dgit.raspbian.org Git

AMD IOMMU: include IOMMU interrupt information in 'M' debug key output

Note that this also adds a few pieces missing from c/s
25903:5e4a00b4114c (relevant only when the PCI MSI mask bit is
supported by an IOMMU, which apparently isn't the case for existing
implementations).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: include IOMMU interrupt information in 'M' debug key output

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: fix return value of XEN_PM_PDC platform op

Should return -EFAULT when copying to guest memory fails.

Once touching this code, also switch to using the more relaxed copy
function (copying from the same guest memory already validated the
virtual address range).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: fix hypercall continuation cancellation in XENMAPSPACE_gmfn_range compat wrapper

When no continuation was established, there must also not be an attempt
to cancel it - hypercall_cancel_continuation(), in the non-HVM, non-
multicall case, adjusts the guest mode return address in a way assuming
that an earlier call hypercall_create_continuation() took place.

Once touching this code, also restructure it slightly to improve
readability and switch to using the more relaxed copy function (copying
from the same guest memory already validated the virtual address
range).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

README: adjust gcc version requirement

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

libxl: Fix bug in libxl_cdrom_insert, make more robust against bad xenstore data

libxl_cdrom_insert was failing to initialize the backend type,
resulting in the wrong default backend. The result was not only that
the CD was not inserted properly, but also that some improper xenstore
entries were created, causing further block commands to fail.

This patch fixes the bug by setting the disk backend type based on the
type of the existing device.

It also makes the system more robust by checking to see that it has
got a valid path before proceeding to write a partial xenstore entry.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: xl.conf(5): correct advice re autoballooning vs. dom0_mem.

The advice was backwards, you should really disable autoballoon if you
use dom0_mem. Also add a reference to the command-line docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

README: add Pixman as build dependency

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix a variable underflow in libxl_wait_for_free_memory

When xl is called to create a domU and there is not enough memory available,
then the autoballooning is called to extract memory from dom0. During the
ballooning a loop in libxl_wait_for_free_memory() waits unless enough memory
is available to create the domU.

But because of a variable-underflow the loop can finish too soon and xl
finally aborts with the message:

xc: error: panic: xc_dom_boot.c:161: xc_dom_boot_mem_init: can't allocate low memory for domain: Out of memory
libxl: error: libxl_dom.c:430:libxl__build_pv: xc_dom_boot_mem_init failed: Device or resource busy
libxl: error: libxl_create.c:901:domcreate_rebuild_done: cannot (re-)build domain: -3

The variable-underflow happens when freemem_slack is larger then
info.free_pages*4, because the solution of this operation is converted
implicit to a unsigned int to match the type of memory_kb.

Add a extra check for this condition to solve the problem.

Signed-off-by: Ronny Hegewald <Ronny.Hegewald@online.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xenstore-chmod: handle arbitrary number of perms rather than MAX_PERMS constant

Constant MAX_PERMS 16 is too small to use in some occasions, e.g. if
there are more than 16 domU(s) on one hypervisor (it's easy to
achieve) and one wants to do xenstore-chmod PATH to all domU(s). So,
remove MAX_PERMS limitation and make it as arbitrary number of perms.

Signed-off-by: Chunyan Liu <cyliu@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/time: fix scale_delta() inline assembly

The way it was coded, it clobbered %rdx without telling the compiler.
This generally didn't cause any problems except when there are two back
to back invocations (as in plt_overflow()), as in that case the
compiler may validly assume that it can re-use for the second instance
the value loaded into %rdx before the first one.

Once at it, also properly relax the second operand of "mul" (there's no
need for it to be in %rdx, or a register at all), and switch away from
using explicit register names in the instruction operands.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xend: enable environment passing in xPopen3

In changeset 19990:38dd208e1d95 a new parameter 'env' was added to
xPopen3, but no code was added to actually pass the environment down to
execvpe. Also, the new code was unreachable.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: Tidy up flush_xen_dcache().

- Use a compile-time-constant check for whether we can safely flush
   just one cacheline.  This reduces the common case from 28
   instructions to three.
- Pass an object to the macro, not a pointer, so we can detect
   attempts to flush arrays.
- Decode CCSIDR correctly to get cacheline size.
- Remove some redundant DSBs at the call sites.

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: Suppress spurious warning message for cpupool-list

libxl_cpupool_list() enumerates the cpupools by "probing": calling
cpupool_info, starting at 0 and stopping when it gets an error. However,
cpupool_info will print an error when the call to xc_cpupool_getinfo() fails,
resulting in every xl command that uses libxl_list_cpupool (such as
cpupool-list) printing that error message spuriously.

Since at the moment the times we want to print the message correspond
with the use of the existing "exact" parameter, use it to decide
whether to print the message or not.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

implement vmap()

... and use it as basis for a proper ioremap() on x86.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HPET: fix FSB interrupt masking

HPET_TN_FSB is not really suitable for masking interrupts - it merely
switches between the two delivery methods. The right way of masking is
through the HPET_TN_ENABLE bit (which really is an interrupt enable,
not a counter enable or some such). This is even more so with certain
chip sets not even allowing HPET_TN_FSB to be cleared on some of the
channels.

Further, all the setup of the channel should happen before actually
enabling the interrupt, which requires splitting legacy and FSB logic.

Finally this also fixes an S3 resume problem (HPET_TN_FSB did not get
set in hpet_broadcast_resume(), and hpet_msi_unmask() doesn't get
called from the general resume code either afaict).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HPET: include FSB interrupt information in 'M' debug key output

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: clean up map/unmap log messages

- printing file name and line number here is pointless
- they are guest related, so should get their log level filter
accordingly
- include segment numbers and canonicalize number widths

Signed-off-by: Jan Beulich <jbeulich@suse.com>

xend: reinstate XendOptionsFile.get_external_migration_tool

This was removed by 26167:31dcc0e08754 "xend: Remove old vtpm support
from xm" but at least one caller was left. Reinstate with
s/TPM/device/ since it appears that this functionality could apply
elsewhere.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

passthrough/PCI: replace improper uses of pci_find_next_cap()

Using pci_find_next_cap() without prior pci_find_cap_offset() is bogus
(and possibly wrong, given that the latter doesn't check the
PCI_STATUS_CAP_LIST flag, which so far was checked in an open-coded way
only for the non-bridge case).

Once at it, fold the two calls into one, as we need its result in any
case.

Question is whether, without any caller left, pci_find_next_cap()
should be purged as well.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>

xen: fix build failure due to extra closing comment

Added by 26173:26facad2f1a1

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Include prototype for HYPERVISOR_multicall

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Document HYPERVISOR_update_descriptor

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Add ToC entry for start of day memory layout.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Document HYPERVISOR_mmuext_op

Mark-up for inclusion of generated docs.

Remove some trailing whitespace.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: document HYPERVISOR_update_va_mapping(_other_domain)

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: document/mark-up SCHEDOP_*

The biggest subtlety here is there additional argument when op ==
SCHEDOP_shutdown and reason == SHUTDOWN_suspend and its interpretation by
xc_domain_{save,restore}. Add some clarifying comments to libxc as well.

This patch moves some structs around but there is no functional change
other than improved documentation.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

AMD IOMMU: fix type of "bdf" parameter of update_intremap_entry_from_msi_msg()

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Remove tools/vtpm* from MAINTAINERS file

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Remove old vtpm stuff from tools/libxen

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Remove VTPM_TOOLS from config/Tools.mk.in

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xend: Remove old vtpm support from xm

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: Update mini-os license to support GPL features

This patch updates extras/mini-os/COPYING to explain
which optional features are GPL and what the implications
of enabling them are.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: fix bug in lseek for mini-os

lseek always used files[fd].file.offset. It should
use the offset of whatever union member is actually
being used.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: get the number of cpus from device tree

The system might have fewer cpus than the GIC supports.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: flush D-cache and I-cache when appropriate

- invalidate tlb after setting WXN
- flush D-cache and I-cache after relocation;
- invalidate D-cache after writing to smp_up_cpu;
- flush I-cache after changing HTTBR;
- flush I-cache and branch predictor after writing Xen text ptes.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

vscsiif: minor cleanup

Remove a definition not belonging into the interface, and correct a
few typos in comments.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

AMD IOMMU: Enable HPET broadcast msi remapping

This patch enables hpet msi remapping for amd iommu.

Signed-off-by: Wei Wang <wei.wang2@amd.com>
- use the existing ACPI_IVHD_* #define-s
- warn on finding more than one IVHD HPET entry
- consolidate parameters of update_intremap_entry_from_msi_msg()

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

xen/arm: wake up secondary cpus

Secondary cpus are held by the firmware until we send an IPI to them.

Reordered non-boot cpu wait loop to perform the check before waiting
for an event, to handled the case where the event has already
happened when we reach the loop.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: set the SMP bit in the ACTLR register

"Enables the processor to receive instruction cache, BTB, and TLB maintenance
operations from other processors"

...

"You must set this bit before enabling the caches and MMU, or
performing any cache and TLB maintenance operations. The only time
you must clear this bit is during a processor power-down sequence"

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

pl011: set baud and clock_hz to the right defaults for Versatile Express

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: setup the fixmap in head.S

Setup the fixmap mapping directly in head.S rather than having a
temporary mapping only to re-do it later in C.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: pass the correct bit-per-interrupt argument to vgic_irq_rank

Use 1 for registers that have 1 bit per irq.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: Fix passing of application data to timeout_deregister hook

When deregistering a timeout, the address of application data was
being passed to the timeout_deregister hook instead of the data
itself.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/nmi: self_nmi() should not unconditionally enable interrupts

It seems that all current callers have interrupts enabled, making the
code currently safe but dangerous. Also, fix a trailing whitespace
issue.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

update MAINTAINERS file

There have been some "organizational changes" within AMD.
Update the MAINTAINERS file accordingly.
Please also feel free to use the new email addresses if there are
any inquires related to code authored by Wei Wang, Christoph Egger
or Andre Przywara.

Signed-off-by: Andre Przywara <osp@andrep.de>
Acked-by: Wei Wang <weiwang.dd@gmail.com>
Acked-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Acked-by: Wei Huang <wei.huang2@amd.com>
Acked-by: Christoph Egger <Christoph_Egger@gmx.de>
Committed-by: Keir Fraser <keir@xen.org>

tools: rerun autoconf after 26144:170d45f7a2eb

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen/mm/shadow: check toplevel pagetables are present before unhooking them.

If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0. Add a check to avoid that case.

This issue was introduced by c/s 21239:b9d2db109cf5.

This is a security problem, XSA-23 / CVE-2012-4538.

Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue. If the
deadline ends up in the past, Xen never leaves __do_softirq(). The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).

This is a security problem, XSA-20 / CVE-2012-4535.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-tmem-list-parse: fix ugly parse output

The program xen-tmem-list-parse parses the output of xm/xl tmem-list
into human-readable format. A missing NULL terminator sometimes
causes garbage to be spewed where the two-letter pool type
should be output.

Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

hotplug/Linux: Fix locking in tools/hotplug/Linux/locking.sh

The claim_lock() function would fail in the perl code with:

Invalid argument at -e line 2.

because the Perl snippet opens for reading the file descriptor, which
was earlier opened for write (append).

Signed-off-by: Jacek Konieczny <jajcus@jajcus.net>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix vfb related assertion problem when starting pv-domU

When a config-file for a pv-domU has a vfb section with a vnc=0
option then a "xl create" for that domU crashes with the message

xl: libxl.c:252: libxl_defbool_val: Assertion `!libxl_defbool_is_default(db)'
failed.

and the domU hangs early in the start.

This patch fixes the cause of the assertion and let the domU start
normally.

This problem exists since xen 4.2.

Signed-off-by: Ronny Hegewald <Ronny.Hegewald@online.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Remove the vtpm process model

Remove the old vtpm process model. It doesn't work very
well and is no longer supported.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: add vtpm support

This patch adds vtpm support to libxl. It adds vtpm parsing to config
files and 3 new xl commands:
vtpm-attach
vtpm-detach
vtpm-list

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: add tpmfront, tpm_tis, and tpmback drivers

This patch adds 3 new drivers to mini-os.

tpmfront - paravirtualized tpm frontend driver
tpmback - paravirtualized tpm backend driver
tpm_tis - hardware tpm driver

Unfortunately these drivers were derived from GPL
licensed linux kernel drivers so they must carry
the GPL license. However, since mini-os now
supports conditional compilation, hopefully these
drivers can be included into the xen tree and
conditionally removed from non-gpl projects.
By default they are disabled in the makefile.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: add xenbus_read_uuid

Similar to xenbus_read_integer, this function reads a xenstore path
and parses it as a uuid. See include/xenbus.h for details.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: Disable -DGNT_DEBUG and -DGNTMAP_DEBUG

Disabling the above flags in default mini-os build. They generate a
lot of spam.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

fix xenctl_cpumap_to_cpumask() buffer size check

xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
bits should be masked off from the input cpumap bitmap or not.

Fix by using the correct cpumask buffer size in place of sizeof.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Compare against copy_bytes instead, and use equality rather than less-
or-equal.

Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
security relevant (i.e. the bug could not cause memory corruption):
_xmalloc() never returns chunks of data smaller than the size of a
pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
piece of memory erroneously written to would still be inside the
allocation done at the top of the function.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

pygrub: Fix command line argument error handling

pygrub's individual config file parsers do not correctly check the
amount of command line arguments given to them. In addition, the LILO
config parser would report an incorrect message.

Use len() to correctly check the amount of arguments, and fix the LILO
error message.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix reboot failure of migrated domain

The same problem was once fixed by c/s 23878:59c7213b5949
but c/s 25344:0f3b1e13d6af broke it.

Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Synchronize privcmd header constants

Since Linux's git commit ceb90fa0a8008059ecbbf9114cb89dc71a730bb6,
the privcmd.h interface between Linux and libxc specifies two new
constants, PRIVCMD_MMAPBATCH_MFN_ERROR and
PRIVCMD_MMAPBATCH_PAGED_ERROR. These constants represent the error
codes encoded in the top nibble of an mfn slot passed to the legacy
MMAPBATCH ioctl.

In particular, libxenctrl checks for the equivalent of the latter
constant when dealing with paged out frames that might be the target
of a foreign map.

Previously, the relevant constant was defined in the domctl hypervisor
interface header (XEN_DOMCTL_PFINFO_PAGEDTAB). Because this
top-nibble encoding is a contract between the dom0 kernel and libxc,
a domctl.h definition is misplaced.

- Sync the privcmd.h header to that now available in upstream Linux
- Update libxc appropriately
- Remove the unnecessary constant in domctl.h

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Campbell <ian.campbelL@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Make restore work properly with PV superpage flag

For PV guests, the superpage flag means to unconditionally allocate all
pages as superpages, which is required for Linux hugepages to work.  Support
for this on restore was not supported.  This patch adds proper support for
the superpage flag on restore.

For HVM guests, the superpage flag has been used to mean attempt to allocate
superpages if possible on restore.  This functionality has been preserved.

Signed-off-by: Dave McCracken <dave.mccracken@oracle.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/mm x86 shadow: Fix typo in sh_invlpg sl3 page presence check

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

IOMMU: don't immediately disable bus mastering on faults

Instead, give the owning domain at least a small opportunity of fixing
things up, and allow for rare faults to not bring down the device at
all.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Dario Faggioli <dario.faggioli@citrix.com>

tmem: Prevent NULL dereference on error case

If the client / pool IDs given to tmemc_save_get_next_page are invalid,
the calculation of pagesize will dereference NULL.

Fix this by moving the calculation below the appropriate NULL check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/x2apic: properly implement cluster mode

So far, cluster mode was just an alternative implementation of
physical mode: Allowing only single CPU interrupt targets, and sending
IPIs to each target CPU separately. Take advantage of what cluster
mode really can do in that regard.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: make cpu_2_logical_apicid private to x2apic code

... as it in fact is only being used there. While moving it, also make
it a per-CPU variable rather than a NR_CPUS-sized array.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/ACPI: invalidate BGRT if necessary

Since the image pointed to may live in boot services memory (which we
add to the global memory pool long before ACPI tables get looked at),
we should prevent Dom0 from trying to retrieve the image data in that
case.

The alternatives would be to
- not add boot services memory to the global pool at all, or
- defer adding boot services memory until Dom0 indicates it is safe to
do so, or
- find and parse the BGRT table in xen/arch/x86/efi/boot.c, and avoid
adding that specific region to the E820 table.
None of these are really attractive, and as Xen commonly prints to the
video console anyway (without trying to avoid any regions on the
screen), the invalidation would need to be done conditionally anyway.

(xen/include/acpi/actbl3.h is a verbatim copy from Linux 3.7-rc4)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/emul: only emulate possibly operand sizes for POPA

This opcode neither supports 1-byte operands, nor does it support
8-byte ones (since the opcode is undefined in 64-bit mode). Simplify
the code accordingly.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

IOMMU: keep disabled until iommu_setup() is called

The iommu is enabled by default when xen is booting and later disabled
in iommu_setup() when no iommu is present.

But under some circumstances iommu code can be called before
iommu_setup() is processed. If there is no iommu available xen crashes.

This can happen for example when panic(...) is called as introduced
with the patch "x86-64: detect processors subject to AMD erratum #121
and refuse to boot" since xen 4.1.3, resulting in
find_iommu_for_device() to be called in the context of
disable_IO_APIC() / __stop_this_cpu().

This patch fixes this by keeping the iommu disabled until iommu_setup()
is entered.

Originally-by: Ronny Hegewald <ronny.hegewald@online.de>
In order for iommu_enable to be off initially, iommu_supports_eim()
must not depend on it anymore, nor must acpi_parse_dmar(). The former
in turn requires that iommu_intremap gets uncoupled from iommu_enabled
(in particular, failure during IOMMU setup should no longer result in
iommu_intremap getting cleared by generic code; IOMMU specific code
can still do so provided in can live with the consequences).

This could have the nice side effect of allowing to use "iommu=off"
even when x2APIC was pre-enabled by the BIOS (in which case interrupt
remapping is a requirement, but DMA translation [obviously] isn't), but
that doesn't currently work (and hence x2apic_bsp_setup() forces the
IOMMU on rather than just interrupt remapping).

For consistency with VT-d, make the AMD IOMMU code also skip all ACPI
table parsing when neither iommu_enable nor iommu_intremap are set.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
Acked-by: "Huang2, Wei" <Wei.Huang2@amd.com>

x86/mwait-idle: enable Ivy Bridge Xeon support

Matching a similar change in Linux 3.7-rc.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI/cpuidle: remove unused "power" field from Cx state data

It has never been used for anything, and Linux 3.7 doesn't propagate
this information anymore.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

autoconf: add file missing from 26123:f6d5b3bf74a8

This file was in 26123:f6d5b3bf74a8 as submitted but I failed to add it.

Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

autoconf: check for wget and ftp

Some OSes don't come with wget by default, so ftp should be choosen
on those. Add an autoconf check to check for wget and ftp, and
replace the usage of hardcoded wget in tools.

[ Stubdom builds still use wget unconditionally. -iwj ]

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86: save/restore only partial register state where possible

... and make restore conditional not only upon having saved the state,
but also upon whether saved state was actually modified (and register
values are known to have been preserved).

Note that RBP is unconditionally considered a volatile register (i.e.
irrespective of CONFIG_FRAME_POINTER), since the RBP handling would
become overly complicated due to the need to save/restore it on the
compat mode hypercall path [6th argument].

Note further that for compat mode code paths, saving/restoring R8...R15
is entirely unnecessary - we don't allow those guests to enter 64-bit
mode, and hence they have no way of seeing these registers' contents
(and there consequently also is no information leak, except if the
context saving domctl would be considered such).

Finally, note that this may not properly deal with gdbstub's needs, yet
(but if so, I can't really suggest adjustments, as I don't know that
code).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: use MOV instead of PUSH/POP when saving/restoring register state

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

docs: document persistent grants

Document the new persistent grants block-device feature.

Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

MCE: remove unused MCA_MCE_HANDLER

Remove unused MCA_MCE_HANDLER. MCA_MCE_SCAN is used everywhere instead.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/MCE: merge AMD quirks

merge mce_amd_quirks.c into mce_amd.c

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/MCE: remove K7 support

Remove K7 support from MCE.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/MCE: consolidate AMD initialization

Move AMD specific initialization to AMD files.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

libxc: builder: limit maximum size of kernel/ramdisk.

Allowing user supplied kernels of arbitrary sizes, especially during
decompression, can swallow up dom0 memory leading to either virtual
address space exhaustion in the builder process or allocation
failures/OOM killing of both toolstack and unrelated processes.

We disable these checks when building in a stub domain for pvgrub
since this uses the guest's own memory and is isolated.

Decompression of gzip compressed kernels and ramdisks has been safe
since 14954:58205257517d (Xen 3.1.0 onwards).

This is XSA-25 / CVE-2012-4544.

Also make explicit checks for buffer overflows in various
decompression routines. These were already ruled out due to other
properties of the code but check them as a belt-and-braces measure.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

pygrub: Add option to list grub entries

The argument to "--entry" allows 2 syntaxes, either directly the entry
number in menu.lst, or the whole string behind the "title" key word.
This poses the following issue:

From Dom0 there is no way to guess the number and, or the complete
title string because this string contains the kernel version, which
will change with a kernel update.

This patch adds [-l|--list-entries] as an argument to pygrub.

Signed-off-by: Charles Arnold <carnold@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: Do not leak events when a domain exits.

The goto in both of these places misses the event free which would
normally clean up.

==8655== 80 bytes in 1 blocks are definitely lost in loss record 1 of 1
==8655==    at 0x4024370: calloc (vg_replace_malloc.c:593)
==8655==    by 0x406EAAE: libxl__zalloc (libxl_internal.c:83)
==8655==    by 0x4078173: libxl__event_new (libxl_event.c:1167)
==8655==    by 0x4056373: domain_death_occurred (libxl.c:958)
==8655==    by 0x4058D06: domain_death_xswatch_callback (libxl.c:1038)
==8655==    by 0x4078EB5: watchfd_callback (libxl_event.c:458)
==8655==    by 0x407839E: afterpoll_internal (libxl_event.c:949)
==8655==    by 0x4079142: eventloop_iteration (libxl_event.c:1371)
==8655==    by 0x40799BB: libxl_event_wait (libxl_event.c:1396)
==8655==    by 0x805CC67: create_domain (xl_cmdimpl.c:1698)
==8655==    by 0x805E001: main_create (xl_cmdimpl.c:3986)
==8655==    by 0x804D43D: main (xl.c:285)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

Revert 26109:6ccfe4d29f95

This changeset was contaminated by changes hanging around in my
working tree. Sorry :-(.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: NetBSD PCI passthrough support

Add PCI passthrough support for HVM guests.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: Use libxl__realloc in a couple of places in libxl_events.c

This avoids us having to think about the error handling on failure.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: Do not leak events when a domain exits.

The goto in both of these places misses the event free which would
normally clean up.

==8655== 80 bytes in 1 blocks are definitely lost in loss record 1 of 1
==8655==    at 0x4024370: calloc (vg_replace_malloc.c:593)
==8655==    by 0x406EAAE: libxl__zalloc (libxl_internal.c:83)
==8655==    by 0x4078173: libxl__event_new (libxl_event.c:1167)
==8655==    by 0x4056373: domain_death_occurred (libxl.c:958)
==8655==    by 0x4058D06: domain_death_xswatch_callback (libxl.c:1038)
==8655==    by 0x4078EB5: watchfd_callback (libxl_event.c:458)
==8655==    by 0x407839E: afterpoll_internal (libxl_event.c:949)
==8655==    by 0x4079142: eventloop_iteration (libxl_event.c:1371)
==8655==    by 0x40799BB: libxl_event_wait (libxl_event.c:1396)
==8655==    by 0x805CC67: create_domain (xl_cmdimpl.c:1698)
==8655==    by 0x805E001: main_create (xl_cmdimpl.c:3986)
==8655==    by 0x804D43D: main (xl.c:285)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

hvmloader: Reserve FE700000-FE800000 in physical memory map for guest use.

Xen platform promises never to use this physical address region, and
will always mark it as reserved in the physical memory map presented
to the OS (preventing its use by generic OS services such as BAR
remapping).

Linux will use this region for mapping the shared-info page.

Signed-off-by: Keir Fraser <keir@xen.org>

xl: Fix accidently waiting for domains to shutdown without --wait option

Introduced by changeset 26091: "xl: Add --wait and --all to xl reboot."

Signed-off-by: Sander Eikelenboom <linux@eikelenboom>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/MCE: Implement clearbank callback for AMD

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Move initialization of mce_clear_banks into common code (would not get
initialized on AMD CPUs otherwise). Mark per-CPU struct mce_bank
pointers read-mostly.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/HPET: cache MSI message last written

Rather than spending measurable amounts of time reading back the most
recently written message, cache it in space previously unused, and thus
accelerate the CPU's entering of the intended C-state.

hpet_msi_read() ends up being unused after this change, but rather than
removing the function, it's being marked "unused" in order - that way
it can easily get used again should a new need for it arise.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

compiler.h adjustments

- replace __attribute_used__ with just __used
- add __maybe_unused and explain the difference between the two
- remove gcc 3.x specifics (as we don't support building with it
anymore; really for quite some time we didn't even support building
with the checked for minor versions)
- remove left over __setup() from init.h (rather than adjusting it)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xl: avoid shadowing reboot(2)

On NetBSD <unistd.h> mistakenly exposes reboot(2). Work around this.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86: don't special case first IO-APIC

It has always been puzzling me why the first IO-APIC gets special cased
in two places, and finally Xen got run on a system where this breaks:

(XEN) ACPI: IOAPIC (id[0x10] address[0xfecff000] gsi_base[0])
(XEN) IOAPIC[0]: apic_id 16, version 17, address 0xfecff000, GSI 0-2
(XEN) ACPI: IOAPIC (id[0x0f] address[0xfec00000] gsi_base[3])
(XEN) IOAPIC[1]: apic_id 15, version 17, address 0xfec00000, GSI 3-38
(XEN) ACPI: IOAPIC (id[0x0e] address[0xfec01000] gsi_base[39])
(XEN) IOAPIC[2]: apic_id 14, version 17, address 0xfec01000, GSI 39-74
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 1 global_irq 4 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 5 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 3 global_irq 6 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 4 global_irq 7 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 6 global_irq 9 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 7 global_irq 10 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 8 global_irq 11 low edge)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 12 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 12 global_irq 15 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 13 global_irq 16 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 14 global_irq 17 low edge)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 15 global_irq 18 dfl dfl)

i.e. all legacy IRQs (apart from the timer one, but the firmware passed
data doesn't look right for that case anyway, as both Xen and native
Linux are falling back to use the virtual wire setup for IRQ0,
apparently rather using pin 2 of the first IO-APIC) are being handled
by the second IO-APIC.

This at once eliminates the possibility of an unmasked RTE getting
written without having got a vector put in place (in
setup_IO_APIC_irqs()).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xen: sched_sedf: remove an unused stat in SEDF

Namely, `short_cont' which is not updated anywhere in the code.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xen: sched: introduce a couple of counters in credit2 and SEDF

Mainly for consistency with credit, at least for the events that are
general enough, like vCPU initialization/destruction and calls
to the specific scheduling function.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xen: sched: generalize scheduling related perfcounter macros

Moving some of them from sched_credit.c to generic scheduler code.
This also allows the other schedulers to use perf counters equally
easy.

This change is mainly preparatory work for what stated above. In fact,
it mostly does s/CSCHED_STAT/SCHED_STAT/, and, in general, it implies
no functional changes.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>