xenbits.xensource.com Git - xen.git/log
12 years ago compat/gnttab: Prevent infinite loop in compat code (refs: stable-4.0, staging-4.0)
Ian Jackson [Wed, 14 Nov 2012 11:46:35 +0000 (11:46 +0000)]
compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 26151:b64a7d868f06
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago xen/mm/shadow: check toplevel pagetables are present before unhooking them.
Ian Jackson [Wed, 14 Nov 2012 11:44:46 +0000 (11:44 +0000)]
xen/mm/shadow: check toplevel pagetables are present before unhooking them.

If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0.  Add a check to avoid that case.

This issue was introduced by c/s 21239:b9d2db109cf5.

This is a security problem, XSA-23 / CVE-2012-4538.

Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-4.1-testing changeset: 23409:61eb3d030f52
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago x86/physmap: Prevent incorrect updates of m2p mappings
Ian Jackson [Wed, 14 Nov 2012 11:40:51 +0000 (11:40 +0000)]
x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
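
The invariant behind the x86/physmap fix above, as an added illustration that is not code from the Xen tree: the tables, `toy_set_p2m_entry()` and both `physmap_add_*` functions are hypothetical stand-ins, and the sample frame numbers are constructed.

```c
/* Added illustration: toy p2m/m2p tables, not Xen's data structures. */
#include <stdbool.h>
#include <stdio.h>

#define NR_FRAMES 8
#define INVALID_ENTRY (~0UL)

static unsigned long p2m[NR_FRAMES]; /* guest frame -> machine frame */
static unsigned long m2p[NR_FRAMES]; /* machine frame -> guest frame */
static bool p2m_update_fails;        /* simulates the low-memory failure */

static void tables_reset(void)
{
    for (int i = 0; i < NR_FRAMES; i++) {
        p2m[i] = INVALID_ENTRY;
        m2p[i] = INVALID_ENTRY;
    }
    p2m_update_fails = false;
}

/* Hypothetical stand-in for set_p2m_entry(): 0 on success, -1 on failure. */
static int toy_set_p2m_entry(unsigned long gfn, unsigned long mfn)
{
    if (p2m_update_fails || gfn >= NR_FRAMES || mfn >= NR_FRAMES)
        return -1;
    p2m[gfn] = mfn;
    return 0;
}

/* The behaviour the commit message describes as the bug. */
static int physmap_add_unchecked(unsigned long gfn, unsigned long mfn)
{
    int rc = toy_set_p2m_entry(gfn, mfn);

    if (mfn < NR_FRAMES)
        m2p[mfn] = gfn;          /* written even when rc != 0 */
    return rc;
}

/* The behaviour the commit message describes as the fix. */
static int physmap_add_checked(unsigned long gfn, unsigned long mfn)
{
    int rc = toy_set_p2m_entry(gfn, mfn);

    if (rc == 0)
        m2p[mfn] = gfn;          /* only after the p2m update succeeded */
    return rc;
}

/* Count entries that do not round-trip through the other table. */
static int count_inconsistencies(void)
{
    int bad = 0;

    for (unsigned long mfn = 0; mfn < NR_FRAMES; mfn++) {
        unsigned long gfn = m2p[mfn];
        if (gfn != INVALID_ENTRY && (gfn >= NR_FRAMES || p2m[gfn] != mfn))
            bad++;
    }
    for (unsigned long gfn = 0; gfn < NR_FRAMES; gfn++) {
        unsigned long mfn = p2m[gfn];
        if (mfn != INVALID_ENTRY && (mfn >= NR_FRAMES || m2p[mfn] != gfn))
            bad++;
    }
    return bad;
}

typedef int (*physmap_add_fn)(unsigned long gfn, unsigned long mfn);

/* One successful mapping, then one attempted while the p2m update fails. */
static int run_scenario(physmap_add_fn add)
{
    tables_reset();
    add(1, 5);                   /* constructed sample frames */
    p2m_update_fails = true;
    add(2, 6);
    return count_inconsistencies();
}

int main(void)
{
    printf("unchecked: %d stale entries\n", run_scenario(physmap_add_unchecked));
    printf("checked:   %d stale entries\n", run_scenario(physmap_add_checked));
    return 0;
}
```
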
12 years ago VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
Ian Jackson [Wed, 14 Nov 2012 11:37:55 +0000 (11:37 +0000)]
VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue.  If the
deadline ends up in the past, Xen never leaves __do_softirq().  The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).

This is a security problem, XSA-20 / CVE-2012-4535.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 26148:bf58b94b3cef
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago QEMU_TAG fix to refer to correct tree
Ian Jackson [Wed, 12 Sep 2012 10:18:03 +0000 (11:18 +0100)]
QEMU_TAG fix to refer to correct tree

12 years ago QEMU_TAG update
Ian Jackson [Tue, 11 Sep 2012 13:35:26 +0000 (14:35 +0100)]
QEMU_TAG update

12 years ago QEMU_TAG update (XSA-17 / CVE-2012-3515)
Ian Jackson [Wed, 5 Sep 2012 11:40:12 +0000 (12:40 +0100)]
QEMU_TAG update (XSA-17 / CVE-2012-3515)

12 years ago xen: Don't BUG_ON() PoD operations on a non-translated guest.
Ian Jackson [Wed, 5 Sep 2012 11:29:05 +0000 (12:29 +0100)]
xen: Don't BUG_ON() PoD operations on a non-translated guest.

This is XSA-14 / CVE-2012-3496

Signed-off-by: Tim Deegan <tim@xen.org>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Tested-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago xen: prevent a 64 bit guest setting reserved bits in DR7
Ian Jackson [Wed, 5 Sep 2012 11:27:58 +0000 (12:27 +0100)]
xen: prevent a 64 bit guest setting reserved bits in DR7

The upper 32 bits of this register are reserved and should be written as
zero.

This is XSA-12 / CVE-2012-3494

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago Added signature for changeset 8ea28053de39
Keir Fraser [Thu, 9 Aug 2012 15:48:19 +0000 (16:48 +0100)]
Added signature for changeset 8ea28053de39

12 years ago Added tag RELEASE-4.0.4 for changeset 8ea28053de39
Keir Fraser [Thu, 9 Aug 2012 15:47:49 +0000 (16:47 +0100)]
Added tag RELEASE-4.0.4 for changeset 8ea28053de39

12 years ago Update Xen version to 4.0.4 (ref: RELEASE-4.0.4)
Keir Fraser [Thu, 9 Aug 2012 15:47:23 +0000 (16:47 +0100)]
Update Xen version to 4.0.4

12 years ago cpufreq: P state stats aren't available if there is no cpufreq driver
David Vrabel [Thu, 9 Aug 2012 15:45:12 +0000 (16:45 +0100)]
cpufreq: P state stats aren't available if there is no cpufreq driver

If there is no cpufreq driver (e.g., with an AMD Opteron 8212) then
reading the P state statistics causes a deadlock as an uninitialized
spinlock is locked in do_get_pm_info(). The spinlock is initialized in
cpufreq_statistic_init() which is not called if cpufreq_driver ==
NULL.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   25706:7fd5facb6084
xen-unstable date:        Fri Aug 03 09:50:28 2012 +0200

12 years ago xen: only check for shared pages while any exist on teardown
Ian Campbell [Thu, 9 Aug 2012 14:47:19 +0000 (15:47 +0100)]
xen: only check for shared pages while any exist on teardown

Avoids worst case behaviour when guest has a large p2m.

This is XSA-11 / CVE-2012-3433

Signed-off-by: Tim Deegan <tim@xen.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago x86: fix off-by-one in nr_irqs_gsi calculation
Jan Beulich [Mon, 30 Jul 2012 12:39:47 +0000 (13:39 +0100)]
x86: fix off-by-one in nr_irqs_gsi calculation

highest_gsi() returns the last valid GSI, not a count.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Joe Jin <joe.jin@oracle.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25688:e6266fc76d08
xen-unstable date:        Fri Jul 27 12:22:13 2012 +0200

12 years ago vt-d: fix wrong addr in IOTLB invalidation descriptor
Yang Zhang [Mon, 30 Jul 2012 12:39:31 +0000 (13:39 +0100)]
vt-d: fix wrong addr in IOTLB invalidation descriptor

According to vt-d specs, the addr in IOTLB invalidation descriptor
should be 4K page aligned.

Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25617:75eb78d6cf54
xen-unstable date:        Thu Jul 19 15:46:02 2012 +0100

12 years ago Update Xen version to 4.0.4-rc4-pre
Keir Fraser [Mon, 30 Jul 2012 12:34:57 +0000 (13:34 +0100)]
Update Xen version to 4.0.4-rc4-pre

12 years ago x86/hvm: don't leave emulator in inconsistent state
Jan Beulich [Thu, 26 Jul 2012 15:57:18 +0000 (16:57 +0100)]
x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

[ This is a security issue.  XSA#10. -iwj ]

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 25682:ffcb24876b4f
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago Added signature for changeset 9af8521e0411
Keir Fraser [Sun, 22 Jul 2012 15:39:40 +0000 (16:39 +0100)]
Added signature for changeset 9af8521e0411

12 years ago Added tag 4.0.4-rc3 for changeset 9af8521e0411
Keir Fraser [Sun, 22 Jul 2012 15:39:32 +0000 (16:39 +0100)]
Added tag 4.0.4-rc3 for changeset 9af8521e0411

12 years ago Update Xen version to 4.0.4-rc3 (ref: 4.0.4-rc3)
Keir Fraser [Sun, 22 Jul 2012 15:39:29 +0000 (16:39 +0100)]
Update Xen version to 4.0.4-rc3

12 years ago xen: Fix off-by-one error when parsing command line arguments
Andrew Cooper [Tue, 3 Jul 2012 12:51:14 +0000 (13:51 +0100)]
xen: Fix off-by-one error when parsing command line arguments

As Xen currently stands, it will attempt to interpret the first few
bytes of the initcall section as a struct kernel_param.

The reason that this has not caused problems is because in the overflow
case, param->name is actually a function pointer to the first
initcall, and interpreting it as a string is very unlikely to match an
ASCII command line parameter name.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25587:2cffb7bf6e57
xen-unstable date:        Tue Jul 03 13:38:19 2012 +0100

12 years ago x86/nmi: Fix deadlock in unknown_nmi_error()
Andrew Cooper [Tue, 3 Jul 2012 12:51:04 +0000 (13:51 +0100)]
x86/nmi: Fix deadlock in unknown_nmi_error()

Additionally, correct the text description to reflect what is being
done, and make use of fatal_trap() in preference to kexec_crash() in
case an unknown NMI occurs before a kdump kernel has been loaded.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25478:6d1a30dc47e8
xen-unstable date:        Mon Jun 11 15:12:50 2012 +0100

12 years ago x86_64: Fix off-by-one error setting up the Interrupt Stack Tables
Andrew Cooper [Tue, 3 Jul 2012 12:50:51 +0000 (13:50 +0100)]
x86_64: Fix off-by-one error setting up the Interrupt Stack Tables

The Interrupt Stack Table entries in a 64bit TSS are a 1 based data
structure as far as hardware is concerned.  As a result, the code
setting up stacks in subarch_percpu_traps_init() fills in the wrong
IST entries.

The result is that the MCE handler executes on the stack set up for
NMIs; the NMI handler executes on a stack set up for Double Faults,
and Double Faults are executed with a stack pointer set to 0.

Once the #DF handler starts to execute, it will usually take a page
fault looking up the address at 0xfffffffffffffff8, which will cause a
triple fault.  If a guest has mapped a page in that location, then it
will have some state overwritten, but as the #DF handler always calls
panic(), this is not a problem the guest will have time to care about.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25271:54da0329e259
xen-unstable date:        Thu May 10 11:04:32 2012 +0100

12 years ago x86: Make asmlinkage explicitly a no-op, and avoid usage in arch/x86
Keir Fraser [Wed, 20 Jun 2012 08:40:40 +0000 (09:40 +0100)]
x86: Make asmlinkage explicitly a no-op, and avoid usage in arch/x86

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24511:a141f6d64916
xen-unstable date:        Sun Jan 15 22:02:35 2012 +0000

12 years ago Update Xen version to 4.0.4-rc3-pre
Keir Fraser [Wed, 20 Jun 2012 08:40:27 +0000 (09:40 +0100)]
Update Xen version to 4.0.4-rc3-pre

12 years ago Added signature for changeset fe1ae79f1a7f
Keir Fraser [Mon, 18 Jun 2012 14:11:47 +0000 (15:11 +0100)]
Added signature for changeset fe1ae79f1a7f

12 years ago Added tag 4.0.4-rc2 for changeset fe1ae79f1a7f
Keir Fraser [Mon, 18 Jun 2012 14:11:38 +0000 (15:11 +0100)]
Added tag 4.0.4-rc2 for changeset fe1ae79f1a7f

12 years ago Update Xen version to 4.0.4-rc2 (ref: 4.0.4-rc2)
Keir Fraser [Mon, 18 Jun 2012 14:11:33 +0000 (15:11 +0100)]
Update Xen version to 4.0.4-rc2

12 years ago x86-64: detect processors subject to AMD erratum #121 and refuse to boot
Jan Beulich [Tue, 12 Jun 2012 10:42:57 +0000 (11:42 +0100)]
x86-64: detect processors subject to AMD erratum #121 and refuse to boot

Processors with this erratum are subject to a DoS attack by unprivileged
guest users.

This is XSA-9 / CVE-2012-2934.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset:   25481:422880dc94a4
xen-unstable date:        Tue Jun 12 11:33:42 2012 +0100
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago x86-64: fix #GP generation in assembly code
Jan Beulich [Tue, 12 Jun 2012 10:39:34 +0000 (11:39 +0100)]
x86-64: fix #GP generation in assembly code

When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
guest) gets converted into a GP fault (due to no callback having got
registered), we must
- honor the GP fault handler's request to keep enabled or mask event
  delivery
- not allow TBF_EXCEPTION to remain set past the generation of the
  (guest) exception in the vCPU's trap_bounce.flags, as that would
  otherwise allow for the next exception occurring in guest mode,
  should it happen to get handled in Xen itself, to nevertheless get
  bounced to the guest kernel.

Also, just like compat mode syscall handling already did, native mode
sysenter handling should, when converting to #GP, subtract 2 from the
RIP present in the frame so that the guest's GP fault handler would
see the fault pointing to the offending instruction instead of past it.

Finally, since those exception generating code blocks needed to be
modified anyway, convert them to make use of UNLIKELY_{START,END}().

[ This bug is a security vulnerability, XSA-8 / CVE-2012-0218. ]

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   25200:80f4113be500 25204:569d6f05e1ef
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago x86_64: Do not execute sysret with a non-canonical return address
Jan Beulich [Tue, 12 Jun 2012 10:38:31 +0000 (11:38 +0100)]
x86_64: Do not execute sysret with a non-canonical return address

Check for non-canonical guest RIP before attempting to execute sysret.
If sysret is executed with a non-canonical value in RCX, Intel CPUs
take the fault in ring0, but we will necessarily already have switched
to the user's stack pointer.

This is a security vulnerability, XSA-7 / CVE-2012-0217.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Keir Fraser <keir.xen@gmail.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset:   25480:76eaf5966c05
xen-unstable date:        Tue Jun 12 11:33:40 2012 +0100
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago blktap2: Fix naked unchecked uses of read/write/chdir.
Keir Fraser [Mon, 14 May 2012 16:02:16 +0000 (17:02 +0100)]
blktap2: Fix naked unchecked uses of read/write/chdir.

These cause warnings under warn_unused_result, and for read/write we
ought to deal with partial io results.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25299:01d64a3dea71
xen-unstable date:        Fri May 11 18:30:29 2012 +0100

blktap2: Fix another uninitialised value error

gcc  -O1 -fno-omit-frame-pointer -m32 -march=i686 -g
-fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes
-Wdeclaration-after-statement   -D__XEN_TOOLS__ -MMD -MF
.block-remus.o.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -fno-optimize-sibling-calls
-mno-tls-direct-seg-refs -Werror -g -Wno-unused -fno-strict-aliasing
-I../include -I../drivers
-I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/libxc
-I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/include
-D_GNU_SOURCE -DUSE_NFS_LOCKS  -c -o block-remus.o block-remus.c

block-remus.c: In function 'ramdisk_flush':
block-remus.c:508: error: 'buf' may be used uninitialized in this
function
make[5]: *** [block-remus.o] Error 1

This is because gcc can see that merge_requests doesn't always set
*mergedbuf but gcc isn't able to prove that it always does so if
merge_requests returns 0 and that in that case the value of
ramdisk_flush::buf isn't used.

This is too useful a warning to disable, despite the occasional false
positive of this form.  The conventional approach is to suppress the
warning by explicitly initialising the variable to 0.

This has just come to light because 25275:27d63b9f111a reenabled
optimisation for this area of code, and gcc's data flow analysis
(which is required to trigger the uninitialised variable warning) only
occurs when optimisation is turned on.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset:   25281:60064411a8a9
xen-unstable date:        Thu May 10 14:26:14 2012 +0100

blktap2: Do not build with -O0

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25275:27d63b9f111a
xen-unstable date:        Thu May 10 11:22:18 2012 +0100

blktap2: Fix uninitialised value error.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25274:cb82b5aa73bd
xen-unstable date:        Thu May 10 11:21:59 2012 +0100

tools/blktap2: fix out of bounds access in block-log.c

block-log.c: In function 'ctl_close_sock':
block-log.c:363:23: warning: array subscript is above array bounds
[-Warray-bounds]

Adjust loop condition in ctl_close_sock() to fix warning.
Adjust array access in ctl_close() to actually access the array
member.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25273:83a02f225bde
xen-unstable date:        Thu May 10 11:20:04 2012 +0100

tools/blktap2: fix build errors caused by Werror in
vhd_journal_write_entry

-O2 -Wall -Werror triggers these warnings:

libvhd-journal.c: In function 'vhd_journal_write_entry':
libvhd-journal.c:335: warning: statement with no effect

Really return the error from vhd_journal_write() to caller.

v2:
 - simplify the patch by just adding the missing return statement

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25272:ca02580986d2
xen-unstable date:        Thu May 10 11:19:05 2012 +0100

12 years ago Update Xen version to 4.0.4-rc2-pre
Keir Fraser [Mon, 14 May 2012 16:01:51 +0000 (17:01 +0100)]
Update Xen version to 4.0.4-rc2-pre

13 years ago Added signature for changeset 94fddf2a1948
Keir Fraser [Mon, 7 May 2012 12:45:49 +0000 (13:45 +0100)]
Added signature for changeset 94fddf2a1948

13 years ago Added tag 4.0.4-rc1 for changeset 94fddf2a1948
Keir Fraser [Mon, 7 May 2012 12:45:36 +0000 (13:45 +0100)]
Added tag 4.0.4-rc1 for changeset 94fddf2a1948

13 years ago Update Xen version to 4.0.4-rc1 (ref: 4.0.4-rc1)
Keir Fraser [Mon, 7 May 2012 12:45:31 +0000 (13:45 +0100)]
Update Xen version to 4.0.4-rc1

13 years ago svm: Fake out the Bus Unit Config MSR on revF AMD CPUs
George Dunlap [Tue, 1 May 2012 13:18:46 +0000 (14:18 +0100)]
svm: Fake out the Bus Unit Config MSR on revF AMD CPUs

Win2k8 x64 reads this MSR on revF chips, where it wasn't publicly
available; it uses a magic constant in %rdi as a password, which we
don't have in rdmsr_safe().  Since we'll ignore the later writes, just
use a plausible value here (the reset value from rev10h chips) if the
real CPU didn't provide one.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24990:322300fd2ebd
xen-unstable date:        Thu Mar 08 09:17:21 2012 +0000

svm: amend c/s 24990:322300fd2ebd (fake BU_CFG MSR on AMD revF)

Let's restrict such a hack to the known affected family.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
xen-unstable changeset:   25058:f47d91cb0faa
xen-unstable date:        Thu Mar 15 15:09:18 2012 +0100

13 years ago x86-64: Fix memory hotplug epfn upper limit test for updating the
Malcolm Crossley [Tue, 1 May 2012 13:16:31 +0000 (14:16 +0100)]
x86-64: Fix memory hotplug epfn upper limit test for updating the
compat M2P table

The epfn is being compared to (RDWR_COMPAT_MPT_VIRT_END -
RDWR_COMPAT_MPT_VIRT_START) without a 2 bit shift, resulting in the
epfn being compared to the size of the RDWR_COMPAT_MPT table in bytes
instead of the maximum page frame number that the RDWR_COMPAT_MPT
table can map.

Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   25242:b7ce6a88bebb
xen-unstable date:        Wed Apr 25 12:35:56 2012 +0200

13 years ago x86/hpet: disable before reboot or kexec
Jan Beulich [Tue, 17 Apr 2012 07:37:47 +0000 (08:37 +0100)]
x86/hpet: disable before reboot or kexec

Linux up to now is not smart enough to properly clear the HPET when it
boots, which is particularly a problem when a kdump attempt from
running under Xen is being made. Linux itself added code to work around
this to its shutdown paths quite some time ago, so let's do something
similar in Xen: Save the configuration register settings during boot,
and restore them during shutdown. This should cover the majority of
cases where the secondary kernel might not come up because timer
interrupts don't work.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25101:f06ff3dfde08
xen-unstable date:        Tue Mar 27 15:20:23 2012 +0200

13 years ago x86_emulate: Do not push an error code onto a #UD exception stack
Andrew Cooper [Tue, 17 Apr 2012 07:35:59 +0000 (08:35 +0100)]
x86_emulate: Do not push an error code onto a #UD exception stack

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25099:4bd752a4cdf3
xen-unstable date:        Fri Mar 23 20:51:48 2012 +0000

x86_emulate: raise #UD rather than #GP on invalid use of LOCK prefix

From: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25098:2e45b26bc412
xen-unstable date:        Fri Mar 23 20:45:16 2012 +0000

13 years ago x86/gnttab: fix asm() operand in gnttab_clear_flag()
Jan Beulich [Fri, 23 Mar 2012 13:58:58 +0000 (13:58 +0000)]
x86/gnttab: fix asm() operand in gnttab_clear_flag()

The operand needs to use the 'w' modifier in case the compiler happens
to pick a register (which apparently it does for no-one but the
reporter of this problem).

Reported-by: Lin Ming <mlin@ss.pku.edu.cn>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   25092:a66fb91cb8d3
xen-unstable date:        Fri Mar 23 08:39:39 2012 +0100

13 years ago vMSI: fix ia64 build for 21577:c41ab909f08e
Keir Fraser [Fri, 23 Mar 2012 13:55:40 +0000 (13:55 +0000)]
vMSI: fix ia64 build for 21577:c41ab909f08e

On ia64, 21577:c41ab909f08e introduces the following error:
  /xen/include/xen/pci.h:52: warning: implicit declaration of function
  `PFN_UP'
  /xen/include/xen/pci.h:52: error: variable-size type declared
  outside of any function
  /xen/include/xen/pci.h:53: error: variable-size type declared
  outside of any function

Because the macro PFN_UP() is defined on x86 only.

Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: KUWAMURA Shin'ya <kuwa@jp.fujitsu.com>
xen-unstable changeset:   23074:c80e0fb4fe93
xen-unstable date:        Wed Mar 23 13:34:55 2011 +0000

13 years ago IRQ: fix ia64 build for 21530:0383662ea34c
KUWAMURA Shin'ya [Fri, 23 Mar 2012 13:54:02 +0000 (13:54 +0000)]
IRQ: fix ia64 build for 21530:0383662ea34c

On ia64, 21530:0383662ea34c introduces the following error:
  irq.c:129: warning: initialization from incompatible pointer type
  irq.c: In function '__do_IRQ':
  irq.c:159: error: too few arguments to function 'desc->handler->end'
  irq.c:223: error: too few arguments to function 'desc->handler->end'
  irq.c: In function 'pirq_guest_eoi':
  irq.c:450: error: too few arguments to function 'desc->handler->end'
  irq.c: In function 'pirq_guest_unbind':
  irq.c:579: error: too few arguments to function 'desc->handler->end'

This patch is a part of xen-unstable 24145:967845cb565b.

Signed-off-by: KUWAMURA Shin'ya <kuwa@jp.fujitsu.com>
Committed-by: Keir Fraser <keir@xen.org>
13 years ago x86/vMSI: miscellaneous fixes
Jan Beulich [Thu, 8 Mar 2012 11:00:17 +0000 (11:00 +0000)]
x86/vMSI: miscellaneous fixes

This addresses a number of problems in msixtbl_{read,write}():
- address alignment was not checked, allowing for memory corruption in
  the hypervisor (write case) or returning of hypervisor private data
  to the guest (read case)
- the interrupt mask bit was permitted to be written by the guest
  (while Xen's interrupt flow control routines need to control it)
- MAX_MSIX_TABLE_{ENTRIES,PAGES} were pointlessly defined to plain
  numbers (making it unobvious why they have these values, and making
  the latter non-portable)
- MAX_MSIX_TABLE_PAGES was also off by one (failing to account for a
  non-zero table offset); this was also affecting host MSI-X code
- struct msixtbl_entry's table_flags[] was one element larger than
  necessary due to improper open-coding of BITS_TO_LONGS()
- msixtbl_read() unconditionally accessed the physical table, even
  though the data was only needed in a quarter of all cases
- various calculations were done unnecessarily for both of the rather
  distinct code paths in msixtbl_read()

Additionally it is unclear on what basis MAX_MSIX_ACC_ENTRIES was
chosen to be 3.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24535:fb81b807c154
xen-unstable date:        Mon Jan 23 09:35:17 2012 +0000

13 years ago passthrough: release assigned PCI devices earlier during domain
Jan Beulich [Wed, 7 Mar 2012 09:09:05 +0000 (09:09 +0000)]
passthrough: release assigned PCI devices earlier during domain
shutdown

At least with xend, where there's not even a tool stack side attempt
to de-assign devices during domain shutdown, this allows immediate re-
starts of a domain to work reliably. (There's no apparent reason why
c/s 18010:c1577f094ae4 chose to put this in the asynchronous part of
domain destruction).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24888:71159fb049f2
xen-unstable date:        Fri Feb 24 11:46:32 2012 +0100

13 years ago x86/emulator: workaround for AMD erratum 573
Jan Beulich [Wed, 7 Mar 2012 09:05:20 +0000 (09:05 +0000)]
x86/emulator: workaround for AMD erratum 573

The only cases where we might end up emulating fsincos (as any other
x87 operations without memory operands) are
- when a HVM guest is in real mode (not applicable on AMD)
- between two half page table updates in PAE mode (unlikely, and not
  doing the emulation here does affect only performance, not
  correctness)
- when a guest maliciously (or erroneously) modifies an (MMIO or page
  table update) instruction under emulation (unspecified behavior)

Hence, in order to avoid the erratum causing harm to the entire host,
don't emulate fsincos on the affected AMD CPU families.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24417:1452fb248cd5
xen-unstable date:        Fri Dec 16 15:45:40 2011 +0100

13 years ago Fix build after previous changeset.
Keir Fraser [Wed, 7 Mar 2012 09:04:11 +0000 (09:04 +0000)]
Fix build after previous changeset.

Signed-off-by: Keir Fraser <keir@xen.org>
13 years ago x86, amd: Disable GartTlbWlkErr when BIOS forgets it
Jan Beulich [Wed, 7 Mar 2012 08:56:28 +0000 (08:56 +0000)]
x86, amd: Disable GartTlbWlkErr when BIOS forgets it

This patch disables GartTlbWlk errors on AMD Fam10h CPUs if the BIOS
forgets to do it (or is just too old). Leaving these errors enabled
can cause a sync-flood on the CPU causing a reboot.

The AMD BKDG recommends disabling GART TLB Wlk Error completely.

Based on a Linux patch from Joerg Roedel <joerg.roedel@amd.com>; see
e.g.
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=5bbc097d890409d8eff4e3f1d26f11a9d6b7c07e

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24389:868d82faf651
xen-unstable date:        Tue Dec 13 09:45:11 2011 +0100

13 years ago KEXEC: fix kexec_get_range_compat to fail vocally.
Andrew Cooper [Wed, 7 Mar 2012 08:55:57 +0000 (08:55 +0000)]
KEXEC: fix kexec_get_range_compat to fail vocally.

Fail with -ERANGE rather than silently truncating 64bit values (a
physical address and size) into 32bit integers for dom0 to consume.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Simplify the bitwise arithmetic a bit.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24358:9961a6d5356a
xen-unstable date:        Mon Dec 05 19:42:46 2011 +0000
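
The truncation hazard described in the KEXEC commit above, as an added illustration that is not code from the Xen tree: the two struct layouts and all function names are hypothetical, and the sample addresses are constructed.

```c
/* Added illustration: narrowing a 64-bit range for a 32-bit consumer. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical native and compat layouts of a (start, size) range. */
struct range_native { uint64_t start; uint64_t size; };
struct range_compat { uint32_t start; uint32_t size; };

/* Silent truncation: always "succeeds", possibly with a wrong answer. */
static int to_compat_truncating(const struct range_native *n,
                                struct range_compat *c)
{
    c->start = (uint32_t)n->start;
    c->size  = (uint32_t)n->size;
    return 0;
}

/* Fail with -ERANGE when either value does not fit in 32 bits. */
static int to_compat_checked(const struct range_native *n,
                             struct range_compat *c)
{
    /* OR-ing the values lets a single test cover both upper halves. */
    if ((n->start | n->size) >> 32)
        return -ERANGE;

    c->start = (uint32_t)n->start;
    c->size  = (uint32_t)n->size;
    return 0;
}

/* Helper: the start value a caller would see after silent truncation. */
static uint32_t truncated_start_for(uint64_t start, uint64_t size)
{
    struct range_native n = { start, size };
    struct range_compat c = { 0, 0 };

    to_compat_truncating(&n, &c);
    return c.start;
}

/* Helper: the return code of the checked conversion. */
static int checked_rc_for(uint64_t start, uint64_t size)
{
    struct range_native n = { start, size };
    struct range_compat c = { 0, 0 };

    return to_compat_checked(&n, &c);
}

int main(void)
{
    /* Constructed sample: a range that starts just above 4 GiB. */
    uint64_t start = 0x100001000ULL, size = 0x2000;

    printf("truncating: start=0x%" PRIx32 " (wrong address, no error)\n",
           truncated_start_for(start, size));
    printf("checked:    rc=%d (-ERANGE is %d)\n",
           checked_rc_for(start, size), -ERANGE);
    return 0;
}
```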

13 years ago x86/mm: Don't lose track of the log dirty bitmap
Tim Deegan [Wed, 7 Mar 2012 08:54:24 +0000 (08:54 +0000)]
x86/mm: Don't lose track of the log dirty bitmap

hap_log_dirty_init unconditionally sets the top of the log dirty
bitmap to INVALID_MFN. If there had been a bitmap allocated, it is
then leaked, and the host crashes on an ASSERT when the domain is
cleaned up.

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Committed-by: Tim Deegan <tim@xen.org>
xen-unstable changeset:   24282:a06cda9fb25f
xen-unstable date:        Thu Dec 01 14:17:16 2011 +0000

13 years ago x86: small fixes to pcpu platform op handling
Jan Beulich [Wed, 7 Mar 2012 08:53:56 +0000 (08:53 +0000)]
x86: small fixes to pcpu platform op handling

XENPF_get_cpuinfo should init the flags output field rather than only
modify it.

XENPF_cpu_online must check for the input CPU number to be in range.

XENPF_cpu_offline must also do that, and should also reject attempts to
offline CPU 0 (this fails in cpu_down() too, but preventing this here
appears more correct given that the code here calls
continue_hypercall_on_cpu(0, ...), which would be flawed if cpu_down()
would ever allow bringing down CPU 0 (and a distinct error code is
easier to deal with when debugging issues)).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24201:9c6bea25f712
xen-unstable date:        Thu Nov 24 17:56:26 2011 +0100

13 years ago Trivial fix for rc val in hap track dirty vram
Andres Lagar-Cavilla [Wed, 7 Mar 2012 08:51:51 +0000 (08:51 +0000)]
Trivial fix for rc val in hap track dirty vram

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24193:67d2ac426def
xen-unstable date:        Thu Nov 24 15:44:51 2011 +0000

13 years ago x86/mm: change return code for log-dirty disabling
Andres Lagar-Cavilla [Wed, 7 Mar 2012 08:51:27 +0000 (08:51 +0000)]
x86/mm: change return code for log-dirty disabling

Disabling log dirty mode in HAP always returns -EINVAL. Make it
return the correct rc on success.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
xen-unstable changeset:   24190:6b3d8250ee2c
xen-unstable date:        Thu Nov 24 15:20:57 2011 +0000

13 years ago x86/vioapic: clear remote IRR when switching RTE to edge triggered
Jan Beulich [Wed, 7 Mar 2012 08:50:55 +0000 (08:50 +0000)]
x86/vioapic: clear remote IRR when switching RTE to edge triggered mode

Xen itself (as much as Linux) relies on this behavior, so it should
also emulate it properly. Not doing so reportedly gets in the way of
kexec inside a HVM guest.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
xen-unstable changeset:   24168:9c350ab8d3ea
xen-unstable date:        Mon Nov 21 09:29:31 2011 +0100
Committed-by: Keir Fraser <keir@xen.org>

13 years agox86/IO-APIC: refine EOI-ing of migrating level interrupts
Jan Beulich [Wed, 7 Mar 2012 08:50:32 +0000 (08:50 +0000)]
x86/IO-APIC: refine EOI-ing of migrating level interrupts

Rather than going through all IO-APICs and calling io_apic_eoi_vector()
for the vector in question, just use eoi_IO_APIC_irq().

This in turn allows eliminating quite a bit of other code.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen-unstable changeset:   24155:0d50e704834f
xen-unstable date:        Fri Nov 18 09:18:41 2011 +0100

13 years agoxen: add missing unlock from gnttab_get_version
Ian Campbell [Thu, 23 Feb 2012 10:41:33 +0000 (10:41 +0000)]
xen: add missing unlock from gnttab_get_version

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reported-by: Francisco Rocha <f.e.liberal-rocha@newcastle.ac.uk>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24871:66cc5b67e749
xen-unstable date:        Thu Feb 23 09:59:35 2012 +0000

13 years agognttab: miscellaneous fixes
Jan Beulich [Thu, 23 Feb 2012 10:40:43 +0000 (10:40 +0000)]
gnttab: miscellaneous fixes

- _GTF_* constants name bit positions, so binary arithmetic on them is
  wrong
- gnttab_clear_flag() cannot (on x86 and ia64 at least) simply use
  clear_bit(), as that may access more than the two bytes that are
  intended to be accessed

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24742:9fc810bb8145
xen-unstable date:        Thu Feb 09 16:39:16 2012 +0100

13 years agoUpdate QEMU_TAG, for CVE-2012-0029
Ian Jackson [Thu, 2 Feb 2012 14:00:32 +0000 (14:00 +0000)]
Update QEMU_TAG, for CVE-2012-0029

13 years agovesa: flush lfb after zeroing
Andrew Cooper [Tue, 31 Jan 2012 11:49:30 +0000 (11:49 +0000)]
vesa: flush lfb after zeroing

If Xen is going to relinquish the VGA console, flush the linear frame
buffer after zeroing it in vesa_endboot().

Failing to do so in some circumstances leads to the actual linear
framebuffer on the graphics card still containing the output of the
Xen boot console, which can lead to ugly graphics output when dom0 is
setting up the graphics card for its own use.

While the patch is quite large, it is mostly just code motion to
prevent having to forward declare lfb_flush().  The only functional
change to vesa_endboot() is to insert a call to lfb_flush().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24615:ac9f32525376
xen-unstable date:        Sat Jan 28 13:42:25 2012 +0000

13 years agoConsole: introduce console=none command line parameter
Andrew Cooper [Tue, 31 Jan 2012 11:49:15 +0000 (11:49 +0000)]
Console: introduce console=none command line parameter

Currently, not specifying 'console=<foo>' on the command line causes
Xen to default to 'vga'.  Alternatively, the user can explicitly
specify 'console=vga|com1|com2'.

However, there is no way to specify that neither vga nor serial should
be used.  Specifying 'console=' does have the effect that neither vga
nor serial is set up, but at the cost of a "Bad console= option ''"
warning.

Therefore, explicitly support a 'console=none' option which does not
set up vga and does not set up serial, but does not trigger the bad
console warning.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24614:f8c2cf24a26c
xen-unstable date:        Sat Jan 28 13:41:42 2012 +0000

13 years agoVMX: print Pause Loop Exiting disabled message just once
Jan Beulich [Tue, 17 Jan 2012 11:35:30 +0000 (11:35 +0000)]
VMX: print Pause Loop Exiting disabled message just once

... rather than per booting CPU.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24465:5b2676ac1321
xen-unstable date:        Mon Jan 09 16:01:44 2012 +0100

13 years agox86: emulate lea with two register operands correctly
David Vrabel [Tue, 17 Jan 2012 11:35:03 +0000 (11:35 +0000)]
x86: emulate lea with two register operands correctly

An lea instruction with two register operands should raise an
undefined instruction exception.

Skype does such an instruction and will crash when starting if it does
not get the exception.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24456:03781de56c31
xen-unstable date:        Thu Jan 05 15:47:16 2012 +0000

13 years agox86/vIRQ: IRR and TMR race condition bug fix
Yongan Liu [Tue, 17 Jan 2012 11:34:43 +0000 (11:34 +0000)]
x86/vIRQ: IRR and TMR race condition bug fix

In vlapic_set_irq, we set the IRR register before the TMR. And the IRR
might be serviced before setting TMR, and even worse EOI might occur
before TMR setting, in which case the vioapic_update_EOI won't be
called, which further prevents all subsequent interrupt injection.
Reordering the setting of the TMR and IRR will solve the problem.

Besides, KVM has fixed a similar bug in:
http://markmail.org/search/?q=APIC_TMR#query:APIC_TMR+page:1+mid:rphs4f7lkxjlldne+state:results

Signed-off-by: Yongan Liu <Liuyongan@huawei.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   24453:02b92d035f64
xen-unstable date:        Thu Jan 05 09:29:59 2012 +0100

13 years agox86/ucode: fix for AMD Fam15 CPUs
Christoph Egger [Sun, 15 Jan 2012 22:08:54 +0000 (22:08 +0000)]
x86/ucode: fix for AMD Fam15 CPUs

Remove hardcoded maximum size a microcode patch can have. This is
dynamic now.

The microcode patch for family15h can be larger than 2048 bytes and
gets silently truncated.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Backport from xen-unstable changeset 24411:ca5f588bd203 to Xen 4.0

13 years agoAllow VMs to query their own grant table version.
Paul Durrant [Sun, 18 Dec 2011 14:51:04 +0000 (14:51 +0000)]
Allow VMs to query their own grant table version.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24427:931bf1105730
xen-unstable date:        Sun Dec 18 14:38:32 2011 +0000

13 years agox86/AMD: use correct shift count when merging model and stepping
Jan Beulich [Sun, 18 Dec 2011 14:49:59 +0000 (14:49 +0000)]
x86/AMD: use correct shift count when merging model and stepping

... for legacy errata matching.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24412:99caac2e35df
xen-unstable date:        Thu Dec 15 14:28:45 2011 +0100
Committed-by: Keir Fraser <keir@xen.org>

13 years agotools/libxc: Fix x86_32 build breakage in previous changeset.
Keir Fraser [Tue, 6 Dec 2011 10:54:42 +0000 (10:54 +0000)]
tools/libxc: Fix x86_32 build breakage in previous changeset.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24345:491c3ebf1d37
xen-unstable date:        Fri Dec 02 08:40:02 2011 -0800

tools/x86_64: Fix cpuid() inline asm to not clobber stack's red zone

Pushing stuff onto the stack on x86-64 when we do not specify
-mno-red-zone is unsafe. Since the complicated asm is due to register
pressure on i386, we simply implement an all-new simpler alternative
for x86-64.

Signed-off-by: Keir Fraser <keir@xen.org>
Acked-by: Jan Beulich <jbeulich@novell.com>
xen-unstable changeset:   24344:72f4e4cb7440
xen-unstable date:        Fri Dec 02 06:31:14 2011 -0800

13 years ago[shadow] Disable higher level pagetables early unshadow only when the "process dying...
Gianluca Guida [Wed, 16 Nov 2011 16:40:05 +0000 (16:40 +0000)]
[shadow] Disable higher level pagetables early unshadow only when the "process dying" hypercall is used.

This patch fixes a performance problem in fully virtualized guests.

Signed-off-by: Gianluca Guida <gianluca.guida@citrix.com>
Tested-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   24148:3ecc8fef4281
xen-unstable date:        Wed Nov 16 15:19:33 2011 +0000

13 years agox86/amd: Eliminate cache flushing when entering C3 on select AMD processors
Mark Langsdorf [Sat, 12 Nov 2011 16:15:19 +0000 (16:15 +0000)]
x86/amd: Eliminate cache flushing when entering C3 on select AMD processors

AMD Fam15h processors have a shared cache. It does not need
to be flushed when entering C3 and doing so causes reduced
performance. Modify acpi_processor_power_init_bm_check to
prevent these processors from flushing when entering C3.

Signed-off-by: Mark Langsdorf <mark.langsdorf@amd.com>
xen-unstable changeset:   23511:450f1d198e1e
xen-unstable date:        Tue Jun 14 12:46:29 2011 +0100
Committed-by: Keir Fraser <keir@xen.org>

13 years agoamd xsave: Move xsave initialization code to a common place
Wei Huang [Tue, 25 Oct 2011 15:44:40 +0000 (16:44 +0100)]
amd xsave: Move xsave initialization code to a common place

This patch moves xsave/xrstor code to CPU common file. First of all,
it prepares xsave/xrstor support for AMD CPUs. Secondly, Xen would
crash on __context_switch() without this patch on xsave-capable AMD
CPUs. The crash was due to cpu_has_xsave reporting true in domain.c
while xsave space wasn't initialized.

Signed-off-by: Wei Huang <wei.huang2@amd.com>
xen-unstable changeset:   22462:98eb4a334b77
xen-unstable date:        Tue Dec 07 18:26:38 2010 +0000

13 years agoRevert xen-unstable:23871:503ee256fecf
Keir Fraser [Mon, 24 Oct 2011 17:04:42 +0000 (18:04 +0100)]
Revert xen-unstable:23871:503ee256fecf

Signed-off-by: Keir Fraser <keir@xen.org>

13 years agoUpdate Xen version to 4.0.4-rc1-pre
Keir Fraser [Mon, 24 Oct 2011 17:04:31 +0000 (18:04 +0100)]
Update Xen version to 4.0.4-rc1-pre

13 years agoAdded signature for changeset 00b5807c08f2
Keir Fraser [Thu, 20 Oct 2011 16:35:52 +0000 (17:35 +0100)]
Added signature for changeset 00b5807c08f2

13 years agoAdded tag RELEASE-4.0.3 for changeset 00b5807c08f2
Keir Fraser [Thu, 20 Oct 2011 16:35:43 +0000 (17:35 +0100)]
Added tag RELEASE-4.0.3 for changeset 00b5807c08f2

13 years agoUpdate Xen version to 4.0.3 RELEASE-4.0.3
Keir Fraser [Thu, 20 Oct 2011 16:35:18 +0000 (17:35 +0100)]
Update Xen version to 4.0.3

13 years agoAdded signature for changeset fd7c4d4e52d9
Keir Fraser [Fri, 7 Oct 2011 14:46:57 +0000 (15:46 +0100)]
Added signature for changeset fd7c4d4e52d9

13 years agoAdded tag 4.0.3-rc3 for changeset fd7c4d4e52d9
Keir Fraser [Fri, 7 Oct 2011 14:46:48 +0000 (15:46 +0100)]
Added tag 4.0.3-rc3 for changeset fd7c4d4e52d9

13 years agoUpdate Xen version to 4.0.3-rc3 4.0.3-rc3
Keir Fraser [Fri, 7 Oct 2011 14:46:32 +0000 (15:46 +0100)]
Update Xen version to 4.0.3-rc3

13 years agobuild: fix grep invocation in cc-options
Ian Campbell [Mon, 3 Oct 2011 15:36:09 +0000 (16:36 +0100)]
build: fix grep invocation in cc-options

Currently the build produces lots of
        Usage: grep [OPTION]... PATTERN [FILE]...
        Try `grep --help' for more information.

This is due to the "grep -- $(2)" in cc-options. It seems that the
default of reading stdin is disabled when using "--". I don't know if
this is a bug in grep or how it is supposed to be but we can work
around it by explicitly passing in "-"

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   23898:3d1664cc9e45
xen-unstable date:        Fri Sep 30 21:17:47 2011 +0100

13 years agox86: ucode-amd: Don't warn when no ucode is available for a CPU
Jan Beulich [Mon, 3 Oct 2011 15:35:47 +0000 (16:35 +0100)]
x86: ucode-amd: Don't warn when no ucode is available for a CPU revision

This patch originally comes from the Linus mainline kernel (2.6.33),
find below the patch details:

From: Andreas Herrmann <herrmann.der.user@googlemail.com>

There is no point in warning when there is no ucode available
for a specific CPU revision. Currently the container-file, which
provides the AMD ucode patches for OS load, contains only a few
ucode patches.

It's already clearly indicated by the printed patch_level
whenever new ucode was available and an update happened. So the
warning message is of no help but rather annoying on systems
with many CPUs.

Signed-off-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   23871:503ee256fecf
xen-unstable date:        Thu Sep 22 18:35:30 2011 +0100

13 years agoVT-d: fix off-by-one error in RMRR validation
Jan Beulich [Mon, 3 Oct 2011 15:35:33 +0000 (16:35 +0100)]
VT-d: fix off-by-one error in RMRR validation

(base_addr,end_addr) is an inclusive range, and hence there shouldn't
be a subtraction of 1 in the second invocation of page_is_ram_type().
For RMRRs covering a single page that actually resulted in the
immediately preceding page getting checked (which could have resulted
in a false warning).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   23868:28147fd781af
xen-unstable date:        Thu Sep 22 18:32:34 2011 +0100

13 years agoClear IRQ_GUEST in irq_desc->status when setting action to NULL.
Igor Mammedov [Mon, 3 Oct 2011 15:35:03 +0000 (16:35 +0100)]
Clear IRQ_GUEST in irq_desc->status when setting action to NULL.

Looking more closely at usage of action field with relation to
IRQ_GUEST flag. It appears that set IRQ_GUEST implies that action
is not NULL. As result it is not safe to set action to NULL and
leave IRQ_GUEST set.

Hence IRQ_GUEST should be cleared in dynamic_irq_cleanup where
action is set to NULL.

In addition remove BUGON at __pirq_guest_unbind that appears to be
bogus and not needed anymore.

Thanks Paolo Bonzini for NACKing previous patch, and pointing at the
correct solution.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>

Reinstate the BUG_ON, but after the action==NULL check. Since we then
go and start interpreting action as an irq_guest_action_t, the BUG_ON
is relevant here.

More generally, the brute-force nature of dynamic_irq_cleanup() looks
a bit worrying. Possibly there should be more integration with
pirq_guest_unbind() logic, for cleaning up un-acked EOIs and the like.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   23852:c944e82bb092
xen-unstable date:        Sun Sep 18 00:00:26 2011 +0100

13 years agox86/vmx: don't call __vmxoff() blindly
Jan Beulich [Mon, 3 Oct 2011 15:26:09 +0000 (16:26 +0100)]
x86/vmx: don't call __vmxoff() blindly

If vmx_vcpu_up() failed, __vmxon() would generally not have got
(successfully) executed, and in that case __vmxoff() will #UD.

Additionally, any panic() during early resume (namely the tboot
related one) would cause vmx_cpu_down() to get executed without
vmx_cpu_up() having run before.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   23848:cf37d2eec2ef
xen-unstable date:        Sat Sep 17 16:26:37 2011 +0100

13 years agobitmap_scnlistprintf() should always zero-terminate its output buffer
Jan Beulich [Tue, 13 Sep 2011 09:42:07 +0000 (10:42 +0100)]
bitmap_scnlistprintf() should always zero-terminate its output buffer

... as long as it has non-zero size. So far this would not happen if
the passed in CPU mask was empty.

Also fix the comment describing the return value to actually match
reality.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
xen-unstable changeset:   23820:ba75234a6f56
xen-unstable date:        Wed Sep 07 10:36:55 2011 +0100

13 years agoIRQ: IO-APIC support End Of Interrupt for older IO-APICs
Andrew Cooper [Tue, 13 Sep 2011 09:39:25 +0000 (10:39 +0100)]
IRQ: IO-APIC support End Of Interrupt for older IO-APICs

The old io_apic_eoi() function using the EOI register only works for
IO-APICs with a version of 0x20.  Older IO-APICs do not have an EOI
register so line level interrupts have to be EOI'd by flipping the
mode to edge and back, which clears the IRR and Delivery Status bits.

This patch replaces the current io_apic_eoi() function with one which
takes into account the version of the IO-APIC and EOI's
appropriately.

v2: make recursive call to __io_apic_eoi() to reduce code size.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen-unstable changeset:   23833:ffe8e65f6687
xen-unstable date:        Tue Sep 13 10:33:10 2011 +0100

13 years agoPassthrough: disable bus-mastering on any card that causes an IOMMU fault.
Tim Deegan [Thu, 8 Sep 2011 11:23:52 +0000 (12:23 +0100)]
Passthrough: disable bus-mastering on any card that causes an IOMMU fault.

This stops the card from raising back-to-back faults and live-locking
the CPU that handles them.

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Wei Wang2 <wei.wang2@amd.com>
Acked-by: Allen M Kay <allen.m.kay@intel.com>
xen-unstable changeset:   23762:537ed3b74b3f
xen-unstable date:        Fri Aug 12 11:29:24 2011 +0100

13 years agoUpdate Xen version to 4.0.3-rc3-pre
Keir Fraser [Thu, 8 Sep 2011 11:23:22 +0000 (12:23 +0100)]
Update Xen version to 4.0.3-rc3-pre

13 years agoAdded signature for changeset 8d012bc20d30
Keir Fraser [Wed, 7 Sep 2011 09:41:49 +0000 (10:41 +0100)]
Added signature for changeset 8d012bc20d30

13 years agoAdded tag 4.0.3-rc2 for changeset 8d012bc20d30
Keir Fraser [Wed, 7 Sep 2011 09:41:41 +0000 (10:41 +0100)]
Added tag 4.0.3-rc2 for changeset 8d012bc20d30

13 years agoUpdate Xen version to 4.0.3-rc2 4.0.3-rc2
Keir Fraser [Wed, 7 Sep 2011 09:41:35 +0000 (10:41 +0100)]
Update Xen version to 4.0.3-rc2

13 years agoIRQ: manually EOI migrating line interrupts
Andrew Cooper [Wed, 31 Aug 2011 14:37:57 +0000 (15:37 +0100)]
IRQ: manually EOI migrating line interrupts

When migrating IO-APIC line level interrupts between PCPUs, the
migration code rewrites the IO-APIC entry to point to the new
CPU/Vector before EOI'ing it.

The EOI process says that EOI'ing the Local APIC will cause a
broadcast with the vector number, which the IO-APIC must listen to to
clear the IRR and Status bits.

In the case of migrating, the IO-APIC has already been
reprogrammed so the EOI broadcast with the old vector fails to match
the new vector, leaving the IO-APIC with an outstanding vector,
preventing any more use of that line interrupt.  This causes a lockup
especially when your root device is using PCI INTA (megaraid_sas
driver *ehem*)

However, the problem is mostly hidden because send_cleanup_vector()
causes a cleanup of all moving vectors on the current PCPU in such a
way which does not cause the problem, and if the problem has occurred,
the writes it makes to the IO-APIC clear the IRR and Status bits
which unlocks the problem.

This fix is distinctly a temporary hack, waiting on a cleanup of the
irq code.  It checks for the edge case where we have moved the irq,
and manually EOI's the old vector with the IO-APIC which correctly
clears the IRR and Status bits.  Also, it protects the code which
updates irq_cfg by disabling interrupts.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen-unstable changeset:   23805:7048810180de
xen-unstable date:        Wed Aug 31 15:19:24 2011 +0100

13 years agoUpdate Xen version to 4.0.3-rc2-pre
Keir Fraser [Thu, 25 Aug 2011 14:36:50 +0000 (15:36 +0100)]
Update Xen version to 4.0.3-rc2-pre

13 years agoAdded signature for changeset 47f9c9648fe7
Keir Fraser [Thu, 25 Aug 2011 10:40:01 +0000 (11:40 +0100)]
Added signature for changeset 47f9c9648fe7

13 years agoAdded tag 4.0.3-rc1 for changeset 47f9c9648fe7
Keir Fraser [Thu, 25 Aug 2011 10:39:53 +0000 (11:39 +0100)]
Added tag 4.0.3-rc1 for changeset 47f9c9648fe7

13 years agoUpdate Xen version to 4.0.3-rc1 4.0.3-rc1
Keir Fraser [Thu, 25 Aug 2011 10:39:49 +0000 (11:39 +0100)]
Update Xen version to 4.0.3-rc1

13 years agoVT-d: always clean up dpci timers.
Tim Deegan [Tue, 16 Aug 2011 14:27:06 +0000 (15:27 +0100)]
VT-d: always clean up dpci timers.

If a VM has all its PCI devices deassigned, need_iommu(d) becomes
false but it might still have DPCI EOI timers that were init_timer()d
but not yet kill_timer()d.  That causes xen to crash later because the
linked list of inactive timers gets corrupted, e.g.:

(XEN) Xen call trace:
(XEN)    [<ffff82c480126256>] set_timer+0x1c2/0x24f
(XEN)    [<ffff82c48011fbf8>] schedule+0x129/0x5dd
(XEN)    [<ffff82c480122c1e>] __do_softirq+0x7e/0x89
(XEN)    [<ffff82c480122c9d>] do_softirq+0x26/0x28
(XEN)    [<ffff82c480153c85>] idle_loop+0x5a/0x5c
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) Assertion 'entry->next->prev == entry' failed at
/local/scratch/tdeegan/xen-unstable.hg/xen/include:172
(XEN) ****************************************

The following patch makes sure that the domain destruction path always
clears up the DPCI state even if !needs_iommu(d).

Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
xen-unstable changeset:   23746:aa54b8175954
xen-unstable date:        Mon Jul 25 16:41:33 2011 +0100

13 years agox86: Replace missing return stmt accidentally removed by 21513:649372e3d46a
Keir Fraser [Wed, 27 Jul 2011 22:12:31 +0000 (23:12 +0100)]
x86: Replace missing return stmt accidentally removed by 21513:649372e3d46a

Signed-off-by: Keir Fraser <keir@xen.org>

13 years agohvmloader: Switch to absolute addressing for calling hypercall stubs.
Keir Fraser [Wed, 20 Jul 2011 14:30:55 +0000 (15:30 +0100)]
hvmloader: Switch to absolute addressing for calling hypercall stubs.

This is clearer and less fragile than trying to make relative calls
work. In particular, the old approach failed if _start was not
== HVMLOADER_PHYSICAL_ADDRESS. This was the case for some modern
toolchains which reorder functions.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   23730:dd5eecf739d1
xen-unstable date:        Wed Jul 20 15:02:16 2011 +0100

hvmloader: Remove hard tabs from source files.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset:   23729:4f1109af9c63
xen-unstable date:        Wed Jul 20 14:52:16 2011 +0100

13 years agotools/hotplug/Linux: start all xen daemons in runlevel 2
Fabio Fantoni [Mon, 18 Jul 2011 16:49:13 +0000 (17:49 +0100)]
tools/hotplug/Linux: start all xen daemons in runlevel 2

Backported from xen-4.1-testing.hg 23086:9b5fbd8ff152 -iwj.

Signed-off-by: Fabio Fantoni <fabio.fantoni@heliman.it>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>