Olaf Hering [Tue, 14 Feb 2017 16:14:52 +0000 (17:14 +0100)]
docs: remove odt variant of STAO
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Olaf Hering [Tue, 14 Feb 2017 16:12:58 +0000 (17:12 +0100)]
docs: convert XENV from odt to fodt
Fixes c33b5f013d ("Add XENV to docs/misc")
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Olaf Hering [Tue, 14 Feb 2017 16:12:01 +0000 (17:12 +0100)]
docs: convert STAO from odt to fodt
Fixes 140b31a8de ("Add STAO spec to docs/misc")
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 9 Feb 2017 17:08:44 +0000 (17:08 +0000)]
x86/asm: Use ASM_FLAG_OUT() to simplify atomic and bitop stubs
bitops.h cannot include asm_defns.h, because the static inlines in cpumasks.h
result in forward declarations of the bitops.h contents. Move ASM_FLAG_OUT()
to a new asm/compiler.h to compensate.
While making changes, switch bool_t to bool and use named asm parameters.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
George Dunlap [Wed, 15 Feb 2017 17:13:22 +0000 (17:13 +0000)]
xen/p2m: Fix p2m_flush_table for non-nested cases
Commit 71bb7304e7a7a35ea6df4b0cedebc35028e4c159 added flushing of
nested p2m tables whenever the host p2m table changed. Unfortunately
in the process, it added a filter to p2m_flush_table() function so
that the p2m would only be flushed if it was being used as a nested
p2m. This meant that the p2m was not being flushed at all for altp2m
callers.
Only check np2m_base if p2m_class for nested p2m's.
NB that this is not a security issue: The only time this codepath is
called is in cases where either nestedp2m or altp2m is enabled, and
neither of them are in security support.
Reported-by: Matt Leinhos <matt@starlab.io>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Tested-by: Tamas K Lengyel <tamas@tklengyel.com>
Dario Faggioli [Wed, 15 Feb 2017 15:47:29 +0000 (15:47 +0000)]
xen: credit2: improve comments' style and definition of CSFLAG-s
Most of the comments describing the meaning of the
vCPU flags used by the scheduler miss the 'wings' (or
have other minor style issues).
Also, use 1U (instead of 1) as the base of shiftings.
No functional change intended.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Dario Faggioli [Wed, 15 Feb 2017 15:47:29 +0000 (15:47 +0000)]
xen: credit2: clear bit instead of skip step in runq_tickle()
Since we are doing cpumask manipulation already, clear a bit
in the mask at once. Doing that will save us an if, later in
the code.
No functional change intended.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Dario Faggioli [Wed, 15 Feb 2017 15:47:29 +0000 (15:47 +0000)]
xen: sched: harmonize debug dump output among schedulers.
Information we currently print for idle vCPUs is
rather useless. Credit2 already stopped showing that,
do the same for Credit and RTDS.
Also, define a new CPU status dump hook, which is
not defined by those schedulers which already dump
such info in other ways (e.g., Credit2, which does
that while dumping runqueue information).
This also means that, still in Credit2, we can keep
the runqueue and pCPU info closer together.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Meng Xu <mengxu@cis.upenn.edu>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Oleksandr Andrushchenko [Wed, 8 Feb 2017 07:38:18 +0000 (09:38 +0200)]
xen/kbdif: add multi-touch support
Multi-touch fields re-use the page that is used by the other features
which means that you can interleave multi-touch, motion, and key
events.
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Oleksandr Andrushchenko [Tue, 7 Feb 2017 17:38:41 +0000 (12:38 -0500)]
xen/kbdif: Update protocol description
The patch clarifies the protocol that is used by the PV keyboard
drivers.
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Konrad Rzeszutek Wilk [Fri, 18 Nov 2016 16:18:24 +0000 (11:18 -0500)]
MAINTAINERS: Add myself as the public API "Czar"
That way we have one person who can: a) poke other maintainers
or pull them in when new drivers are introduced, b) we have
one maintainer who can shepherd the patches along instead of
depending on the REST maintainers which may be busy with
other responsibilities.
Acked-by: Ian Jackson <ian.jackson@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Oleksandr Tyshchenko [Wed, 15 Feb 2017 12:20:01 +0000 (12:20 +0000)]
IOMMU: always call teardown callback
There is a possible scenario when (d)->need_iommu remains unset
during guest domain execution. For example, when no devices
were assigned to it. Taking into account that teardown callback
is not called when (d)->need_iommu is unset we might have unreleased
resources after destroying domain.
So, always call teardown callback to roll back actions
that were performed in init callback.
This is XSA-207.
Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Roger Pau Monne [Mon, 13 Feb 2017 15:47:38 +0000 (15:47 +0000)]
configure: disable bash check for FreeBSD
Bash is not used on FreeBSD.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: rerun autogen.sh ]
Andrew Cooper [Mon, 13 Feb 2017 11:49:30 +0000 (11:49 +0000)]
x86/hvm: Improve physdev_op hypercall dispatching
hvm_physdev_op() and hvm_physdev_op_compat32() are almost identical, but there
is no need to have two functions instantiated at the end of different function
pointers.
Combine the two into a single hvm_physdev_op() and dispatch to
{do,compat}_physdev_op() based on the hcall_64bit setting.
This also fixes an inconsistency where 64bit PVH hardware domains were
permitted access to extra physdev ops, but 32bit domains weren't.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Mon, 13 Feb 2017 11:49:29 +0000 (11:49 +0000)]
x86/hvm: Improve grant_table_op hypercall dispatching
hvm_grant_table_op() and hvm_grant_table_op_compat32() are almost identical,
but there is no need to have two functions instantiated at the end of
different function pointers.
Combine the two into a single hvm_grant_table_op() (folding
grant_table_op_is_allowed() into its now-single caller) and dispatch to
{do,compat}_grant_table_op() based on the hcall_64bit setting.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Mon, 13 Feb 2017 11:49:24 +0000 (11:49 +0000)]
x86/hvm: Improve memory_op hypercall dispatching
hvm_memory_op() and hvm_memory_op_compat32() are almost identical, but there
is no need to have two functions instantiated at the end of different function
pointers.
Combine the two into single hvm_memory_op() which dispatches to
{do,compat}_memory_op() based on the hcall_64bit setting.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 3 Feb 2017 16:21:22 +0000 (16:21 +0000)]
x86/hvm: Split the hypercall dispatching infrastructure out of hvm.c
Into a new hypercall.c. This is purely code motion.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 3 Feb 2017 16:21:22 +0000 (16:21 +0000)]
x86/hvm: Rework HVM_HCALL_invalidate handling
Sending an invalidation to the device model is an internal detail of
completing the hypercall; callers should not need to be responsible for it.
Drop HVM_HCALL_invalidate entirely and call send_invalidate_req() when
appropriate.
This makes the function boolean in nature, although the existing
HVM_HCALL_{completed,preempted} constants are kept to aid code clarity. While
updating the return type, drop _do from the name, as it is redundant.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Sergey Dyasli [Mon, 13 Feb 2017 14:21:10 +0000 (14:21 +0000)]
x86/vvmx: correctly emulate VMREAD
There is an issue with the original __vmread() in nested vmx mode:
emulation of a guest's VMREAD with invalid arguments leads to BUG().
Fix this by using vmread_safe() and reporting any kind of VMfail back
to the guest.
New safe versions of the get_vvmcs() macro and related functions are
introduced because of new function signatures and lots of existing
users.
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Sergey Dyasli [Mon, 13 Feb 2017 14:21:09 +0000 (14:21 +0000)]
x86/vvmx: correctly emulate VMWRITE
There is an issue with the original __vmwrite() in nested vmx mode:
emulation of a guest's VMWRITE with invalid arguments leads to BUG().
Fix this by using vmwrite_safe() and reporting any kind of VMfail back
to the guest.
New safe versions of the set_vvmcs() macro and related functions are
introduced because of new function signatures and lots of existing
users.
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Sergey Dyasli [Mon, 13 Feb 2017 14:21:08 +0000 (14:21 +0000)]
x86/vmx: introduce VMX_INSN_SUCCEED
The new value corresponds to VMsucceed status of VMX instructions.
This will replace usage of literal zeroes in related functions.
Update vmfail(), vmread_safe() and vmwrite_safe().
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Mon, 13 Feb 2017 14:26:19 +0000 (15:26 +0100)]
x86emul: flatten twobyte_table[]
... in the hope of making it more readable, and in preparation of
adding a second field to the structure.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Boris Ostrovsky [Mon, 13 Feb 2017 14:23:58 +0000 (15:23 +0100)]
x86: adjust which files need vpmu.h
asm-x86/vmcs.h doesn't need it while asm-x86/domain.h does.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monné [Mon, 13 Feb 2017 14:23:34 +0000 (15:23 +0100)]
x86/PVHv2: fix dom0_max_vcpus so it's capped to HVM_MAX_VCPUS for PVHv2 Dom0
PVHv2 Dom0 is limited to 128 vCPUs, as are all HVM guests at the moment. Fix
dom0_max_vcpus so it takes this limitation into account.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Mon, 13 Feb 2017 14:22:01 +0000 (15:22 +0100)]
x86: split Dom0 build into PV and PVHv2
Split the Dom0 builder into two different functions, one for PV (and classic
PVH), and another one for PVHv2. Introduce a new command line parameter called
'dom0' that can be used to request the creation of a PVHv2 Dom0 by setting the
'hvm' sub-option. A panic has also been added if a user tries to use dom0=hvm
until all the code is in place, then the panic will be removed.
While there mark the dom0_shadow option that was used by PV Dom0 as deprecated,
it was lacking documentation and was not functional. Point users towards
dom0=shadow instead.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 13 Feb 2017 14:21:24 +0000 (15:21 +0100)]
x86/time: tsc_check_writability() may need to be run a second time
While we shouldn't remove its current invocation, we need to re-run it
for the case that the X86_FEATURE_TSC_RELIABLE feature flag has been
cleared, in order to avoid using the TSC rendezvous function in case
the TSC can't be written.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Jan Beulich [Mon, 13 Feb 2017 14:20:55 +0000 (15:20 +0100)]
x86emul: always init mmval
... to avoid buggy read/write sizes becoming info leaks.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Chao Gao [Mon, 13 Feb 2017 14:19:42 +0000 (15:19 +0100)]
x86/vmx: dump PIR and vIRR before ASSERT()
Commit c7bdecae42 ("x86/apicv: fix RTC periodic timer and apicv issue") has
added an assertion that intack.vector is the highest priority vector. But
according to the osstest, the assertion failed sometimes. More discussion can
be found in the thread
(https://lists.xenproject.org/archives/html/xen-devel/2017-01/msg01019.html).
The assertion failure is hard to reproduce. In order to root cause the issue, this
patch is to add logs to dump PIR and vIRR when failure takes place. It should
be reverted once the root cause is found.
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Thu, 9 Feb 2017 18:22:50 +0000 (18:22 +0000)]
x86/bitops: Force __scanbit() to be always inline
It turns out that GCCs 4.9.2 and 6.3.0 instantiate __scanbit() in three
translation units, but never reference the result. All real uses of
__scanbit() are already suitably inline.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Thu, 9 Feb 2017 08:40:31 +0000 (09:40 +0100)]
libxl: make one function static
libxl__device_frontend_path() is used in libxl_device.c only. Make it
static.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:31 +0000 (17:09 +0100)]
libxl: carve out domain specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the domain
related functions to libxl_domain.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:31 +0000 (17:09 +0100)]
libxl: carve out tmem specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the tmem
related functions to libxl_tmem.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:30 +0000 (17:09 +0100)]
libxl: move device specific functions out of libxl.c
Move the few generic device specific functions left in libxl.c to
libxl_device.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:30 +0000 (17:09 +0100)]
libxl: carve out memory specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the memory
related functions to libxl_mem.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:30 +0000 (17:09 +0100)]
libxl: carve out console specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the console
related functions (including channels, keyboard and frame buffer)
to libxl_console.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:30 +0000 (17:09 +0100)]
libxl: carve out disk specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the disk
related functions to libxl_disk.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:29 +0000 (17:09 +0100)]
libxl: carve out scheduler specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the scheduler
related functions to libxl_sched.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:29 +0000 (17:09 +0100)]
libxl: carve out cpupool specific functions from libxl.c
libxl.c has grown to an uncomfortable size. Carve out the cpupool
related functions to libxl_cpupool.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Thu, 9 Feb 2017 08:09:37 +0000 (09:09 +0100)]
libxl: white space cleanup
Before moving code to new sources clean up some white space issues in
libxl.c.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Juergen Gross [Thu, 9 Feb 2017 08:02:33 +0000 (09:02 +0100)]
libxl: make some functions global to prepare splitting up libxl.c
Splitting up libxl.c will require two functions to be globally visible.
Add their prototypes to libxl_internal.h.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Juergen Gross [Wed, 8 Feb 2017 16:09:29 +0000 (17:09 +0100)]
libxl: adjust copyright comment of libxl.c
The copyright of libxl.c is a little bit outdated.
Adjust it to reality.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Sun, 12 Feb 2017 17:56:05 +0000 (17:56 +0000)]
x86emul/test: fix 32-bit build
Commit 7603eb256 ("x86emul: use eflags definitions in x86-defns.h")
removed the EFLG_* definitions without updating the use sites (which
- oddly enough - happen to all be in 32-bit only code paths).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monné [Fri, 10 Feb 2017 09:42:47 +0000 (10:42 +0100)]
x86/iommu: add missing break
50a498 failed to add a break in the p2m_mmio_direct case, so Xen was still not
adding IOMMU entries for p2m_mmio_direct regions.
Spotted by Coverity.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Razvan Cojocaru [Fri, 10 Feb 2017 09:42:02 +0000 (10:42 +0100)]
common/vm_event: prevent guest locking with large max_vcpus
It is currently possible for the guest to lock when subscribing
to synchronous vm_events if max_vcpus is larger than the
number of available ring buffer slots. This patch no longer
blocks already paused VCPUs, fixing the issue for this use
case, and wakes up as many blocked VCPUs as there are slots
available in the ring buffer, eliminating the blockage for
asynchronous events.
Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Roger Pau Monné [Fri, 10 Feb 2017 09:40:29 +0000 (10:40 +0100)]
x86/acpi: fix unmapping of low 1MB memory in acpi_os_unmap_memory
Current code in acpi_os_map_memory uses the direct map in order to map memory
in the low 1MB, but acpi_os_unmap_memory doesn't take that into account, and
always tries to perform a vunmap, which results in the following WARN:
(XEN) Xen WARN at vmap.c:185
(XEN) ----[ Xen-4.9-unstable x86_64 debug=y Tainted: C ]----
(XEN) CPU: 0
(XEN) RIP: e008:[<ffff82d0801369d7>] vmap.c#vm_free+0xd7/0xe0
[...]
(XEN) Xen call trace:
(XEN) [<ffff82d0801369d7>] vmap.c#vm_free+0xd7/0xe0
(XEN) [<ffff82d0802bdeda>] acpi_find_root_pointer+0x3a/0x170
(XEN) [<ffff82d0802bd0ee>] acpi_os_get_root_pointer+0x4e/0x60
(XEN) [<ffff82d0802d74d0>] domain_build.c#pvh_setup_acpi_xsdt+0x90/0x240
(XEN) [<ffff82d0802d5d1a>] domain_build.c#pvh_setup_acpi+0x18a/0x2e0
(XEN) [<ffff82d0802d3ad2>] domain_build.c#construct_dom0_pvh+0xd2/0x120
(XEN) [<ffff82d0802c9174>] __start_xen+0x1d14/0x2420
(XEN) [<ffff82d080100073>] __high_start+0x53/0x60
Fix this by checking if the virtual address passed to acpi_os_unmap_memory
belongs to the direct map.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monne [Thu, 9 Feb 2017 11:33:12 +0000 (11:33 +0000)]
x86/vmx: fix build with clang 3.8.0
The usage of the __transparent__ attribute in 991033fa introduces some issues
when compiled with clang 3.8.0:
xen/include/asm/hvm/vmx/vmx.h:605:15: error: transparent_union attribute can only be
applied to a union definition; attribute ignored [-Werror,-Wignored-attributes]
typedef union __transparent__ ept_qual {
^
xen/include/xen/compiler.h:50:44: note: expanded from macro '__transparent__'
This can be easily fixed by moving the attribute to the end of the definition,
but then the following error triggers:
xen/include/asm/hvm/vmx/vmx.h:607:5: error: size of field '' (16 bits) does not
match the size of the first field in transparent union; transparent_union attribute ignored
[-Werror,-Wignored-attributes]
struct {
^
xen/include/asm/hvm/vmx/vmx.h:606:19: note: size of first field is 64 bits
unsigned long raw;
^
Which can be fixed by introducing a new field in the nested structure that
contains the padding in order to match the size of an unsigned long.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 30 Jan 2017 16:36:23 +0000 (16:36 +0000)]
x86/vmx: Introduce a bitfield structure for EPT_VIOLATION EXIT_QUALIFICATIONs
This results in rather more readable code. No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Tue, 7 Feb 2017 15:15:56 +0000 (15:15 +0000)]
x86/p2m: Reposition p2m_teardown_nestedp2m() to avoid its forward declaration
While adjusting these functions, use unsigned int rather than uint8_t for the
loop variable, and fix the whitespace style.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Sergey Dyasli [Thu, 9 Feb 2017 10:07:31 +0000 (11:07 +0100)]
x86/vmx: improve vmread_safe()
The original function doesn't distinguish between Valid and Invalid
VMfails. Improved function returns error code depending on the outcome:
VMsucceed: 0
VMfailValid: VM Instruction Error Number
VMfailInvalid: VMX_INSN_FAIL_INVALID (~0)
Existing users of __vmread_safe() are updated and double underscore
prefix is removed from the function's name because such prefixes are
reserved to a compiler.
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Sergey Dyasli [Thu, 9 Feb 2017 10:07:01 +0000 (11:07 +0100)]
x86/vmx: introduce vmwrite_safe()
Any fail during the original __vmwrite() leads to BUG() which can be
easily exploited from a guest in the nested vmx mode.
The new function returns error code depending on the outcome:
VMsucceed: 0
VMfailValid: VM Instruction Error Number
VMfailInvalid: a new VMX_INSN_FAIL_INVALID
A new macro GAS_VMX_OP is introduced in order to improve the
readability of asm. Existing ASM_FLAG_OUT macro is reused and copied
into asm_defns.h
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Roger Pau Monné [Thu, 9 Feb 2017 10:02:11 +0000 (11:02 +0100)]
x86/hvm: add vcpu parameter to guest memory copy function
Current __hvm_copy assumes that the destination memory belongs to the current
vcpu, but this is not always the case since for PVHv2 Dom0 build hvm copy
functions are used with current being the idle vcpu. Add a new vcpu parameter
to hvm copy in order to solve that. Note that only hvm_copy_to_guest_phys is
changed to take a vcpu parameter, because that's the only one at the moment
that's required in order to build a PVHv2 Dom0.
While there, also assert that the passed vcpu belongs to a HVM guest.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Fix the build, retaining prior log message attributes.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Thu, 9 Feb 2017 10:01:35 +0000 (11:01 +0100)]
x86/iommu: add IOMMU entries for p2m_mmio_direct pages
There's nothing wrong with allowing the domain to perform DMA transfers to
MMIO areas that it already can access from the CPU, and this allows us to
remove the hack in set_identity_p2m_entry for PVH Dom0.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Jan Beulich [Thu, 9 Feb 2017 10:00:39 +0000 (11:00 +0100)]
VT-d: make print_vtd_entries() less verbose
Especially printing virtual addresses of mappings of the individual
pages seems rather useless here - this mostly obfuscates the important
numbers, and hinders comparing two printouts. Printing the page table
level indexes isn't very useful either, as the immediately following
lines will print the indexes again as part of printing the raw entries.
Take the opportunity and also
- adjust some format specifiers,
- widen (zero-pad) array indexes to their nominal width.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Wed, 8 Feb 2017 19:10:15 +0000 (19:10 +0000)]
xen/arm: Fix ARM build following c/s 11c397c
c/s 11c397c broke the ARM build by introducing a common ACCESS_ONCE() which is
different to the definition in smmu.c
The SMMU code included a scalar typecheck, which is worth keeping in the
common case, given ACCESS_ONCE()'s restrictions. However, express the
typecheck differently so as to avoid Coverity complaints about unused
variables.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Julien Grall <julien.grall@arm.com>
Julien Grall [Wed, 8 Feb 2017 10:48:14 +0000 (10:48 +0000)]
xen/arm64: Don't zero BSS when booting using EFI
Commit 146786b "efi: create efi_enabled()" introduced a variable
efi_flags stored in BSS and used to pass information between the stub
and Xen. However on ARM, BSS is zeroed after the stub has finished to
run and before Xen is started. This means that the bits set in efi_flags
will be lost.
We were not affected before because all the variables used to pass
information between Xen and the stub are living in initdata or data.
Looking at the description of the field SizeOfRawData in the PE/COFF
header (see [1]):
"If this is less than VirtualSize, the remainder of the section is
zero-filled. Because the SizeOfRawData field is rounded but the
VirtualSize field is not, it is possible for SizeOfRawData to be greater
than VirtualSize as well. When a section contains only uninitialized
data, this field should be zero."
Both VirtualSize and SizeOfRawData are correctly set in the header (see
arch/arm/arm64/head.S) so the EFI firmware will zero BSS for us.
Therefore we don't need to zero BSS before running the EFI stub and can
skip the one between the EFI stub and Xen.
To avoid another branch instruction, slightly refactor the code. The
register x26 is allocated to hold whether BSS is skipped. The value will
be:
- 0 when the code is running on CPU0 and EFI is not used
- 1 when EFI is used or running on other processor than the boot one.
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx
Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Cooper [Tue, 7 Feb 2017 14:01:29 +0000 (14:01 +0000)]
x86/p2m: Stop other vcpus using a nested p2m before clearing it
Until the IPI has completed, other processors might be running on this nested
p2m object. clear_domain_page() does not guarantee to make 8-byte atomic
updates, which means that a pagewalk on a remote processor might encounter a
partial update.
This is currently safe as other issues prevent a nested p2m ever being shared
between two cpus (although this is contrary to the original plan).
Setting p2m->np2m_base to P2M_BASE_EADDR before the IPI ensures that the IPI'd
processors won't continue to use the flushed mappings.
While modifying this function, remove all the trailing whitespace and tweak
style in the affected areas.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 7 Dec 2016 13:52:02 +0000 (13:52 +0000)]
x86/time: Adjust init-time handling of pit0_ticks
There is no need for the volatile cast in the timer interrupt; the compiler
may not elide the update. This reduces the generated assembly from a read,
local modify, write to a single add instruction.
Drop the memory barriers from timer_irq_works(), as they are not needed.
pit0_ticks is only modified by timer_interrupt() running on the same CPU, so
all that is required is a volatile reference to prevent the compiler from
eliding the second read.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Wed, 8 Feb 2017 13:34:08 +0000 (14:34 +0100)]
libxl: don't segfault when creating domain with invalid pvusb device
Creating a domain with an invalid controller specification for a pvusb
device will currently segfault.
Avoid this by bailing out early in case of a mandatory xenstore path
not existing.
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Mon, 30 Jan 2017 16:43:39 +0000 (16:43 +0000)]
x86/vmx: Drop ept_get_*() helpers
The ept_get_*() helpers are not used consistently, and are more verbose than
the code they wrap. Drop the wrappers and use the internal union names
consistently.
While making these adjustments, drop the redundant ept_* prefix from mt, wl
and ad, and rename the asr field to mfn for consistency with Xen's existing
terminology.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Fatih Acar [Thu, 2 Feb 2017 12:20:49 +0000 (13:20 +0100)]
xl: Make the devid attribute manually settable for nics
This permits to have control over the devid attribute when attaching new nics.
It may become useful if one has its own nic indexing somewhere else than xl/xenstore.
Signed-off-by: Fatih Acar <fatih.acar@gandi.net>
Signed-off-by: Nikita Kozlov <nikita.kozlov@gandi.net>
Signed-off-by: Vincent Legout <vincent.legout@gandi.net>
Signed-off-by: Baptiste Daroussin <baptiste.daroussin@gandi.net>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Wei Liu [Tue, 7 Feb 2017 11:02:40 +0000 (11:02 +0000)]
fuzz/x86emul: remove bogus check against fuzzer msr index
The "reg" variable in fuzz_read_msr stores the real MSR index, not an
index within the fuzzer.
The rest of that function already handles things correctly. We just need
to remove the bogus check.
Spotted by Coverity.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 7 Feb 2017 13:32:40 +0000 (14:32 +0100)]
x86/time: correctly honor late clearing of TSC related feature flags
As such clearing of flags may have an impact on the selected rendezvous
function, defer the establishing of a rendezvous function other than
the initial default one (std) until after all APs have been brought up.
But don't allow such feature flags to be cleared during CPU hotplug:
Platform and local system times may have diverged significantly by
then, potentially causing noticeably (even if only temporary) strange
behavior. As we're anyway expecting only sufficiently similar CPUs to
appear during hotplug, this shouldn't be introducing new limitations.
Reported-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 7 Feb 2017 13:32:05 +0000 (14:32 +0100)]
page_alloc: clear nr_bootmem_regions in end_boot_allocator()
... to make alloc_boot_pages() fail for late callers. Don't rely on
reaching the BOOT_BUG_ON(1) near the end of that function though, but
instead make this situation easier to distinguish from actual
allocation failures by adding an explicit check.
While there, make the iteration variable unsigned and guard against
underflow.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 7 Feb 2017 13:31:36 +0000 (14:31 +0100)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Venu Busireddy [Tue, 7 Feb 2017 13:31:03 +0000 (14:31 +0100)]
VT-d/RMRR: Adjust the return values of register_one_rmrr()
Adjust/manage the return values of register_one_rmrr() such that new
callers log errors for non-debug builds too, while not affecting the
behavior of the original callers.
Signed-off-by: Venu Busireddy <venu.busireddy@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Fri, 3 Feb 2017 20:51:11 +0000 (20:51 +0000)]
xen/common: Replace __FUNCTION__ with __func__
__func__ is standard C99, whereas __FUNCTION__ is a GCCism.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
David Woodhouse [Tue, 7 Feb 2017 13:30:01 +0000 (14:30 +0100)]
x86/ept: allow write-combining on !mfn_valid() MMIO mappings again
For some MMIO regions, such as those high above RAM, mfn_valid() will
return false.
Since the fix for XSA-154 in commit c61a6f74f80e ("x86: enforce
consistent cachability of MMIO mappings"), guests have no longer been
able to use PAT to obtain write-combining on such regions because the
'ignore PAT' bit is set in EPT.
We probably want to err on the side of caution and preserve that
behaviour for addresses in mmio_ro_ranges, but not for normal MMIO
mappings. That necessitates a slight refactoring to check mfn_valid()
later, and let the MMIO case get through to the right code path.
Since we're not bailing out for !mfn_valid() immediately, the range
checks need to be adjusted to cope - simply by masking in the low bits
to account for 'order' instead of adding, to avoid overflow when the mfn
is INVALID_MFN (which happens on unmap, since we carefully call this
function to fill in the EMT even though the PTE won't be valid).
The range checks are also slightly refactored to put only one of them in
the fast path in the common case. If it doesn't overlap, then it
*definitely* isn't contained, so we don't need both checks. And if it
overlaps and is only one page, then it definitely *is* contained.
Finally, add a comment clarifying how that 'return -1' works - it isn't
returning an error and causing the mapping to fail; it relies on
resolve_misconfig() being able to split the mapping later. So it's
*only* sane to do it where order>0 and the 'problem' will be solved by
splitting the large page. Not for blindly returning 'error', which I was
tempted to do in my first attempt.
Signed-off-by: David Woodhouse <dwmw@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
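An added illustration of the range arithmetic described in the x86/ept commit above; it is not Xen's code. `struct range`, `classify()` and the verdict names are hypothetical, and `INVALID_MFN` is assumed to be the all-ones value. It shows why adding `(1 << order) - 1` wraps for `INVALID_MFN` while OR-ing in the low bits does not, and how a single overlap test serves as the fast path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: INVALID_MFN is all ones, so any addition to it wraps around. */
#define INVALID_MFN (~0UL)

/* Hypothetical inclusive frame range, standing in for one protected region. */
struct range { unsigned long s, e; };

enum verdict { NO_OVERLAP, CONTAINED, NEEDS_SPLIT };

/* Last frame by adding: wraps to a small number when mfn is INVALID_MFN. */
static unsigned long last_by_add(unsigned long mfn, unsigned int order)
{
    return mfn + (1UL << order) - 1;
}

/* Last frame by masking in the low bits: cannot overflow. Equal to the
 * addition whenever mfn is aligned to 2^order, as a superpage mapping is. */
static unsigned long last_by_mask(unsigned long mfn, unsigned int order)
{
    return mfn | ((1UL << order) - 1);
}

static bool overlaps(const struct range *r, unsigned long s, unsigned long e)
{
    return s <= r->e && e >= r->s;
}

static bool contains(const struct range *r, unsigned long s, unsigned long e)
{
    return s >= r->s && e <= r->e;
}

/* One check in the common case: no overlap means not contained; an
 * overlapping single page is necessarily contained. Only a partially
 * covered large page (order > 0) is a candidate for splitting. */
static enum verdict classify(const struct range *r, unsigned long mfn,
                             unsigned int order)
{
    unsigned long last = last_by_mask(mfn, order);

    if (!overlaps(r, mfn, last))
        return NO_OVERLAP;
    if (order == 0 || contains(r, mfn, last))
        return CONTAINED;
    return NEEDS_SPLIT;
}

int main(void)
{
    struct range ro = { 0x100, 0x2ff };   /* constructed sample region */

    /* Adding yields an inverted range (end < start) for INVALID_MFN. */
    printf("add:  %#lx..%#lx\n", INVALID_MFN, last_by_add(INVALID_MFN, 9));
    printf("mask: %#lx..%#lx\n", INVALID_MFN, last_by_mask(INVALID_MFN, 9));
    printf("2M page at 0x200:   %d\n", classify(&ro, 0x200, 9));
    printf("4K page at 0x250:   %d\n", classify(&ro, 0x250, 0));
    printf("unmap (INVALID_MFN): %d\n", classify(&ro, INVALID_MFN, 9));
    return 0;
}
```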
Juergen Gross [Fri, 27 Jan 2017 11:47:22 +0000 (12:47 +0100)]
xenstore: remove XS_RESTRICT support
XS_RESTRICT and the xenstore library function xs_restrict() have never
been usable in all configurations and there are no known users.
This functionality was thought to limit access rights of device models
to xenstore in order to avoid affecting other domains in case of a
security breach. Unfortunately XS_RESTRICT won't help as current
qemu is requiring access to dom0 only accessible xenstore paths to
work correctly. So this command is useless and should be removed.
In order to avoid problems in the future remove all support for
XS_RESTRICT from xenstore.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: David Scott <dave@recoil.org>
Andrew Cooper [Mon, 6 Feb 2017 13:54:03 +0000 (13:54 +0000)]
xen/mm: Alter is_iomem_page() to use mfn_t
Switch its return type to bool to match its use, and simplify the ARM
implementation slightly.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Wed, 25 Jan 2017 15:40:44 +0000 (15:40 +0000)]
fuzz: update README.afl example
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Wed, 25 Jan 2017 15:35:54 +0000 (15:35 +0000)]
fuzz/x86emul: print out minimal input size
... so that users can know how big the initial input should be.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Wed, 25 Jan 2017 13:45:39 +0000 (13:45 +0000)]
fuzz/x86emul: update fuzzer
Provide the fuzzer with more ops, and more sophisticated input
structure.
Based on a patch originally written by Andrew and George.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 15:20:08 +0000 (15:20 +0000)]
x86emul: use CR definitions in x86-defns.h
And remove the duplicates.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 15:17:40 +0000 (15:17 +0000)]
x86: add UMIP CR4 bit
It will be used later to remove duplicates in x86emul.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 15:02:40 +0000 (15:02 +0000)]
x86emul: use msr definitions in msr-index.h
Change the names used in code according to numeric values. Remove the
now unused macros in x86_emulate.c and fix indentation. This in turn
requires including msr-index.h and removing duplicates in userspace
x86_emulate.c in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 14:00:46 +0000 (14:00 +0000)]
x86emul: use eflags definitions in x86-defns.h
Basically this patch does 's/EFLG_/X86_EFLAGS_/g' and with indentation
fixed up. And remove the duplicates in x86_emulate.c. This in turn
requires userspace test harness to include x86-defns.h. Also remove a
few duplicates in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 12:55:45 +0000 (12:55 +0000)]
x86emul/test: use x86-vendors.h
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 30 Jan 2017 12:51:08 +0000 (12:51 +0000)]
x86: extract vendor numeric id to x86-vendors.h
They will be shared between xen and userspace programs.
This is not strictly necessary, but it helps reduce overall code size.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Mon, 23 Jan 2017 17:47:41 +0000 (17:47 +0000)]
x86: extract macros to x86-defns.h
... so that they can be used by userspace x86 instruction emulator test
program and fuzzer as well.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Fri, 3 Feb 2017 11:42:48 +0000 (11:42 +0000)]
fuzz/x86emul: use macro to reduce repetition in Makefile
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Wei Liu [Wed, 1 Feb 2017 11:49:41 +0000 (11:49 +0000)]
x86emul/test: add missing dependency for x86_emulate.o
f4497d6b74 added x86_emulate.h private header but didn't add dependency
for it.
Use macro to reduce repetition.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Julien Grall [Thu, 2 Feb 2017 20:42:44 +0000 (20:42 +0000)]
Fix misspelling of length
There are quite a few usages of "lenght" instead of "length" in different
parts of the repo. Correct it once and for all.
Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Dario Faggioli <dario.faggioli@citrix.com>
Wei Liu [Thu, 2 Feb 2017 16:16:53 +0000 (16:16 +0000)]
xl: track size of diskws with a dedicated counter
The num_disks field can change during guest lifetime. Don't use that as
the size of diskws, use a dedicated counter instead.
Also free diskws and reset diskws to NULL after disabling events so that
it will be automatically re-created when the guest reboots.
Reported-by: Fatih Acar <fatih.acar@gandi.net>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Tested-by: Fatih Acar <fatih.acar@gandi.net>
Wei Liu [Thu, 2 Feb 2017 15:30:32 +0000 (15:30 +0000)]
xl: free event in DOMAIN_RESTART_RENAME error path
Otherwise it is leaked. Found by code inspection.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Thu, 2 Feb 2017 14:49:42 +0000 (15:49 +0100)]
compat.h: drop COMPAT_HANDLE_PARAM()
The need for 8844ed299a ("x86/dmop: Fix compat_dm_op() ABI") has made
clear that its presence is actively dangerous. At the hypercall entry
points XEN_GUEST_HANDLE_PARAM() should be used anyway (regardless of
whether these are native or compat entry points), and passing around
handles internally shouldn't use their compat representation either.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Thu, 2 Feb 2017 14:49:28 +0000 (15:49 +0100)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Jan Beulich [Thu, 2 Feb 2017 14:46:17 +0000 (15:46 +0100)]
x86: undo vm_init() movement from 1a6e3220cc
There must not be any alloc_xen_pagetable() calls between
end_boot_allocator() and the setting of SYS_STATE_boot.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Fatih Acar [Mon, 30 Jan 2017 14:33:18 +0000 (15:33 +0100)]
xl: Fix assertion on domain reboot with new configuration
libxl_domain_build_info_dispose is not resetting the type field to LIBXL_DOMAIN_TYPE_INVALID.
Instead, it is memseting the struct to 0 thus when libxl_domain_build_info_init_type is called
after a dispose on the same struct, an assertion is triggered because type != LIBXL_DOMAIN_TYPE_INVALID.
Calling libxl_domain_build_info_init makes sure the type field is correctly initialized.
Signed-off-by: Fatih Acar <fatih.acar@gandi.net>
Signed-off-by: Nikita Kozlov <nikita.kozlov@gandi.net>
Signed-off-by: Vincent Legout <vincent.legout@gandi.net>
Signed-off-by: Baptiste Daroussin <baptiste.daroussin@gandi.net>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Roger Pau Monne [Wed, 1 Feb 2017 17:44:55 +0000 (17:44 +0000)]
libs/gnttab: add FreeBSD handlers for the grant-table user-space device
This patch adds the headers and helpers for the FreeBSD gntdev, used in order
to map grants from remote domains and to allocate grants on behalf of the
current domain.
Current code has been tested with the QEMU/Qdisk backend.
Signed-off-by: Akshay Jaggi <akshay1994.leo@gmail.com>
[ added dummy stub for osdep_gnttab_grant_copy ]
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Move PAGE_* back to {linux,freebsd}.c due to breakage in stubdom build.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Boris Ostrovsky [Thu, 2 Feb 2017 11:51:39 +0000 (12:51 +0100)]
acpi: switch to dynamic mapping at SYS_STATE_boot
We can switch ACPI from using fixmap to dynamic mapping as soon as
the system enters SYS_STATE_boot. This will allow us, for example,
to map MADT on systems with large number of processors where the
table might not fit into NUM_FIXMAP_ACPI_PAGES (currently set to 4).
To avoid having a window between system entering SYS_STATE_boot and
vmap area being initialized move vm_init() a little higher.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Thu, 2 Feb 2017 11:50:35 +0000 (12:50 +0100)]
x86/HVM: make hvm_find_io_handler() static
This reduces the chance of misuse - calling it must in particular
always be accompanied by calling the corresponding ->complete() hook.
Constify its parameter at once.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Jan Beulich [Thu, 2 Feb 2017 11:48:59 +0000 (12:48 +0100)]
x86emul: correct behavior for single iteration REP INS/OUTS
The initial operation done on these paths may raise an exception (for
->read_io() that's possible only on the PV path, when the I/O port
access check has been deferred). We have to suppress put_rep_prefix()
updating rCX in that case. From an abstract perspective this also
applies to RETRY being returned.
Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 31 Jan 2017 19:15:17 +0000 (19:15 +0000)]
x86/dmop: Fix compat_dm_op() ABI
The parameter to compat_dm_op() is a pointer to an array of
compat_dm_op_buf_t's in guest RAM.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Dario Faggioli [Sat, 28 Jan 2017 01:42:22 +0000 (02:42 +0100)]
xen: credit2: non Credit2 pCPUs are ok during shutdown/suspend.
Commit 7478ebe1602e6 ("xen: credit2: fix shutdown/suspend
when playing with cpupools"), while doing the right thing
for actual code, forgot to update the ASSERT()s accordingly,
in csched2_vcpu_migrate().
In fact, as stated there already, during shutdown/suspend,
we must allow a Credit2 vCPU to temporarily migrate to a
non Credit2 BSP, without any ASSERT() triggering.
Move them down, after the check for whether or not we are
shutting down, where the assumption that the pCPU must be
valid Credit2 ones, is valid.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Dario Faggioli [Wed, 18 Jan 2017 11:32:21 +0000 (12:32 +0100)]
xen/tools: tracing: credits can go negative, so use int.
For Credit2, in both the trace records, inside Xen,
and in their parsing, in xenalyze.
In fact, as it is quite a bit better, in order to
understand how much negative credits have gone for
a certain vCPU, to see an actual negative number,
as compared to a wrapped around unsigned!
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Dario Faggioli [Wed, 18 Jan 2017 01:10:14 +0000 (02:10 +0100)]
xen: credit2: improve debug dump output.
Scheduling information debug dump for Credit2 is hard
to read as it contains the same information repeated
multiple times in different ways.
In fact, in Credit2, CPUs are grouped in runqueues. Before
this change, for each CPU, we were printing the whole
content of the runqueue, as shown below:
CPU[00] sibling=000003, core=0000ff
run: [32767.0] flags=0 cpu=0 credit=-1073741824 [w=0] load=0 (~0%)
1: [0.0] flags=0 cpu=2 credit=3860932 [w=256] load=262144 (~100%)
2: [0.1] flags=0 cpu=2 credit=3859906 [w=256] load=262144 (~100%)
CPU[01] sibling=000003, core=0000ff
run: [32767.1] flags=0 cpu=1 credit=-1073741824 [w=0] load=0 (~0%)
1: [0.0] flags=0 cpu=2 credit=2859840 [w=256] load=262144 (~100%)
2: [0.3] flags=0 cpu=2 credit=-17466062 [w=256] load=262144 (~100%)
CPU[02] sibling=00000c, core=0000ff
run: [0.0] flags=2 cpu=2 credit=1858628 [w=256] load=262144 (~100%)
1: [0.3] flags=0 cpu=2 credit=-17466062 [w=256] load=262144 (~100%)
2: [0.1] flags=0 cpu=2 credit=-23957055 [w=256] load=262144 (~100%)
CPU[03] sibling=00000c, core=0000ff
run: [32767.3] flags=0 cpu=3 credit=-1073741824 [w=0] load=0 (~0%)
1: [0.1] flags=0 cpu=2 credit=-3957055 [w=256] load=262144 (~100%)
2: [0.0] flags=0 cpu=2 credit=-6216254 [w=256] load=262144 (~100%)
CPU[04] sibling=000030, core=0000ff
run: [32767.4] flags=0 cpu=4 credit=-1073741824 [w=0] load=0 (~0%)
1: [0.1] flags=0 cpu=2 credit=3782667 [w=256] load=262144 (~100%)
2: [0.3] flags=0 cpu=2 credit=-16287483 [w=256] load=262144 (~100%)
As it can be seen, all the CPUs print the whole content
of the runqueue they belong to, at the time of their
sampling, and this is cumbersome and hard to interpret!
In new output format we print, for each CPU, only the vCPU
that is running there (if that's not the idle vCPU, in which
case, nothing is printed), while the runqueues content
is printed only once, in a dedicated section.
An example:
CPUs info:
CPU[02] runq=0, sibling=00000c, core=0000ff
run: [0.3] flags=2 cpu=2 credit=8054391 [w=256] load=262144 (~100%)
CPU[14] runq=1, sibling=00c000, core=00ff00
run: [0.4] flags=2 cpu=14 credit=8771420 [w=256] load=262144 (~100%)
... ... ... ... ... ... ... ... ...
Runqueue info:
runqueue 0:
0: [0.1] flags=0 cpu=2 credit=7869771 [w=256] load=262144 (~100%)
1: [0.0] flags=0 cpu=2 credit=7709649 [w=256] load=262144 (~100%)
runqueue 1:
0: [0.5] flags=0 cpu=14 credit=-1188 [w=256] load=262144 (~100%)
Note that there still is risk of inconsistency between
what is printed in the 'Runqueue info:' and in 'CPUs info:'
sections. That is unavoidable, as the relevant locks are
released and re-acquired, around each single operation.
At least, the inconsistency is less severe than before.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Wei Liu [Tue, 31 Jan 2017 11:07:58 +0000 (11:07 +0000)]
fuzz: don't buffer stdout in afl stubs
... to avoid obscuring output.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Edgar E. Iglesias [Thu, 26 Jan 2017 13:16:02 +0000 (14:16 +0100)]
xen/arm: acpi: Relax hw domain mapping attributes to p2m_mmio_direct_c
Since the hardware domain is a trusted domain, we extend the
trust to include making final decisions on what attributes to
use when mapping memory regions.
For ACPI configured hardware domains, this patch relaxes the hardware
domains mapping attributes to p2m_mmio_direct_c. This will allow the
hardware domain to control the attributes via its S1 mappings.
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Acked-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Edgar E. Iglesias [Thu, 26 Jan 2017 13:16:01 +0000 (14:16 +0100)]
Revert "xen/arm: Map mmio-sram nodes as un-cached memory"
This reverts commit 1e75ed8b64bc1a9b47e540e6f100f17ec6d97f1b.
The default attribute mapping for MMIO has been relaxed and now relies on
the hardware domain to set the correct memory attribute.
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Edgar E. Iglesias [Thu, 26 Jan 2017 13:16:00 +0000 (14:16 +0100)]
xen/arm: dt: Relax hw domain mapping attributes to p2m_mmio_direct_c
Since the hardware domain is a trusted domain, we extend the
trust to include making final decisions on what attributes to
use when mapping memory regions.
For device-tree configured hardware domains, this patch relaxes
the hardware domains mapping attributes to p2m_mmio_direct_c.
This will allow the hardware domain to control the attributes
via its S1 mappings.
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>