Bob Liu [Thu, 12 Dec 2013 11:05:03 +0000 (19:05 +0800)]
tmem: cleanup: drop useless function 'tmem_copy_page'
Use memcpy directly.
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Thu, 12 Dec 2013 11:05:02 +0000 (19:05 +0800)]
tmem: cleanup: drop some debug code
"SENTINELS" and "DECL_CYC_COUNTER" are hacky code for debugging, there are not
suitable exist in upstream code.
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Thu, 12 Dec 2013 11:05:01 +0000 (19:05 +0800)]
tmem: cleanup: drop unused sub command
TMEM_READ/TMEM_WRITE/TMEM_XCHG/TMEM_NEW_PAGE are never used, drop them to make
things simple and clean.
To be clear - we are a bit lucky here - as none of the other implementors
of the tmem API are using it (Windows GPLPV code, SLES11, Linux upstream).
The spec says that the operations can return an error code (-ENOSYS for
example) so we are OK doing that.
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
David Vrabel [Wed, 8 Jan 2014 07:44:23 +0000 (08:44 +0100)]
evtchn/fifo: don't corrupt queues if an old tail is linked
An event may still be the tail of a queue even if the queue is now
empty (an 'old tail' event). There is logic to handle the case when
this old tail event needs to be added to the now empty queue (by
checking for q->tail == port).
However, this does not cover all cases.
1. An old tail may be re-added simultaneously with another event.
LINKED is set on the old tail, and the other CPU may misinterpret
this as the old tail still being valid and set LINK instead of
HEAD. All events on this queue will then be lost.
2. If the old tail event on queue A is moved to a different queue B
(by changing its VCPU or priority), the event may then be linked
onto queue B. When another event is linked onto queue A it will
check the old tail, see that it is linked (but on queue B) and
overwrite the LINK field, corrupting both queues.
When an event is linked, save the vcpu id and priority of the queue it
is being linked onto. Use this when linking an event to check if it
is an unlinked old tail event. If it is an old tail event, the old
queue is empty and old_q->tail is invalidated to ensure adding another
event to old_q will update HEAD. The tail is invalidated by setting
it to 0 since the event 0 is never linked.
The old_q->lock is held while setting LINKED to avoid the race with
the test of LINKED in evtchn_fifo_set_link().
Since an event channel may move queues after old_q->lock is acquired,
we must check that we have the correct lock and retry if not. Since
changing VCPUs or priority is expected to be rare events that are
serialized in the guest, we try at most 3 times before dropping the
event. This prevents a malicious guest from repeatedly adjusting
priority to prevent another domain from acquiring old_q->lock.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
David Vrabel [Wed, 8 Jan 2014 07:43:36 +0000 (08:43 +0100)]
evtchn/fifo: initialize priority when events are bound
Event channel ports that are reused or that were not in the initial
bucket would have a non-default priority.
Add an init evtchn_port_op hook and use this to set the priority when
an event channel is bound.
Within this new evtchn_fifo_init() call, also check if the event is
already on a queue and print a warning, as this event may have its
first event delivered on a queue with the wrong VCPU or priority.
This guest is expected to prevent this (if it cares) by not unbinding
events that are still linked.
Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Tue, 7 Jan 2014 15:01:14 +0000 (16:01 +0100)]
IOMMU: make page table deallocation preemptible
This too can take an arbitrary amount of time.
In fact, the bulk of the work is being moved to a tasklet, as handling
the necessary preemption logic in line seems close to impossible given
that the teardown may also be invoked on error paths.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
Ian Campbell [Tue, 7 Jan 2014 14:32:45 +0000 (14:32 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Fri, 20 Dec 2013 15:08:08 +0000 (15:08 +0000)]
xen: arm: context switch the aux memory attribute registers
We appear to have somehow missed these. Linux doesn't actually use them and
none of the processors I've looked at actually define any bits in them (so
they are UNK/SBZP) but it is good form to context switch them anyway.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Suravee Suthikulpanit [Tue, 7 Jan 2014 14:09:42 +0000 (15:09 +0100)]
AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Certain AMD systems could have up to 0x10000 ivrs_bdf_entries.
However, the loop variable (bdf) is declared as u16 which causes
an infinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
This patch changes the variable to u32 instead.
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
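
The wrap-around described in the AMD/IOMMU commit message above, as an added illustration that is not code from the Xen tree: the function names and the iteration cap are assumptions, and only the 0x10000 entry count and the u16/u32 counter widths come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* From the commit message: the table may hold up to 0x10000 entries. */
#define MAX_ENTRIES   0x10000u
/* Assumed safety cap so the non-terminating loop can be observed and stopped. */
#define ITERATION_CAP 1000000L

/*
 * Walk device ids 0..entries-1 with a 16-bit counter.
 * Returns the number of iterations, or -1 if the cap was hit
 * (i.e. the loop would not have terminated on its own).
 */
static long walk_u16(uint32_t entries)
{
    long iterations = 0;
    uint16_t bdf;

    /* bdf can only hold 0..0xffff: after 0xffff it wraps to 0, so
     * "bdf < 0x10000" stays true forever. */
    for (bdf = 0; bdf < entries; bdf++) {
        if (++iterations > ITERATION_CAP)
            return -1;
    }
    return iterations;
}

/* Same walk with a 32-bit counter, the width the patch switches to. */
static long walk_u32(uint32_t entries)
{
    long iterations = 0;
    uint32_t bdf;

    for (bdf = 0; bdf < entries; bdf++) {
        if (++iterations > ITERATION_CAP)
            return -1;
    }
    return iterations;
}

int main(void)
{
    printf("u16, 0xffff entries : %ld\n", walk_u16(0xffffu));
    printf("u16, 0x10000 entries: %ld (-1 = never terminates)\n",
           walk_u16(MAX_ENTRIES));
    printf("u32, 0x10000 entries: %ld\n", walk_u32(MAX_ENTRIES));
    return 0;
}
```
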
Andrew Cooper [Tue, 7 Jan 2014 13:59:31 +0000 (14:59 +0100)]
VTD/DMAR: free() correct pointer on error from acpi_parse_one_atsr()
Free the allocated structure rather than the ACPI table ATS entry.
On further analysis, there is another memory leak. acpi_parse_dev_scope()
could allocate scope->devices, and return with -ENOMEM. All callers of
acpi_parse_dev_scope() would then free the underlying structure, losing the
pointer.
These errors can only actually be reached through acpi_parse_dev_scope()
(which passes type = DMAR_TYPE), but I am quite surprised Coverity didn't spot
it.
Coverity-ID: 1146949
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 7 Jan 2014 13:58:35 +0000 (14:58 +0100)]
AMD/microcode: avoid use-after-free for the microcode buffer
It is possible to free the mc_old buffer and then store it for use in the case
of resume.
This keeps the old semantics of being able to return an error even after a
successful microcode application.
Coverity-ID 1146953
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Andrew Cooper [Tue, 7 Jan 2014 13:57:15 +0000 (14:57 +0100)]
AMD/iommu_detect: don't leak iommu structure on error paths
Tweak the logic slightly to return the real errors from
get_iommu_{,msi_}capabilities(), which at the moment is no functional change.
Coverity-ID: 1146950
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Ian Campbell [Tue, 7 Jan 2014 13:50:35 +0000 (13:50 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Julien Grall [Tue, 24 Dec 2013 11:28:47 +0000 (11:28 +0000)]
xen: driver/char: fix const declaration of DT compatible list
The data type for DT compatible list should be:
const char * const[] __initconst
Fix every serial driver which supports device tree.
Spotted-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Tsahee Zidenberg [Sun, 22 Dec 2013 10:59:57 +0000 (12:59 +0200)]
ns16550: support ns16550a
Ns16550a devices are Ns16550 devices with additional capabilities.
Declare XEN is compatible with this device, to be able to use unmodified
devicetrees.
Signed-off-by: Tsahee Zidenberg <tsahee@gmx.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Tsahee Zidenberg [Sun, 22 Dec 2013 11:01:31 +0000 (13:01 +0200)]
xen/dts: specific bad cell count error
Specify in the error message if bad cell count is in device or parent.
Signed-off-by: Tsahee Zidenberg <tsahee@gmx.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Ian Jackson [Tue, 17 Dec 2013 18:35:18 +0000 (18:35 +0000)]
libxc: Document xenctrl.h event channel calls
Provide semantic documentation for how the libxc calls relate to the
hypervisor interface, and how they are to be used.
Also document the bug (present at least in Linux 3.12) that setting
the evtchn fd to nonblocking doesn't in fact make xc_evtchn_pending
nonblocking, and describe the appropriate workaround.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Ian Jackson [Tue, 17 Dec 2013 18:35:17 +0000 (18:35 +0000)]
docs: Document event-channel-based suspend protocol
Document the event channel protocol in xenstore-paths.markdown, in the
section for ~/device/suspend/event-channel.
Protocol reverse-engineered from commentary and commit messages of
4539594d46f9 Add facility to get notification of domain suspend ...
17636f47a474 Teach xc_save to use event-channel-based ...
and implementations in
xc_save (current version)
libxl (current version)
linux-2.6.18-xen (mercurial 1241:2993033a77ca)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Shriram Rajagopalan <rshriram@cs.ubc.ca>
Ian Jackson [Tue, 17 Dec 2013 18:35:16 +0000 (18:35 +0000)]
xen: Document that EVTCHNOP_bind_interdomain signals
EVTCHNOP_bind_interdomain signals the event channel. Document this.
Also explain the usual use pattern.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
Ian Jackson [Tue, 17 Dec 2013 18:35:15 +0000 (18:35 +0000)]
xen: Document XEN_DOMCTL_subscribe
Arguably this domctl is misnamed. But, for now, document its actual
behaviour (reverse-engineered from the code and found in the commit
message for 4539594d46f9) under its actual name.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: Shriram Rajagopalan <rshriram@cs.ubc.ca>
CC: Jan Beulich <JBeulich@suse.com>
Julien Grall [Tue, 17 Dec 2013 14:28:19 +0000 (14:28 +0000)]
xen/arm: Allow ballooning working with 1:1 memory mapping
With the lack of iommu, dom0 must have a 1:1 memory mapping for all
these guest physical addresses. When the balloon decides to give back a
page to the kernel, this page must have the same address as previously.
Otherwise, we will lose the 1:1 mapping and will break DMA-capable
devices.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Yang Zhang [Tue, 7 Jan 2014 13:30:47 +0000 (14:30 +0100)]
VMX: Eliminate cr3 save/loading exiting when UG enabled
With the feature of unrestricted guest, there should be no vmexit
triggered when the guest accesses the cr3 in non-paging mode. This
patch will clear the cr3 save/loading bit in the vmcs control field to
eliminate cr3 access vmexit on UG available hardware.
The previous patch (commit c9efe34c119418a5ac776e5d91aeefcce4576518)
did the same thing as this one. But it will cause the guest to fail
to boot up on non-UG hardware, which is reported by Jan, and it has been
reverted (commit 1e2bf05ec37cf04b0e01585eae524509179f165e).
This patch incorporates the fix and guests are working well on both
UG and non-UG platforms with this patch.
Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Yang Zhang [Tue, 7 Jan 2014 13:30:21 +0000 (14:30 +0100)]
VMX,apicv: Set "NMI-window exiting" for NMI
Enable NMI-window exiting if interrupt is blocked by NMI under apicv enabled
platform.
Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Jan Beulich [Tue, 7 Jan 2014 13:21:48 +0000 (14:21 +0100)]
IOMMU: make page table population preemptible
Since this can take an arbitrary amount of time, the rooting domctl as
well as all involved code must become aware of this requiring a
continuation.
The subject domain's rel_mem_list is being (ab)used for this, in a way
similar to and compatible with broken page offlining.
Further, operations get slightly re-ordered in assign_device(): IOMMU
page tables now get set up _before_ the first device gets assigned, at
once closing a small timing window in which the guest may already see
the device but wouldn't be able to access it.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
Jan Beulich [Fri, 20 Dec 2013 11:02:06 +0000 (12:02 +0100)]
fix XENMEM_add_to_physmap_range preemption handling
Just like for all other hypercalls we shouldn't be modifying the input
structure - all of the fields are, even if not explicitly documented,
just inputs (the one OUT one really refers to the memory pointed to by
that handle rather than the handle itself).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Fri, 20 Dec 2013 11:01:44 +0000 (12:01 +0100)]
move XENMEM_add_to_physmap_range handling framework to common code
There's really nothing really architecture specific here; the
architecture specific handling is limited to
xenmem_add_to_physmap_one().
This further eliminates the erroneous bailing from
xenmem_add_to_physmap_range() if xenmem_add_to_physmap_one() fails.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Fri, 20 Dec 2013 11:01:09 +0000 (12:01 +0100)]
fix XENMEM_add_to_physmap preemption handling
Just like for all other hypercalls we shouldn't be modifying the input
structure - all of the fields are, even if not explicitly documented,
just inputs.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Fri, 20 Dec 2013 11:00:15 +0000 (12:00 +0100)]
move XENMEM_add_to_physmap handling framework to common code
There's really nothing really architecture specific here; the
architecture specific handling is limited to
xenmem_add_to_physmap_one().
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Yang Zhang [Fri, 20 Dec 2013 10:57:14 +0000 (11:57 +0100)]
Nested VMX: Setup the virtual NMI exiting info
When injecting a virtual nmi exit to L1, the hypervisor needs to set the
virtual vmcs with the right value, which is missing in current Xen.
Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Ian Campbell [Fri, 20 Dec 2013 09:53:14 +0000 (09:53 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Julien Grall [Fri, 20 Dec 2013 01:41:20 +0000 (01:41 +0000)]
xen/arm: p2m: Don't create new table when the mapping is removed
When Xen is removing/relinquishing mapping, it will create second/third tables
if they don't exist.
Non-existent table means the address range was never mapped, so Xen can safely
skip them.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Matthew Daley [Sat, 30 Nov 2013 00:20:04 +0000 (13:20 +1300)]
xenstore: sanity check incoming message body lengths
This is for the client-side receiving messages from xenstored, so there
is no security impact, unlike XSA-72.
Coverity-ID: 1055449
Coverity-ID: 1056028
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Julien Grall [Thu, 19 Dec 2013 16:45:03 +0000 (16:45 +0000)]
tools/libx: xl uptime doesn't require argument
The current behavior is:
42sh> xl uptime
'xl uptime' requires at least 1 argument.
Usage: xl [-v] uptime [-s] [Domain]
The normal behavior should list uptime for each domain when there are no
parameters.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Thu, 19 Dec 2013 16:34:56 +0000 (16:34 +0000)]
Merge branch 'master' into staging
Ian Jackson [Thu, 19 Dec 2013 16:28:29 +0000 (16:28 +0000)]
Update QEMU_UPSTREAM_REVISION
Switch to specific tag, for 4.4.0 RC1 release.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Thu, 19 Dec 2013 15:33:17 +0000 (15:33 +0000)]
QEMU_TAG update
Ian Campbell [Thu, 19 Dec 2013 10:08:39 +0000 (10:08 +0000)]
xen: arm: further clarify the requirement for cached mappings
We need to include all shared memory, including grant table mappings etc
in this statement.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Julien Grall [Wed, 18 Dec 2013 16:54:08 +0000 (16:54 +0000)]
xen/arm: p2m: Fix hypercall preemption when domain is relinquish memory mapping
The commit 84f29a9 "xen/arm: Add relinquish_p2m_mapping to remove reference on
every mapped page" doesn't save correctly the next gfn when the hypercall
is preempted.
Instead of storing the next gfn, it stores the next mfn. Fix it by using
'addr' instead of 'maddr'.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Wed, 18 Dec 2013 14:37:01 +0000 (14:37 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Julien Grall [Tue, 17 Dec 2013 16:27:58 +0000 (16:27 +0000)]
xen/arm: grant-table: Support read-only mapping
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:57 +0000 (16:27 +0000)]
xen/arm: Set foreign page type to p2m_map_foreign
Xen needs to know that the current page belongs to another domain. Also take
a reference to this page.
The current process to add a foreign page is:
1) get the page from the foreign p2m
2) take a reference on the page with the foreign domain in parameters
3) add the page to the current domain p2m
If the foreign domain drops the page:
- before 2), get_page will return NULL because the page doesn't
belong anymore to the domain
- after 2), the current domain already has a reference. Write will
occur to an old page which is not yet released. It can corrupt the foreign
domain.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:56 +0000 (16:27 +0000)]
xen/arm: Add relinquish_p2m_mapping to remove reference on every mapped page
This function will be called when the domain relinquishes its memory.
It removes refcount on every mapped page to a valid MFN.
Currently, Xen doesn't take reference on every new mapping but only for foreign
mapping. Restrict the function only on foreign mapping.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:55 +0000 (16:27 +0000)]
xen/arm: Handle remove foreign mapping
Modify get_page_from_gfn to take reference on foreign mapping. This will avoid
specific handling in the common code.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:54 +0000 (16:27 +0000)]
xen/arm: Retrieve p2m type in get_page_from_gfn
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:53 +0000 (16:27 +0000)]
xen/arm: p2m: Extend p2m_lookup parameters to retrieve the p2m type
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:52 +0000 (16:27 +0000)]
xen/arm: Store p2m type in each page of the guest
Use the field 'avail' to store the type of the page. Rename it to 'type' for
convenience.
The information stored in this field will be retrieved in a future patch to
change the behaviour when the page is removed.
Also introduce guest_physmap_add_entry to map and set a specific p2m type for
a page.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:51 +0000 (16:27 +0000)]
xen/arm: Implement p2m_type_t as an enum
Until now, Xen doesn't know the type of the page (ram, foreign page, mmio,...).
Introduce p2m_type_t with basic types:
- p2m_invalid: Nothing is mapped here
- p2m_ram_rw: Normal read/write guest RAM
- p2m_ram_ro: Read-only guest RAM
- p2m_mmio_direct: Read/write mapping of device memory
- p2m_map_foreign: RAM page from foreign guest
- p2m_grant_map_rw: Read/write grant mapping
- p2m_grant_map_ro: Read-only grant mapping
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:50 +0000 (16:27 +0000)]
xen/arm: move mfn_to_p2m_entry in arch/arm/p2m.c
The function mfn_to_p2m_entry will be extended in a following patch to handle
p2m_type_t. It will break compilation because p2m_type_t is not defined
(interdependence between includes).
It's easier to move the function in arch/arm/p2m.c and it's not harmful as the
function is only used in this file.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Tue, 17 Dec 2013 16:27:49 +0000 (16:27 +0000)]
xen/arm: Introduce steps in domain_relinquish_resource
In a later patch, a new step will be added. It will avoid checking every step
when the function was preempted.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Tim Deegan [Wed, 18 Dec 2013 14:01:56 +0000 (14:01 +0000)]
x86/efi: update .gitignore/.hgignore
Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
Ian Campbell [Wed, 18 Dec 2013 13:39:14 +0000 (13:39 +0000)]
xen: arm: process XENMEM_add_to_physmap_range forwards not backwards.
Jan points out that processing the list backwards is rather counter intuitive
and that the effect of the hypercall can differ between forwards and backwards
processing (e.g. in the presence of duplicate idx or gpfn, which would be
unusual but as Jan says, users are a creative bunch)
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cc: Mukesh Rathor <mukesh.rathor@oracle.com>
Ian Campbell [Wed, 18 Dec 2013 11:54:46 +0000 (11:54 +0000)]
xen: arm: clarify cacheability requirements of hypercall arguments.
Accepting hypercall arguments which are either consistently in cached or
uncached is tricky and/or potentially slow, requiring a guest mapping lookup
to determine whether/when to do a cache clean or invalidate.
There are very few reasons, and no current use cases in practice, for a guest
to use uncached memory for their hypercall arguments. Therefore mandate that
all hypercall arguments must be mapped inner-cacheable.
Do not place any restriction on the outer-cacheability or on the cache
fill/flush strategy used.
If use cases arise then we can consider specific exemptions to this rule.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Ian Jackson [Tue, 26 Nov 2013 12:08:09 +0000 (12:08 +0000)]
libxl: Fix error handling in libxl__device_nic_from_xs_be
Previously, this function would leak the temporary return from xs_read for
handle and mac address. Fix both of these and the rest of the error handling.
This requires changing its return type and fixing the callers.
Introduce here a READ_BACKEND macro to make the code less repetitive.
Coverity ID: 1055886
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- spell out what the leaks were in the commit message ]
Andrew Cooper [Wed, 11 Dec 2013 15:47:42 +0000 (15:47 +0000)]
tools/libxc: Fix error checking for xc_get_{cpu, node}map_size() callers
c/s 2e82c18cd850592ae9a1f682eb93965a868b5f2f changed the error returns of
xc_get_{cpu,node}map_size() to now include returning -1. This invalidated the
error checks from callers, which expected 0 to be the only error case.
Coverity ID: 1135907 1135908 1135909 1135910 1135911 1135912 1135913 1135914
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
Andrew Cooper [Tue, 10 Dec 2013 15:45:17 +0000 (15:45 +0000)]
xl: Fix CHK_ERRNO()
The macro CHK_ERRNO() was being used to check two different error schemes, and
succeeded at neither.
Split the macro into two; CHK_SYSCALL() for calls which return -1 and set
errno on error, and CHK_ERRNOVAL() for calls which return an errno.
In both cases, ensure that strerror() now gets called with the error integer.
Coverity ID: 1055570 1090374 1130516
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Jan Beulich [Tue, 17 Dec 2013 15:39:39 +0000 (16:39 +0100)]
x86/memshr: fix preemption in relinquish_shared_pages()
For one, should hypercall_preempt_check() return false the first time
it gets called, it would never have got called again (because count,
being checked for equality, didn't get reset to zero).
And then, if there were a huge range of unshared pages, with count not
getting incremented at all in that case there would also not be any
preemption.
Fix this by using a biased increment (ratio 1:16 for unshared vs shared
pages), and flushing the count to zero in case of a "false" return from
hypercall_preempt_check().
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
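
A model of the two defects described in the x86/memshr commit message above and of the biased-count fix, added here as an illustration and not taken from the Xen source. The batch sizes, the preempt_pending() stand-in for hypercall_preempt_check() and all function names are assumptions; only the 1:16 ratio and the reset-on-false behaviour come from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define OLD_BATCH      512     /* assumed: shared pages before the check */
#define NEW_THRESHOLD  0x2000  /* assumed: weighted count before the check */
#define SHARED_WEIGHT  16      /* from the message: 1:16 unshared vs shared */
#define MAX_PAGES      32768   /* size of the constructed page list */

struct run {
    size_t stopped_at;  /* page index where the loop yielded, or n if never */
    unsigned checks;    /* how often the preemption check was consulted */
};

/* Stand-in for hypercall_preempt_check(): work is pending from page `from`. */
static bool preempt_pending(size_t page, size_t from)
{
    return page >= from;
}

/* Loop shape before the fix, as the message describes it. */
static struct run relinquish_old(const bool *shared, size_t n, size_t from)
{
    struct run r = { n, 0 };
    unsigned long count = 0;

    for (size_t i = 0; i < n; i++) {
        if (shared[i])
            count++;               /* unshared pages never advance count */
        if (count == OLD_BATCH) {  /* equality test, count is never reset */
            r.checks++;
            if (preempt_pending(i, from)) {
                r.stopped_at = i;
                break;
            }
        }
    }
    return r;
}

/* Loop shape after the fix: biased increment, reset after a "false" check. */
static struct run relinquish_fixed(const bool *shared, size_t n, size_t from)
{
    struct run r = { n, 0 };
    unsigned long count = 0;

    for (size_t i = 0; i < n; i++) {
        count += shared[i] ? SHARED_WEIGHT : 1;
        if (count >= NEW_THRESHOLD) {
            r.checks++;
            if (preempt_pending(i, from)) {
                r.stopped_at = i;
                break;
            }
            count = 0;             /* start a fresh batch */
        }
    }
    return r;
}

/* Build a constructed page list (all shared or all unshared) and run it. */
static struct run run_model(bool fixed, bool all_shared, size_t n, size_t from)
{
    static bool pages[MAX_PAGES];

    if (n > MAX_PAGES)
        n = MAX_PAGES;
    for (size_t i = 0; i < n; i++)
        pages[i] = all_shared;
    return fixed ? relinquish_fixed(pages, n, from)
                 : relinquish_old(pages, n, from);
}

int main(void)
{
    struct run a = run_model(false, true, 4096, 1000);
    struct run b = run_model(true, true, 4096, 1000);
    struct run c = run_model(false, false, 20000, 0);
    struct run d = run_model(true, false, 20000, 0);

    printf("old,   shared:   stopped_at=%zu checks=%u\n", a.stopped_at, a.checks);
    printf("fixed, shared:   stopped_at=%zu checks=%u\n", b.stopped_at, b.checks);
    printf("old,   unshared: stopped_at=%zu checks=%u\n", c.stopped_at, c.checks);
    printf("fixed, unshared: stopped_at=%zu checks=%u\n", d.stopped_at, d.checks);
    return 0;
}
```
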
Andrew Cooper [Tue, 17 Dec 2013 15:38:07 +0000 (16:38 +0100)]
x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
Coverity ID: 1135374 1135375 1135376 1135377
If {copy_to,clear}_guest_offset() fails, we would leak the domain mappings for
l4 thru l1.
Fixing this requires having conditional unmaps on the faulting path, which in
turn requires explicitly initialising the pointers to NULL because of the
early ENOMEM exit.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Joe Jin [Tue, 10 Dec 2013 09:04:47 +0000 (17:04 +0800)]
Xend: handle died domain in getVCPUInfo()
When creating a new guest on a NUMA server, xend tries to get the best node
by calculating all vcpus info; if the domain has already been terminated then
getVCPUInfo() will throw the exception below and the guest start fails:
[2013-09-04 20:01:26 6254] ERROR (XendDomainInfo:496) VM start failed
Traceback (most recent call last):
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 482, in start
XendTask.log_progress(31, 60, self._initDomain)
File "/usr/lib64/python2.4/site-packages/xen/xend/XendTask.py", line 209, in log_progress
retval = func(*args, **kwds)
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2918, in _initDomain
node = self._setCPUAffinity()
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2835, in _setCPUAffinity
best_node = find_relaxed_node(candidate_node_list)[0]
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 2803, in find_relaxed_node
cpuinfo = dom.getVCPUInfo()
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomainInfo.py", line 1600, in getVCPUInfo
raise XendError(str(exn))
XendError: (3, 'No such process')
This patch will check the return value of xc.vcpu_getinfo() and make sure the
error is not caused by the domain having died before throwing the exception.
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Acked-by: Matt Wilson <msw@amazon.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Roger Pau Monne <roger.pau@citrix.com>
Stefano Stabellini [Thu, 12 Dec 2013 18:59:07 +0000 (18:59 +0000)]
xen/arm: disable a physical IRQ when the guest disables the corresponding IRQ
In vgic_disable_irqs remove irqs from the lr_pending queue so that they
won't get automatically injected in the guest on maintenance interrupts.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Julien Grall [Thu, 12 Dec 2013 18:59:06 +0000 (18:59 +0000)]
xen/arm: Only enable physical IRQs when the guest asks
Set/Unset IRQ_DISABLED from gic_irq_enable and gic_irq_disable.
Enable IRQs when the guest requests it, not unconditionally at boot time.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Stefano Stabellini [Thu, 12 Dec 2013 18:59:05 +0000 (18:59 +0000)]
xen/arm: implement gic_irq_enable and gic_irq_disable
Rename gic_irq_startup to gic_irq_enable.
Rename gic_irq_shutdown to gic_irq_disable.
Implement gic_irq_startup and gic_irq_shutdown calling gic_irq_enable
and gic_irq_disable.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Stefano Stabellini [Thu, 12 Dec 2013 18:59:04 +0000 (18:59 +0000)]
xen/arm: do not add a second irq to the LRs if one is already present
When the guest re-enables IRQs, do not add guest IRQs to LRs twice.
Suggested-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Stefano Stabellini [Thu, 12 Dec 2013 18:59:03 +0000 (18:59 +0000)]
xen/arm: track the state of guest IRQs
Introduce a status field in struct pending_irq. Valid states are
GUEST_PENDING, GUEST_VISIBLE and GUEST_ENABLED and they are not mutually
exclusive. See the in-code comment for an explanation of the states and
how they are used.
Use atomic operations to set and clear the status bits. Note that
setting GIC_IRQ_GUEST_VISIBLE and clearing GIC_IRQ_GUEST_PENDING can be
done in two separate operations as the underlying pending status is
actually only cleared on the LR after the guest ACKs the interrupts.
Until that happens it's not possible to receive another interrupt.
The main effect of this patch is that an IRQ can be set to GUEST_PENDING
while it is being serviced by the guest. In maintenance_interrupt we
check whether GUEST_PENDING is set and if it is we add the irq back into
the lr_pending queue so that it's going to be reinjected one more time,
if the interrupt is still enabled at the vgicd level.
If it is not, it is going to be injected as soon as the guest re-enables
the interrupt.
One exception is evtchn_irq: in that case we don't want to
set the GIC_IRQ_GUEST_PENDING bit if it is already GUEST_VISIBLE,
because as part of the event handling loop, the guest would realize that
new events are present even without a new notification.
Also we already have a way to figure out exactly when we do need to
inject a second notification if vgic_vcpu_inject_irq is called after the
end of the guest event handling loop and before the guest EOIs the
interrupt (see db453468d92369e7182663fb13e14d83ec4ce456 "arm: vgic: fix
race between evtchn upcall and evtchnop_send").
Don't call gic_inject_irq_stop from maintenance_interrupt because
gic_inject (called by leave_hypervisor_tail) is going to call
gic_inject_irq_start/stop appropriately later anyway.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Thu, 12 Dec 2013 18:59:02 +0000 (18:59 +0000)]
xen/arm: Physical IRQ is not always equal to virtual IRQ
When Xen needs to EOI a physical IRQ, we should use the IRQ number
in irq_desc instead of the virtual IRQ.
Remove the eoi flag in maintenance_interrupt and replace the check with
a check on p->desc != NULL.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Fri, 13 Dec 2013 08:21:51 +0000 (08:21 +0000)]
tools: libxc: flush data cache after loading images into guest memory
On ARM guest OSes are started with MMU and Caches disabled (as they are on
native) however caching is enabled in the domain running the builder and
therefore we must flush the cache as we load the blobs, otherwise when the
guest starts running it may not see them. The dom0 build in the hypervisor has
the same requirements and already does the right thing.
The mechanism for performing a cache flush from userspace is OS specific, so
implement this as a new osdep hook:
- On 32-bit ARM, Linux provides a system call to flush the cache.
- On 64-bit ARM Linux the processor is configured to allow cache flushes
directly from userspace.
- Non-Linux platforms will need to provide their own implementation. If
similar mechanisms are not available then a new privcmd ioctl should be a
suitable alternative.
No cache maintenance is required on x86, so provide a stub for all non-Linux
platforms which returns success on x86 only and logs an error otherwise.
This fixes guest building on Xgene which has a very large L3 cache and so is
particularly susceptible to this problem. It has also been observed
sporadically on midway.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Andre Przywara <andre.przywara@calxeda.com>
Cc: Pranavkumar Sawargaonkar <psawargaonkar@apm.com>
Cc: Anup Patel <apatel@apm.com>
Matthew Daley [Sat, 14 Dec 2013 01:15:21 +0000 (14:15 +1300)]
xl: check for libxl_list_vm failure in print_uptime
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Matthew Daley [Sat, 14 Dec 2013 01:04:47 +0000 (14:04 +1300)]
xenconsole: adjust pty opening error checking and handling
Currently we check the pty path received from xenstore with access(); if
it indicates that the pty is not accessible, we loop around and wait for
a new path to appear in xenstore.
This has several issues:
* If a path has been written to xenstore, it can be assumed that that
pty should already be accessible to xenconsole, and hence any error
that occurs while trying to open it should be fatal and not ignored
* If access() indicates no access to the pty, the memory allocated for
the path is leaked when going around the loop again
* The accessibility of the pty could change between the access() and
open() calls, leading to a TOCTOU race (this is what Coverity is
complaining about).
By removing the explicit access() check and just erroring out whenever
open() fails, we fix all these issues.
Coverity-ID: 1056047
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
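The check-then-open problem described in the xenconsole commit above, as an added C example that is not the xenconsole code. The function names, the `between` hook (standing in for a concurrent change to the node) and the temp-file path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hook standing in for "anything that happens between the
 * two syscalls" (another process replacing or removing the node). */
typedef void (*between_fn)(const char *path);

/* Check-then-use: access() answers for one instant, open() runs at another.
 * Returns fd, -errno from open(), or -EAGAIN when the caller would retry. */
int open_checked(const char *path, between_fn between)
{
    if (access(path, R_OK | W_OK) != 0)
        return -EAGAIN;            /* caller loops; path buffer must be freed */
    if (between)
        between(path);             /* the race window */
    int fd = open(path, O_RDWR | O_NOCTTY);
    return fd < 0 ? -errno : fd;
}

/* Single step: open() is the only check, its errno is the verdict, and the
 * owned path string is released on every return path. */
int open_direct(char *owned_path)
{
    int fd = open(owned_path, O_RDWR | O_NOCTTY);
    int err = errno;               /* only meaningful when fd < 0 */
    free(owned_path);
    return fd < 0 ? -err : fd;
}

static void remove_node(const char *path) { unlink(path); }

/* Constructed scenario: a temp file plays the pty. Returns the result of the
 * checked open when the node vanishes inside the window. */
int demo_stale_check(void)
{
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    int tfd = mkstemp(tmpl);
    if (tfd < 0)
        return -errno;
    close(tfd);
    return open_checked(tmpl, remove_node);  /* access() passed, open() fails */
}

int main(void)
{
    printf("checked open after removal: %d\n", demo_stale_check());
    printf("direct open of missing path: %d\n",
           open_direct(strdup("/nonexistent-constructed/pty")));
    return 0;
}
```

In `demo_stale_check` the `access()` call succeeds and the following `open()` still fails, so the earlier answer carried no guarantee; `open_direct` has no such window and no retry path on which the path string could be leaked.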
Roger Pau Monné [Mon, 16 Dec 2013 09:52:43 +0000 (10:52 +0100)]
x86/pvh: disable MTRR feature on cpuid for Dom0
MTRR is not available for PVH Dom0, so prevent cpuid from
reporting it as an available feature.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
David Vrabel [Mon, 16 Dec 2013 09:51:24 +0000 (10:51 +0100)]
evtchn/fifo: map correct pages when guest is HVM
If a HVM guest attempts to use the FIFO-based ABI it will not receive
any events and destroying the guest may crash Xen or trigger an assert
when attempting to unmap a control block page. This occurs because
Xen maps the wrong page for both the control blocks and the event
arrays.
In map_guest_page(), use the MFN of the guest's page and not the GFN
when calling map_domain_page_global().
Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Andrew Cooper [Mon, 25 Nov 2013 14:38:41 +0000 (14:38 +0000)]
tools/xenstored: Avoid buffer overflows while setting up sockets
Coverity ID: 1055996 1056002
Cache the xs_daemon_socket{,_ro}() strings to save pointlessly
re-snprintf()'ing the same path, and add explicit size checks against
addr.sun_path before strcpy()'ing into it.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
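A size check against `sun_path` of the kind the xenstored commit above describes, as an added C example that is not the xenstored code. The function names and the constructed test paths are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Unchecked form, kept as a comment only:
 *     strcpy(addr.sun_path, path);   // overruns sun_path for a long path
 */

/* Build an AF_UNIX address from path. The length is checked against the
 * destination array itself, and ">=" leaves room for the terminating NUL.
 * Returns 0, or -ENAMETOOLONG without touching *addr. */
int unix_addr_from_path(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);

    if (len >= sizeof(addr->sun_path))
        return -ENAMETOOLONG;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1);   /* copies the NUL as well */
    return 0;
}

/* Constructed input: a path of exactly n characters ('/' then 'a's). */
int try_path_of_length(size_t n)
{
    char path[256];
    struct sockaddr_un addr;

    if (n == 0 || n >= sizeof(path))
        return -EINVAL;
    memset(path, 'a', n);
    path[0] = '/';
    path[n] = '\0';
    return unix_addr_from_path(&addr, path);
}

int main(void)
{
    size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);

    /* Longest path that fits, then one character too many. */
    printf("len %zu -> %d\n", cap - 1, try_path_of_length(cap - 1));
    printf("len %zu -> %d\n", cap, try_path_of_length(cap));
    return 0;
}
```

The boundary is the point of the check: a path of `sizeof(sun_path) - 1` characters is the longest that fits with its terminator, and one more character is rejected before any copy happens.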
Matthew Daley [Sun, 1 Dec 2013 10:14:55 +0000 (23:14 +1300)]
libxl: fix unsigned less-than-0 comparison in e820_sanitize
Both src[i].size and delta are unsigned, so checking their difference
for being less than 0 doesn't work.
Coverity-ID: 1055615
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Matthew Daley [Mon, 2 Dec 2013 12:11:43 +0000 (01:11 +1300)]
libxl: check for xc_domain_setmaxmem failure in libxl__build_pre
Coverity-ID: 1087115
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
Matthew Daley [Tue, 3 Dec 2013 01:29:04 +0000 (14:29 +1300)]
libxl: don't leak ptr in libxl_list_vm error case
While at it, tidy up the function; there's no point in allocating more
than the amount of domains actually returned by xc_domain_getinfolist
(barring the caveat described in the newly-added comment)
Coverity-ID: 1055888
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Matthew Daley [Mon, 2 Dec 2013 12:45:16 +0000 (01:45 +1300)]
xenstore: check F_SETFL fcntl invocation in setnonblock
...and check the newly-added result of setnonblock itself where used.
Coverity-ID: 1055103
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Fri, 13 Dec 2013 14:06:11 +0000 (15:06 +0100)]
x86/p2m: restrict auditing to debug builds
... since iterating through all of a guest's pages may take unduly
long.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Rob Hoes [Thu, 12 Dec 2013 16:36:49 +0000 (16:36 +0000)]
ocaml: do not install test binaries
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- added back an Empty install rule ]
Julien Grall [Wed, 11 Dec 2013 18:50:11 +0000 (18:50 +0000)]
xen/elf: header: fix typoes in elfnote.h
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Wed, 11 Dec 2013 13:36:27 +0000 (13:36 +0000)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Rob Hoes [Tue, 10 Dec 2013 16:48:33 +0000 (16:48 +0000)]
libxl: ocaml: add some missing CAML macros
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:32 +0000 (16:48 +0000)]
libxl: ocaml: drop the ocaml heap lock before calling into libxl
Ocaml has a heap lock which must be held whenever ocaml code is running. Ocaml
usually drops this lock when it enters a potentially blocking low-level
function, such as writing to a file. Libxl has its own lock, which it may
acquire when being called.
Things get interesting when libxl calls back into ocaml code. There is a risk
of ending up in a deadlock when a thread holds both locks at the same time,
then temporarily drops the ocaml lock, while another thread calls another libxl
function.
To avoid deadlocks, we drop the ocaml heap lock before entering libxl, and
reacquire it in callbacks to ocaml. This way, the ocaml heap lock is never held
together with the libxl lock, except in osevent registration callbacks, and
xentoollog callbacks. If we guarantee to not call any libxl functions inside
those callbacks, we can avoid deadlocks.
This patch handles the dropping and reacquiring of the ocaml heap lock by the
caml_enter_blocking_section and caml_leave_blocking_section functions, and
related macros. We are also careful to not call any functions that access the
ocaml heap while the ocaml heap lock is dropped. This often involves copying
ocaml values to C before dropping the ocaml lock.
The ao_how in aohow_val is now malloc'ed, just to make this function a little
easier to use.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:31 +0000 (16:48 +0000)]
libxl: ocaml: add console reader functions
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:30 +0000 (16:48 +0000)]
libxl: ocaml: add VM lifecycle operations
Also:
* Reorganise toplevel OCaml functions into modules of Xenlight.
* Factor out the management of ao_how into the function aohow_val. The ao_how
is now malloc'ed, just to make this function a little easier to use.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:29 +0000 (16:48 +0000)]
libxl: ocaml: add disk and cdrom helper functions
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:28 +0000 (16:48 +0000)]
libxl: ocaml: allow device operations to be called asynchronously
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: David Scott <dave.scott@eu.citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:27 +0000 (16:48 +0000)]
libxl: ocaml: event management
Having bindings to the low-level functions libxl_osevent_register_hooks and
related, allows us to run an event loop in OCaml; either one we write ourselves,
or one that is available elsewhere.
The Lwt cooperative threads library (http://ocsigen.org/lwt/), which is quite
popular these days, has an event loop that can be easily extended to poll any
additional fds that we get from libxl. Lwt provides a "lightweight" threading
model, which does not let you run any other (POSIX) threads in your
application, and therefore excludes an event loop implemented in the C
bindings.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:26 +0000 (16:48 +0000)]
libxl: ocaml: implement some simple tests
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Rob Hoes [Tue, 10 Dec 2013 16:48:25 +0000 (16:48 +0000)]
libxl: ocaml: add simple test case for xentoollog
Add a simple noddy test case (tools/ocaml/test) for the Xentoollog OCaml
module.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Ian Campbell [Mon, 9 Dec 2013 14:58:24 +0000 (14:58 +0000)]
xen: arm: inject unhandled instruction and data aborts to the guest.
Currently an unhandled data abort in guest context leads to us killing the
guest and an unhandled instruction abort in guest context leads to us killing
the host!
Andre pointed out that an unhandled data abort can be caused by e.g. dmidecode
looking for things which are not there in the guest's physical address space.
Propagating the fault to the guest allows it to properly SIGSEGV the
processes.
A guest kernel can trivially jump to an unmapped physical address which would
cause an instruction abort. Killing the host for that is obviously bad.
Instead inject the exception so the guest kernel can SIGSEGV or panic() etc as
it deems appropriate.
Tested on arm64 (Mustang) and arm32 (Midway) with a dom0 kernel late_initcall
which either dereferences or jumps to address 0, provoking both behaviours and
resulting correctly in a guest kernel panic. Also tested on fast models with a
32-bit dom0 on a 64-bit hypervisor, which behaved correctly.
In addition tested on both platforms with a userspace program which either
calls to or dereferences address 0. The process is correctly killed with SEGV.
Lastly tested on Mustang with a 32-bit version of the userspace test on a
64-bit dom0 kernel.
I think that covers all the cases.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Cc: Andre Przywara <andre.przywara@calxeda.com>
[ ijc -- fixed up whitespace in if statements in cpsr_mode_switch ]
Daniel Kiper [Wed, 11 Dec 2013 09:37:25 +0000 (10:37 +0100)]
kexec/x86: do not map crash kernel area
This mapping was apparently never used.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Acked-by: David Vrabel <david.vrabel@citrix.com>
Jan Beulich [Wed, 11 Dec 2013 09:33:19 +0000 (10:33 +0100)]
x86/PV: don't commit debug register values early in arch_set_info_guest()
They're being taken care of later (via set_debugreg()), and temporarily
copying them into struct vcpu means that bad values may end up getting
loaded during context switch if the vCPU is already running and the
function errors out between the premature and real commit step, leading
to the same issue that XSA-12 dealt with.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Wed, 11 Dec 2013 09:30:02 +0000 (10:30 +0100)]
x86/cpuidle: publish new states only after fully initializing them
Since state information coming from Dom0 can arrive at any time, on
any CPU, we ought to make sure that a new state is fully initialized
before the target CPU might be using it.
Once touching that code, also do minor cleanup: A missing (but benign)
"break" and some white space adjustments.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Liu Jinsong <jinsong.liu@intel.com>
Andres Lagar-Cavilla [Tue, 10 Dec 2013 15:53:40 +0000 (16:53 +0100)]
MAINTAINERS: Add Andres Lagar-Cavilla for mem-sharing/paging
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Andrew Cooper [Tue, 10 Dec 2013 15:16:49 +0000 (16:16 +0100)]
amd/passthrough: Do not leak domain mappings from do_invalidate_dte()
Coverity ID: 1135379
As the code stands, the domain mapping will be leaked on each error path.
The mapping can be for a much shorter period of time, and all the relevant
information can be pulled out at once.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Jan Beulich [Tue, 10 Dec 2013 15:10:37 +0000 (16:10 +0100)]
IOMMU: clear "don't flush" override on error paths
Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
an error path that fails to clear that flag, thus suppressing further
flushes on the respective pCPU.
In iommu_populate_page_table() also slightly re-arrange code to avoid
the false impression of the flag in question being guarded by a
domain's page_alloc_lock.
This is CVE-2013-6400 / XSA-80.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Ian Campbell [Tue, 10 Dec 2013 15:09:24 +0000 (16:09 +0100)]
xen: list interfaces subject to the security process exception in XSA-77
List all the sub ops of:
__HYPERVISOR_domctl
__HYPERVISOR_sysctl
__HYPERVISOR_memory_op
__HYPERVISOR_tmem_op
which are subject to the policy given in
http://xenbits.xen.org/xsa/advisory-77.html
It is expected that these lists will be whittled away as each interface is
audited for safety.
New interfaces should be expected to be safe when introduced (IOW the list
should never be expanded).
This is XSA-77.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Rob Hoes [Mon, 9 Dec 2013 15:17:30 +0000 (15:17 +0000)]
libxl: ocaml: remove dead code in xentoollog bindings
Found by Coverity. CIDs: 1128567 1128568 1128576 1128577.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Rob Hoes [Mon, 9 Dec 2013 15:17:29 +0000 (15:17 +0000)]
libxl: ocaml: fix memory corruption when converting string and key/values lists
Found by Coverity. CIDs: 1128562 1128563 1128564 1128565.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Julien Grall [Mon, 9 Dec 2013 18:34:10 +0000 (18:34 +0000)]
xen/arm: Fix regression after commit d963923
The commit d963923 "xen: arm: correct return value of
raw_copy_{to/from}_guest_*, raw_clear_guest" doesn't permit booting a guest
on Xen ARM.
Remove the stray semicolon from the end of the if statement.
Also we want to get the right rc in the error arrays, so we need to do the
copy_to_guest_offset before checking the rc returned by
xenmem_add_to_physmap_one.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- expanded commit log ]
Ian Campbell [Mon, 9 Dec 2013 12:13:48 +0000 (12:13 +0000)]
xen: arm: correct return value of raw_copy_{to/from}_guest_*, raw_clear_guest
This is a generic interface which is supposed to return the number of bytes
which were not copied. Make it so.
Update the incorrect callers prepare_dtb, decode_thumb{2} and
xenmem_add_to_physmap_range.
In the xenmem_add_to_physmap_range case, observe that we are not propagating
errors from xenmem_add_to_physmap_one and do so.
In the decode_thumb case add an emacs magic block to decode.c.
Make the flush_dcache parameter to the helper an int while at it.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Ian Campbell [Fri, 6 Dec 2013 14:29:32 +0000 (14:29 +0000)]
xen: arm: correct definition of DCISW (data cache invalidate by set/way)
We don't actually use this but I was using it locally for debugging and it
tripped me up.
Also add DCCIMVAC "data cache clean and invalidate by MVA" which is the only
cache op missing from cpregs.h.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>