xen.git
12 years ago blkif: add indirect descriptors interface to public headers
Roger Pau Monné [Tue, 3 Dec 2013 11:33:58 +0000 (12:33 +0100)]
blkif: add indirect descriptors interface to public headers

Indirect descriptors introduce a new block operation
(BLKIF_OP_INDIRECT) that passes grant references instead of segments
in the request. These grant references are filled with arrays of
blkif_request_segment_aligned, this way we can send more segments in a
request.

This interface is already implemented in Linux >= 3.11.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
12 years ago common/vsprintf: fix return value when formatting symbolic addresses
Jan Beulich [Tue, 3 Dec 2013 08:57:41 +0000 (09:57 +0100)]
common/vsprintf: fix return value when formatting symbolic addresses

When the buffer to be formatted to is too small, the function return
value is expected to be the number of characters that would be printed
(particularly important if that value is then used for allocating a
buffer). Hence incrementing the active pointer must always be
independent of actually storing a character.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
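
The return-value contract described in the vsprintf commit above, as an added example that is not the Xen patch itself: a formatter whose position advances only when a byte is stored reports a saturated length, so a caller that sizes its allocation from that value gets silently truncated output. The names `emit_saturating`, `emit_counting`, `format_symbol`, `format_symbol_alloc` and the sample symbol are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only: these helpers are hypothetical and are not
 * functions from Xen's common/vsprintf.c. */
typedef size_t (*emit_fn)(char *buf, size_t size, size_t pos, const char *s);

/* Before: the position advances only when a byte is stored, so the
 * reported length saturates at the buffer size. */
static size_t emit_saturating(char *buf, size_t size, size_t pos, const char *s)
{
    for (; *s; s++)
        if (pos < size)
            buf[pos++] = *s;
    return pos;
}

/* After: storing is conditional, advancing is not. */
static size_t emit_counting(char *buf, size_t size, size_t pos, const char *s)
{
    for (; *s; s++, pos++)
        if (pos < size)
            buf[pos] = *s;
    return pos;
}

/* Format "<name>+<offset>" into buf. Returns the number of characters the
 * complete output needs (excluding the NUL), as snprintf does. */
static size_t format_symbol(emit_fn emit, char *buf, size_t size,
                            const char *name, unsigned long offset)
{
    char num[2 + 2 * sizeof(offset) + 1];
    size_t pos = 0;

    snprintf(num, sizeof(num), "%#lx", offset);
    pos = emit(buf, size, pos, name);
    pos = emit(buf, size, pos, "+");
    pos = emit(buf, size, pos, num);
    if (size)
        buf[pos < size ? pos : size - 1] = '\0';
    return pos;
}

/* Two-pass caller: probe with a small buffer, allocate what the return
 * value asks for, then format again into the allocation. */
static char *format_symbol_alloc(emit_fn emit, const char *name,
                                 unsigned long offset)
{
    char probe[8];
    size_t need = format_symbol(emit, probe, sizeof(probe), name, offset);
    char *out = malloc(need + 1);

    if (out)
        format_symbol(emit, out, need + 1, name, offset);
    return out;
}

int main(void)
{
    /* Constructed sample input. */
    char *bad = format_symbol_alloc(emit_saturating, "example_symbol", 0x1f);
    char *good = format_symbol_alloc(emit_counting, "example_symbol", 0x1f);

    if (!bad || !good)
        return 1;
    printf("saturating: \"%s\"\ncounting:   \"%s\"\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```
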
12 years ago x86: be more power-efficient when waiting forever
Andrew Cooper [Tue, 3 Dec 2013 08:54:12 +0000 (09:54 +0100)]
x86: be more power-efficient when waiting forever

The effect is unchanged, but the processor will be spending most of its time
in the C1 or C1E power state rather than C0.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
12 years ago nested vmx: fix I/O port bitmap indexing arithmetic
Matthew Daley [Tue, 3 Dec 2013 08:51:54 +0000 (09:51 +0100)]
nested vmx: fix I/O port bitmap indexing arithmetic

The I/O port bitmap holds 8 ports per element, and hence the port number
used when indexing into it should be shifted right by 3 bits, not 4.

Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Yang Zhang <yang.z.zhang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
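
The indexing rule from the nested vmx commit above, as an added example that is not the Xen code: with one bit per port and 8 ports per byte, the byte index is the port shifted right by 3, and shifting by 4 consults the byte that belongs to a different port. The two-bitmap layout (ports 0x0000-0x7fff and 0x8000-0xffff) follows VMX; the function names and the sample port are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IO_BITMAP_BYTES 4096

/* Model of the two VMX I/O bitmaps: [0] covers ports 0x0000-0x7fff,
 * [1] covers ports 0x8000-0xffff. A set bit means "intercept". */
static uint8_t io_bitmap[2][IO_BITMAP_BYTES];

/* Mark a port as intercepted (what the bitmap's owner intends). */
static void intercept_port(uint16_t port)
{
    io_bitmap[port >> 15][(port & 0x7fff) >> 3] |= 1u << (port & 7);
}

/* Correct lookup: 8 ports per byte, so byte index = port >> 3. */
static bool lookup_shift3(uint16_t port)
{
    return io_bitmap[port >> 15][(port & 0x7fff) >> 3] & (1u << (port & 7));
}

/* Lookup with the wrong shift: each byte is treated as if it covered
 * 16 ports, so the byte read belongs to a port half as large. */
static bool lookup_shift4(uint16_t port)
{
    return io_bitmap[port >> 15][(port & 0x7fff) >> 4] & (1u << (port & 7));
}

/* Number of ports for which the two lookups disagree, i.e. accesses whose
 * intercept decision would be wrong in either direction. */
static unsigned int count_wrong_decisions(void)
{
    unsigned int port, wrong = 0;

    for (port = 0; port <= 0xffff; port++)
        if (lookup_shift3((uint16_t)port) != lookup_shift4((uint16_t)port))
            wrong++;
    return wrong;
}

int main(void)
{
    intercept_port(0x3f8);   /* constructed sample: a single intercepted port */

    printf("port 0x3f8: shift3=%d shift4=%d\n",
           lookup_shift3(0x3f8), lookup_shift4(0x3f8));
    printf("port 0x7f0: shift3=%d shift4=%d\n",
           lookup_shift3(0x7f0), lookup_shift4(0x7f0));
    printf("ports with a wrong decision: %u\n", count_wrong_decisions());
    return 0;
}
```
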
12 years ago x86/AMD: work around erratum 793
Jan Beulich [Tue, 3 Dec 2013 08:49:54 +0000 (09:49 +0100)]
x86/AMD: work around erratum 793

The recommendation is to set a bit in an MSR - do this if the firmware
didn't, considering that otherwise we expose ourselves to a guest
induced DoS.

This is CVE-2013-6885 / XSA-82.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago xen: arm: avoid truncation in mfn to paddr conversions
Ian Campbell [Mon, 2 Dec 2013 11:11:40 +0000 (11:11 +0000)]
xen: arm: avoid truncation in mfn to paddr conversions

Although MFNs are 64-bit in the hypercall ABI they are most often unsigned
long internally, and therefore be 32-bit on arm32. Physical addresses are
always 64-bit via paddr_t.

This means that the common "mfn << PAGE_SHIFT" pattern risks losing some of
the top bits if the address is high enough. This need not imply a high amount
of RAM, just a sparse physical address map.

The correct form is ((paddr_t)mfn)<<PAGE_SHIFT and we have the pfn_to_paddr
macro which implements this. Grep for PAGE_SHIFT and << and switch to the
macro everywhere we can in the arch specific code. Note that page.h is
included by mm.h which defines the macro and so remains with the open coded
cast. I have inspected the common code matching this pattern and it uses the
correct casts where necessary (x86 also has pfn_to_paddr, so as a further
cleanup we could fix the common code too, but I haven't done that here).

I observed this as failure to boot a guest on midway, due to trying to map a
foreign page which belonged to no guest. I think this likely explains the
crashes which Julien has seen too.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
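
The truncation described in the mfn to paddr commit above, as an added example that is not Xen's code: `ulong32_t` stands in for arm32's 32-bit unsigned long so the effect reproduces on any host, and the MFN values are constructed. It shows which frames of a sparse map lose bits under the open-coded shift and which low frame the truncated address names instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

typedef uint64_t paddr_t;     /* physical addresses are always 64-bit */
typedef uint32_t ulong32_t;   /* assumption: models unsigned long on arm32 */

/* Open-coded "mfn << PAGE_SHIFT": the shift is evaluated in 32 bits and
 * only the already-truncated result is widened to paddr_t. */
static paddr_t paddr_open_coded(ulong32_t mfn)
{
    return mfn << PAGE_SHIFT;
}

/* The form the commit message gives: widen first, then shift. */
static paddr_t paddr_widened(ulong32_t mfn)
{
    return (paddr_t)mfn << PAGE_SHIFT;
}

/* Scan a list of MFNs. For every entry whose open-coded conversion loses
 * bits, record the MFN that the truncated address really refers to.
 * Returns the number of such entries. */
static size_t find_truncated(const ulong32_t *mfns, size_t n,
                             ulong32_t *alias_mfn)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++) {
        paddr_t bad = paddr_open_coded(mfns[i]);

        if (bad != paddr_widened(mfns[i]))
            alias_mfn[hits++] = (ulong32_t)(bad >> PAGE_SHIFT);
    }
    return hits;
}

int main(void)
{
    /* Constructed sparse map: two frames below 4 GiB, two above it. */
    const ulong32_t mfns[] = { 0x00080000, 0x000fffff, 0x00100000, 0x00200042 };
    ulong32_t alias[4];
    size_t i, hits = find_truncated(mfns, 4, alias);

    for (i = 0; i < 4; i++)
        printf("mfn %#010x -> open-coded %#llx, widened %#llx\n",
               (unsigned int)mfns[i],
               (unsigned long long)paddr_open_coded(mfns[i]),
               (unsigned long long)paddr_widened(mfns[i]));
    for (i = 0; i < hits; i++)
        printf("truncated address aliases mfn %#x\n", (unsigned int)alias[i]);
    return 0;
}
```
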
12 years ago xen/build: Remove unreferenced figlet files
Andrew Cooper [Fri, 22 Nov 2013 21:09:53 +0000 (21:09 +0000)]
xen/build: Remove unreferenced figlet files

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago xen/build: Use a distro version of figlet
Andrew Cooper [Fri, 22 Nov 2013 21:08:00 +0000 (21:08 +0000)]
xen/build: Use a distro version of figlet

It is quite inappropriate to keep a hacked up version of figlet in our source
tree, especially when the purpose of the hackery is just to provide a text to
octal conversion.

This version of figlet contributes a surprisingly large proportion of the
Coverity issues found under xen/ (and therefore attributed against Xen).

Figlet can be found in all distros, so make use of it.  We keep xen.flf (being
the Xen figlet font) and replace the hacked up octal transform with a short
python script.

The Xen Makefile has been tweaked in such a way that it still prints the
figlet banner for the build.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago libxl: don't leak pcidevs in libxl_pcidev_assignable
Matthew Daley [Sun, 1 Dec 2013 10:15:03 +0000 (23:15 +1300)]
libxl: don't leak pcidevs in libxl_pcidev_assignable

Coverity-ID: 1055896
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: don't leak output vcpu info on error in libxl_list_vcpu
Matthew Daley [Sun, 1 Dec 2013 10:15:01 +0000 (23:15 +1300)]
libxl: don't leak output vcpu info on error in libxl_list_vcpu

Coverity-ID: 1055887
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: actually abort if initializing a ctx's lock fails
Matthew Daley [Sun, 1 Dec 2013 10:15:00 +0000 (23:15 +1300)]
libxl: actually abort if initializing a ctx's lock fails

If initializing the ctx's lock fails, don't keep going, but instead
error out.

Coverity-ID: 1055289
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: remove unsigned less-than-0 comparison
Matthew Daley [Sun, 1 Dec 2013 10:14:59 +0000 (23:14 +1300)]
libxl: remove unsigned less-than-0 comparison

...from libxl_cpuid_parse_config_xend. value is unsigned so this doesn't
work, and either way the following comparison on it being bigger than 3
does what was intended here anyway.

Coverity-ID: 1055614
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: don't leak p in libxl__wait_for_backend
Matthew Daley [Mon, 2 Dec 2013 00:27:27 +0000 (13:27 +1300)]
libxl: don't leak p in libxl__wait_for_backend

Use libxl__xs_read_checked instead of xs_read. While at it, tidy up the
function as well.

Coverity-ID: 1055891
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: correct file open success check in libxl__device_pci_reset
Matthew Daley [Sun, 1 Dec 2013 10:14:57 +0000 (23:14 +1300)]
libxl: correct file open success check in libxl__device_pci_reset

It could, even if only in theory, be fd 0.

(This is not the same as commit 4b62556b57!)

Coverity-ID: 1055895
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago Fix ptr calculation when converting from a VA
Jean-Yves Migeon [Fri, 29 Nov 2013 10:39:23 +0000 (11:39 +0100)]
Fix ptr calculation when converting from a VA

The ptr calculation shall take the offset into the page into account
when ptr is valid.

Reported regression on NetBSD's port-xen with last known working libxen
being rev 2.9. This corrupts the kernel symbol table when the table is
not loaded on a page boundary.

Issue was tracked down by FastIce and Jeff Rizzo. See also
http://mail-index.netbsd.org/port-xen/2013/10/16/msg008088.html

Signed-off-by: Jean-Yves Migeon <jym@NetBSD.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago docs: Add some words describing xen-pvdevice
Paul Durrant [Wed, 13 Nov 2013 16:09:32 +0000 (16:09 +0000)]
docs: Add some words describing xen-pvdevice

This patch adds a short description of xen-pvdevice to
pci-device-reservations.txt, which contains the canonical list
of device IDs that may be used to create xen-pvdevice instances.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- ran expand to de-tabbify ]

12 years ago xen: arm: Remove useless and incorrect EXPORT_SYMBOLS
Ian Campbell [Thu, 21 Nov 2013 10:49:14 +0000 (10:49 +0000)]
xen: arm: Remove useless and incorrect EXPORT_SYMBOLS

Dietmar noticed that one of these was incorrect, but in actual fact they are
not even used. They are defined as nops in Xen for the benefit of code
imported to Linux which ARM's smpboot.c is not.

Just get rid of them.

Reported-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago hvmloader/ovmf: show OVMF_BEGIN as bios address
Wei Liu [Tue, 26 Nov 2013 19:31:42 +0000 (19:31 +0000)]
hvmloader/ovmf: show OVMF_BEGIN as bios address

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago hvmloader/ovmf: remove hardcoded OVMF loading location
Wei Liu [Tue, 26 Nov 2013 19:31:41 +0000 (19:31 +0000)]
hvmloader/ovmf: remove hardcoded OVMF loading location

Load OVMF from (100000000ULL - sizeof(ovmf)) to 0xFFFFFFFF, with proper
rounding down.

Tested with OVMF release build (1 MB) and debug build (2 MB), both
worked fine.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago xen: arm: flush dcache while preparing the device tree for Dom0
Oleksandr Dmytryshyn [Wed, 27 Nov 2013 17:09:52 +0000 (19:09 +0200)]
xen: arm: flush dcache while preparing the device tree for Dom0

Without flushing dcache the hypervisor couldn't copy the device tree
correctly when booting the kernel dom0 Image (memory with device tree
is corrupted). As a result, when we try to load the kernel dom0
Image, dom0 hangs frequently. This issue is not reproduced with the
kernel dom0 zImage because the zImage decompressor code flushes all
dcache before starting the decompressed kernel Image. When the
hypervisor loads the kernel image or initrd, this memory region
isn't corrupted because the hypervisor code flushes the dcache.

Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: introduce raw_copy_to_guest_flush_dcache() function
Oleksandr Dmytryshyn [Wed, 27 Nov 2013 17:09:51 +0000 (19:09 +0200)]
xen: arm: introduce raw_copy_to_guest_flush_dcache() function

This function flushes the dcache while copying the data.

Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago memshr: fix off-by-one in filename size check
Matthew Daley [Thu, 28 Nov 2013 10:17:11 +0000 (23:17 +1300)]
memshr: fix off-by-one in filename size check

Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago docs: Update xen_platform_pci in man xl.cfg
Anthony PERARD [Thu, 28 Nov 2013 12:31:08 +0000 (12:31 +0000)]
docs: Update xen_platform_pci in man xl.cfg

To reflect requirement for Qemu 1.6.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ijc -- slightly tweak wording ]

12 years ago libxl: Handle xen_platform_pci=0 case with qemu-xen.
Anthony PERARD [Wed, 27 Nov 2013 18:21:34 +0000 (18:21 +0000)]
libxl: Handle xen_platform_pci=0 case with qemu-xen.

This should result in QEMU *not* adding the xen-platform device.

Since QEMU 1.6, this can be achieved by using a different qemu machine.
The one used by libxl is "xenfv", but using QEMU >=1.6 with "-machine
pc,accel=xen" works as well with only one difference compared to
"xenfv", there is no xen-platform device.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago xen: arm: handle 40-bit addresses in the p2m
Ian Campbell [Wed, 20 Nov 2013 13:56:08 +0000 (13:56 +0000)]
xen: arm: handle 40-bit addresses in the p2m

On the X-gene platform there are resources up this high which must be mapped
to dom0.

Remove the first level page from the p2m->pages list since it is actually two
pages and must be freed as such. Do so in p2m_teardown.

I've also punted on the implementation of dump_p2m_lookup for high
addresses...

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm: improve early memory map readability
Ian Campbell [Wed, 20 Nov 2013 13:46:41 +0000 (13:46 +0000)]
xen: arm: improve early memory map readability

Purely cosmetic, put a blank line after the early memory map to separate it
from the subsequent information. This looks better since the memory map is
preceded by a blank line too.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: enable synchronous console while starting secondary CPUs
Ian Campbell [Fri, 11 Oct 2013 16:23:18 +0000 (17:23 +0100)]
xen: arm: enable synchronous console while starting secondary CPUs

Setting synchronous console ensures that any printk hits the buffer
immediately and that any outstanding queued log messages are flushed. This
ensures that such log messages are not being printed while the secondary CPU
may be using early_printk during early bringup.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Cc: Keir Fraser <keir@xen.org>
12 years ago xen: arm: explicitly map 64 bit release address
Ian Campbell [Thu, 10 Oct 2013 13:36:47 +0000 (14:36 +0100)]
xen: arm: explicitly map 64 bit release address

In case it is outside visible ram.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm: Make register bit definitions unsigned.
Ian Campbell [Thu, 10 Oct 2013 12:12:10 +0000 (13:12 +0100)]
xen: arm: Make register bit definitions unsigned.

Otherwise the results of the shifting can be undefined and/or sign extended.

Most registers are 32-bit on both arm32 and arm64 and hence are just unsigned
ints, however HCR is 64-bit on arm64 and therefore is unsigned long.

Pointed out in the context of HCR_* by Pranavkumar Sawargaonkar.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Cc: Pranavkumar Sawargaonkar <psawargaonkar@apm.com>
12 years ago xen: arm: Handle cpus nodes with #address-cells > 1
Ian Campbell [Thu, 10 Oct 2013 12:11:46 +0000 (13:11 +0100)]
xen: arm: Handle cpus nodes with #address-cells > 1

The APM X-Gene Mustang board DTS has #address-cells = 2.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: include ns16550 driver on arm64 too
Ian Campbell [Thu, 10 Oct 2013 12:08:58 +0000 (13:08 +0100)]
xen: arm: include ns16550 driver on arm64 too

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm64: Map xgene PCI memory regions and interrupts to dom0.
Ian Campbell [Fri, 22 Nov 2013 15:56:30 +0000 (15:56 +0000)]
xen: arm64: Map xgene PCI memory regions and interrupts to dom0.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: allow platform code to select dom0 event channel irq
Ian Campbell [Wed, 20 Nov 2013 13:40:48 +0000 (13:40 +0000)]
xen: arm: allow platform code to select dom0 event channel irq

Currently the hardcoded use of GUEST_EVTCHN_PPI is problematic if that is a
real PPI on the platform.

We really need to be smarter about selecting an unused PPI but in the meantime
we can at least give the platform code the option of hardcoding a number which
works for the platform.

Hardcode a suitable PPI on the Xgene platform.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: add a quirk to handle platforms with unusual GIC layout
Ian Campbell [Thu, 21 Nov 2013 15:55:37 +0000 (15:55 +0000)]
xen: arm: add a quirk to handle platforms with unusual GIC layout

On some platforms the pages are placed at a 64K stride instead of as
contiguous 4K pages.

This is because the ARM64 architecture allows for page sizes of 4/16/64K in
the MMU so a larger stride allows more granular control of mappings. We only
currently support 4K.

Use this quirk on the xgene platform.

This should ideally be fixed by an extension to the device tree bindings as
described in http://www.spinics.net/lists/devicetree/msg10473.html especially
http://www.spinics.net/lists/devicetree/msg10478.html. However for the time
being a platform specific quirk will do.

Note that we always map the GICV to the guest (including dom0) at a 4K stride
length and this is reflected in the DTB passed to the guest.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm64: Add APM implementor id to processor implementers.
Pranavkumar Sawargaonkar [Fri, 20 Sep 2013 09:52:41 +0000 (15:22 +0530)]
xen: arm64: Add APM implementor id to processor implementers.

This patch updates the list of processor implementers with APM implementor id.

Signed-off-by: Anup Patel <anup.patel@linaro.org>
Signed-off-by: Pranavkumar Sawargaonkar <pranavkumar@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm64: Add Basic Platform support for APM X-Gene Storm.
Pranavkumar Sawargaonkar [Fri, 20 Sep 2013 09:52:40 +0000 (15:22 +0530)]
xen: arm64: Add Basic Platform support for APM X-Gene Storm.

This patch adds initial platform stubs for APM X-Gene.

Signed-off-by: Anup Patel <anup.patel@linaro.org>
Signed-off-by: Pranavkumar Sawargaonkar <pranavkumar@linaro.org>
Drop earlyprintk (split into earlier patch). Only build on ARM64.

Drop empty init and reset hooks and enable 1:1 workaround.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm64: Add 8250 earlyprintk support
Pranavkumar Sawargaonkar [Fri, 20 Sep 2013 09:52:40 +0000 (15:22 +0530)]
xen: arm64: Add 8250 earlyprintk support

Extracted from "Basic Platform support for APM X-Gene Storm."

Signed-off-by: Anup Patel <anup.patel@linaro.org>
Signed-off-by: Pranavkumar Sawargaonkar <pranavkumar@linaro.org>
Reworked into generic 8250 driver, use EARLY_UART_REG_SHIFT.

While there observe a missing shift in the arm32 version (UART_THR is zero so
it doesn't really matter). Changed for consistency.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago PVH dom0: iommu related changes
Mukesh Rathor [Wed, 27 Nov 2013 14:17:02 +0000 (15:17 +0100)]
PVH dom0: iommu related changes

- For now, iommu is required for PVH dom0. Check for that.
- For pvh, we need to do mfn_to_gmfn before calling mapping function
  intel_iommu_map_page/amd_iommu_map_page which expects a gfn.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
12 years ago x86: properly handle MSI-X unmask operation from guests
Feng Wu [Wed, 27 Nov 2013 14:15:43 +0000 (15:15 +0100)]
x86: properly handle MSI-X unmask operation from guests

For a pass-through device with MSI-x capability, when guest tries
to unmask the MSI-x interrupt for the passed through device, xen
doesn't clear the mask bit for MSI-x in hardware in the following
scenario, which will cause network disconnection:

1. Guest masks the MSI-x interrupt
2. Guest updates the address and data for it
3. Guest unmasks the MSI-x interrupt (This is the problematic step)

In the step #3 above, Xen doesn't handle it well. When guest tries
to unmask MSI-X interrupt, it traps to Xen, Xen just returns to Qemu
if it notices that address or data has been modified by guest before,
then Qemu will update Xen with the latest value of address/data by
hypercall. However, in this whole process, the MSI-X interrupt unmask
operation is missing, which means Xen doesn't clear the mask bit in
hardware for the MSI-X interrupt, so it remains disabled, that is why
it loses the network connection.

This patch fixes this issue.

Signed-off-by: Feng Wu <feng.wu@intel.com>
Only latch the address if the guest really is unmasking the entry.

Clean up the entire change.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
12 years ago kexec: prevent deadlock on reentry to the crash path
Andrew Cooper [Wed, 27 Nov 2013 14:13:48 +0000 (15:13 +0100)]
kexec: prevent deadlock on reentry to the crash path

In some cases, such as suffering a queued-invalidation timeout while
performing an iommu_crash_shutdown(), Xen can end up reentering the crash
path. Previously, this would result in a deadlock in one_cpu_only(), as the
test_and_set_bit() would fail.

The crash path is not reentrant, and even if it could be made to be so, it is
almost certain that we would fall over the same reentry condition again.

The new code can distinguish a reentry case from multiple cpus racing down the
crash path.  In the case that a reentry is detected, return back out to the
nested panic() call, which will maybe_reboot() on our behalf.  This requires a
bit of return plumbing back up to kexec_crash().

While fixing this deadlock, also fix up a minor niggle seen recently from a
XenServer crash report.  The report was from a Bank 8 MCE, which had managed
to crash on all cpus at once.  The result was a lot of stack traces with cpus
in kexec_common_shutdown(), which was in fact the inlined version of
one_cpu_only().  The kexec crash path is not a hotpath, so we can easily
afford to prevent inlining for the sake of clarity in the stack traces.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
12 years ago x86/HVM: only allow ring 0 guest code to make hypercalls
Jan Beulich [Wed, 27 Nov 2013 08:01:49 +0000 (09:01 +0100)]
x86/HVM: only allow ring 0 guest code to make hypercalls

Anything else would allow for privilege escalation.

This is CVE-2013-4554 / XSA-76.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago x86: restrict XEN_DOMCTL_getmemlist
Jan Beulich [Wed, 27 Nov 2013 08:00:41 +0000 (09:00 +0100)]
x86: restrict XEN_DOMCTL_getmemlist

Coverity ID 1055652

(See the code comment.)

This is CVE-2013-4553 / XSA-74.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
12 years ago libxl: doc comment: clarify SIGCHLD demultiplexing requirements
Ian Jackson [Mon, 25 Nov 2013 11:53:28 +0000 (11:53 +0000)]
libxl: doc comment: clarify SIGCHLD demultiplexing requirements

Update the comment to clarify that libxl_sigchld_owner_libxl_always
implies having only one libxl_ctx, and that
libxl_sigchld_owner_mainloop requires one call to
libxl_childproc_exited per ctx.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago firmware/vgabios: Fix incorrect formatting string
Andrew Cooper [Mon, 25 Nov 2013 11:04:21 +0000 (11:04 +0000)]
firmware/vgabios: Fix incorrect formatting string

bios_len is a long, so requires %ld rather than %d.

Coverity ID: 1055813

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago firmware/tcgbios: Prevent integer truncation in the return value
Andrew Cooper [Mon, 25 Nov 2013 11:04:20 +0000 (11:04 +0000)]
firmware/tcgbios: Prevent integer truncation in the return value

rc inside the function is uint32_t.  None of the callers check the return
value.

Coverity ID: 1055442

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago xl: fixes for do_daemonize
Roger Pau Monne [Fri, 22 Nov 2013 11:54:09 +0000 (12:54 +0100)]
xl: fixes for do_daemonize

Fix usage of CHK_ERRNO in do_daemonize and also remove the usage of a
bogus for(;;).

Coverity-ID: 1130516 and 1130520
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago libxl: fix fd check in libxl__spawn_local_dm
Roger Pau Monne [Fri, 22 Nov 2013 11:54:08 +0000 (12:54 +0100)]
libxl: fix fd check in libxl__spawn_local_dm

Checking the logfile_w fd for -1 on failure is no longer true, because
libxl__create_qemu_logfile will now return ERROR_FAIL on failure which
is -3.

While there also add an error check for opening /dev/null.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
12 years ago pvh support for gdbsx
Mukesh Rathor [Sat, 23 Nov 2013 00:48:06 +0000 (16:48 -0800)]
pvh support for gdbsx

Add pvh support to gdbsx so it can be used to debug pvh domUs.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
12 years ago x86/hvm: clean up segment validation
Jan Beulich [Tue, 26 Nov 2013 08:54:48 +0000 (09:54 +0100)]
x86/hvm: clean up segment validation

Use _SEGMENT_* instead of plain numbers where feasible.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
12 years ago x86/hvm: fix segment validation
Tim Deegan [Tue, 26 Nov 2013 08:54:21 +0000 (09:54 +0100)]
x86/hvm: fix segment validation

Also Coverity CID 1055180.

Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Use _SEGMENT_* instead of plain numbers and adjust a comment.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
12 years ago x86/pvh: set only minimal cr0 and cr4 flags in order to use paging
Roger Pau Monné [Tue, 26 Nov 2013 08:52:47 +0000 (09:52 +0100)]
x86/pvh: set only minimal cr0 and cr4 flags in order to use paging

Right now Xen sets the WP and NE flags on cr0 for PVH, which are not
needed in order to boot with paging enabled. The same happens with
cr4, at least on my system OSFXSR, OSXMMEXCPT and MCE are enabled by
default when there's no need.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
12 years ago tools/libxl: Fix memory leak in sched_domain_output()
Andrew Cooper [Mon, 25 Nov 2013 11:16:48 +0000 (11:16 +0000)]
tools/libxl: Fix memory leak in sched_domain_output()

Coverity ID: 1055904

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
12 years ago tools/libxl: Fix integer overflows in sched_sedf_domain_set()
Andrew Cooper [Mon, 25 Nov 2013 11:12:51 +0000 (11:12 +0000)]
tools/libxl: Fix integer overflows in sched_sedf_domain_set()

Coverity ID: 1055662 1055663 1055664

Widen from int to uint64_t before multiplication, rather than afterwards.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago tools/libxl: Avoid deliberate NULL pointer dereference
Andrew Cooper [Mon, 25 Nov 2013 11:12:50 +0000 (11:12 +0000)]
tools/libxl: Avoid deliberate NULL pointer dereference

Coverity ID: 1055290

Calling LIBXL__LOG_ERRNO(ctx,) with a ctx pointer we have just failed to
allocate is going to end badly.  Opencode a suitable use of xtl_log() instead.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xenstored: Don't leak a file handle when creating the pidfile
Andrew Cooper [Mon, 25 Nov 2013 11:07:44 +0000 (11:07 +0000)]
tools/xenstored: Don't leak a file handle when creating the pidfile

Coverity ID: 1055849

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xenstore-rm: Fix memory leaks
Andrew Cooper [Mon, 25 Nov 2013 11:07:42 +0000 (11:07 +0000)]
tools/xenstore-rm: Fix memory leaks

Coverity ID: 1055935

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xenstore: Fix 15 potential resource leaks in build()
Andrew Cooper [Mon, 25 Nov 2013 11:07:41 +0000 (11:07 +0000)]
tools/xenstore: Fix 15 potential resource leaks in build()

Coverity ID: 1055933 1055934

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago tools/xenconsoled: Fix file handle leaks
Andrew Cooper [Mon, 25 Nov 2013 11:06:39 +0000 (11:06 +0000)]
tools/xenconsoled: Fix file handle leaks

Coverity ID: 715218 1055876 1055877

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xenconsole: Use xc_domain_getinfo() correctly
Andrew Cooper [Mon, 25 Nov 2013 11:06:38 +0000 (11:06 +0000)]
tools/xenconsole: Use xc_domain_getinfo() correctly

Coverity ID: 1055018

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xen-mfndump: Avoid using -ERROR as an upper loop bound
Andrew Cooper [Mon, 25 Nov 2013 11:05:51 +0000 (11:05 +0000)]
tools/xen-mfndump: Avoid using -ERROR as an upper loop bound

Coverity ID: 1090375

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago tools/xen-mfndump: Avoid munmap(NULL, PAGE_SIZE) on certain error paths
Andrew Cooper [Mon, 25 Nov 2013 11:05:50 +0000 (11:05 +0000)]
tools/xen-mfndump: Avoid munmap(NULL, PAGE_SIZE) on certain error paths

Coverity ID 1090361 1090362 1090363

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago tools/libxc: Improve xc_dom_malloc_filemap() error handling
Andrew Cooper [Mon, 25 Nov 2013 11:05:49 +0000 (11:05 +0000)]
tools/libxc: Improve xc_dom_malloc_filemap() error handling

Coverity ID 1055563

In the original function, mmap() could be called with a length of -1 if the
second lseek failed and the caller had not provided max_size.

While fixing up this error, improve the logging of other error paths.  I know
from personal experience that debugging failures of this function is rather
difficult given only "xc_dom_malloc_filemap: failed (on file <somefile>)" in
the logs.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago tools/xenctx: Prevent leaking a file handle on error paths
Andrew Cooper [Mon, 25 Nov 2013 11:05:48 +0000 (11:05 +0000)]
tools/xenctx: Prevent leaking a file handle on error paths

Coverity ID: 1126110

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago tools/xc_restore: Initialise console and store mfns
Andrew Cooper [Mon, 25 Nov 2013 11:05:47 +0000 (11:05 +0000)]
tools/xc_restore: Initialise console and store mfns

If the console or store mfn chunks are not present in the migration stream,
stack junk gets reported for the mfns.

XenServer had a very hard to track down VM corruption issue caused by exactly
this issue.  Xenconsoled would connect to a junk mfn and increment the ring
pointer if the junk happened to look like a valid gfn.

Coverity ID: 1056093 1056094

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago x86/pvh: change epte_get_entry_emt() for pvh mem types
Mukesh Rathor [Mon, 25 Nov 2013 10:20:06 +0000 (11:20 +0100)]
x86/pvh: change epte_get_entry_emt() for pvh mem types

For pvh guests, epte_get_entry_emt() is incorrectly returning WB for
all mem types because of the following check:
    if ( !v->domain->arch.hvm_domain.params[HVM_PARAM_IDENT_PT] )
Skip the check for pvh guests.

Also note, MTRR ranges are not maintained for pvh, and a solution is
being contrived using PAT.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Reviewed-off-by: Jan Beulich <jbeulich@suse.com>
12 years ago x86/xsave: fix nonlazy state handling
Liu Jinsong [Mon, 25 Nov 2013 10:19:04 +0000 (11:19 +0100)]
x86/xsave: fix nonlazy state handling

Nonlazy xstates should be xsaved each time vcpu_save_fpu is called.
Operations on nonlazy xstates will not trigger an #NM exception, so
whenever a vcpu is scheduled in it gets restored and whenever it is
scheduled out it should get saved.

Currently this bug affects the AMD LWP feature, and later the Intel MPX
feature. With the bugfix both LWP and MPX will work fine.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>

Furthermore, during restore we also need to set nonlazy_xstate_used
according to the incoming accumulated XCR0.

Also adjust the changes to i387.c such that there won't be a pointless
clts()/stts() pair.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
12 years ago x86/pvh: clearly specify used parameters in vcpu_guest_context
Roger Pau Monné [Mon, 25 Nov 2013 10:17:03 +0000 (11:17 +0100)]
x86/pvh: clearly specify used parameters in vcpu_guest_context

The aim of this patch is to define a stable way in which PVH is
going to do AP bringup.

Since we are running inside of a HVM container, PVH should only need
to set flags, cr3 and user_regs in order to bring up a vCPU, the rest
can be set once the vCPU is started using the bare metal methods.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
12 years ago evtchn/fifo: only set READY for new heads
David Vrabel [Mon, 25 Nov 2013 10:15:05 +0000 (11:15 +0100)]
evtchn/fifo: only set READY for new heads

Setting a queue's READY bit for every event added to the queue
introduces a race.

If an event is added to the tail of a queue, the guest may consume the
newly added event and leave an empty queue before the READY is set.
The guest may then see a stale HEAD value and if the event at the
stale head became linked onto a different queue, the guest would
consume events from the wrong queue (corrupting it).

As noted in section 4.1.2 of the design document, only set READY if a
new HEAD is set.  This ensures that if the guest sees a READY bit set
the corresponding HEAD is valid.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
12 years ago xen: arm: early logging of command line
Ian Campbell [Fri, 22 Nov 2013 16:24:27 +0000 (16:24 +0000)]
xen: arm: early logging of command line

Helpful for diagnosis of bad console= parameters.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm: correct name of the dt node passed around when building dom0 DT
Ian Campbell [Fri, 22 Nov 2013 15:25:18 +0000 (15:25 +0000)]
xen: arm: correct name of the dt node passed around when building dom0 DT

In the case of the GIC, timer and write_properties the argument is the node,
not the parent. Rename the argument to "node" in this case.

I think this stems from the use of the name "np" in other places (confusing
"node parent" for "node pointer").  Therefore replace all uses of "np" with
"node".

In addition in write_properties now that np=>node the name pp makes no sense.
Rename it to "prop".

No semantic change.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: remove /xen-core-devices node from dom0 dtb
Ian Campbell [Fri, 22 Nov 2013 15:07:01 +0000 (15:07 +0000)]
xen: arm: remove /xen-core-devices node from dom0 dtb

The intention of adding this node to contain the GIC, timer and memory nodes
(in 1c08d6004ea7) was to allow us to control the #address-cells and

However in the case of the memory node the #*-cells are always taken from the
root node (see ePAPR 3.1, "the following nodes shall be present at the root...
memory node"). This caused breakage on the arndale platform.

In addition it is not valid to just create sub-nodes like this. Unless they
declare themselves as a bus then they will not necessarily be enumerated
(although Linux currently does so in practice).

Therefore:
 - Move the memory node back to the top level.
 - Insert the timer and primary gic nodes in the same location as the host
   DTB, replacing the originals. Note that the nodes here may be marked as in
   use by Xen and therefore the check must be before we discard nodes used by
   Xen.
 - Drop any secondary gics.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Tested-by: Julien Grall <julien.grall@linaro.org>
12 years ago Merge branch 'for-4.4.tmem' of git://xenbits.xen.org/people/konradwilk/xen into staging
Jan Beulich [Fri, 22 Nov 2013 14:27:19 +0000 (15:27 +0100)]
Merge branch 'for-4.4.tmem' of git://xenbits.xen.org/people/konradwilk/xen into staging

12 years ago x86/crash: disable the watchdog NMIs on the crashing cpu
David Vrabel [Fri, 22 Nov 2013 13:48:12 +0000 (14:48 +0100)]
x86/crash: disable the watchdog NMIs on the crashing cpu

nmi_shootdown_cpus() is called during a crash to park all the other
CPUs.  This changes the NMI trap handlers which means there's no point
in having the watchdog still running.

This also disables the watchdog before executing any crash kexec image
and prevents the image from receiving unexpected NMIs.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>

PVOps Linux as a kexec image shoots itself in the foot otherwise.

On a Core2 system, Linux declares a firmware bug and tries to invert some bits
in the performance counter register.  It ends up setting the number of retired
instructions to generate another NMI to fewer instructions than the NMI
interrupt path itself, and ceases to make any useful progress.

The call to disable_lapic_nmi_watchdog() must be this late into the kexec path
to be sure that this cpu is the one which will execute the kexec image.
Otherwise there are race conditions where the NMIs might be disabled on the
wrong cpu, resulting in the kexec image still receiving NMIs.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
12 years ago x86/hvm: reset TSC to 0 after domain resume from S3
Tomasz Wroblewski [Fri, 22 Nov 2013 13:47:24 +0000 (14:47 +0100)]
x86/hvm: reset TSC to 0 after domain resume from S3

Host S3 implicitly resets the host TSC to 0, but the tsc offset for hvm
domains is not recalculated when they resume, causing it to go into
negative values. In a Linux guest using the tsc clocksource, this results
in a hang after wrap back to positive values since the tsc clocksource
implementation expects it to be reset.

Signed-off-by: Tomasz Wroblewski <tomasz.wroblewski@citrix.com>
12 years ago x86/stack: change show_stack_overflow() to use frame pointers if available
Andrew Cooper [Fri, 22 Nov 2013 12:38:44 +0000 (13:38 +0100)]
x86/stack: change show_stack_overflow() to use frame pointers if available

Pass a full set of cpu_user_regs, and defer the hand-coded stack printing to
_show_trace(), which will correctly use frame pointers if available.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
12 years ago x86/stack: adjust boundary conditions for printed stacks
Andrew Cooper [Fri, 22 Nov 2013 12:37:25 +0000 (13:37 +0100)]
x86/stack: adjust boundary conditions for printed stacks

Move the boundary into current.h along with the other stack manipulation code.
The boundary is now the word adjacent to a struct cpu_info on the stack.

This also fixes the somewhat spurious bounds for the case with frame pointers.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
12 years ago x86/stack: refactor show_trace()
Andrew Cooper [Fri, 22 Nov 2013 12:36:47 +0000 (13:36 +0100)]
x86/stack: refactor show_trace()

Before, show_trace() had two implementations depending on
CONFIG_FRAME_POINTER.  Some parts were common, while the loops to wander up
the stack were different.

The version aided by frame pointers had a special case for function calls on
wild function pointers, but this doesn't need to be a special case.

After the refactoring, there are now two implementations of _show_trace()
which differ depending on CONFIG_FRAME_POINTER, and a single show_trace()
with the common bits, including the logic for wild function pointers.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
12 years ago .gitignore: Ignore tools/ocaml/libs/xentoollog/ build outputs
Ian Jackson [Thu, 21 Nov 2013 18:59:22 +0000 (18:59 +0000)]
.gitignore: Ignore tools/ocaml/libs/xentoollog/ build outputs

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
12 years ago libxl: event system: properly register the SIGCHLD self-pipe
Ian Jackson [Tue, 5 Nov 2013 17:32:06 +0000 (17:32 +0000)]
libxl: event system: properly register the SIGCHLD self-pipe

An application which uses libxl_osevent_register_hooks, and doesn't
use libxl_sigchld_owner_mainloop, would never properly experience the
deaths of its (libxl) children.

This is because the SIGCHLD self pipe would be handled using ad-hoc
code in beforepoll_internal and afterpoll_internal.  However, this is
no good if the application is using the fd registration system instead; in
that case these functions would not be called and nothing would deal
with readability of the self pipe.

Fix this as follows:

The SIGCHLD self pipe is now dealt with by a standard libxl__ev_fd
handler, which is registered and deregistered along with the SIGCHLD
handler itself.  The handler function subsumes the ad-hoc response
code removed from beforepoll_internal, and the functionality of
libxl__fork_selfpipe_woken.

This is also tidier as the SIGCHLD self pipe is no longer touched
outside libxl_fork.c other than in ctx initialisation and teardown.

(The ad-hoc arrangements for poller->wakeup_pipe in
beforepoll_internal and afterpoll_internal are OK because the
libxl__poller mechanism exists to wake up threads which are sitting
inside libxl's poll loop, so is not applicable to the application's
event loop.)

Reported-by: Bamvor Jian Zhang <bjzhang@suse.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Jim Fehlig <jfehlig@suse.com>
12 years ago libxl: event system: Make libxl_sigchld_owner_libxl_always work
Ian Jackson [Tue, 5 Nov 2013 16:43:59 +0000 (16:43 +0000)]
libxl: event system: Make libxl_sigchld_owner_libxl_always work

Previously, libxl_sigchld_owner_libxl_always was mishandled.  It would
result in libxl paying no attention to the sigchld self pipe.

Fix this by fixing chldmode_ours so that it returns true iff we are
supposed to be handling SIGCHLD.

Additionally, we arrange to use chldmode_ours everywhere where we are
installing/removing signal handlers and/or deciding whether to check
the self pipe, etc.  This means it needs a new "creating" flag
argument for the benefit of libxl__ev_child_fork, which needs to
install the signal handler in libxl_sigchld_owner_libxl even if there
are not currently any children.

ctx->childproc_hooks->chldowner is now interpreted only by
chldmode_ours.

Reported-by: Bamvor Jian Zhang <bjzhang@suse.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Jim Fehlig <jfehlig@suse.com>
---
v2: Get sense of chldmode test right in perhaps_removehandler (!)

12 years ago libxl: event system: pass gc, not just ctx, to internal sigchld manipulators
Ian Jackson [Tue, 5 Nov 2013 16:17:42 +0000 (16:17 +0000)]
libxl: event system: pass gc, not just ctx, to internal sigchld manipulators

We are going to want the gc for libxl__ev_fd_register.

No functional change in this patch.  Simply change the argument types,
and the actual arguments from ctx to gc.  Inside these functions, use
CTX (the macro which uses gc) rather than the old formal parameter
ctx.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
12 years ago hotplug/Linux: update to new ip command syntax.
Mike [Fri, 16 Aug 2013 14:31:43 +0000 (15:31 +0100)]
hotplug/Linux: update to new ip command syntax.

The current usage prevents naming a vif "dev". Although the current syntax is
documented in Squeeze's ip(8) it appears that this was a documentation bug.
Newer versions of the man page describe the new syntax used here and Squeeze's
implementation accepts it as well.

This is Debian bug #705659.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705659

Mike provided the initial patch to tools/hotplug/Linux/xen-network-common.sh
and Ian extended it to catch some cases in vif-* too.

Signed-off-by: Ian Campbell <ijc@hellion.org.uk>
Signed-off-by: Mike <debian@good-with-numbers.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com>
12 years ago libxl: fix use of aodev->dev after free
Roger Pau Monne [Thu, 21 Nov 2013 16:18:00 +0000 (17:18 +0100)]
libxl: fix use of aodev->dev after free

Coverity-ID: 1130521
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxl: arm: ensure DTB is page aligned
Ian Campbell [Wed, 20 Nov 2013 09:45:32 +0000 (09:45 +0000)]
libxl: arm: ensure DTB is page aligned

xc_dom_alloc_segment requires this. Since rambase and ramend are both page
aligned, rounding up the DTB is sufficient.

Reported-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: Check if the range is valid in init_domheap_pages
Julien Grall [Wed, 13 Nov 2013 13:37:50 +0000 (13:37 +0000)]
xen: Check if the range is valid in init_domheap_pages

On ARM, when an initrd is given to xen by U-boot, it will reserve the memory
in the device tree.
In this case, when xen decides to free unused memory, dt_unreserved_regions
will call init_domheap_pages with the start and the end of the range equal.
But the latter assumes that (start > end); if not, Xen will hang because the
number of pages is equal to (unsigned)-1.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <Ian.campbell@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
12 years ago xen/arm: gic: don't use dom0 variable in gicv_setup
Julien Grall [Tue, 19 Nov 2013 17:55:45 +0000 (17:55 +0000)]
xen/arm: gic: don't use dom0 variable in gicv_setup

The commit 99bf30a "xen: arm: define guest virtual platform in API headers"
modifies gicv_setup to either use hardcoded addresses for guest or hardware
addresses for dom0. In the latter case, the variable dom0 is not yet
initialized. dom0 receives assignment by the return of domain_create which
calls gicv_setup.
Use the ID to know whether the domain is dom0 or not.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
12 years ago Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Tue, 19 Nov 2013 16:41:28 +0000 (16:41 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

12 years ago libxl: build a device tree for ARM guests
Ian Campbell [Tue, 19 Nov 2013 13:00:24 +0000 (13:00 +0000)]
libxl: build a device tree for ARM guests

Uses xc_dom_devicetree_mem which was just added. The call to this needs to be
carefully sequenced to be after xc_dom_parse_image (so we can tell which kind
of guest we are building, although we don't use this yet) and before
xc_dom_mem_init which tries to decide where to place the FDT in guest RAM.

Removes libxl_noarch which would only have been used by IA64 after this
change. Remove IA64 as part of this patch.

There is no attempt to expose this as a configuration setting for the user.

Includes a debug hook to dump the dtb to a file for inspection.

On v7 the CPU compat is currently hardcoded to cortex-a15. This likely wants
to change at some point.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago libxc: arm64 vcpu initialisation
Ian Campbell [Tue, 19 Nov 2013 13:00:23 +0000 (13:00 +0000)]
libxc: arm64 vcpu initialisation

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago libxc: support for arm64 Image format
Ian Campbell [Tue, 19 Nov 2013 13:00:22 +0000 (13:00 +0000)]
libxc: support for arm64 Image format

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago libxc: arm: allow passing a device tree blob to the guest
Ian Campbell [Tue, 19 Nov 2013 13:00:21 +0000 (13:00 +0000)]
libxc: arm: allow passing a device tree blob to the guest

Placement of the blob in guest RAM is simplistic but will do for now.

This operation is only supported on ARM.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago libxc: allow caller to specify guest rambase rather than hardcoding
Ian Campbell [Tue, 19 Nov 2013 13:00:20 +0000 (13:00 +0000)]
libxc: allow caller to specify guest rambase rather than hardcoding

It's still hardcoded but it could now plausibly be made variable.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago libxc: arm: rename various bits of zimage load with 32 suffix
Ian Campbell [Tue, 19 Nov 2013 13:00:19 +0000 (13:00 +0000)]
libxc: arm: rename various bits of zimage load with 32 suffix

Making room for a 64 bit implementation.

Also fix a typo and stop referring to it as a bzImage, which is an x86-ism.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: define guest virtual platform in API headers
Ian Campbell [Tue, 19 Nov 2013 13:00:18 +0000 (13:00 +0000)]
xen: arm: define guest virtual platform in API headers

The tools and the hypervisor need to agree on various aspects of the guest
environment, such as interrupt numbers, memory layout, initial register values
for registers which are implementation defined etc. Therefore move the
associated defines into the public interface headers, or create them as
necessary.

This just exposes the current de-facto standard guest layout, which may be
subject to change in the future. This deliberately does not make the guest
layout dynamic since there is currently no need.

These values should not be exposed to guests, they should find these things
out via device tree or should not be relying on implementation defined
defaults.

Various bits of the hypervisor needed to change to configure dom0 with the real
platform values while using the virtual platform configuration for guests.
Arrange for this where appropriate and plumb through as needed.

We also need to expose some 64-bit values (e.g. PSR_GUEST64_INIT) for the
benefit of 32 bit toolstacks building 64 bit guests.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago tools: check for libfdt when building for ARM
Ian Campbell [Tue, 19 Nov 2013 13:00:17 +0000 (13:00 +0000)]
tools: check for libfdt when building for ARM

libxl is going to want this to aid in the creation of guest device tree blobs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
12 years ago xen: arm: implement arch_set_info_guest for 64-bit vcpus
Ian Campbell [Tue, 19 Nov 2013 13:00:16 +0000 (13:00 +0000)]
xen: arm: implement arch_set_info_guest for 64-bit vcpus

This all seems too easy...

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: implement XEN_DOMCTL_set_address_size
Ian Campbell [Tue, 19 Nov 2013 13:00:15 +0000 (13:00 +0000)]
xen: arm: implement XEN_DOMCTL_set_address_size

This is subarch specific to plumb through to arm32 and arm64 versions.

The toolstack uses this to select 32- vs 64-bit guests (or rather it does on
x86 and soon will for arm too).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: include header for arch_do_{sys, dom}ctl prototype
Ian Campbell [Tue, 19 Nov 2013 13:00:14 +0000 (13:00 +0000)]
xen: arm: include header for arch_do_{sys, dom}ctl prototype

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
12 years ago xen: arm: add enable-method to cpu nodes for arm64 guests.
Ian Campbell [Tue, 19 Nov 2013 13:00:13 +0000 (13:00 +0000)]
xen: arm: add enable-method to cpu nodes for arm64 guests.

This is required by the Linux arm64 boot protocol.

We use PSCI.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
12 years ago xen: arm: allocate dom0 memory separately from preparing the dtb
Ian Campbell [Tue, 19 Nov 2013 13:00:12 +0000 (13:00 +0000)]
xen: arm: allocate dom0 memory separately from preparing the dtb

Mixing these two together is a pain, it forces us to prepare the dtb before
processing the kernel which means we don't know whether the guest is 32- or
64-bit while we construct its DTB.

Instead split out the memory allocation (including 1:1 workaround handling)
and p2m setup into a separate phase and then create a memory node in the DTB
based on the result.

This allows us to move kernel parsing before DTB setup.

As part of this it was also necessary to rework where the decision regarding
the placement of the DTB and initrd in RAM was made. It is now made when
loading the kernel, which allows it to make use of the zImage/ELF specific
information and therefore to make decisions based on complete knowledge and do
it right rather than guessing in prepare_dtb and relying on a later check to
see if things worked.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>