dgit.raspbian.org Git

x86/EFI: drop redundant newlines from blexit() argument strings

The function issues a newline itself.

Also correct two slightly misplaced __initdata annotations.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/EFI: make trampoline allocation more flexible

Certain UEFI implementations reserve all memory below 1Mb at boot time,
making it impossible to properly allocate the chunk necessary for the
trampoline. Fall back to simply grabbing a chunk from EfiBootServices*
regions immediately prior to calling ExitBootServices().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/hvm: fix restart of RTC periodic timer with vpt_align=1

The commit 58afa7ef "x86/hvm: Run the RTC periodic timer on a
consistent time series" aligns the RTC periodic timer to the VM's boot time.
However, it's aligned later again to the system time in create_periodic_time()
with vpt_align=1. The next tick might be skipped.

Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>

x86/msi: Refactor msi_compose_message() to not require an irq_desc

Subsequent changes will cause HPET MSIs to not have an associated IRQ.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

x86/hpet: Fix ambiguity in broadcast info message

"$N will be used for broadcast" is ambiguous between "$N timers" or "timer
$N", particuarly when N is 0.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

x86/acpi: Warn about multiple HPET tables

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

MAINTAINERS: remove Jacob Shin

As was requested by him, now that he left AMD.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

call sched_destroy_domain before cpupool_rm_domain

The domain destruction code, removes a domain from its cpupool
before attempting to destroy its scheduler information. Since
the scheduler framework uses the domain's cpupool information
to decide on which scheduler ops to use, this results in the
the wrong scheduler's destroy domain function being called
when the cpupool scheduler and the initial scheduler are
different.

Correct this by destroying the domain's scheduling information
before removing it from the pool.

Signed-off-by: Nathan Studer <nate.studer@dornerworks.com>
Reviewed-by: Juergen Gross <juergen.gross@ts.fujitsu.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

evtchn: don't lose pending state if FIFO event array page is missing

When the FIFO-based ABI is in use, if an event is bound when the
corresponding event array page is missing any attempt to set the event
pending will lose the event (because there is nowhere to write the
pending state).

This wasn't initially considered an issue because guests were expected
to only bind events once they had expanded the event array, however:

1. A domain may start with events already bound (by the toolstack).

2. The guest does not know what the port number will be until the
   event is bound (it doesn't know how many already bound events there
   are), so it does not know how many event array pages are required.
   This makes it difficult to expand in advanced (the current Linux
   implementation expands after binding for example).

To prevent pending events from being lost because there is no array
page, temporarily store the pending state in evtchn->pending.  When an
array page is added, use this state to set the port as pending.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

MAINTAINERS: Add FIFO-based event channel ABI maintainer

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

VMX: flush cache when vmentry back to UC guest

This patch flush cache when vmentry back to UC guest, to prevent
cache polluted by hypervisor access guest memory during UC mode.

The elegant way to do this is, simply add wbinvd just before vmentry.
However, currently wbinvd before vmentry will mysteriously trigger
lapic timer interrupt storm, hung booting stage for 10s ~ 60s. We still
didn't dig out the root cause of interrupt storm, so currently this
patch add flag indicating hypervisor access UC guest memory to prevent
interrupt storm -- though it still leaves aspects un-addressed, i.e.
speculative reads, and multi-vCPU issues, etc.

Whenever the interrupt storm got root caused and fixed, the protection
flag can be removed -- that would be final clean and elegant approach
dealing with cache flushing before vmentry.

This is CVE-2013-2212 / XSA-60.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>

VMX: fix cr0.cd handling

This patch solves XSA-60 security hole:
1. For guest w/o VT-d, and for guest with VT-d but snooped, Xen need
do nothing, since hardware snoop mechanism has ensured cache coherency.

2. For guest with VT-d but non-snooped, cache coherency can not be
guaranteed by h/w snoop, therefore it need emulate UC type to guest:
2.1). if it works w/ Intel EPT, set guest IA32_PAT fields as UC so that
guest memory type are all UC.
2.2). if it works w/ shadow, drop all shadows so that any new ones would
be created on demand w/ UC.

This patch also fix a bug of shadow cr0.cd setting. Current shadow has a
small window between cache flush and TLB invalidation, resulting in possilbe
cache pollution. This patch pause vcpus so that no vcpus context involved
into the window.

This is CVE-2013-2212 / XSA-60.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Acked-by: Keir Fraser <keir@xen.org>

VMX: remove the problematic set_uc_mode logic

XSA-60 security hole comes from the problematic vmx_set_uc_mode.
This patch remove vmx_set_uc_mode logic, which will be replaced by
PAT approach at later patch.

This is CVE-2013-2212 / XSA-60.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>

VMX: disable EPT when !cpu_has_vmx_pat

Recently Oracle developers found a Xen security issue as DOS affecting,
named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
Basically it involves how to handle guest cr0.cd setting, which under
some environment it consumes much time resulting in DOS-like behavior.

This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.

This is CVE-2013-2212 / XSA-60.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>

x86/viridian: TSC and APIC Frequency MSRs

These viridian MSRs are read-only sources of the TSC and APIC frequency (in
units of Hz)

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/viridian: Time Reference Count MSR

This viridian MSR is a read-only source of time (in units of 100ns) since the
domain started.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: command line parameter to disable ARAT

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/HVM: 32-bit IN result must be zero-extended to 64 bits

Just like for all other operations with 32-bit operand size.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

.config: Allow all URL(s) to be specified in .config

This allow building of XEN from source on a system without internet
access using either the environment or .config

Do the same with XEN_EXTFILES_URL, QEMU_REMOTE, IPXE_GIT_URL, and
IPXE_TARBALL_URL as QEMU_UPSTREAM_URL, SEABIOS_UPSTREAM_URL, etc.

Signed-off-by: Don Slutz <dslutz@verizon.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: make hotplug execution conditional on backend_domid == domid

libxl currently refuses to execute hotplug scripts if the backend
domid of a device is different than LIBXL_TOOLSTACK_DOMID. This will
prevent libxl from executing hotplug scripts when running on a domain
different than LIBXL_TOOLSTACK_DOMID, we should instead check if
backend_domid is different than current domid.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: remove unneeded libxl_domain_info in wait_device_connection

The info fetched by libxl_domain_info is not used anywere in the
function.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl/hotplug: add support for getting domid

This patch writes Dom0 domid on xenstore (like it's done for other
guests), and adds a libxl helper function to fetch that domid from
xenstore.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
[ ijc -- dropped xencommons hunk, same change was made independently
in 02ebea7768fe ]

xen: arm: consitfy platform compatibility lists and use __initconst

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: Blacklist sun7i UARTs

These are in the same page as the UART which is used as the Xen console. We are
not currently smart enough to avoid passing them through to the guest,
accidentally giving the guest access to the Xen console UART.

we blacklist them all, if necessary in the future we can split the list into
two halves and make a per platform decision about which half should be
blacklisted on a given platform depending on which UART is wired up as the
console.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: Basic support for sunxi/sun7i platform.

Specifically cubieboard2

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

xen: arm: add default kernel_start in xenctx

Signed-off-by: Bamvor Jian Zhang <bjzhang@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm: enable 32bit kernel stack trace

Signed-off-by: Bamvor Jian Zhang <bjzhang@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libvchan: tidy up usages of fcntl in select-type sample application

Namely, don't overwrite all the other flags when twiddling O_NONBLOCK,
and add basic error handling.

Coverity-ID: 1055041
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Register PV driver product numbers 4 and 5.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: new parameters for upstream qemu's vga interfaces

Change the qemu parameters for upstream qemu vgas to the
new ones (-device), introduced some years ago.

Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>

libxl: Allow 4 MB of video RAM for Cirrus graphics on traditional QEMU

VMs using Cirrus graphics have always had 4 MB of video RAM on XenServer, while
libxl currently does not allow values less than 8 MB.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Tested-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

ARINC653: fix NULL pointer dereference in free_vdata

The ARINC653 scheduler alloc_vdata function does not add the
idle cpu to its internal vcpu_list, but when the free_vdata
function is called, the scheduler attempted to remove the vcpu
from its internal vcpu_list, regardless of whether or not
the vcpu was the idle vcpu. Since the idle vcpu's list field
was never initialized, a NULL pointer was passed to list_del.

When using cpupools, this resulted in a crash when moving a cpu
from an arinc653 scheduler pool.

Signed-off-by: Nathan Studer <nate.studer@dornerworks.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

ARINC653: fix sched_priv corruption in alloc_vdata

The ARINC653 scheduler was directly assigning and manipulating
the sched_priv field of a vcpu in its alloc_vdata function.

When creating a cpu pool, this resulted in the corruption
of the sched_priv field of the vcpu, which was then passed
to the initial scheduler's free_vdata function with
disastrous results.

Signed-off-by: Nathan Studer <nate.studer@dornerworks.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>

x86/ats: Fix parsing of 'ats' command line option

This is really a boolean_param() hidden inside a hand-coded attempt to
replicate boolean_param(), which misses the 'no-' prefix semantics
expected with Xen boolean parameters.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: make sure memory block is RAM before passing to the allocator

Memory blocks outside of the always visible 1:1 mapping range get
passed to the allocator separately (once enough other setup was done).
Skipping non-RAM regions, however, was forgotten in adc5afbf ("x86:
support up to 16Tb").

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/ACPI/x2APIC: guard against out of range ACPI or APIC IDs

Other than for the legacy APIC, the x2APIC MADT entries have valid
ranges possibly extending beyond what our internal arrays can handle,
and hence we need to guard ourselves against corrupting memory here.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Keir Fraser <keir@xen.org>

gnttab: correct locking order reversal

Coverity ID 1087189

Correct a lock order reversal between a domains page allocation and grant
table locks.

This is CVE-2013-4494 / XSA-73.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Consolidate error handling.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Keir Fraser <keir@xen.org>
Tested-by: Matthew Daley <mattjd@gmail.com>

libxl: check for xc_domain_shutdown failure in libxl__domain_suspend_common_callback

Coverity-ID: 1055048
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: check for xc_domain_max_vcpus failure in libxl__build_pre

Coverity-ID: 1055047
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: check for xc_vcpu_setcontext failure in xc_domain_resume_any

Coverity-ID: 1090352
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: Add EARLY_PRINT support for Broadcom brcm platform.

Enable early print support for the Broadcom A15 platform, brcm.

Signed-off-by: Jon Fraser <jfraser@broadcom.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: UART addresses are not always aligned to a page.

When calculating the virtual address of the UART,
add the page offset of the UART to the mapped address.

Create define EARLY_UART_VIRTUAL_ADDRESS and use instead
of FIXMAP_ADDR(FIXMAP_CONSOLE)

Signed-off-by: Jon Fraser <jfraser@broadcom.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: don't read uninitialized size value in xc_read_image

This error case can only be triggered by gzread returning 0 (and having
not read anything), so move it there.

Coverity-ID: 1056076
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xentrace: undeadify invalid option argument handling

Apparently it's always been like this.

Coverity-ID: 1056153
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xentrace: don't try to close null libxc handle in disable_tbufs

While at it, simplify the function.

Coverity-ID: 1055316
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xenctx: correct error check when opening libxc

Coverity-ID: 1054979
Coverity-ID: 1055238
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xenctx: only alloc symbol if we are inserting it into the symbol table

...otherwise it's pointless, and will leak.

Coverity-ID: 1055936
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libvchan: handle libxc evtchn failures properly in init functions

The reasoning behind this patch is that ctrl->event_port is a uint32_t
(ie. unsigned), so the current checks on it for negative error results,
non-negative port presence etc. are incorrect.

Fix by using evtchn_port_or_error_t in the init functions instead,
adjusting the error handling, and removing the now-unnecessary check
from the close function.

Coverity-ID: 1055609
Coverity-ID: 1055610
Coverity-ID: 1055611
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

docs: make `xl vm-list` example use verbatim formatting

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl: correct references to long-removed function in error messages

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl: remove needless infinite-loop construct in create_domain

Use a simple if condition instead.

Coverity-ID: 1056150
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl: check for restore file open failure in create_domain

...otherwise you get a less helpful error message.

Coverity-ID: 1055569
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl: libxl_list_vm returns a pointer, not a handle

Coverity-ID: 1054978
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: only close fds which successfully opened in libxl__spawn_local_dm

Coverity-ID: 1055565
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: don't leak memory in libxl__poller_get failure case

Coverity-ID: 1055894
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: correct file open success check in libxl__device_pci_reset

It could, even if only in theory, be fd 0.

Coverity-ID: 1055895
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: check for transaction abortion failure in libxl_set_memory_target

While at it, correct the error handling of libxl__fill_dom0_memory_info;
at that point there is no transaction to end in any manner.

Coverity-ID: 1055046
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: remove null pointer checks in xc_pm_get_{c, p}xstat

We don't check for null pointers in similar functions, and it's silly to
do so for these arguments here anyway; they should fail noisily if null
is passed.

While at it, remove pointless brackets.

Coverity-ID: 1055938
Coverity-ID: 1055939
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: initalize stdio loggers' progress_last_percent values to 0

...otherwise they are undefined in the first progress callback.

Coverity-ID: 1056055
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: check for xc_domain_get_guest_width failure in xc_domain_resume_any

Coverity-ID: 1090351
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: remove pointless null pointer check in xc_interface_open_common

xch is guaranteed non-null here.

Coverity-ID: 1055944
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: tidy up loop construct in write_compressed

...otherwise the return 0 at the bottom is dead code.

Coverity-ID: 1055189
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: don't ignore fd read failures when restoring a domain

Coverity-ID: 1055042
Coverity-ID: 1055043
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: fix memory leak in move_l3_below_4G error handling

...otherwise mmu gets leaked.

Coverity-ID: 1055844
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: fix retrieval of and remove pointless check on gzip size

Coverity-ID: 1055587
Coverity-ID: 1055963
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xencommons: write domain 0's domid to xenstore

libvchan's init_xs_srv (server-side xenstore-related initialization)
expects to find the current domain's domid at this xenstore key. libxl
(and xend) write this for domains they create. Do the same for domain 0,
allowing the use of libvchan in dom0.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: HVM domain S3 bugfix

Currently Xen hvm s3 has a bug coming from the difference between
qemu-traditional and qemu-xen. For qemu-traditional, the way to
resume from hvm s3 is via 'xl trigger' command. However, for
qemu-xen, the way to resume from hvm s3 inherited from standard
qemu, i.e. via QMP, and it doesn't work under Xen.

The root cause is, for qemu-xen, 'xl trigger' command didn't reset
devices, while QMP didn't unpause hvm domain though they did qemu
system reset.

We have two qemu patches one xl patch to fix the HVM S3 bug:
This patch is the xl patch. It invokes QMP system_wakeup so that
qemu logic for hvm s3 could be triggered.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools: remove unnecessary null pointer checks before frees

Patch generated by the following semantic patch
(http://coccinelle.lip6.fr/):

@@
expression *P;
@@

- if(P) free(P);
+ free(P);

...and then by filtering through the following command:

filterdiff -p1 -x 'stubdom/*' -x 'tools/firmware/*' -x 'tools/qemu-*' -x 'tools/blktap*'

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: ocaml: add META to list of generated files in Makefile

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: idl: allow KeyedUnion members to be empty

This is useful when the key enum has an "invalid" option and avoids
the need to declare a dummy struct. Use this for domain_build_info
resulting in the generated API changing like so:
    --- tools/libxl/_libxl_BACKUP_types.h
    +++ tools/libxl/_libxl_types.h
    @@ -377,8 +377,6 @@ typedef struct libxl_domain_build_info {
                 const char * features;
                 libxl_defbool e820_host;
             } pv;
    -        struct {
    -        } invalid;
         } u;
     } libxl_domain_build_info;
     void libxl_domain_build_info_dispose(libxl_domain_build_info *p);

+ a related change to the JSON generation.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Revert "VMX: Eliminate cr3 store/load vmexit when UG enabled"

This reverts commit c9efe34c119418a5ac776e5d91aeefcce4576518. It
doesn't work right on non-UG hardware.

tools: xenstored: if the reply is too big then send E2BIG error

This fixes the issue for both C and ocaml xenstored, however only the ocaml
xenstored is vulnerable in its default configuration.

Adding a new error appears to be safe, since bit libxenstore and the Linux
driver at least treat an unknown error code as EINVAL.

This is XSA-72 / CVE-2013-4416.

Original ocaml patch by Jerome Maloberti <jerome.maloberti@citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>

fix locking in cpu_disable_scheduler()

So commit eedd6039 ("scheduler: adjust internal locking interface")
uncovered - by now using proper spin lock constructs - a bug after all:
When bringing down a CPU, cpu_disable_scheduler() gets called with
interrupts disabled, and hence the use of vcpu_schedule_lock_irq() was
never really correct (i.e. the caller ended up with interrupts enabled
despite having disabled them explicitly).

Fixing this however surfaced another problem: The call path
vcpu_migrate() -> evtchn_move_pirqs() wants to acquire the event lock,
which however is a non-IRQ-safe once, and hence check_lock() doesn't
like this lock to be acquired when interrupts are already off. As we're
in stop-machine context here, getting things wrong wrt interrupt state
management during lock acquire/release is out of question though, so
the simple solution to this appears to be to just suppress spin lock
debugging for the period of time while the stop machine callback gets
run.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

VMX: Eliminate cr3 store/load vmexit when UG enabled

With the feature of unrestricted guest, Xen should not cause
vmexits for cr3 accesses in non-paging mode.

Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>

xl: don't emit misleading daemon pid message

After creating a domain, xl forks off a process to handle domain events
(shutdown, disk eject, ...). It prints out the pid of the process
created by the fork to stdout. However, the newly forked process soon
after calls daemon(), which itself forks once more (and exit()s the
original process). This means that the pid printed out is not the pid of
the actual process which remains in the background after all is said and
done, instead it is the pid of the transient process that exists between
xl's fork() and the fork'd process's daemon() call.

We could resolve this by printing the correct pid, ie. by open-coding
daemon() (we already do most of the heavy lifting it does ourselves by
fiddling with the standard fds). However, since no-one seems to be
complaining about the misleading message to begin with, and since it
seems like a pointless message anyway, just remove it outright instead.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxenstore: Use PTHREAD_STACK_MIN

The existing value of 16K is smaller than the arm64 minimum stack size, which
is 128K. PTHREAD_STACK_MIN appears to be standard
http://pubs.opengroup.org/onlinepubs/009695399/functions/pthread_attr_setstacksize.html

Consindered setting a lower bound but the stack requirements of the watcher
thread are pretty minimal (tens of bytes from the looks of it) and unlikely to
blow PTHREAD_STACK_MIN on any useful platform.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: remove spurious newline from LOG() message

The macro already includes this.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libelf: improve errors in elf_xen_note_check()

I recently debugged an isolated failure to boot, with no information other
than the logs.

The "Will only load images built for the generic loader or Linux images"
string was missing a newline, leading to the subsequent error being appended
to this line, rather than having its own line with correctly identified
function.

Furthermore, error messages which state "param containing $FOO is not $BAR" is
fairly useless for debugging without identifying which bad $FOO caused the
failure.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/irq: print direct vector mappings in the 'i' debug key

Also adjust the initial print message, as the IRQ loop has contained
non-guest interrutps for a while now.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: refine address validity checks before accessing page tables

In commit 40d66baa ("x86: correct LDT checks") and d06a0d71 ("x86: add
address validity check to guest_map_l1e()") I didn't really pay
attention to the fact that these checks would better be done before the
paging_mode_translate() ones, as there's also no equivalent check down
the shadow code paths involved here (at least not up to the first use
of the address), and such generic checks shouldn't really be done by
particular backend functions anyway.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>

common/initcall: extern linker symbols with correct types

Coverity IDs 1054956, 1054957

Coverity pointed out that we applying array operations based on an expression
which yielded singleton pointers. The problem is actually that the externs
were typed incorrectly.

Correct the extern declaration to prevent straying into undefined behaviour,
and relying on the lenience of GCC to work.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

xenctx: fix typo in arm64 output

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: arm: Ensure HCR_EL2.RW is set correctly when building dom0

copy_to_user and friends rely on this, since the address transalation
functions (guest VA -> MFN) will truncate VA to the appropriate size.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: arm: correctly round down MFN to 1GB boundary make sure pagetable mask macros as physaddr size

~FIRST_MASK is nothing like correct for rounding down an MFN. It is the
inverse *and* an address not a framenumber so wrong in every dimension! We
cannot use FIRST_MASK since that would mask off any zeroeth level bits.
Instead calculate the correct value from FIRST_SIZE.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: arm: make sure pagetable mask macros have appropriate size

{ZEROETH,FIRST,SECOND,THIRD}_MASK are used with physical addresses which may
be larger than 32 bits. Therefore ensure that they are wide enough by casting
to paddr_t otherwise we may truncate addresses on 32-bit.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: arm: map entire memory banks on arm64

Currently we only map regions which are not part of boot modules. However we
subsequently free at least some of those modules to the heaps in
discard_initial_modules and if we were unluckly with sizing/location we might
end up adding unmapped pages to the heap.

The heaps on 64-bit use 1GB mappings, so in practice this is probably pretty
unlikely and I've not actually seen it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: arm: Enable 40 bit addressing in VTCR for arm64

This requires setting the v8 specific VTCR_EL2.PS field. These bits are
UNK/SBZP on v7.

Also the TS0SZ field is described slightly differently for v8, so update the
comment to reflect this.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: correct xenheap_bits after "xen: support RAM at addresses 0 and 4096"

This is incorrect after commit 1aac966e24e which shuffled the zones up by one.
I've observed failures on arm64 systems with RAM at 0x8,00000000-0x8,7fffffff
since xenheap_bits ends up as 35 instead of 36 (which is the zone with all the
RAM).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>

xen: arm: fix usage of bootargs for Xen.

The chosen node's bootargs property should be used for Xen if there is a dom0
kernel multiboot module with a command line, not just if xen,dom0-bootargs is
present.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.linaro.org>

xen: arm: correct XEN_COMPILE_ARCH autodetection for arm64

At least on aarch64 openSUSE running with qemu-user-aarch64 "uname -m" reports
"aarch64" and not "armv8" so include that in the seddery. There's no harm
leaving the existing armv8 rune too so do so.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: Allocate memory for dom0 from the bottom with the 1:1 Workaround

On Linux, the option CONFIG_ARM_PATCH_PHYS_VIRT (by default enabled) allows
the Kernel to be loaded anywhere (or nearly) by patching the translation
pv<->virt at boot time.

The current solution in Linux assuming that the delta physical address -
virtual address is always negative. A positive delta will destroy all the
optimisation to modify only a part of the translation instruction (add/sub).

By default, Xen is allocating memory from the top of memory and then
goes down. To avoid booting issue with Linux, we must allocate memory
from the bottom (ie starting from 0).

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: implement smp initialization callbacks for omap5

Signed-off-by: Chen Baozi <baozich@gmail.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: fix a typo in comment of PLATFORM_QUIRK_DOM0_MAPPING_11

Signed-off-by: Chen Baozi <baozich@gmail.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

netif.h: Add IPv6 related changes

My recent patch series to Linux netback added IPv6 checksum
offload and GSO support. This involved making some changes to the
copy of netif.h in Linux.
This patch adds those changes to the canonical copy of netif.h.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs

By default, the function add_to_physmap_one set mfn to 0. Some code paths that
result to an error, continue and the map the mfn 0 (valid on ARM) to the
slot given by the guest.

To fix the problem, return directly an error if sanity check has failed.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

spinlock: ensure the flags parameter is wide enough

Because of the construction of spin_lock_irq() (and varients), the flags
parameter could be trucated. Use a BUILD_BUG_ON() to verify the width of the
parameter.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

widen flags parameter for spinlock_irqsave() and friends

These issues were detected using the subsequent patch which forces a
compilation error if the result from local_irq_save() would be truncated.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/irq: local_irq_restore() should not blindly popf

local_irq_restore() should only be concerned with possibly changing the
interrupt flag. A blind popf could corrupt other system flags.

While playing in this area, fixup an opencoded use of X86_EFLAGS_IF.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/xsave: also save/restore XCR0 across suspend (ACPI S3)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>