From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Fri, 15 Feb 2013 08:38:45 +0000 (+0100)
Subject: hvm: Allow triple fault to imply crash rather than reboot
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~7292
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=63a47721ad3f2bbeedf80850728c9a4aff0224ae;p=xen.git

hvm: Allow triple fault to imply crash rather than reboot

While the triple fault action on native hardware will result in a system
reset, any modern operating system can and will make use of less violent
reboot methods.  As a result, the most likely cause of a triple fault is a
fatal software bug.

This patch allows the toolstack to indicate that a triple fault should mean a
crash rather than a reboot.  The default of reboot still remains the same.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>
---

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index fcea52c737..ac915a1d70 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -540,6 +540,7 @@ int hvm_domain_initialise(struct domain *d)
     hvm_init_guest_time(d);
 
     d->arch.hvm_domain.params[HVM_PARAM_HPET_ENABLED] = 1;
+    d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON] = SHUTDOWN_reboot;
 
     hvm_init_cacheattr_region_list(d);
 
@@ -1244,9 +1245,13 @@ void hvm_hlt(unsigned long rflags)
 void hvm_triple_fault(void)
 {
     struct vcpu *v = current;
+    struct domain *d = v->domain;
+    u8 reason = d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON];
+
     gdprintk(XENLOG_INFO, "Triple fault on VCPU%d - "
-             "invoking HVM system reset.\n", v->vcpu_id);
-    domain_shutdown(v->domain, SHUTDOWN_reboot);
+             "invoking HVM shutdown action %"PRIu8".\n",
+             v->vcpu_id, reason);
+    domain_shutdown(d, reason);
 }
 
 void hvm_inject_trap(struct hvm_trap *trap)
@@ -3929,6 +3934,10 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
             case HVM_PARAM_BUFIOREQ_EVTCHN:
                 rc = -EINVAL;
                 break;
+            case HVM_PARAM_TRIPLE_FAULT_REASON:
+                if ( a.value > SHUTDOWN_MAX )
+                    rc = -EINVAL;
+                break;
             }
 
             if ( rc == 0 ) 
diff --git a/xen/include/public/hvm/params.h b/xen/include/public/hvm/params.h
index d28ca8e041..517a184107 100644
--- a/xen/include/public/hvm/params.h
+++ b/xen/include/public/hvm/params.h
@@ -142,6 +142,9 @@
 #define HVM_PARAM_ACCESS_RING_PFN   28
 #define HVM_PARAM_SHARING_RING_PFN  29
 
-#define HVM_NR_PARAMS          31
+/* SHUTDOWN_* action in case of a triple fault */
+#define HVM_PARAM_TRIPLE_FAULT_REASON 31
+
+#define HVM_NR_PARAMS          32
 
 #endif /* __XEN_PUBLIC_HVM_PARAMS_H__ */
diff --git a/xen/include/public/sched.h b/xen/include/public/sched.h
index db5124a536..761cf07d59 100644
--- a/xen/include/public/sched.h
+++ b/xen/include/public/sched.h
@@ -158,6 +158,7 @@ DEFINE_XEN_GUEST_HANDLE(sched_watchdog_t);
 #define SHUTDOWN_suspend    2  /* Clean up, save suspend info, kill.         */
 #define SHUTDOWN_crash      3  /* Tell controller we've crashed.             */
 #define SHUTDOWN_watchdog   4  /* Restart because watchdog time expired.     */
+#define SHUTDOWN_MAX        4  /* Maximum valid shutdown reason.             */
 /* ` } */
 
 #endif /* __XEN_PUBLIC_SCHED_H__ */