dgit.raspbian.org Git

xen: add missing guest address range checks to XENMEM_exchange handlers

Ever since its existence (3.0.3 iirc) the handler for this has been
using non address range checking guest memory accessors (i.e.
the ones prefixed with two underscores) without first range
checking the accessed space (via guest_handle_okay()), allowing
a guest to access and overwrite hypervisor memory.

This is XSA-29 / CVE-2012-5513.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

hvm: Limit the size of large HVM op batches

Doing large p2m updates for HVMOP_track_dirty_vram without preemption
ties up the physical processor. Integrating preemption into the p2m
updates is hard so simply limit to 1GB which is sufficient for a 15000
* 15000 * 32bpp framebuffer.

For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
necessary machinery to handle preemption.

This is CVE-2012-5511 / XSA-27.

Signed-off-by: Tim Deegan <tim@xen.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

gnttab: fix releasing of memory upon switches between versions

gnttab_unpopulate_status_frames() incompletely freed the pages
previously used as status frame in that they did not get removed from
the domain's xenpage_list, thus causing subsequent list corruption
when those pages did get allocated again for the same or another purpose.

Similarly, grant_table_create() and gnttab_grow_table() both improperly
clean up in the event of an error - pages already shared with the guest
can't be freed by just passing them to free_xenheap_page(). Fix this by
sharing the pages only after all allocations succeeded.

This is CVE-2012-5510 / XSA-26.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

xl: Check for duplicate vncdisplay options, and return an error

If the user has set a vnc display number both in vnclisten (with
"xxxx:yy"), and with vncdisplay, throw an error.

Update man pages to match.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm: Use $(OBJCOPY) not bare objcopy

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reported-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix wrong comment

The comment in function libxl__try_phy_backend is wrong, 1 is returned
if the backend should be handled as "phy", while 0 is returned if not.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: expand persistent grants protocol

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

mini-os: shutdown_thread depends on xenbus

This fixes the build of the xenstore stub domain, which should never
be shut down and so does not need this feature.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

arm: const-correctness in virt_to_maddr

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: handle xenheap which isn't at the start of RAM.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: create a raw binary target.

This is suitable for direct loading by a bootloader.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: Enable build without CONFIG_DTB_FILE

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

AMD IOMMU: add locking missing from c/s 26198:ba90ecb0231f

An oversight of mine; I'm sorry.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Add gtags and tags rune in gitignore.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

minios/console: console_input() weak reference

In exactly the same style as app_main() in kernel.c, create a weak
reference console_input() function for applications to override to
quickly gain access to the console.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Keir Fraser <keir@xen.org>

[minios] Add xenbus shutdown control support

Add a thread watching the xenbus shutdown control path and notifies a
wait queue.

Add HYPERVISOR_shutdown convenient inline for minios shutdown.

Add proper shutdown to the minios test application.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Keir Fraser <keir@xen.org>

[minios] Fix test application link when pcifront is not enabled

When pcifront is not enabled, the test application needs to disable
the PCI test.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable load IA32_PERF_GLOBAL_CTRL feature for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable load and save IA32_EFER feature for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable load and save IA32_PAT feature for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable save VMX-preemption timer feature for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable VMX-preemption timer for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable Descriptor-table exiting for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable secondary processor-based VM-Execution controls

Enable secondary processor-based control in VMCS

Besides that, add a helper function to get the certain control bit
in secondary processor-based control MSR.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Xiantao Zhang <xiantao.zhang@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable NMI-window exiting for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

nested vmx: enable Monitor Trap Flag for L1 VMM

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

docs: fix persistent grants doc typo

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- fix additional typo s/this grants/these grants/g ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: build as zImage

The zImage format is extremely simple: it only consists of a magic
number and 2 addresses in a specific position (see
http://www.simtec.co.uk/products/SWLINUX/files/booting_article.html#d0e309).

Some bootloaders expect a zImage; considering that it doesn't cost us
much to build Xen compatible with the format, make it so.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- switch from 7*nop + nop to just 8*nop ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/hap: Fix memory leak of domain->arch.hvm_domain.dirty_vram

Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Comment the definitions of _mfn(), _gfn() &c.

It's not very easy to find them if you don't know to look for the
TYPE_SAFE() macro.

Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

VT-d: make scope parsing code type safe

Rather than requiring the scopes to be the first members of their
respective structures (so that casts can be used to switch between the
different views), properly use types and container_of().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by Xiantao Zhang <xiantao.zhang@intel.com>

IOMMU: imply "verbose" from "debug"

I think that generally enabling debugging code without also enabling
verbose output is rather pointless; if someone really wants this, they
can always pass e.g. "iommu=debug,no-verbose".

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: adjust IOMMU interrupt affinities when all CPUs are online

Since these interrupts get setup before APs get brought online, their
affinities naturally could only ever point to CPU 0 alone so far.
Adjust this to include potentially multiple CPUs in the target mask
(when running in one of the cluster modes), and take into account NUMA
information (to handle the interrupts on a CPU on the node where the
respective IOMMU is).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

AMD IOMMU: include IOMMU interrupt information in 'M' debug key output

Note that this also adds a few pieces missing from c/s
25903:5e4a00b4114c (relevant only when the PCI MSI mask bit is
supported by an IOMMU, which apparently isn't the case for existing
implementations).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: include IOMMU interrupt information in 'M' debug key output

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: fix return value of XEN_PM_PDC platform op

Should return -EFAULT when copying to guest memory fails.

Once touching this code, also switch to using the more relaxed copy
function (copying from the same guest memory already validated the
virtual address range).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: fix hypercall continuation cancellation in XENMAPSPACE_gmfn_range compat wrapper

When no continuation was established, there must also not be an attempt
to cancel it - hypercall_cancel_continuation(), in the non-HVM, non-
multicall case, adjusts the guest mode return address in a way assuming
that an earlier call hypercall_create_continuation() took place.

Once touching this code, also restructure it slightly to improve
readability and switch to using the more relaxed copy function (copying
from the same guest memory already validated the virtual address
range).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

README: adjust gcc version requirement

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

libxl: Fix bug in libxl_cdrom_insert, make more robust against bad xenstore data

libxl_cdrom_insert was failing to initialize the backend type,
resulting in the wrong default backend. The result was not only that
the CD was not inserted properly, but also that some improper xenstore
entries were created, causing further block commands to fail.

This patch fixes the bug by setting the disk backend type based on the
type of the existing device.

It also makes the system more robust by checking to see that it has
got a valid path before proceeding to write a partial xenstore entry.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: xl.conf(5): correct advice re autoballooning vs. dom0_mem.

The advice was backwards, you should really disable autoballoon if you
use dom0_mem. Also add a reference to the command-line docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

README: add Pixman as build dependency

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix a variable underflow in libxl_wait_for_free_memory

When xl is called to create a domU and there is not enough memory available,
then the autoballooning is called to extract memory from dom0. During the
ballooning a loop in libxl_wait_for_free_memory() waits unless enough memory
is available to create the domU.

But because of a variable-underflow the loop can finish too soon and xl
finally aborts with the message:

xc: error: panic: xc_dom_boot.c:161: xc_dom_boot_mem_init: can't allocate low memory for domain: Out of memory
libxl: error: libxl_dom.c:430:libxl__build_pv: xc_dom_boot_mem_init failed: Device or resource busy
libxl: error: libxl_create.c:901:domcreate_rebuild_done: cannot (re-)build domain: -3

The variable-underflow happens when freemem_slack is larger then
info.free_pages*4, because the solution of this operation is converted
implicit to a unsigned int to match the type of memory_kb.

Add a extra check for this condition to solve the problem.

Signed-off-by: Ronny Hegewald <Ronny.Hegewald@online.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xenstore-chmod: handle arbitrary number of perms rather than MAX_PERMS constant

Constant MAX_PERMS 16 is too small to use in some occasions, e.g. if
there are more than 16 domU(s) on one hypervisor (it's easy to
achieve) and one wants to do xenstore-chmod PATH to all domU(s). So,
remove MAX_PERMS limitation and make it as arbitrary number of perms.

Signed-off-by: Chunyan Liu <cyliu@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/time: fix scale_delta() inline assembly

The way it was coded, it clobbered %rdx without telling the compiler.
This generally didn't cause any problems except when there are two back
to back invocations (as in plt_overflow()), as in that case the
compiler may validly assume that it can re-use for the second instance
the value loaded into %rdx before the first one.

Once at it, also properly relax the second operand of "mul" (there's no
need for it to be in %rdx, or a register at all), and switch away from
using explicit register names in the instruction operands.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xend: enable environment passing in xPopen3

In changeset 19990:38dd208e1d95 a new parameter 'env' was added to
xPopen3, but no code was added to actually pass the environment down to
execvpe. Also, the new code was unreachable.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: Tidy up flush_xen_dcache().

- Use a compile-time-constant check for whether we can safely flush
   just one cacheline.  This reduces the common case from 28
   instructions to three.
- Pass an object to the macro, not a pointer, so we can detect
   attempts to flush arrays.
- Decode CCSIDR correctly to get cacheline size.
- Remove some redundant DSBs at the call sites.

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: Suppress spurious warning message for cpupool-list

libxl_cpupool_list() enumerates the cpupools by "probing": calling
cpupool_info, starting at 0 and stopping when it gets an error. However,
cpupool_info will print an error when the call to xc_cpupool_getinfo() fails,
resulting in every xl command that uses libxl_list_cpupool (such as
cpupool-list) printing that error message spuriously.

Since at the moment the times we want to print the message correspond
with the use of the existing "exact" parameter, use it to decide
whether to print the message or not.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

implement vmap()

... and use it as basis for a proper ioremap() on x86.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HPET: fix FSB interrupt masking

HPET_TN_FSB is not really suitable for masking interrupts - it merely
switches between the two delivery methods. The right way of masking is
through the HPET_TN_ENABLE bit (which really is an interrupt enable,
not a counter enable or some such). This is even more so with certain
chip sets not even allowing HPET_TN_FSB to be cleared on some of the
channels.

Further, all the setup of the channel should happen before actually
enabling the interrupt, which requires splitting legacy and FSB logic.

Finally this also fixes an S3 resume problem (HPET_TN_FSB did not get
set in hpet_broadcast_resume(), and hpet_msi_unmask() doesn't get
called from the general resume code either afaict).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HPET: include FSB interrupt information in 'M' debug key output

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: clean up map/unmap log messages

- printing file name and line number here is pointless
- they are guest related, so should get their log level filter
accordingly
- include segment numbers and canonicalize number widths

Signed-off-by: Jan Beulich <jbeulich@suse.com>

xend: reinstate XendOptionsFile.get_external_migration_tool

This was removed by 26167:31dcc0e08754 "xend: Remove old vtpm support
from xm" but at least one caller was left. Reinstate with
s/TPM/device/ since it appears that this functionality could apply
elsewhere.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

passthrough/PCI: replace improper uses of pci_find_next_cap()

Using pci_find_next_cap() without prior pci_find_cap_offset() is bogus
(and possibly wrong, given that the latter doesn't check the
PCI_STATUS_CAP_LIST flag, which so far was checked in an open-coded way
only for the non-bridge case).

Once at it, fold the two calls into one, as we need its result in any
case.

Question is whether, without any caller left, pci_find_next_cap()
should be purged as well.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>

xen: fix build failure due to extra closing comment

Added by 26173:26facad2f1a1

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Include prototype for HYPERVISOR_multicall

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Document HYPERVISOR_update_descriptor

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Add ToC entry for start of day memory layout.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Document HYPERVISOR_mmuext_op

Mark-up for inclusion of generated docs.

Remove some trailing whitespace.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: document HYPERVISOR_update_va_mapping(_other_domain)

Mark-up for inclusion of generated docs.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: document/mark-up SCHEDOP_*

The biggest subtlety here is there additional argument when op ==
SCHEDOP_shutdown and reason == SHUTDOWN_suspend and its interpretation by
xc_domain_{save,restore}. Add some clarifying comments to libxc as well.

This patch moves some structs around but there is no functional change
other than improved documentation.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

AMD IOMMU: fix type of "bdf" parameter of update_intremap_entry_from_msi_msg()

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Remove tools/vtpm* from MAINTAINERS file

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Remove old vtpm stuff from tools/libxen

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Remove VTPM_TOOLS from config/Tools.mk.in

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xend: Remove old vtpm support from xm

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: Update mini-os license to support GPL features

This patch updates extras/mini-os/COPYING to explain
which optional features are GPL and what the implications
of enabling them are.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: fix bug in lseek for mini-os

lseek always used files[fd].file.offset. It should
use the offset of whatever union member is actually
being used.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: get the number of cpus from device tree

The system might have fewer cpus than the GIC supports.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: flush D-cache and I-cache when appropriate

- invalidate tlb after setting WXN
- flush D-cache and I-cache after relocation;
- invalidate D-cache after writing to smp_up_cpu;
- flush I-cache after changing HTTBR;
- flush I-cache and branch predictor after writing Xen text ptes.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

vscsiif: minor cleanup

Remove a definition not belonging into the interface, and correct a
few typos in comments.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

AMD IOMMU: Enable HPET broadcast msi remapping

This patch enables hpet msi remapping for amd iommu.

Signed-off-by: Wei Wang <wei.wang2@amd.com>
- use the existing ACPI_IVHD_* #define-s
- warn on finding more than one IVHD HPET entry
- consolidate parameters of update_intremap_entry_from_msi_msg()

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

xen/arm: wake up secondary cpus

Secondary cpus are held by the firmware until we send an IPI to them.

Reordered non-boot cpu wait loop to perform the check before waiting
for an event, to handled the case where the event has already
happened when we reach the loop.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: set the SMP bit in the ACTLR register

"Enables the processor to receive instruction cache, BTB, and TLB maintenance
operations from other processors"

...

"You must set this bit before enabling the caches and MMU, or
performing any cache and TLB maintenance operations. The only time
you must clear this bit is during a processor power-down sequence"

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

pl011: set baud and clock_hz to the right defaults for Versatile Express

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: setup the fixmap in head.S

Setup the fixmap mapping directly in head.S rather than having a
temporary mapping only to re-do it later in C.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: pass the correct bit-per-interrupt argument to vgic_irq_rank

Use 1 for registers that have 1 bit per irq.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: Fix passing of application data to timeout_deregister hook

When deregistering a timeout, the address of application data was
being passed to the timeout_deregister hook instead of the data
itself.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/nmi: self_nmi() should not unconditionally enable interrupts

It seems that all current callers have interrupts enabled, making the
code currently safe but dangerous. Also, fix a trailing whitespace
issue.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

update MAINTAINERS file

There have been some "organizational changes" within AMD.
Update the MAINTAINERS file accordingly.
Please also feel free to use the new email addresses if there are
any inquires related to code authored by Wei Wang, Christoph Egger
or Andre Przywara.

Signed-off-by: Andre Przywara <osp@andrep.de>
Acked-by: Wei Wang <weiwang.dd@gmail.com>
Acked-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Acked-by: Wei Huang <wei.huang2@amd.com>
Acked-by: Christoph Egger <Christoph_Egger@gmx.de>
Committed-by: Keir Fraser <keir@xen.org>

tools: rerun autoconf after 26144:170d45f7a2eb

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen/mm/shadow: check toplevel pagetables are present before unhooking them.

If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0. Add a check to avoid that case.

This issue was introduced by c/s 21239:b9d2db109cf5.

This is a security problem, XSA-23 / CVE-2012-4538.

Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue. If the
deadline ends up in the past, Xen never leaves __do_softirq(). The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).

This is a security problem, XSA-20 / CVE-2012-4535.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-tmem-list-parse: fix ugly parse output

The program xen-tmem-list-parse parses the output of xm/xl tmem-list
into human-readable format. A missing NULL terminator sometimes
causes garbage to be spewed where the two-letter pool type
should be output.

Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

hotplug/Linux: Fix locking in tools/hotplug/Linux/locking.sh

The claim_lock() function would fail in the perl code with:

Invalid argument at -e line 2.

because the Perl snippet opens for reading the file descriptor, which
was earlier opened for write (append).

Signed-off-by: Jacek Konieczny <jajcus@jajcus.net>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix vfb related assertion problem when starting pv-domU

When a config-file for a pv-domU has a vfb section with a vnc=0
option then a "xl create" for that domU crashes with the message

xl: libxl.c:252: libxl_defbool_val: Assertion `!libxl_defbool_is_default(db)'
failed.

and the domU hangs early in the start.

This patch fixes the cause of the assertion and let the domU start
normally.

This problem exists since xen 4.2.

Signed-off-by: Ronny Hegewald <Ronny.Hegewald@online.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Remove the vtpm process model

Remove the old vtpm process model. It doesn't work very
well and is no longer supported.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: add vtpm support

This patch adds vtpm support to libxl. It adds vtpm parsing to config
files and 3 new xl commands:
vtpm-attach
vtpm-detach
vtpm-list

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: add tpmfront, tpm_tis, and tpmback drivers

This patch adds 3 new drivers to mini-os.

tpmfront - paravirtualized tpm frontend driver
tpmback - paravirtualized tpm backend driver
tpm_tis - hardware tpm driver

Unfortunately these drivers were derived from GPL
licensed linux kernel drivers so they must carry
the GPL license. However, since mini-os now
supports conditional compilation, hopefully these
drivers can be included into the xen tree and
conditionally removed from non-gpl projects.
By default they are disabled in the makefile.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: add xenbus_read_uuid

Similar to xenbus_read_integer, this function reads a xenstore path
and parses it as a uuid. See include/xenbus.h for details.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

minios: Disable -DGNT_DEBUG and -DGNTMAP_DEBUG

Disabling the above flags in default mini-os build. They generate a
lot of spam.

Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

fix xenctl_cpumap_to_cpumask() buffer size check

xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
bits should be masked off from the input cpumap bitmap or not.

Fix by using the correct cpumask buffer size in place of sizeof.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Compare against copy_bytes instead, and use equality rather than less-
or-equal.

Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
security relevant (i.e. the bug could not cause memory corruption):
_xmalloc() never returns chunks of data smaller than the size of a
pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
piece of memory erroneously written to would still be inside the
allocation done at the top of the function.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

pygrub: Fix command line argument error handling

pygrub's individual config file parsers do not correctly check the
amount of command line arguments given to them. In addition, the LILO
config parser would report an incorrect message.

Use len() to correctly check the amount of arguments, and fix the LILO
error message.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix reboot failure of migrated domain

The same problem was once fixed by c/s 23878:59c7213b5949
but c/s 25344:0f3b1e13d6af broke it.

Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Synchronize privcmd header constants

Since Linux's git commit ceb90fa0a8008059ecbbf9114cb89dc71a730bb6,
the privcmd.h interface between Linux and libxc specifies two new
constants, PRIVCMD_MMAPBATCH_MFN_ERROR and
PRIVCMD_MMAPBATCH_PAGED_ERROR. These constants represent the error
codes encoded in the top nibble of an mfn slot passed to the legacy
MMAPBATCH ioctl.

In particular, libxenctrl checks for the equivalent of the latter
constant when dealing with paged out frames that might be the target
of a foreign map.

Previously, the relevant constant was defined in the domctl hypervisor
interface header (XEN_DOMCTL_PFINFO_PAGEDTAB). Because this
top-nibble encoding is a contract between the dom0 kernel and libxc,
a domctl.h definition is misplaced.

- Sync the privcmd.h header to that now available in upstream Linux
- Update libxc appropriately
- Remove the unnecessary constant in domctl.h

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Campbell <ian.campbelL@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: Make restore work properly with PV superpage flag

For PV guests, the superpage flag means to unconditionally allocate all
pages as superpages, which is required for Linux hugepages to work.  Support
for this on restore was not supported.  This patch adds proper support for
the superpage flag on restore.

For HVM guests, the superpage flag has been used to mean attempt to allocate
superpages if possible on restore.  This functionality has been preserved.

Signed-off-by: Dave McCracken <dave.mccracken@oracle.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/mm x86 shadow: Fix typo in sh_invlpg sl3 page presence check

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

IOMMU: don't immediately disable bus mastering on faults

Instead, give the owning domain at least a small opportunity of fixing
things up, and allow for rare faults to not bring down the device at
all.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Dario Faggioli <dario.faggioli@citrix.com>

tmem: Prevent NULL dereference on error case

If the client / pool IDs given to tmemc_save_get_next_page are invalid,
the calculation of pagesize will dereference NULL.

Fix this by moving the calculation below the appropriate NULL check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Committed-by: Jan Beulich <jbeulich@suse.com>