Introduce function type bug_fn_t. This improves readability and could be
used to help validate that the function passed to
run_in_exception_handle() has the expected prototype.
Use the newly-introduced type to address a violation of MISRA
C:2012 Rule 8.2.
automation/eclair: add a deviation for MISRA C:2012 Rule 8.6
Update ECLAIR configuration to take into account the search
procedure adopted by Unix linkers.
Update deviations.rst accordingly and tag Rule 8.6 as "clean".
Nicola Vetrini [Sat, 18 Nov 2023 02:11:11 +0000 (18:11 -0800)]
xen: address violations of Rule 11.9
The constant 0 is used instead of NULL in '__ACCESS_ONCE' as a
compile-time check to detect non-scalar types; its usage for this
purpose is deviated.
Furthermore, the 'typeof_field' macro is introduced as a general way
to access the type of a struct member without declaring a variable
of struct type. Both this macro and 'sizeof_field' are moved to
'xen/macros.h'.
Simone Ballarin [Fri, 13 Oct 2023 10:14:52 +0000 (12:14 +0200)]
automation/eclair: update deviations and accepted guidelines
Remove deviations for ERROR_EXIT, ERROR_EXIT_DOM and PIN_FAIL:
the aforementioned macros have been removed.
Add deviation for Rule 2.1 for pure declarations.
Remove legacy text-based deviations: these are now implemented
with SAF comments.
Add deviations for Rules 8.4, 10.1, 13.5, 14.2, 14.3.
Remove deviations for guidelines not yet accepted or rejected.
Add MC3R1.R11.7, MC3R1.R11.8, MC3R1.R11.9, MC3R1.R15.3 and MC3R1.R14.2
to the accepted guidelines selector.
xen/string: address violations of MISRA C:2012 Rules 8.2 and 8.3
Add missing parameter names to address violations of
MISRA C:2012 Rule 8.2.
Resolve mismatches between parameter name "count" used in
"xen/lib/mem{cpy,move,set}.c" and parameter name "n" used in
"xen/arch/x86/string.c" to address violations of MISRA C:2012 Rule 8.3.
Nicola Vetrini [Fri, 27 Oct 2023 13:34:14 +0000 (15:34 +0200)]
xen/types: address Rule 10.1 for DECLARE_BITMAP use
Given its use in the declaration
'DECLARE_BITMAP(features, IOMMU_FEAT_count)' the argument
'bits' has essential type 'enum iommu_feature', which is not
allowed by the Rule as an operand to the addition operator
in macro 'BITS_TO_LONGS'.
This construct is deviated with a deviation comment.
Nicola Vetrini [Fri, 27 Oct 2023 13:34:12 +0000 (15:34 +0200)]
x86/io_apic: address violation of MISRA C:2012 Rule 10.1
The definition of IO_APIC_BASE contains a sum of an essentially enum
value (FIX_IO_APIC_BASE_0) that is positive with an index that, in all
instances, is unsigned, therefore the former is cast to unsigned, so that
the operands are of the same essential type.
No functional change.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Simone Ballarin [Thu, 19 Oct 2023 13:11:52 +0000 (15:11 +0200)]
xen/x86: address violations of MISRA C:2012 Rule 7.2
The xen sources contain violations of MISRA C:2012 Rule 7.2 whose
headline states:
"A 'u' or 'U' suffix shall be applied to all integer constants
that are represented in an unsigned type".
Add the 'U' suffix to integer literals with unsigned type.
For the sake of uniformity, the following change is made:
- add the 'U' suffix to switch cases in 'cpuid.c'
Simone Ballarin [Thu, 19 Oct 2023 13:11:51 +0000 (15:11 +0200)]
x86/hvm: address violations of MISRA C:2012 Rule 7.2
The xen sources contain violations of MISRA C:2012 Rule 7.2 whose
headline states:
"A 'u' or 'U' suffix shall be applied to all integer constants
that are represented in an unsigned type".
Add the 'U' suffix to integer literals with unsigned type.
For the sake of uniformity, the following change is made:
- add 'U' suffixes to 'mask16' in 'stdvga.c'
x86/vmx: address violations of MISRA C:2012 Rule 7.2
The xen sources contain violations of MISRA C:2012 Rule 7.2 whose
headline states:
"A 'u' or 'U' suffix shall be applied to all integer constants
that are represented in an unsigned type".
Add the 'U' suffix to integer literals with unsigned type.
For the sake of uniformity, the following changes are made:
- add the 'U' suffix to macros near
'CPU_BASED_ACTIVATE_SECONDARY_CONTROLS' and
'SECONDARY_EXEC_NOTIFY_VM_EXITING' macros in 'vmcs.h'
- add the 'U' suffix to macros near 'INTR_INFO_VALID_MASK'
macro in 'vmx.h'
It is very helpful to see the domain id when analyzing xenstored
traces. Especially when you are trying to understand exactly which
domain performs an action.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> Reviewed-by: Juergen Gross <jgross@suse.com>
[jgrall: Use %u rather than %d] Signed-off-by: Julien Grall <jgrall@amazon.com>
In this case, the Xen binary is loaded above 8TB, which exceeds the
maximum supported identity map space of 2TB in Xen. Consequently, the
system fails to boot.
This patch enlarges identity map space to 10TB, allowing module loading
within the range of [0x0 .. 0x000009ff_ffff_ffff].
Fixes: 1c78d76b67 ("xen/arm64: mm: Introduce helpers to prepare/enable/disable") Reported-by: Alexey Klimov <alexey.klimov@linaro.org> Signed-off-by: Leo Yan <leo.yan@linaro.org> Tested-by: Henry Wang <Henry.Wang@arm.com> Release-acked-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Leo Yan [Fri, 13 Oct 2023 12:26:57 +0000 (20:26 +0800)]
xen/arm: Add macro XEN_VM_MAPPING
Xen maps the virtual memory space starting from L0 slot 4, so it's open
coded for macros with the offset '4'.
To improve readability, add a new macro XEN_VM_MAPPING which defines the
start slot for Xen virtual memory mapping, and all virtual memory
regions are defined based on it.
Acked-by: Julien Grall <jgrall@amazon.com> Signed-off-by: Leo Yan <leo.yan@linaro.org>
Julien Grall [Thu, 16 Nov 2023 14:15:33 +0000 (14:15 +0000)]
arm32: head: Add missing hunk from previous commit
The documentation change was meant to be part of 9b807e23e7c5
("xen/arm32: head: Replace load_paddr with adr_l when they are
equivalent") but was missed when preparing to commit.
xen/arm32: head: Replace load_paddr with adr_l when they are equivalent
Before the MMU is turned on, PC uses physical address. Thus, one can use adr_l
instead of load_paddr to obtain the physical address of a symbol.
The only exception (for this replacement) is create_table_entry() which is
called before and after MMU is turned on.
Also, in lookup_processor_type() "r10" is no longer used. The reason being
__lookup_processor_type uses adr_l (thus r10 is no longer used to obtain the
physical address offset). Consequently, there is no need to save/restore r10.
Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
[jgrall: Reword comment on top of __lookup_processor_type] Signed-off-by: Julien Grall <jgrall@amazon.com>
Julien Grall [Tue, 17 Oct 2023 12:52:19 +0000 (13:52 +0100)]
xen/arm64: head: only use the macro load_paddr() in the MMU code
The macro load_paddr() requires to know the offset between the
physical location of Xen and the virtual location.
When using the MPU, x20 will always be 0. Rather than wasting
a register for a compile-time constant value, it would be best if
we can avoid using load_paddr() altogether in the common head.S code.
The current uses of load_paddr() are equivalent to adr_l() because
the MMU is off.
All the uses of load_paddr() in arm64/head.S are now replaced with
adr_l(). With that, load_paddr() can now be moved in arm64/mmu/head.S.
For now, x20 is still unconditionally set. But this could change
in the future if needed.
Signed-off-by: Julien Grall <julien@xen.org> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Leo Yan [Fri, 13 Oct 2023 12:04:42 +0000 (20:04 +0800)]
xen/arm: Skip memory nodes if not enabled
Currently, Xen doesn't check the status property of memory/reserved
memory nodes, which may lead to the following issues:
- If a memory node has a status "disabled" it implies that it should
not be used. Xen does not handle the status property for the memory
node and ends up using it.
- If a reserved memory node has a status "disabled", it means that this
region is no longer reserved and can be used, but the "disabled"
status is not handled by Xen.
Xen passes the intact device tree binding of the reserved memory nodes
to Dom0 and creates a memory node to cover reserved regions. Disabled
reserved memory nodes are ignored by the Dom0 Linux kernel, thus the
Dom0 Linux kernel will continue to allocate pages from such a region.
On the other hand, since the disabled status is not handled by Xen,
the disabled reserved memory regions are excluded from the page
management in Xen which results in Xen being unable to obtain the
corresponding MFN, in the end, Xen reports an error like:
(XEN) arch/arm/p2m.c:2202: d0v0: Failing to acquire the MFN 0x1a02dc
This patch introduces a function device_tree_node_is_available(). If it
detects a memory node is not enabled, Xen will not add the memory region
into the memory lists. In the end, this avoids generating the memory
node for the disabled memory regions sent to the kernel and the kernel
cannot use the disabled memory nodes any longer.
Since this patch adds checking device node's status in the
device_tree_get_meminfo() function, except it checks for memory nodes
and reserved memory nodes, it also supports status for static memory
and static heap.
Suggested-by: Michal Orzel <michal.orzel@amd.com> Signed-off-by: Leo Yan <leo.yan@linaro.org> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Nicola Vetrini [Thu, 16 Nov 2023 08:18:23 +0000 (09:18 +0100)]
xen/include: add macro ISOLATE_LSB
The purpose of this macro is to encapsulate the well-known expression
'x & -x' that in 2's complement architectures on unsigned integers will
give a mask where only the least significant nonzero bit of 'x' is set,
or 0 if none are set.
Add MISRA C Rules 11.1, 11.2, 11.3, 11.6 as discussed.
Explicitly add in the notes that conversions to integer types are
permitted if the destination type has enough bits to hold the entire
value. GCC gives enough guarantees in terms of preserving the bit
content in such situations.
Also allow for bool conversions (e.g. to check if a function pointer is
valid).
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Wed, 15 Nov 2023 10:42:28 +0000 (11:42 +0100)]
x86/boot: tidy #include-s
As of d58a509e01c4 ("build,x86: remove the need for build32.mk") we
don't need to use non-standard #include forms anymore in the sources for
the boot code helper blobs. The only place where this kind of #include
needs to remain (for the time being) is mkelf32.c.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
These macros were hiding that the ops are not zero-initialized by the
toolstack. This is needlessly opaque for something so simple, so this patch
removes them and replaces them with explicit zero-initialising versions.
The patch also removes PHYSDEV_OP from there, as that seems to be an old
dead macro.
Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Andrew Cooper [Thu, 26 Oct 2023 13:37:38 +0000 (14:37 +0100)]
x86/spec-ctrl: Remove conditional IRQs-on-ness for INT $0x80/0x82 paths
Before speculation defences, some paths in Xen could genuinely get away with
being IRQs-on at entry. But XPTI invalidated this property on most paths, and
attempting to maintain it on the remaining paths was a mistake.
Fast forward, and DO_SPEC_CTRL_COND_IBPB (protection for AMD BTC/SRSO) is not
IRQ-safe, running with IRQs enabled in some cases. The other actions taken on
these paths happen to be IRQ-safe.
Make entry_int82() and int80_direct_trap() unconditionally Interrupt Gates
rather than Trap Gates. Remove the conditional re-adjustment of
int80_direct_trap() in smp_prepare_cpus(), and have entry_int82() explicitly
enable interrupts when safe to do so.
In smp_prepare_cpus(), with the conditional re-adjustment removed, the
clearing of pv_cr3 is the only remaining action gated on XPTI, and it is out
of place anyway, repeating work already done by smp_prepare_boot_cpu(). Drop
the entire if() condition to avoid leaving an incorrect vestigial remnant.
Also drop comments which make incorrect statements about when it's safe to
enable interrupts.
This is XSA-446 / CVE-2023-46836
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Roger Pau Monne [Wed, 11 Oct 2023 11:14:21 +0000 (13:14 +0200)]
iommu/amd-vi: use correct level for quarantine domain page tables
The current setup of the quarantine page tables assumes that the quarantine
domain (dom_io) has been initialized with an address width of
DEFAULT_DOMAIN_ADDRESS_WIDTH (48).
However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based
on the maximum (hot pluggable) RAM address, and hence on systems with no RAM
above the 512GB mark only 3 page-table levels are configured in the IOMMU.
On systems without RAM above the 512GB boundary amd_iommu_quarantine_init()
will set up page tables for the scratch page with 4 levels, while the IOMMU will
be configured to use 3 levels only. The page destined to be used as level 1,
and to contain a directory of PTEs ends up being the address in a PTE itself,
and thus level 1 page becomes the leaf page. Without the level mismatch it's
level 0 page that should be the leaf page instead.
The level 1 page won't be used as such, and hence it's not possible to use it
to gain access to other memory on the system. However that page is not cleared
in amd_iommu_quarantine_init() as part of re-initialization of the device
quarantine page tables, and hence data on the level 1 page can be leaked
between device usages.
Fix this by making sure the paging levels set up by amd_iommu_quarantine_init()
match the number configured on the IOMMUs.
Note that IVMD regions are not affected by this issue, as those areas are
mapped taking the configured paging levels into account.
This is XSA-445 / CVE-2023-46835
Fixes: ea38867831da ('x86 / iommu: set up a scratch page in the quarantine domain') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 8 Nov 2023 14:53:23 +0000 (14:53 +0000)]
docs/sphinx: Fix indexing
sphinx-build reports:
docs/designs/launch/hyperlaunch.rst: WARNING: document isn't included in any toctree
docs/designs/launch/hyperlaunch-devicetree.rst: WARNING: document isn't included in any toctree
docs/misc/xen-makefiles/makefiles.rst: WARNING: document isn't included in any toctree
docs/misra/C-language-toolchain.rst: WARNING: document isn't included in any toctree
docs/misra/C-runtime-failures.rst: WARNING: document isn't included in any toctree
docs/misra/documenting-violations.rst: WARNING: document isn't included in any toctree
docs/misra/exclude-list.rst: WARNING: document isn't included in any toctree
docs/misra/xen-static-analysis.rst: WARNING: document isn't included in any toctree
Create an up-to-date index.rst in misra/ and create an "unsorted docs" section at
the top level to contain everything else. They can be re-filed at a later
date.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Nested lists require newlines as delimiters, and * either needs escaping, or
put in a literal block.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Andrew Cooper [Wed, 8 Nov 2023 14:38:33 +0000 (14:38 +0000)]
docs/sphinx: Fix syntax issues in hyperlaunch.rst
sphinx-build reports:
docs/designs/launch/hyperlaunch.rst:111: WARNING: Title underline too short.
docs/designs/launch/hyperlaunch.rst:203: WARNING: Unexpected indentation.
docs/designs/launch/hyperlaunch.rst:216: WARNING: Unexpected indentation.
Nested lists require newlines as delimiters.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Andrew Cooper [Wed, 8 Nov 2023 14:23:46 +0000 (14:23 +0000)]
docs: Delete kconfig docs to fix licensing violation
These 3 Kconfig docs were imported from Linux erroneously. They are
GPL-2.0-only in Linux, but have no SPDX tag and were placed in such a way to
be included by the blanket statement saying that all RST files are CC-BY-4.0.
We should not be carrying a shadow copy of these docs. They aren't even wired
into our Sphinx docs, and anyone wanting to refer to Kconfig docs is going to
look at the Linux docs anyway. These, and more docs can be found at:
https://www.kernel.org/doc/html/latest/kbuild/
which also have corrections vs the snapshot we took.
Fixes: f80fe2b34f08 ("xen: Update Kconfig to Linux v5.4") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Andrew Cooper [Wed, 8 Nov 2023 13:51:37 +0000 (13:51 +0000)]
docs/misra: Add missing SPDX tags
Two files are missing SPDX tags, but are covered by the blanketing license
statement in docs/README.sources saying that RST files are CC-BY-4.0.
Fixes: 3c911be55f1c ("docs/misra: document the C dialect and translation toolchain assumptions.") Fixes: 7211904e09bd ("docs/misra: add documentation skeleton for MISRA C:2012 Dir 4.1") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Roger Pau Monné [Mon, 13 Nov 2023 14:01:26 +0000 (15:01 +0100)]
x86/intel: fix indentation
Adjust line to use a hard tab and align using spaces afterwards, instead of
using all spaces.
Fixes: fc3090a47b21 ('x86/boot: Clear XD_DISABLE from the early boot path') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Oleksii Kurochko [Mon, 13 Nov 2023 14:00:06 +0000 (15:00 +0100)]
xen: avoid generation of stub <asm/pci.h> header
For platforms which don't have HAS_PCI enabled, it is needed to
have <asm/pci.h>, which contains only an empty definition of
struct arch_pci_dev (except Arm, which introduces several Arm-specific
functions).
Also, for architectures (such as PPC or RISC-V) in the initial
stages of adding support, it is needed to generate <asm/pci.h>
only to define the above-mentioned arch_pci_dev structure.
For the Arm-only stubs (mentioned in <asm/pci.h> for disabled
HAS_PCI and Arm-specific) will be needed
to add <asm/pci.h> directly alongside <xen/pci.h>. Only to
<arm/domain.c> <asm/pci.h> was added.
Suggested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <jgrall@amazon.com>
Jan Beulich [Mon, 13 Nov 2023 13:58:29 +0000 (14:58 +0100)]
x86: don't allow Dom0 access to ELCR ports
Much like the other PIC ports, Dom0 has no business touching these. Even
our own uses are somewhat questionable, as the corresponding IO-APIC
code in Linux is enclosed in a CONFIG_EISA conditional; I don't think
there are any x86-64 EISA systems.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Luca Fancellu [Thu, 26 Oct 2023 10:32:43 +0000 (11:32 +0100)]
exclude-list: generalise exclude-list
Currently exclude-list.json is used by the xen-analysis tool to
remove from the report (cppcheck for now) violations from the
files listed in it, however that list can be used by different
users that might want to exclude some of the files from their
computation for many reasons.
So add a new field that can be part of each entry to link
the tool supposed to consider that exclusion.
Update exclusion_file_list.py to implement the logic and update
the documentation to reflect this change.
Luca Fancellu [Thu, 26 Oct 2023 10:32:42 +0000 (11:32 +0100)]
cppcheck: rework exclusion_file_list.py code
Rework the exclusion_file_list.py code to have the function
load_exclusion_file_list() detached from the xen-analysis.py tool,
in a way so that other modules can use the function.
The xen-analysis tool and in particular its module cppcheck_analysis.py
will use a new function cppcheck_exclusion_file_list().
Michal Orzel [Wed, 25 Oct 2023 08:28:34 +0000 (10:28 +0200)]
build: Allow setting KBUILD_DEFCONFIG in the environment
At the moment, in order to use a different defconfig target than default,
one needs to specify KBUILD_DEFCONFIG=<target> on the command line.
Switch to weak assignment, so that it can be also obtained from
environment similar to other KCONFIG/KBUILD variables.
This change will activate the use of KBUILD_DEFCONFIG variable in CI
build jobs that so far would have had no effect if they didn't match the
default anyway.
Note, that we will deviate from Linux in this regard.
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
[stefano: adjust commit message] Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Julien Grall [Mon, 23 Oct 2023 17:52:20 +0000 (18:52 +0100)]
xen/arm64: domctl: Avoid unreachable code in subarch_do_domctl()
The 'break' the XEN_DOMCTL_set_address_size is unreachable and tools
like Eclair will report as a violation of Misra Rule 2.1.
Furthermore, the nested switch is not very easy to read. So move
out the nested switch in a separate function to improve the
readability and hopefully address the MISRA violation.
Reported-by: Nicola Vetrini <nicola.vetrini@bugseng.com> Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
To avoid potentially dangerous sign conversions in bitmap_switch, all
the callers of the bitmap_switch macro (which are all within bitmap.h)
should pass an unsigned int as first parameter.
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
automation/eclair: update accepted and clean guidelines
This patch updates accepted and clean guidelines selectors.
Align accepted selector with docs/misra/rules.txt.
Add rule 7.3 in the clean selector for ARM.
Avoid regular expressions in all service selectors: using them
requires escaping dots, which makes selectors hard to read.
Michal Orzel [Tue, 7 Nov 2023 09:14:17 +0000 (10:14 +0100)]
ubsan: Fix pointer overflow error message
In __ubsan_handle_pointer_overflow(), fix the condition for determining
whether a pointer operation overflowed or underflowed. Currently, the
function reports "underflowed" when it should be reporting "overflowed"
and vice versa.
Example of incorrect error reporting:
void *foo = (void *)__UINTPTR_MAX__;
foo += 1;
Fixes: 4e3fb2fb47d6 ("ubsan: add clang 5.0 support") Signed-off-by: Michal Orzel <michal.orzel@amd.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Mon, 6 Nov 2023 14:27:39 +0000 (15:27 +0100)]
x86/x2apic: introduce a mixed physical/cluster mode
The current implementation of x2APIC requires to either use Cluster Logical or
Physical mode for all interrupts. However the selection of Physical vs Logical
is not done at APIC setup, an APIC can be addressed both in Physical or Logical
destination modes concurrently.
Introduce a new x2APIC mode called Mixed, which uses Logical Cluster mode for
IPIs, and Physical mode for external interrupts, thus attempting to use the
best method for each interrupt type.
Using Physical mode for external interrupts allows more vectors to be used, and
interrupt balancing to be more accurate.
Using Logical Cluster mode for IPIs allows fewer accesses to the ICR register
when sending those, as multiple CPUs can be targeted with a single ICR register
write.
A simple test calling flush_tlb_all() 10000 times on a tight loop on AMD EPYC
9754 with 512 CPUs gives the following figures in nanoseconds:
So Mixed has no difference when compared to Cluster mode, and Physical mode is
248% slower when compared to either Mixed or Cluster modes with a 95%
confidence.
Note that Xen uses Cluster mode by default, and hence is already using the
fastest way for IPI delivery at the cost of reducing the amount of vectors
available system-wide.
Make the newly introduced mode the default one.
Note the printing of the APIC addressing mode done in connect_bsp_APIC() has
been removed, as with the newly introduced mixed mode this would require more
fine grained printing, or else would be incorrect. The addressing mode can
already be derived from the APIC driver in use, which is printed by different
helpers.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Henry Wang <Henry.Wang@arm.com>
Jason Andryuk [Fri, 3 Nov 2023 19:45:51 +0000 (15:45 -0400)]
golang: Fix bindings after XSA-443
The new bootloader_restrict and bootloader_user fields in the libxl idl
change the bindings. Update them.
Fixes: 1f762642d2ca ("libxl: add support for running bootloader in restricted mode") Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Acked-by: George Dunlap <george.dunlap@cloud.com>
Jason Andryuk [Fri, 3 Nov 2023 19:45:50 +0000 (15:45 -0400)]
golang: Fixup binding for Arm FF-A
The new FF-A TEE type changed the go bindings. Update them.
Fixes: 8abdd8d52862 ("tools: add Arm FF-A mediator") Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Acked-by: George Dunlap <george.dunlap@cloud.com>
Jan Beulich [Fri, 3 Nov 2023 10:28:09 +0000 (11:28 +0100)]
AMD/IOMMU: drop tasklet handler forward declaration
do_amd_iommu_irq()'s forward declaration uses a parameter name different
from what the definition uses, thus violating Misra C:2012 rule 8.3. We
can get away without such a forward declaration if instead we forward-
declare amd_iommu_irq_tasklet, putting its initialization past the
handler function's definition.
No functional change.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86/hvm/dom0: fix PVH initrd and metadata placement
Zephyr image consists of multiple non-contiguous load segments
that reside in different RAM regions. For instance:
ELF: phdr: paddr=0x1000 memsz=0x8000
ELF: phdr: paddr=0x100000 memsz=0x28a90
ELF: phdr: paddr=0x128aa0 memsz=0x7560
ELF: memory: 0x1000 -> 0x130000
However, the logic that determines the best placement for dom0
initrd and metadata, assumes that the image is fully contained
in a single RAM region, not taking into account the cases where:
(1) start > kernel_start && end > kernel_end
(2) start < kernel_start && end < kernel_end
(3) start > kernel_start && end < kernel_end
In case (1), the evaluation will result in end = kernel_start,
i.e. end < start, and will load initrd in the middle of the kernel.
In case (2), the evaluation will result in start = kernel_end,
i.e. end < start, and will load initrd at kernel_end, that is out
of the memory region under evaluation.
In case (3), the evaluation will result in either end = kernel_start
or start = kernel_end but in both cases will be end < start, and
will either load initrd in the middle of the image, or arbitrarily
at kernel_end.
This patch reorganizes the conditionals to include so far unconsidered
cases as well, uniformly returning the lowest available address.
Fixes: 73b47eea2104 ('x86/dom0: improve PVH initrd and metadata placement') Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@amd.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
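An added illustration of the placement rule this commit message describes, not the code from the Xen patch: the free space of a RAM region is split into the window below the kernel image and the window above it, and the lowest address that fits is returned, so the three partial-overlap cases listed above never produce end < start. The names `lowest_free`, `fit_window` and `NO_ADDR`, the alignment parameter and the sample regions are assumptions; the kernel range is the "ELF: memory" span quoted in the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define NO_ADDR UINT64_MAX   /* hypothetical "nothing fits" marker */

/* Lowest align-aligned address in the window [lo, hi) with room for size bytes. */
uint64_t fit_window(uint64_t lo, uint64_t hi, uint64_t size, uint64_t align)
{
    uint64_t a = (lo + align - 1) & ~(align - 1);   /* align must be a power of two */

    /* Round-up wrapped, window empty or inverted, or window too small. */
    if (a < lo || a >= hi || hi - a < size)
        return NO_ADDR;
    return a;
}

/*
 * Lowest address inside the RAM region [start, end) where size bytes fit
 * without touching the kernel image [kstart, kend).
 */
uint64_t lowest_free(uint64_t start, uint64_t end,
                     uint64_t kstart, uint64_t kend,
                     uint64_t size, uint64_t align)
{
    /* Window below the image: clipped at kstart when the region reaches it. */
    uint64_t below_hi = end < kstart ? end : kstart;
    /* Window above the image: begins at kend when the region starts inside it. */
    uint64_t above_lo = start > kend ? start : kend;
    uint64_t a = fit_window(start, below_hi, size, align);

    if (a != NO_ADDR)
        return a;
    return fit_window(above_lo, end, size, align);
}

int main(void)
{
    /* Kernel span taken from the "ELF: memory: 0x1000 -> 0x130000" line. */
    const uint64_t kstart = 0x1000, kend = 0x130000;
    /* Constructed RAM regions, one per case. */
    const struct { const char *what; uint64_t start, end; } r[] = {
        { "case (1): starts inside image, ends above", 0x100000, 0x200000 },
        { "case (2): starts below image, ends inside", 0x0,      0x9f000  },
        { "case (3): entirely inside image",           0x2000,   0x9f000  },
        { "image entirely inside region",              0x0,      0x200000 },
        { "region disjoint from image",                0x200000, 0x300000 },
    };

    for (unsigned int i = 0; i < sizeof(r) / sizeof(r[0]); i++) {
        uint64_t a = lowest_free(r[i].start, r[i].end, kstart, kend,
                                 0x10000, 0x1000);

        if (a == NO_ADDR)
            printf("%-44s -> no room\n", r[i].what);
        else
            printf("%-44s -> 0x%" PRIx64 "\n", r[i].what, a);
    }
    return 0;
}
```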
Jan Beulich [Fri, 3 Nov 2023 10:25:03 +0000 (11:25 +0100)]
xenoprof: move asm/ include
There's no need for xen/xenoprof.h to include the arch header when the
respective config option is off. The only compensation needed is for
svm.c to explicitly include the arch header instead of the common one
(matching what vmx.c and traps.c do).
With that Arm's header can be deleted, and neither RISC-V nor PPC will
need to introduce one.
While there also adjust and move the (prior) inclusion of inttypes.h.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> # arm
Jan Beulich [Fri, 3 Nov 2023 10:23:18 +0000 (11:23 +0100)]
console: conditionalize console_input_domain()
The function was introduced for just one piece of code to use; it is
dead code in cases where the respective Kconfig option is disabled, thus
violating Misra C:2012 rule 2.1 there.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Juergen Gross [Fri, 3 Nov 2023 10:21:28 +0000 (11:21 +0100)]
build: simplify clean handling of extras directory
The extras directory is used only as a download target for Mini-OS
sources. Instead of special handling extras/mini-os* in .gitignore and
the clean targets, just use extras for that purpose.
So add "extras" to .gitignore and remove it when doing a
"make distclean".
Nicola Vetrini [Wed, 11 Oct 2023 13:03:49 +0000 (15:03 +0200)]
xen/include: make enum perfcounter anonymous
Using enumerators declared in a named enum, such as the one modified,
as operands to arithmetic operators is not allowed by MISRA C:2012 Rule 10.1.
The enumerators of an anonymous enum can be used instead.
Andrew Cooper [Wed, 1 Nov 2023 20:19:52 +0000 (20:19 +0000)]
x86/time: Fix UBSAN failure in __update_vcpu_system_time()
As reported:
(XEN) ================================================================================
(XEN) UBSAN: Undefined behaviour in arch/x86/time.c:1542:32
(XEN) member access within null pointer of type 'union vcpu_info_t'
(XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]----
...
(XEN) Xen call trace:
(XEN) [<ffff82d040345036>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xd2
(XEN) [<ffff82d0403456e8>] F __ubsan_handle_type_mismatch+0x133/0x49b
(XEN) [<ffff82d040345b4a>] F __ubsan_handle_type_mismatch_v1+0xfa/0xfc
(XEN) [<ffff82d040623356>] F arch/x86/time.c#__update_vcpu_system_time+0x212/0x30f
(XEN) [<ffff82d040623461>] F update_vcpu_system_time+0xe/0x10
(XEN) [<ffff82d04062389d>] F arch/x86/time.c#local_time_calibration+0x1f7/0x523
(XEN) [<ffff82d0402a64b5>] F common/softirq.c#__do_softirq+0x1f4/0x31a
(XEN) [<ffff82d0402a67ad>] F do_softirq+0x13/0x15
(XEN) [<ffff82d0405a95dc>] F arch/x86/domain.c#idle_loop+0x2e0/0x367
(XEN)
(XEN) ================================================================================
GCC 10 at least doesn't consider it valid to derive a pointer from vcpu_info()
prior to checking that the underlying map pointer is good.
Reorder actions so the map pointer is checked first.
Fixes: 20279afd7323 ("x86: split populating of struct vcpu_time_info into a separate function") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
Shawn Anastasio [Thu, 2 Nov 2023 09:52:31 +0000 (10:52 +0100)]
xen/ppc: Implement a basic exception handler
Implement a basic exception handler that dumps the CPU state to the
console, as well as the code required to set the correct exception
vector table's base address in setup.c.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Shawn Anastasio [Thu, 2 Nov 2023 09:51:31 +0000 (10:51 +0100)]
xen/ppc: Add .text.exceptions section for exception vectors
On Power, the exception vectors must lie at a fixed address, depending
on the state of the Alternate Interrupt Location (AIL) field of the
Logical Partition Control Register (LPCR). Create a .text.exceptions
section in the linker script at an address suitable for AIL=3 plus an
accompanying assertion to pave the way for implementing exception
support.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 2 Nov 2023 09:50:59 +0000 (10:50 +0100)]
x86/i8259: do not assume interrupts always target CPU0
Sporadically we have seen the following during AP bringup on AMD platforms
only:
microcode: CPU59 updated from revision 0x830107a to 0x830107a, date = 2023-05-17
microcode: CPU60 updated from revision 0x830104d to 0x830107a, date = 2023-05-17
CPU60: No irq handler for vector 27 (IRQ -2147483648)
microcode: CPU61 updated from revision 0x830107a to 0x830107a, date = 2023-05-17
This is similar to the issue raised on Linux commit 36e9e1eab777e, where they
observed i8259 (active) vectors getting delivered to CPUs different than 0.
On AMD or Hygon platforms adjust the target CPU mask of i8259 interrupt
descriptors to contain all possible CPUs, so that APs will reserve the vector
at startup if any legacy IRQ is still delivered through the i8259. Note that
if the IO-APIC takes over those interrupt descriptors the CPU mask will be
reset.
Spurious i8259 interrupt vectors however (IRQ7 and IRQ15) can be injected even
when all i8259 pins are masked, and hence would need to be handled on all CPUs.
Continue to reserve PIC vectors on CPU0 only, but do check for such spurious
interrupts on all CPUs if the vendor is AMD or Hygon. Note that once the
vectors get used by devices, detecting PIC spurious interrupts will no longer be
possible, however the device driver should be able to cope with spurious
interrupts. Such PIC spurious interrupts occurring when the vector is in use
by a local APIC routed source will lead to an extra EOI, which might
unintentionally clear a different vector from ISR. Note this is already the
current behavior, so assume it's infrequent enough to not cause real issues.
Finally, adjust the printed message to display the CPU where the spurious
interrupt has been received, so it looks like:
microcode: CPU1 updated from revision 0x830107a to 0x830107a, date = 2023-05-17
cpu1: spurious 8259A interrupt: IRQ7
microcode: CPU2 updated from revision 0x830104d to 0x830107a, date = 2023-05-17
Amends: 3fba06ba9f8b ('x86/IRQ: re-use legacy vector ranges on APs')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 2 Nov 2023 09:50:26 +0000 (10:50 +0100)]
x86/x2apic: remove usage of ACPI_FADT_APIC_CLUSTER
The ACPI FADT APIC_CLUSTER flag mandates that when the interrupt delivery is
Logical mode, the APIC must be configured for Cluster destination model. However, in
apic_x2apic_probe() such flag is incorrectly used to gate whether Physical mode
can be used.
Since Xen, when in x2APIC mode, only uses Logical mode together with Cluster
model, completely remove checking for ACPI_FADT_APIC_CLUSTER, as Xen always
fulfills the requirement signaled by the flag.
Fixes: eb40ae41b658 ('x86/Kconfig: add option for default x2APIC destination mode')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
The way the switch to virtual addresses was implemented in
commit e66003e7be ("xen/riscv: introduce setup_initial_pages")
isn't safe enough as:
* enable_mmu() depends on hooking all exceptions
and pagefault.
* Any exception other than pagefault, or not taking a pagefault
causes it to malfunction, which means you will fail to boot
depending on where Xen was loaded into memory.
Instead of the proposed way of switching to virtual addresses, it was
decided to use an identity mapping for the area which contains the code needed
to switch from identity mapping; after switching to virtual addresses, the
identity mapping is removed from the page tables in the following way:
search for the top-most page table entry and remove it.
Fixes: e66003e7be ("xen/riscv: introduce setup_initial_pages")
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen/riscv: introduce function for physical offset calculation
The function was introduced to calculate and save the physical
offset before the MMU is enabled, because access to start() is
PC-relative and in case of linker_addr != load_addr it will
result in an incorrect value in phys_offset.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Thu, 2 Nov 2023 09:45:39 +0000 (10:45 +0100)]
x86: don't allow Dom0 (direct) access to port F0
This controls the driving of IGNNE# (if such emulation is enabled in
hardware), and hence would need proper handling in the hypervisor to be
safe to use by Dom0 (and fully emulating for PVH/HVM DomU-s).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 2 Nov 2023 09:44:46 +0000 (10:44 +0100)]
x86/PVH: deny Dom0 access to the ISA DMA controller
Unlike PV, a PVH Dom0 has no sensible way of driving the address and
page registers correctly, as it would need to translate guest physical
addresses to host ones. Rather than allowing data corruption to occur
from e.g. the use of a legacy floppy drive, disallow access altogether.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 2 Nov 2023 09:44:11 +0000 (10:44 +0100)]
x86: don't allow Dom0 access to port 92
Somewhat like port CF9 this may have a bit controlling the CPU's INIT#
signal, and it also may have a bit involved in the driving of A20M#.
Neither of these - just like CF9 - we want to allow Dom0 to drive.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 2 Nov 2023 09:42:02 +0000 (10:42 +0100)]
x86/vRTC: minor adjustment to reads from index port
Whether to handle this shouldn't depend on the present value of the
index register. Since the handling is done outside of the lock anyway,
pull it out into the sole caller and drop the no longer needed function
parameter.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
David Woodhouse [Mon, 23 Oct 2023 11:34:24 +0000 (12:34 +0100)]
x86/pv-shim: fix grant table operations for 32-bit guests
When switching to call the shim functions from the normal handlers, the
compat_grant_table_op() function was omitted, leaving it calling the
real grant table operations in !PV_SHIM_EXCLUSIVE builds. This leaves a
32-bit shim guest failing to set up its real grant table with the parent
hypervisor.
Fixes: e7db635f4428 ("x86/pv-shim: Don't modify the hypercall table")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tamas K Lengyel [Wed, 18 Oct 2023 08:02:42 +0000 (04:02 -0400)]
x86/mem_sharing: add missing m2p entry when mapping shared_info page
When mapping in the shared_info page to a fork, the m2p entry wasn't set,
resulting in the shared_info being reset even when the fork reset was called
with only reset_state and not reset_memory. This results in an extra
unnecessary TLB flush.
Fixes: 1a0000ac775 ("mem_sharing: map shared_info page to same gfn during fork")
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 10 Oct 2023 09:52:53 +0000 (10:52 +0100)]
x86/cpu-policy: Adjust CPUID_MAX_SERIALISED_LEAVES to placate MISRA
MISRA doesn't like !!CONST being used in place of a 1 (Rule 10.1). Update the
expression to just be a plain 1, which still matches the description.
No functional change.
Reported-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Nicola Vetrini [Fri, 6 Oct 2023 08:26:10 +0000 (10:26 +0200)]
x86/mce: Move MC_NCLASSES into the enum mctelem_class
The definition of MC_NCLASSES contained a violation of MISRA C:2012
Rule 10.1; moving it to be an enumeration constant therefore resolves the
violation and makes it more resilient to possible additions to that enum.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>