dgit.raspbian.org Git

X86-MCE: fix a bug of xen-mceinj tool

Fix a bug of xen-mceinj tool which used to test mce by software way.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

Fix grant_table v2 status mapping.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

Allow VMs to query their own grant table version.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xl.pod.1: improve documentation of FLASK commands

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: add checks on PCI configuration access

PCI configuration access is allowed to any privileged domain
regardless of I/O port access restrictions; add XSM hooks for these
accesses.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: fix up dummy ops

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: Add missing access checks

Actions requiring IS_PRIV should also require some XSM access control
in order for XSM to be useful in confining multiple privileged
domains. Add XSM hooks for new hypercalls and sub-commands that are
under IS_PRIV but not currently under any access checks.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: add remote_remap permission

The mmu_update hypercall can be used to manipulate the page tables of
a remote domain. Add a check for this in the XSM hook in addition to
the existing check on mapping pages of a remote domain.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: only log dummy override if not setting up dummy_xsm_ops

The log messages from dummy overrides appear on every boot with XSM
enabled, and are just noise when filling in the dummy_xsm_ops
structure.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm/flask: report memory and IO ranges in audit messages

This information is useful when determining the cause of an AVC denial
caused by missing label on device memory or IRQs.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm/flask: Add missing unlock on error path

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Linux/xencommons: Use oxenstored by default when available

oxenstored is an ocaml implementation of the xenstore daemon. It is faster,
more scalable and more reliable than the C xenstored.

In particular the transaction model in oxenstored does not involve taking a
complete copy of the database and aborting on any (even non-conflicting) other
change.

There is a paper on the design and implementation of oxenstored at
http://gazagnaire.org/pub/GH09.pdf which includes a performance evaluation and
comparison with the C daemon etc.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/emulator: workaround for AMD erratum 573

The only cases where we might end up emulating fsincos (as any other
x87 operations without memory operands) are
- when a HVM guest is in real mode (not applicable on AMD)
- between two half page table updates in PAE mode (unlikely, and not
  doing the emulation here does affect only performance, not
  correctness)
- when a guest maliciously (or erroneously) modifies an (MMIO or page
  table update) instruction under emulation (unspecified behavior)

Hence, in order to avoid the erratum to cause harm to the entire host,
don't emulate fsincos on the affected AMD CPU families.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

libxl: remove stubdom device model save file when destroying stubdom

/var/lib/xen/qemu-save.<domid> is created when the stub domain is started
(connected to a stubdom console) and is used to save the device model state on
suspend/migrate but never cleaned up.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

oxenstored: Always log something at start of day (if logging enabled at all)

Otherwise at the default level we rarely log anything at all.

A completely empty log file is a good sign, but only if you know you are
looking in the right place...

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

oxenstored: install configuration file

First though:
  - Move it to /etc/xen/oxenstored.conf.
  - Use /var/run/xenstored.pid as default pid file
  - Disable test-eagain "Randomly failed a transaction with EAGAIN. Used for
    testing Xs user". Doesn't sound fun by default...

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

oxenstored: handle unknown operations by returning an error to the client

Previous an unknown operation would be decoded as a Not_found exception which
would bubble all the way up to the try ... with surrounding the call to
main_loop where it would be logged and ignored.

This would leave the guest hanging waiting for a response to the invalid
request.

Instead introduce a specific "Invalid" operation. Higher level functionality,
such as Process.process_packet, already handles operations which are not
understood with an error reply due to the final wildcard entry in
Process.function_of_type but explicitly handle Invalid this way to make it
clear what is going on.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/AMD: use correct shift count when merging model and stepping

... for legacy errata matching.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/ucode: fix for AMD Fam15 CPUs

Remove hardcoded maximum size a microcode patch can have. This is
dynamic now.

The microcode patch for family15h can be larger than 2048 bytes and
gets silently truncated.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/MCE: add more strict sanity check of one SRAR case

When RIPV = EIPV = 0, it's a little bit tricky. It may be an asynchronic error, currently we have no way to precisely locate whether the error occur at guest or hypervisor.
To avoid handling error in wrong way, we treat it as unrecovered.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/MCE: add SRAR handler

Currently Intel SDM add 2 kinds of MCE SRAR errors:
1). Data Load error, error code = 0x134
2). Instruction Fetch error, error code = 0x150
This patch add handler to these new SRAR errors.
It based on existed mce infrastructure, add code to handle SRAR specific error.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

XLAT.lst whitespace fix.

Replace spaces with tabs to be in line with file format.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

oxenstored: log Errors and Warnings by default.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

oxenstored: Remove support for PQ defined operations.

It is unused.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

libxl: fix cold plugged PCI devices with stubdomains

Since 23565:72eafe80ebc1 the xenstore entries for the stubdomain's PCI were
never created and therefore the stubdom ends up waiting forever for the devices
which it has been asked to insert to show up.

Since the stubdomain is already running when we call the libxl_device_pci_add
loop in do_domain_create we should treat it as if "starting == 0".

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

mini-os: do not wait for pci backend in pcifront_scan

This blocks the main thread indefinitely if there is no PCI backend present in
xenstore.

Even in the case where there are passthrough devices configured libxl creates
the stubdom and waits for it to startup _before_ adding the backend. Since the
stub domains main thread is blocked before it can write the "running" state to
xenstore the toolstack eventually times out and kills everything.

There is already a separate pcifront thread which waits for the backend to
appear and calls init_pcifront at the appropriate time should a backend ever
appear.

Unfortunately I don't have any free test boxes with VT-d so I haven't been able
to test the cases where PCI deivces are passed through but I obviously have
tested that I can now start an HVM domain with stub qemu without PCI devices
passed through which I couldn't do before so this is an improvement. This stuff
is a bit like pushing the lump around the carpet :-/

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: do not leak qemu saved state on restore

In particular do not leak /var/lib/xen/qemu-resume.<domid>.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

pygrub: Fix "a" entry editing in grub2

When user wants to change entry in grub2 menu in pygrub, there's no
response in case of appending command line arguments ('a' key).

Append malfunction is caused by change of keyword used for kernel
record. Grub uses 'kernel' for line with linux kernel but grub2 uses
'linux' instead. This patch adds checking for both grub 1 and 2 keywords.

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

pygrub: Allow scrolling of the list of entries

When user wants to change entry in grub2 menu in pygrub, there
may be crash of pygrub in case of editing item ('e' key).

Crash on editing is caused longer entry list in case of grub2. As entry
window is 10 lines high, it can hold only 8 entries (2 lines for border).
Adding line outside of windows high causes crash. Patch add handling
for longer lists and scrolling through them.

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: Compile with -Wformat-nonliteral.

At least one compiler (some Ubuntu version) uses this by default and it seems
like a good idea anyway and the fixup required is trivial.

One hunk is from a patch by Ian Jackson.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reported-by: Adda Rathbone <addarathbone@googlemail.com>
Tested-by: Adda Rathbone <addarathbone@googlemail.com>
Tested-by: Andrew Pounce <andrew.pounce@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

stubdom: allow to build with older tool chain

GNU make prior to 3.81 doesn't support $(realpath ...). This fixes a
regression introduced in 23368:0f670f5146c8 (the option tested via
cc-option-add got interpreted as the argument of the -I compiler
option, as its intended argument was blank, and hence the compiler was
falsely considered to support *any* option in the pciutils sub-tree).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: eliminate duplicate IVRS definitions

Use their proper counterparts in include/acpi/actbl*.h instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: eliminate duplicate DMAR definitions

Use their proper counterparts in include/acpi/actbl*.h instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: update table interface headers

... to what is being used on Linux 3.1 (and 3.2-rc).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

ACPI: eliminate duplicate MADT parsing and unused SBF definitions

Use their proper counterparts in include/acpi/actbl*.h instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VT-d: bind IRQs to CPUs local to the node the IOMMU is on

This extends create_irq() to take a node parameter, allowing the
resulting IRQ to have its destination set to a CPU on that node right
away, which is more natural than having to post-adjust this (and
get e.g. a new IRQ vector assigned despite a fresh one was just
obtained).

All other callers of create_irq() pass NUMA_NO_NODE for the time being.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

remove the use of -Wno-unused-value

It has been hiding actual mistakes, and there are not too many changes
necessary to make things build without suppressing this warning.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: remove redundant MCE related MSR definitions

Two definitions (the first register and a macro to calculate the
register for a given bank) are sufficient per kind of register.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: add platform hypercall to retrieve pCPU-s' family, model, and stepping

With the recent hotplug changes to the Xen part of the microcode
loading, this allows the kernel driver to avoid unnecessary calls into
the hypervisor during pCPU hot-enabling: Knowing that the hypervisor
retains the data for already booted CPUs, only data for CPUs with a
different signature needs to be passed down. Since the microcode
loading code can be pretty verbose, avoiding to invoke it can make the
log much easier to look at in case of problems.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/microcode: Allow "ucode=" argument to be negative

... to indicate counting from the end of the modules list.

Suggested by Tim Deegan.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86, amd: Disable GartTlbWlkErr when BIOS forgets it

This patch disables GartTlbWlk errors on AMD Fam10h CPUs if the BIOS
forgets to do is (or is just too old). Letting these errors enabled
can cause a sync-flood on the CPU causing a reboot.

The AMD BKDG recommends disabling GART TLB Wlk Error completely.

Based on a Linux patch from Joerg Roedel <joerg.roedel@amd.com>; see e.g.
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=5bbc097d890409d8eff4e3f1d26f11a9d6b7c07e

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

flask: add tools/flask/utils/flask-label-pci to .hgignore

This was apparently forgotten in 24353:448c48326d6b

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
diff -r 7e90178b8bbf -r c995cdcc3700 .hgignore
--- a/.hgignore Mon Dec 12 17:48:42 2011 +0000
+++ b/.hgignore Mon Dec 12 17:58:25 2011 +0000
@@ -157,6 +157,7 @@
^tools/flask/utils/flask-getenforce$
^tools/flask/utils/flask-loadpolicy$
^tools/flask/utils/flask-setenforce$
+^tools/flask/utils/flask-label-pci$
^tools/fs-back/fs-backend$
^tools/hotplug/common/hotplugpath\.sh$
^tools/include/xen/.*$

libxl: Use GC_INIT and GC_FREE everywhere

Replace
    libxl__gc gc = LIBXL_INIT_GC(ctx);
    ...
    libxl__free_all(&gc);
with
    GC_INIT(ctx);
    ...
    GC_FREE;
throughout with a couple of perl runes.

We must then adjust uses of the resulting gc for pointerness, which is
mostly just replacing all occurrences of "&gc" with "gc".  Also a
couple of unusual uses of LIBXL_INIT_GC needed to be fixed up by hand.

Here are those runes:
perl -i -pe 's/\Q    libxl__gc gc = LIBXL_INIT_GC(ctx);/    GC_INIT(ctx);/' tools/libxl/*.c
perl -i -pe 's/\Q    libxl__free_all(&gc);/    GC_FREE;/' tools/libxl/*.c

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: libxl_ctx_free should free the ctx

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: make libxl__free_all idempotent

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: make libxl__[v]log const-correct

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: introduce lock in libxl_ctx

This lock will be used to protect data structures which will be hung
off the libxl_ctx in subsequent patches.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Rationalise #includes

libxl_internal.h now #includes libxl.h and various system headers.

This
1. makes the order of header inclusion more predictable
2. explicitly allows libxl_internal.h to use objects defined in libxl.h
3. removes the need for individual files to include these headers

Also
- remove some unnecessary #includes of libxl_utils.h,
flexarray.h, etc. in some libxl*.c files,
- include libxl_osdeps.h at the top of libxl_internal.h
- add missing includes of libxl_osdeps.h to a couple of files
- change libxl.h to libxl_internal.h in a couple of files

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: internal convenience macros

Provide some macros which are useful shorthands for use within libxl:
  * GC_INIT to initialise a gc from a ctx and GC_FREE to free it
  * CTX(gc) to give you back the ctx
  * LIBXL_TAILQ_INSERT_SORTED for inserting things into sorted lists

These will be used by later patches.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: permit declaration after statement

GCC and C99 allow declarations to be mixed with code.  This is a good
idea because:

* It allows variables to be more often initialised as they are
   declared, thus reducing the occurrence of uninitialised variable
   errors.

* Certain alloca-like constructs (arrays allocated at runtime on the
   stack) can more often be written without a spurious { } block.
   Such blocks are confusing to read.

* It makes it easier to write and use macros which declare and
   initialise formulaic variables and do other function setup code,
   because there is no need to worry that such macros might be
   incompatible with each other or have strict ordering constraints.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: idl: Provide struct and union tags

Instead of generating:

   typedef struct {
     ...
   } libxl_foo;

Produce:

   typedef struct libxl_foo {
     ...
   } libxl_foo;

This makes it possible to refer to libxl idl-generated structs and
unions, as incomplete types, before they have been defined.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: idl: support new "private" type attribute

This provides for fields in libxl datatypes which are only present in
the C version of structures and are used only by libxl itself. This
is useful when a libxl datatype wants to contain fields which are used
by libxl internally and which are only present in the structure to
avoid additional memory allocation inconvenience.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Provide a version of bsd's queue.h as _libxl_list.h

We would like some linked list macros which are (a) well known to be
sane and (b) typesafe. BSD's queue.h meets these criteria.

We also provide some simple perlery to arrange to add the libxl_
namespace prefix to the macros. This will allow us to #include
_libxl_list.h in our public header file without clashing with anyone
else who is also using another version of queue.h.

(A note on copyright: The FreeBSD files we are adding have an
[L]GPL-compatible licence, so there is no need to change our COPYING.
Although FreeBSD's queue.3 still contains the advertising clause, this
has been withdrawn by UCB as recorded in the FreeBSD COPYRIGHT file,
which is included in tools/libxl/external/ for reference.)

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <Ian.campbell@citrix.com>
Tested-by: Roger Pau Monne <roger.pau@entel.upc.edu>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxenstore: Provide xs_check_watch

Event-driven programs want to wait until the xs_fileno triggers for
reading, and then repeatedly call xs_check_watch.

Also xs_read_watch exposes a useless "num" out parameter, which should
always (if things aren't going hideously wrong) be at least 2 and
which the caller shouldn't be interested in. So xs_check_watch
doesn't have one of those.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Make libxl__xs_* more const-correct

Paths and values which are not modified by these functions should be
declared as "const char *" not "char *".

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

xl: fix compiler warnings

either GCC 4.6.1 or Ubuntu add -Werror=format-security to the -Wall set,
so libxl compilation breaks:
   libxl_create.c: In function 'store_libxl_entry':
   libxl_create.c:454:9: error: format not a string literal and no
format arguments [-Werror=format-security]
   cc1: all warnings being treated as errors

Attached patch fixes this and another occurrence.

Patch from: Uwe Dannowski

Signed-off-by: Andre Przywara <andre.przywara@amd.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/Intel: quiesce revised CPUID level message

Print this only once, for the boot CPU, unless "cpuinfo" was specified.
I found this particularly annoying on a machine which also didn't have
it MTRRs consistently set up across cores, resulting in the printing of
those messages being awfully slow (and with a second per-CPU message
added for debugging purposes this even lead to timeouts during AP
bringup).

Signed-off-by: Jan Beulich <jbeulich@suse.com>

xend: fix insufficient quoting in tapdisk

Fix insufficient quoting between "tap-ctl list" and
xend/server/BlktapController.py

The "line.split(None, 4)" needs to be a "3", because 3 splits needs to
be done to get the 4 parts. Sorry for the mixup.

[ fix to 24335:3915bd95ade5. -iwj ]

Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

docs: Say in xm(1) that xm is obsolete

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Update QEMU_TAG

x86/mm: New mem access type to log access

This patch adds a new p2m access type, n2rwx. It allows for implement a "log
access" mode in the hypervisor, akin to log dirty but for all types of
accesses. Faults caused by this access mode automatically promote the
access rights of the offending p2m entry, place the event in the ring, and
let the vcpu keep on executing.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: When mem event automatically promotes access rights, let other subsystems know

The mem event fault handler in the p2m can automatically promote the access
rights of a p2m entry. In those scenarios, vcpu's are not paused and they will
immediately retry the faulting instructions. This will generate a second fault
if the underlying entry type requires so (paging, unsharing, pod, etc).
Collapse the two faults into a single one.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

Improve handling of nested page faults

Add checks for access type. Be less reliant on implicit semantics.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Allow dummy responses on the mem_event ring.

Ring semantics require that for every request, a response be put. This
allows consumer to place a dummy response if need be.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Consume multiple mem event responses off the ring

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scanneel.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Allow memevent responses to be signaled via the event channel

Don't require a separate domctl to notify the memevent interface that an event
has occured. This domctl can be taxing, particularly when you are scaling
events and paging to many domains across a single system. Instead, we use the
existing event channel to signal when we place something in the ring (as per
normal ring operation).

Signed-off-by: Adin Scannell <adin@scannell.ca>
Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

Create a generic callback mechanism for Xen-bound event channels

For event channels for which Xen is the consumer, there currently is
a single action. With this patch, we allow event channel creators to
specify a generic callback (or no callback). Because the expectation
is that there will be few callbacks, they are stored in a small table.

Signed-off-by: Adin Scannell <adin@scannell.ca>
Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Flag mem_events caused by foreign domains

Add a new flag for mem events, as consumers might need to discriminate
foreign domain-caused from guest-caused events. The vcpu field of an
event is bogus from a consumer p.o.v. for foreign domain-caused events.

Also assert that we shouldn't be pausing foreign vcpus.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

X86: Prepare PCID/INVPCID for hvm

This patch is used to prepare exposing PCID/INVPCID features to hvm
guest.
The specific exposure result depend on hvm paging mode (hap/shadow),
which would be handled at next patch.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

X86: Disable PCID/INVPCID for pv

This patch disable PCID/INVPCID for pv.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

X86: expose Intel new features to pv/hvm

Intel recently release some new features, including
FMA/AVX2/BMI1/BMI2/LZCNT/MOVBE.
Refer to http://software.intel.com/file/36945
This patch expose these new features to pv and hvm.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

KEXEC: fix kexec_get_range_compat to fail vocally.

Fail with -ERANGE rather than silently truncating 64bit values (a
physical address and size) into 32bit integers for dom0 to consume.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Simplify the bitwise arithmetic a bit.

Signed-off-by: Keir Fraser <keir@xen.org>

tools/firmware: remove "_PS0/3" Method

Do not expose the ACPI power management "_PS0/3" Method to guest
firmware. According to section 3.4 of the APCI specification 4.0, PCI
device control the device power through its own specification but not
through APCI.

Qemu pushes "_PS0/3" to guest will cause a mess between ACPI PM and
PCI PM as a result of incorrect ACPI table shipped with the guest
BIOS, it may cause a failure of PCI device PM state transition(from
PCI_UNKNOWN to PCI_D0).

Signed-off-by: Xudong Hao <xudong.hao@intel.com>
Signed-off-by: Haitao Shan <haitao.shan@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

flask: Fix 32-bit compilation of label-pci tool

The 32-bit tools need to support 64-bit addresses, so use the correct
printf/scanf formats. Also, some systems declare fscanf with attribute
warn_unused_result, so check the result instead of relying on the
value of start being unmodified across a failed call.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

Update QEMU_TAG

hvmloader: Change VM Generation Id Device HID.

Unfortunately a HID of PNP0A06 will not work for an existing client
driver so this patch aims to choose something that's pretty certain
not to class with anything else.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

flask: Add flask-label-pci tool

This allows a PCI device and its associated resources to be labeled
without hardcoding addresses (which may change from system to system)
in the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: clean up initial SIDs

The domU SID is never used before a policy load, and so does not
belong in the initial_sids list.

The PIRQ SID is now incorrectly named; it should simply be called IRQ.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: rename security_pirq_sid to security_irq_sid

Attempting to manage the PIRQ namespace is not useful as guests can
assign any mapping of IRQ to PIRQ (although the identity mapping is
the most common). Change the internal names to reflect this change.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: Expand I/O resource hooks

The XSM hooks inside rangeset are not useful in capturing the PIRQ
mappings in HVM domains. They can also be called from softirq context
where current->domain is invalid, causing spurious AVC denials from
unrelated domains on such calls.

Within FLASK code, the rangeset hooks were already divided between
IRQs, I/O memory, and x86 IO ports; propagate this division back
through the XSM hooks and call the XSM functions directly when needed.

This removes XSM checks for the initial rangeset population for dom0
and the removal checks on domain destruction; denying either of these
actions does not make sense.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: always allow setting non-present PTEs

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xsm: Revert "Fix xsm_mmu_* and xsm_update_va_mapping hooks"

This reverts 23220:56a3b9c7367f, which removes all validation of the
target pages in the mapping. This crash was solved by properly marking
pages without known SIDs in 22207:20f139010445.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: remove unused xsm_assign_vector check

The PHYSDEVOP_alloc_irq_vector hypercall is a noop, so its XSM check
is not useful. Remove it and the "event vector" FLASK permission.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask: Fix policy build with new checkpolicy

Version 26 of checkpolicy (shipped with Fedora 16) now requires that
roles be declared prior to setting types for a role. Add a declaration
of the system_r role to fix the build of default XSM/FLASK policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

tools/libxc: Fix x86_32 build breakage in previous changeset.

Signed-off-by: Keir Fraser <keir@xen.org>

tools/x86_64: Fix cpuid() inline asm to not clobber stack's red zone

Pushing stuff onto the stack on x86-64 when we do not specify
-mno-red-zone is unsafe. Since the complicated asm is due to register
pressure on i386, we simply implement an all-new simpler alternative
for x86-64.

Signed-off-by: Keir Fraser <keir@xen.org>
Acked-by: Jan Beulich <jbeulich@novell.com>

x86/mm: remove 0x55 debug pattern from M2P table

It's not really any more useful than explicitly setting new M2P
entries to the invalid value.

Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Keir Fraser <keir@xen.org>

AMD IOMMU v2: minor cleanup

Despite this array living in an __init function, having such be an
automatic variable is rather inefficient in terms of generated code.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Wang2 <wei.wang2@amd.com>

x86-64/mmcfg: remove __initdata annotation overlooked in 23749:e8d1c8f074ba

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Support of xl sched-sedf

Supports the xl subcommand sched-sedf.
The man page is only a minimal version (copy from xm man page without
examples). BTW: the xm man page seems not to be in sync with xm sched-sedf -h
regarding the time units. I used milliseconds in the xl implementation.
Only minimal semantical checks of parameters.

Signed-off-by: juergen.gross@ts.fujitsu.com
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

Correct error message in libxl_sched_credit_domain_get()

Just a typo...

Signed-off-by: juergen.gross@ts.fujitsu.com
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

Support of xl sched-credit2

Supports the xl subcommand sched-credit2.

Signed-off-by: juergen.gross@ts.fujitsu.com
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

Support cpupools in xl sched-credit

Adds cpupool awareness to output of xl sched-credit. Output can now be
restricted to a specific cpupool. The domains are printed for each cpupool
seperately.

The loop over cpupools and domains is seperated from the main command
implementation to be able to support other schedulers as well.

Signed-off-by: juergen.gross@ts.fujitsu.com
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

xl sched-credit: support long options

The help text of xl sched-credit supported long options. Neither the man page
nor the implementation did.

Signed-off-by: juergen.gross@ts.fujitsu.com
Acked-by: Ian Jackson <ian.jackson.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

xend: insufficient quoting in tapdisk

insufficient quoting between "tap-ctl list" and xend/server/BlktapController.py

BlktapController splits the output into lines using \n, then each line
at each space, and finally each of these 'words' at the '=', which
fails if the filename contains spaces.

As a quick work-around, the attached patch fixes the problem for me. That is,
until tap-ctl changes it's output format.

A more permanent solution would be to add proper quoting / escaping to tap-ctl
and un-quoting / de-escaping to BlktapController.py

Signed-off-by: Philipp Hahn <hahn@univention.de>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: init.d/Linux/xencommons: load evtchn and gntdev modules

There is currently no code in the kernel to trigger autoload of the
evtchn or gntdev drivers. Load them manually during xencommons start.
Handle both pvops and xenlinux module names.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: init.d/Linux/xencommons: run script only when needed

Currently xencommons prints an error that /proc/xen/capabilities does
not exist when started on a non-xen kernel.

Update the xencommons script to run only when needed:
- do not run if /proc/xen does not exist
- check if /proc/xen/capabilities exists before doing the grep for dom0

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

Update QEMU_TAG

libxc: Fix checks on grant notify arguments

The notify offset and event channels are both unsigned variables, so
testing for >= 0 will not correctly detect the use of -1 to indicate
the field is unused. Remove the useless comparison and replace with
correct range checks or comparisons to -1.

Reported-by: Anil Madhavapeddy <anil@recoil.org>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

merge