by dd6de3ab99 ["Implement
Nested-on-Nested"]) appears to be dead, this seems to be the change
which can be agreed on as an immediate fix. Ideally, however, the
problematic code would go away altogether. See thread at
lists.xenproject.org/archives/html/xen-devel/2016-01/msg03762.html.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
9 years ago x86emul: drop redundant #GP checks
Jan Beulich [Tue, 9 Feb 2016 12:21:38 +0000 (13:21 +0100)]
x86emul: drop redundant #GP checks

in_protmode() implies !in_realmode(), so we don't need to check both.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/hvm: simplify emulation triggered by vm_event response
Razvan Cojocaru [Tue, 9 Feb 2016 12:20:49 +0000 (13:20 +0100)]
x86/hvm: simplify emulation triggered by vm_event response

Currently, after receiving a vm_event reply requesting emulation,
the actual emulation is triggered in p2m_mem_access_check(),
which means that we're waiting for the page fault to occur again
before emulating. Aside from the performance impact, this
complicates the code since between hvm_do_resume() and the second
page fault it is possible that the latter becomes a completely
new page fault - hence checking that EIP and the GPA match with
the ones in the original page fault. If they don't, duplicate
EPT fault vm_events will occur, of which a monitoring application
needs to be aware.
This patch makes struct arch_vm_event smaller (since we no longer
need to track eip and gpa), removes the checking code from
p2m_mem_access_check(), and moves the emulation in hvm_do_resume().

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
9 years ago arm/keyhandler: declare struct cpu_user_regs
Konrad Rzeszutek Wilk [Tue, 9 Feb 2016 12:19:53 +0000 (13:19 +0100)]
arm/keyhandler: declare struct cpu_user_regs

in the keyhandler.h file. Otherwise on ARM builds if we
just use the keyhandler file - the compile will fail.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
9 years ago xen-access: minor fixes
Tamas K Lengyel [Fri, 5 Feb 2016 21:22:20 +0000 (14:22 -0700)]
xen-access: minor fixes

Only copy the VCPU_PAUSED flag to the response. Copy the entire mem_access
struct which is useful and easily forgotten when also testing the emulate
response flags. Turn off singlestepping on the vCPUs once we are done
processing all events, as we might have turned on singlestep there and leave
the VM in an undesirable state.

Signed-off-by: Tamas K Lengyel <tlengyel@novetta.com>
Cc: Razvan Cojocaru <rcojocaru@bitdefender.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
9 years ago libxc: correct memory range check in domain builder
Juergen Gross [Mon, 8 Feb 2016 14:23:52 +0000 (15:23 +0100)]
libxc: correct memory range check in domain builder

Commit 81a76e4b12961a9f54f5021809074196dfe6dbba ("libxc: rework of
domain builder's page table handler") introduced a regression with
checking the required memory size of the domain. The needed maximum pfn
of the initial kernel mapping was added to the currently last used pfn
resulting in doubling the estimated memory need.

Correct the calculation of the last needed pfn to enable booting of
small domains again.

Reported-by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago xl: use bool type for flags instead of int
Dario Faggioli [Sat, 6 Feb 2016 02:00:52 +0000 (03:00 +0100)]
xl: use bool type for flags instead of int

in schedulers' command handlers.

No functional change intended.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago vm_event: Fix regression caused by b701ccc8
Tamas K Lengyel [Fri, 5 Feb 2016 21:20:16 +0000 (14:20 -0700)]
vm_event: Fix regression caused by b701ccc8

When xc_map_foreign_batch got deprecated reinitializing vm_event on a domain
where an event listener was previously active broke as it relied on the flag
XEN_DOMCTL_PFINFO_XTAB to indicate that the magic page is not in the physmap.
Manually check the gpfn type, add it to the physmap if needed, and only then
try to map it.

Signed-off-by: Tamas K Lengyel <tlengyel@novetta.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago libxc: fix uninitialised usage of rc in meminit_hvm
Roger Pau Monne [Thu, 4 Feb 2016 15:25:50 +0000 (15:25 +0000)]
libxc: fix uninitialised usage of rc in meminit_hvm

Due to the HVMlite changes there's a chance that the value in rc is checked
without being initialised. Fix this by initialising it to 0 prior to the
while loop. Also add a specific error check to a previous populate_physmap
call, this prevents us from overwriting this error.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reported-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago tools: Do not expose all builds to unstable hypercall APIs by default
Ian Campbell [Wed, 3 Feb 2016 16:10:49 +0000 (16:10 +0000)]
tools: Do not expose all builds to unstable hypercall APIs by default

Currently __XEN_TOOLS__ is defined in the global CFLAGS used for tools
builds, exposing them all to the various unstable hypercall interfaces.

However there are places where we do not want this (in particular all
the stable libraries now under tools/libs), and there is a risk of
such uses slipping in unnoticed (currently there are none, but I
tripped over the mixed nature of the HVMOPs just now in some new code
I was putting together).

Instead only define __XEN_TOOLS__ for things which explicitly want the
unstable APIs. The vast majority of these are consumers of libxenctrl,
which have opted into unstable interfaces by using libxenctrl already,
so adding -D__XEN_TOOLS__ to CFLAGS_libxenctrl covers these without
needing to patch the dozen or so tools manually.

The libxc build itself, which doesn't use CFLAGS_libxenctrl, now needs
the define too. As does gdbsx's own low level hypercall binding
library xg.

hvmloader no longer needs to undefine the symbol.

The ocaml evtchn bindings don't actually need sysctl.h and therefore
don't actually need __XEN_TOOLS__ either.

qemu-xen-traditional doesn't use CFLAGS_libxenctrl and so we pass the
define there (via --extra-cflags) too.

Having removed __XEN_TOOLS__ replace it with
__XEN_INTERFACE_VERSION__=__XEN_LATEST_INTERFACE_VERSION__ so that in
tree code is always using the latest APIs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago tools: consolidate Makefile runes to building+installing qemu-trad
Ian Campbell [Wed, 3 Feb 2016 16:10:48 +0000 (16:10 +0000)]
tools: consolidate Makefile runes to building+installing qemu-trad

Currently both subdir-all-qemu-traditional-dir and subdir-install-...
recurse into qemu-traditional-dir and run xen-setup, but with subtly
different options (--extra-cflags was only passed for install).

Consolidate these by having the install target depend on the all
(build) target and only calling make install.

There is a subtlety which is that qemu-trad's build is not completely
isolated from xen.git and requires some environment variables etc. To
handle this refactor the setup code into a make macro and $(call) it
in both cases.

Note that this doesn't actually omit a potential double call to
configure, since all is still called during install, this is the same
for qemu-xen. Note that it doesn't result in a double build in either
case, since apparently the qemu configure is idempotent.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
9 years ago libxenevtchn: rename evtchn_port_or_errot_t as xenevtchn_port...
Ian Campbell [Thu, 4 Feb 2016 13:00:29 +0000 (13:00 +0000)]
libxenevtchn: rename evtchn_port_or_errot_t as xenevtchn_port...

Otherwise the name clashes with the libxc evtchn_compat use of the
name (which is compat, so can't really change), and triggers an error
with older gcc relating to redefining typedefs (which are not allowed
per the spec, but which are tolerated by newer gcc)

None of qemu-trad, qemu-xen or mini-os actually use this type, so this
should be fine. Note that the library API is not actually stable until
4.7 is released.

Reported-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago x86/mm: clean up pfec handling in gva_to_gfn
George Dunlap [Thu, 4 Feb 2016 10:41:07 +0000 (11:41 +0100)]
x86/mm: clean up pfec handling in gva_to_gfn

At the moment, the pfec argument to gva_to_gfn has two functions:

* To inform guest_walk what kind of access is happening

* As a value to pass back into the guest in the event of a fault.

Unfortunately this is not quite treated consistently: the hvm_fetch_*
function will "pre-clear" the PFEC_insn_fetch flag before calling
gva_to_gfn; meaning guest_walk doesn't actually know whether a given
access is an instruction fetch or not.  This works now, but will cause
issues when pkeys are introduced, since guest_walk will need to know
whether an access is an instruction fetch even if it doesn't return
PFEC_insn_fetch.

Fix this by making a clean separation for in and out functionalities
of the pfec argument:

1. Always pass in the access type to gva_to_gfn

2. Filter out inappropriate access flags before returning from gva_to_gfn.

(The PFEC_insn_fetch flag should only be passed to the guest if either NX or
SMEP is enabled.  See Intel 64 Developer's Manual, Volume 3, Chapter Paging,
PAGE-FAULT EXCEPTIONS)

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
9 years ago x86/hvm: disable pkeys for guests in non-paging mode
Huaitong Han [Thu, 4 Feb 2016 10:40:08 +0000 (11:40 +0100)]
x86/hvm: disable pkeys for guests in non-paging mode

This patch disables pkeys for guests in non-paging mode. However, XEN always uses
paging mode to emulate guest non-paging mode. To emulate this behavior, pkeys
need to be manually disabled when the guest switches to non-paging mode.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
9 years ago x86/xstate: also use alternative asm on xsave side
Shuai Ruan [Thu, 4 Feb 2016 10:39:32 +0000 (11:39 +0100)]
x86/xstate: also use alternative asm on xsave side

From: Shuai Ruan <shuai.ruan@linux.intel.com>

This patch uses alternative asm on the xsave side.
As xsaves uses a modified optimization like xsaveopt, xsaves
may not write the FPU portion of the save image either.
So xsaves also needs some extra tweaks.

Signed-off-by: Shuai Ruan <shuai.ruan@linux.intel.com>
Fix XSAVES opcode. Extend the other respective XSAVEOPT conditional to
cover XSAVES as well. Re-wrap comment being adjusted.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86: support 2- and 3-way alternatives
Jan Beulich [Thu, 4 Feb 2016 10:38:52 +0000 (11:38 +0100)]
x86: support 2- and 3-way alternatives

Parts taken from Linux, but implementing the ALTERNATIVE*() macros
recursively to avoid needless redundancy.

Also make the .discard section non-writable (we might even consider
dropping its alloc flag too) and limit the pushing and popping of
sections.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86/PV: fix unintended dependency of m2p-strict mode on migration-v2
Jan Beulich [Wed, 3 Feb 2016 13:12:00 +0000 (14:12 +0100)]
x86/PV: fix unintended dependency of m2p-strict mode on migration-v2

This went unnoticed until a backport of this to an older Xen got used,
causing migration of guests enabling this VM assist to fail, because
page table pinning there precedes vCPU context loading, and hence L4
tables get initialized for the wrong mode. Fix this by post-processing
L4 tables when setting the intended VM assist flags for the guest.

Note that this leaves in place a dependency on vCPU 0 getting its guest
context restored first, but afaict the logic here is not the only thing
depending on that.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago spinlock: fair read-write locks
Jennifer Herbert [Wed, 3 Feb 2016 13:10:33 +0000 (14:10 +0100)]
spinlock: fair read-write locks

The current rwlocks are write-biased and unfair.  This allows writers
to starve readers in situations where there are many writers (e.g.,
p2m type changes from log dirty updates during domain save).

Replace the current implementation with queued read-write locks which use
a fair spinlock (a ticket lock in this case) to ensure fairness between
readers and writers when they are contended.

This implementation is from the Linux commit 70af2f8a4f48 by Waiman
Long and Peter Zijlstra.

    locking/rwlocks: Introduce 'qrwlocks' - fair, queued rwlocks

    This rwlock uses the arch_spin_lock_t as a waitqueue, and assuming
    the arch_spin_lock_t is a fair lock (ticket,mcs etc..) the
    resulting rwlock is a fair lock.

    It fits in the same 8 bytes as the regular rwlock_t by folding the
    reader and writer count into a single integer, using the remaining
    4 bytes for the arch_spinlock_t.

    Architectures that can single-copy address bytes can optimize
    queue_write_unlock() with a 0 write to the LSB (the write count).

We do not yet make use of the architecture-specific optimization noted
above.

Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago spinlock: move rwlock API and per-cpu rwlocks into their own files
Jennifer Herbert [Wed, 3 Feb 2016 13:09:09 +0000 (14:09 +0100)]
spinlock: move rwlock API and per-cpu rwlocks into their own files

In preparation for a replacement read-write lock implementation, move
the API and the per-cpu read-write locks into their own files.

Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
9 years ago pl011: Refactor pl011 driver to dt and common initialization parts
Shannon Zhao [Sat, 23 Jan 2016 08:00:20 +0000 (16:00 +0800)]
pl011: Refactor pl011 driver to dt and common initialization parts

Refactor pl011 driver to dt and common initialization parts. This will
be useful later when acpi specific uart initialization function is
introduced.

Signed-off-by: Parth Dixit <parth.dixit@linaro.org>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago arm/uart: Rename dt-uart.c to arm-uart.c
Shannon Zhao [Sat, 23 Jan 2016 08:00:19 +0000 (16:00 +0800)]
arm/uart: Rename dt-uart.c to arm-uart.c

Since we will add ACPI initialization for UART in this file later,
rename it with a generic name.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago arm/gic-v3: Refactor gicv3_init into generic and dt specific parts
Shannon Zhao [Thu, 28 Jan 2016 02:33:12 +0000 (10:33 +0800)]
arm/gic-v3: Refactor gicv3_init into generic and dt specific parts

Refactor gic-v3 related functions into dt and generic parts. This will be
helpful when adding acpi support for gic-v3.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago arm/gic-v2: Refactor gicv2_init into generic and dt specific parts
Shannon Zhao [Sat, 23 Jan 2016 08:00:17 +0000 (16:00 +0800)]
arm/gic-v2: Refactor gicv2_init into generic and dt specific parts

Refactor gic-v2 related functions into dt and generic parts. This will be
helpful when adding acpi support for gic.

Signed-off-by: Parth Dixit <parth.dixit@linaro.org>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago arm/smpboot: Move dt specific code in smp to separate functions
Shannon Zhao [Sat, 23 Jan 2016 08:00:16 +0000 (16:00 +0800)]
arm/smpboot: Move dt specific code in smp to separate functions

Partition smp initialization functions into generic and dt specific
parts, this will be useful when introducing new functions for smp
initialization based on acpi.

Signed-off-by: Parth Dixit <parth.dixit@linaro.org>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
9 years ago xenstore: add stddef.h to xenstore_lib.h
Ian Campbell [Wed, 27 Jan 2016 17:06:09 +0000 (17:06 +0000)]
xenstore: add stddef.h to xenstore_lib.h

xs_perm_to_string takes a size_t which isn't defined by anything
pulled in directly by this header.

Given the other headers xenstore_lib.h pulls in this looks to be an
oversight rather than a deliberate policy.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools/libxl: improve logging on domain create failure.
Ian Campbell [Tue, 26 Jan 2016 14:38:46 +0000 (14:38 +0000)]
tools/libxl: improve logging on domain create failure.

A user reported[0] that xl create failed with just:
    libxl: error: libxl_create.c:892:initiate_domain_create: Unable to set domain build info defaults
and some resulting fallout, but without indicating why it was unable
to set the defaults, even in verbose mode[1].

Go through libxl__domain_{create,build}_info_setdefault and ensure
that each error path logs something.

In most cases this involved simply adding a call to LOG.

In two cases this involved switching from strdup to
libxl__strdup(NOGC) and removing the existing error handling.

When switching from qemu-xen to qemu-xen-traditional (because the
former is not available) log at level INFO rather than VERBOSE, so
the message would normally be printed. Also tweak the language here.

I'm not sure all these messages are reachable (some might be shadowed
by previous error paths) but it seems better to err on the side of
caution.

[0] http://lists.xen.org/archives/html/xen-users/2016-01/msg00125.html
[1] http://lists.xen.org/archives/html/xen-users/2016-01/msg00129.html

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Cc: suse.dev@fea.st
9 years ago tools: libxencall/foreignmemory: initialise handle->fd
Ian Campbell [Wed, 3 Feb 2016 10:09:42 +0000 (10:09 +0000)]
tools: libxencall/foreignmemory: initialise handle->fd

Otherwise the osdep close on the error path touches an uninitialised
variable.

CID: 1351231 (foreignmemory) and 1351230 (call)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago libxenforeignmemory: handle partial failure correctly
Ian Campbell [Wed, 3 Feb 2016 10:10:01 +0000 (10:10 +0000)]
libxenforeignmemory: handle partial failure correctly

Coverity rightly points out that checking for ret == NULL and then
calling osdep unmap(ret) is wrong.

The intention on this code path is to turn partial failure into total
failure when the err argument is NULL, so we want to take this patch
whenever ret is _non_ NULL (and err_to_free is set, indicating err was
NULL).

CID: 1351219

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools: xenconsole: cleanup when clock_gettime fails.
Ian Campbell [Wed, 3 Feb 2016 10:43:47 +0000 (10:43 +0000)]
tools: xenconsole: cleanup when clock_gettime fails.

All other error paths in the infinite loop in handle_io use break, so
as to free resources.

CID: 1351226

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago libxc: fix leak in xc_dom_load_hvm_kernel error path
Roger Pau Monne [Wed, 3 Feb 2016 10:59:57 +0000 (11:59 +0100)]
libxc: fix leak in xc_dom_load_hvm_kernel error path

Error path in xc_dom_load_hvm_kernel needs to use the 'error' label instead
of directly returning. This is needed so the entries local variable is
freed.

Coverity-ID: 1351227
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago libxl: Add CPU hotplug support for HVM domains without device model
Boris Ostrovsky [Tue, 2 Feb 2016 21:02:12 +0000 (16:02 -0500)]
libxl: Add CPU hotplug support for HVM domains without device model

HVMlite domains add/remove VCPUs by toggling "availability" property in
xenstore.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago arm: p2m.c bug-fix: hypervisor hang on __p2m_get_mem_access
Corneliu ZUZU [Wed, 27 Jan 2016 12:24:35 +0000 (14:24 +0200)]
arm: p2m.c bug-fix: hypervisor hang on __p2m_get_mem_access

When __p2m_get_mem_access gets called, the p2m lock is already taken
by either get_page_from_gva or p2m_get_mem_access.

Possible code paths:
1) -> get_page_from_gva
       -> p2m_mem_access_check_and_get_page
           -> __p2m_get_mem_access
2) -> p2m_get_mem_access
       -> __p2m_get_mem_access

In both cases if __p2m_get_mem_access subsequently gets to
call p2m_lookup (happens if !radix_tree_lookup(...)), a hypervisor
hang will occur, since p2m_lookup also spin-locks on the p2m lock.

This bug-fix simply replaces the p2m_lookup call from __p2m_get_mem_access
with a call to __p2m_lookup.

Following Ian's suggestion, we also add an ASSERT to ensure that
the p2m lock is taken upon __p2m_get_mem_access entry.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago xl: don't free additional memory on soft reset
Vitaly Kuznetsov [Thu, 28 Jan 2016 10:58:25 +0000 (11:58 +0100)]
xl: don't free additional memory on soft reset

We don't need to free anything extra from Dom0 in order to perform soft
reset. It can also fail soft reset if it happens that we don't have this
memory (which we don't need) available.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago tools/libxc: Provide evtchn_port_or_error_t for compat xenctrl interface
Andrew Cooper [Mon, 1 Feb 2016 11:08:03 +0000 (11:08 +0000)]
tools/libxc: Provide evtchn_port_or_error_t for compat xenctrl interface

c/s 2d2f789 "tools: rename libxc's evtchn_port_or_error_t with an xc_
prefix" doesn't cater for older applications which have requested
XC_WANT_COMPAT_EVTCHN_API

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago tools/libxl: run_helper - add #define for arguments.
Konrad Rzeszutek Wilk [Tue, 26 Jan 2016 21:31:00 +0000 (16:31 -0500)]
tools/libxl: run_helper - add #define for arguments.

Describe what the four (or more in the future) arguments
are for.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
9 years ago libxc/xc_domain_resume: Update comment.
Konrad Rzeszutek Wilk [Tue, 26 Jan 2016 21:30:58 +0000 (16:30 -0500)]
libxc/xc_domain_resume: Update comment.

To hopefully clarify what it meant. Also point out that the mechanism
by which the return 1 value is done is via an intimate knowledge of the
hypercall ABI (i.e. which register - eax - is the return value).

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago libxl: Use libxl_strdup instead of strdup on libxl_version_info
Konrad Rzeszutek Wilk [Tue, 26 Jan 2016 21:30:57 +0000 (16:30 -0500)]
libxl: Use libxl_strdup instead of strdup on libxl_version_info

The change is a simple replacement of raw strdup with a libxl variant.
The benefit of that is the libxl variant has the extra
behaviour of abort-on-alloc-fail - and will improve error handling.

libxl_version_info is a bit odd - it is a public function and as libxl.h
mentions - the callers of libxl_ public functions need to call the appropriate
_dispose() function.

"However libxl_get_version_info() is special and returns a cached
result from the ctx which cannot and should not be freed (as evidenced
by it returning a const struct). This data is freed in libxl_ctx_free()
by calling libxl_version_info_dispose(). This is why none of the callers
remember to free -- they shouldn't be doing so." (Ian Campbell)

So the patch makes sure to use the NOGC.

Suggested-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago xen/arm: drop hip04 support
Zoltan Kiss [Tue, 2 Feb 2016 13:13:04 +0000 (13:13 +0000)]
xen/arm: drop hip04 support

This platform is no longer actively used, but it makes GICv2 development
harder.

Signed-off-by: Zoltan Kiss <zoltan.kiss@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
9 years ago credit: recalculate per-cpupool credits when updating timeslice
Juergen Gross [Tue, 2 Feb 2016 13:03:40 +0000 (14:03 +0100)]
credit: recalculate per-cpupool credits when updating timeslice

When modifying the timeslice of the credit scheduler in a cpupool the
cpupool global credit value (n_cpus * credits_per_tslice) isn't
recalculated. This will lead to wrong scheduling decisions later.

Do the recalculation when updating the timeslice.

Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Alan.Robinson <alan.robinson@ts.fujitsu.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
9 years ago credit: update timeslice under lock
Juergen Gross [Tue, 2 Feb 2016 13:03:06 +0000 (14:03 +0100)]
credit: update timeslice under lock

When updating the timeslice of the credit scheduler protect the
scheduler's private data by its lock. Today a possible race could
result only in some weird scheduling decisions during one timeslice,
but further adjustments will need the lock anyway.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
9 years ago x86/hvm: fix use-after-free introduced by c/s 428607a
Andrew Cooper [Tue, 2 Feb 2016 13:02:37 +0000 (14:02 +0100)]
x86/hvm: fix use-after-free introduced by c/s 428607a

c/s 428607a "x86: shrink 'struct domain', was already PAGE_SIZE" introduced a
use-after-free error during domain destruction, because of the order in which
timers are torn down.

  (XEN) Xen call trace:
  (XEN)    [<ffff82d08013344e>] spinlock.c#check_lock+0x1e/0x40
  (XEN)    [<ffff82d08013349b>] _spin_lock+0x11/0x52
  (XEN)    [<ffff82d0801e8076>] vpt.c#pt_lock+0x24/0x40
  (XEN)    [<ffff82d0801e88f4>] destroy_periodic_time+0x18/0x81
  (XEN)    [<ffff82d0801e1089>] rtc_deinit+0x53/0x78
  (XEN)    [<ffff82d0801d1e5a>] hvm_domain_destroy+0x52/0x69
  (XEN)    [<ffff82d08016a758>] arch_domain_destroy+0x1a/0x98
  (XEN)    [<ffff82d080107cd5>] domain.c#complete_domain_destroy+0x6f/0x182
  (XEN)    [<ffff82d080126a19>] rcupdate.c#rcu_process_callbacks+0x144/0x1a6
  (XEN)    [<ffff82d080132c52>] softirq.c#__do_softirq+0x82/0x8d
  (XEN)    [<ffff82d080132caa>] do_softirq+0x13/0x15
  (XEN)    [<ffff82d080248ae1>] entry.o#process_softirqs+0x21/0x30
  (XEN)
  (XEN)
  (XEN) ****************************************
  (XEN) Panic on CPU 3:
  (XEN) GENERAL PROTECTION FAULT
  (XEN) [error_code=0000]
  (XEN) ****************************************

Defer the freeing of d->arch.hvm_domain.pl_time until all timers have been
destroyed.

For safety, NULL out the pointers after freeing them, in an attempt to make
mistakes more obvious in the future.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago x86: only check for two watchdog NMIs
David Vrabel [Tue, 2 Feb 2016 13:01:57 +0000 (14:01 +0100)]
x86: only check for two watchdog NMIs

Since the NMI handler can now recognize watchdog NMIs, make
check_nmi_watchdog() only check for at least two watchdog NMIs.  This
prevents false negatives caused by other processors (which may be
being power managed by the BIOS) running at reduced clock frequencies.

We check for more than one NMI since there are apparently systems
where the NMI works only once.

This will also slightly speed up boot times since we only wait the
full 10 ticks if the NMI watchdog on one or more CPUs is not working.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago x86/hvm: don't intercept #UD exceptions in general
Andrew Cooper [Tue, 2 Feb 2016 13:01:29 +0000 (14:01 +0100)]
x86/hvm: don't intercept #UD exceptions in general

c/s 0f1cb96e "x86 hvm: Allow cross-vendor migration" caused HVM domains to
unconditionally intercept #UD exceptions.  While cross-vendor migration is
cool as a demo, it is extremely niche.

Intercepting #UD allows userspace code in a multi-vcpu guest to execute
arbitrary instructions in the x86 emulator by having one thread execute a ud2a
instruction, and having a second thread rewrite the instruction before the
emulator performs an instruction fetch.

XSAs 105, 106 and 110 are all examples where guest userspace can use bugs in
the x86 emulator to compromise security of the domain, either by privilege
escalation or causing a crash.

c/s 2d67a7a4 "x86: synchronize PCI config space access decoding"
introduced (amongst other things) a per-domain vendor, based on the guest's
cpuid policy.

Use the per-guest vendor to enable #UD interception only when a domain is
configured for a vendor different to the current hardware.  (#UD interception
is also enabled if hvm_fep is specified on the Xen command line.  This is a
debug-only option whose entire purpose is for testing the x86 emulator.)

As a result, the overwhelming majority of use cases now have #UD interception
disabled, removing an attack surface for malicious guest userspace.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
9 years ago x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode
Andrew Cooper [Tue, 2 Feb 2016 13:00:52 +0000 (14:00 +0100)]
x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode

Most updates to the exception bitmaps set or clear individual bits.

However, entering or exiting emulated real mode unilaterally clobbers it,
leaving the exit code to recalculate what it should have been.  This is error
prone, and indeed currently fails to recalculate the TRAP_no_device intercept
appropriately.

Instead of overwriting exception_bitmap when entering emulated real mode, move
the override into vmx_update_exception_bitmap() and leave exception_bitmap
unmodified.

This means that recalculation is unnecessary, and that the use of
vmx_fpu_leave() and vmx_update_debug_state() while in emulated real mode
doesn't result in TRAP_no_device and TRAP_int3 being un-intercepted.

This is only a functional change on hardware lacking unrestricted guest
support.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
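
The approach described in the commit message above (apply the real-mode override when the bitmap is written out, leave the stored exception_bitmap alone), as an added example that is not Xen code or part of the commit. The struct, the helper names and the all-ones override value are assumptions of this model; 3 and 7 are the x86 #BP and #NM vectors.

```c
#include <stdbool.h>
#include <stdint.h>
#define TRAP_int3         3            /* #BP vector */
#define TRAP_no_device    7            /* #NM vector */
#define REALMODE_OVERRIDE 0xffffffffu  /* assumption: intercept everything */

struct vcpu_model {
    uint32_t exception_bitmap;  /* intercepts the hypervisor wants */
    bool     realmode;          /* emulated real mode active? */
    uint32_t vmcs_bitmap;       /* value last written to the modelled VMCS */
};

/* The one place the hardware value is derived; stored bitmap untouched. */
static void update_exception_bitmap(struct vcpu_model *v)
{
    v->vmcs_bitmap = v->realmode ? REALMODE_OVERRIDE : v->exception_bitmap;
}

static void set_intercept(struct vcpu_model *v, unsigned int trap, bool on)
{
    if (on)
        v->exception_bitmap |= 1u << trap;
    else
        v->exception_bitmap &= ~(1u << trap);
    update_exception_bitmap(v);
}

static void set_realmode(struct vcpu_model *v, bool on)
{
    v->realmode = on;
    update_exception_bitmap(v);
}

/* Clear an intercept while in real mode, then leave real mode. */
uint32_t demo_bitmap_after_realmode(void)
{
    struct vcpu_model v = { 0, false, 0 };
    set_intercept(&v, TRAP_no_device, true);
    set_intercept(&v, TRAP_int3, true);
    set_realmode(&v, true);
    set_intercept(&v, TRAP_int3, false);   /* VMCS still intercepts all */
    set_realmode(&v, false);               /* no recalculation needed */
    return v.vmcs_bitmap;
}

int main(void)
{
    return demo_bitmap_after_realmode() == (1u << TRAP_no_device) ? 0 : 1;
}
```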
9 years ago x86: shrink 'struct domain', was already PAGE_SIZE
Corneliu ZUZU [Mon, 1 Feb 2016 13:00:30 +0000 (14:00 +0100)]
x86: shrink 'struct domain', was already PAGE_SIZE

The X86 domain structure already occupied PAGE_SIZE (4096).

Looking @ the memory layout of the structure, we could see that
overall most was occupied by (used the pahole tool on domain.o):
 * sizeof(domain.arch) = sizeof(arch_domain) = 3328 bytes.
 * sizeof(domain.arch.hvm_domain) = 2224 bytes.
 * sizeof(domain.arch.hvm_domain.pl_time) = 1088 bytes.
This patch attempts to free some space, by making the pl_time
field in hvm_domain dynamically allocated.
We xzalloc/xfree it @ hvm_domain_initialise/hvm_domain_destroy.

After this change, the domain structure shrunk w/ 1152 bytes (>1K!).

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago MAINTAINERS: cover non-x86 vm_event files
Razvan Cojocaru [Mon, 1 Feb 2016 12:59:46 +0000 (13:59 +0100)]
MAINTAINERS: cover non-x86 vm_event files

This patch covers modifications to xen/arch/*/vm_event.c, in order
to include ARM vm_event maintainership.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>