dgit.raspbian.org Git

libxl: synchronise configuration when we hotplug a device

We update JSON version first, then write to xenstore, so that we
maintain the following invariant: any device which is present in
xenstore has a corresponding entry in JSON.

The workflow is as followed:
   lock json config
       read json config
       update in-memory json config with new entry, replacing
         any stale entry
       for loop
           open xs transaction
           check device existence, abort if it exists
           write in-memory json config to disk
           commit xs transaction
       end for loop
   unlock json config

Please see comment in libxl_internal.h for correctness proof.

As those routines are called both during domain creation and device
hotplug, we add a flag to indicate whether we need to update JSON
config. This flag is only set to true when we hotplug a device. We
cannot update JSON config during domain creation as JSON config is
committed to disk only when domain creation finishes.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: rework domain userdata file lock

The lock introduced in d2cd9d4f ("libxl: functions to lock / unlock
libxl userdata store") has a bug that can leak the lock file when domain
destruction races with other functions that try to get hold of the lock.

There are several issues:
1. The lock is released too early with libxl__userdata_destroyall
   deletes everything in userdata store, including the lock file.
2. The check of domain existence is only done at the beginning of lock
   function, by the time the lock is acquired, the domain might have
   been gone already.

The effect of this two issues is we can run into such situation:

     Process 1                        Process 2 domain destruction
   # LOCK FUNCTION                 # LOCK FUNCTION
    check domain existence          check domain existence
                                    acquire lock (file created)
                                   # LOCK FUNCTION
                                    destroy all files (lock file deleted,
                                                       lock released)
    acquire lock (file created)
   # LOCK FUNCTION                  destroy domain
                                   # UNLOCK (close fd only)
   [ lock file leaked ]

Fix this problem by deploying following changes:

1. Unlink lock file in unlock function.
2. Modify libxl__userdata_destroyall to not delete domain-userdata-lock,
   so that the lock remains held until unlock function is called.
3. Check domain still exists when the lock is acquired, unlock if
   domain is already gone.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: check for GICv3 platform support

ID_AA64PFR0_EL1 register provides information about GIC support.
Check for this register in GICv3 driver.

Also print GICv3 support information in boot log

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: add SGI handling for GICv3

In ARMv8, write to ICC_SGI1R_EL1 register raises trap to EL2.
Handle the trap and inject SGI to vcpu.

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: Update Dom0 GIC dt node with GICv3 information

Update GIC device tree node for DOM0 with GICv3
information. GIC hw specfic device tree information
is moved to respective GIC driver.

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: Add virtual GICv3 support

Add virtual GICv3 driver support.
Also, with this patch vgic_irq_rank structure is modified to
hold GICv2 GICD_TARGET and GICv3 GICD_ROUTER registers under
union.

This patch adds only basic GICv3 support.
Does not support Interrupt Translation support (ITS)

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

xen/arm: Add support for GIC v3

Add support for GIC v3 specification System register access(SRE)
is enabled to access cpu and virtual interface registers based
on kernel GICv3 driver.

This patch adds only basic v3 support.
Does not support Interrupt Translation support (ITS)

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

xen/arm: Add vgic callback to read irq priority

Use callback in vgic driver to read priority for
a given irq

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>

xen/arm: Calculate irq rank from irq number

irq rank calculated is not generic and assumes
hardware register size value which does not work
for future GIC versions like V3.

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

x86/APIC: reduce self-IPI related code

send_IPI_self_{phys,flat}() were identical and send_IPI_self_x2apic()
was misplaced and pointlessly (implictly) had a non-x2APIC code path.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

xen: arm: fix boot on arndale.

The differences between Arndale and the Odoid-XU are more interesting
than first though, which results in 0bf8ddecb4df "xen/arm: Add
support for the Odroid-XU board." breaking boot on arndale.

Revert back to arndale compatible behaviour while we sort this out.
Specifically we must (counterintuitively) use the regular (!ns)
sysram and the correct offset is 0x0 and 0x1c.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Julien Grall <julien.grall@linaro.org>

libxc/bitops: Add or() to the available bitmap operations

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools/[lib]xl: Correct use of init/dispose for libxl_domain_restore_params

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools/libxl: Fix stray blank line from debug logging

LOG() automatically adds a newline.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: add missing dependency for xen-init-dom0 in Makefile

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xc_cpuid_x86.c: Simplify masking conditions and remove redundant work

* Since there would not be 32-bit hypervisor, we do not need
  hypervisor_is_64bit() again.

* Remove xen_64bit from xc_cpuid_pv_policy().

* Move conditionals for LM/NX masking into architectural logic.

* Since RDTSCP could be used for both 64-bit and 32-bit architectures,
  we do not need the tying to 64-bit in intel_xc_cpuid_policy().

* vmx_cpuid_intercept() has covered SYSCALL masking when vmexit and
  original is_64bit or is_pae could not cover whether guest OS is really
  in long mode or not. Here to drop the conditionals and leave it to
  vmexit handler to do the real work.

Signed-off-by: Zhuo Song <songzhuo.sz@alibaba-inc.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
[ ijc -- inserted missing ) to fix compile error ]

linux_gntshr_munmap: munmap takes a length, not a page count

This fixes a bug where if a client shares more than 1 page, the
munmap call fails to clean up everything. A process which does
a lot of sharing and unsharing can run out of resources.

This patch also fixes in-tree callers of
- xc_gntshr_munmap
- xc_gnttab_munmap
to supply page counts rather than lengths.

Signed-off-by: David Scott <dave.scott@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: Add support for the Odroid-XU board.

The Odroid-XU from hardkernel is an Exynos 5410 based board.

This patch introduces a generic PLATFORM exynos5 which hopefully is
applicable to the majority of  exynos5 based SoCs. It currently has
only been tested on an exynos5410 based (OdroidXU) board and hence
that is the only board listed.

Previously only the Arndale board, based on an exynos5250 was
supported. It was the only exynos based platform that was supported
and it was called exynos5. It has now been renamed to exynos5250. The
Arndale currently is a separate platform mostly cause I do not have
one to test and for the most part the code path for that board is
preserved. To be specific it varies from the generic implementation
as follows:

1. exynos5250 based specific DT mapping for CHIPID and PWM region. I
   believe mainline kernel's DTS for the arndale has those mappings
   already in place.
2. exynos5250 based cpu up code. It appears that exynos5250 already
   has the secondary core powered up and in wfe and hence a
   cpu_up_send_sgi suffices. Here too, I believe that the generic
   code path might be acceptable.

Most of the code for the cpu bring up has been ported over from
mainline linux, and hence should be generic enough for future exynos
based SoCs. All reference to hardcoded memory locations have been
avoided. They are now gleaned from the device tree.

The existing SMP bringup code has been broken since 4557c2292854
"xen: arm: rewrite start of day page table and cpu bring up" which
moved the arndale CPU kick from secure world to non-secure world
without updating it to match the new environment.  Specifically the
sysram address remained hardcoded to the S sysram address and not the
NS sysram address, this is now correctly taken from DT. Secondly the
offset within the sysram where the start address is written is 0x1c
for NS bringup, rather than 0x0 as it is in S bringup.

Signed-off-by: Suriyan Ramasami <suriyan.r@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- updated commit log as discussed on list, plus reformatted
         slightly.
         s/exynos5XXXX/exynos5XXX/ in one error message ]

x86/mwait-idle: Broadwell support

Broadwell (BDW) is similar to Haswell (HSW), the preceding processor generation.

Currently, the only difference in their C-state tables is that PC3 max exit latency
is 33usec on HSW and 40usec on BDW.

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

x86/mwait-idle: disable Baytrail Core and Module C6 auto-demotion

Power efficiency improves on Baytrail (Intel Atom Processor E3000)
when Linux disables C6 auto-demotion.

Based on work by Srinidhi Kasagar <srinidhi.kasagar@intel.com>.

Signed-off-by: Len Brown <len.brown@intel.com>
Do the MSR writes on all CPUs rather than just the current one.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

x86, idle: add barriers to CLFLUSH workaround

... since the documentation is explicit that CLFLUSH is only ordered
with respect to MFENCE.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

evtchn: check control block exists when using FIFO-based events

When using the FIFO-based event channels, there are no checks for the
existance of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

By allocating all the per-VCPU structures when enabling the FIFO ABI,
we can be sure that v->evtchn_fifo is always valid.

EVTCHNOP_init_control_block for all the other CPUs need only map the
shared control block.

A single check in evtchn_fifo_set_pending() before accessing the
control block fixes all cases where the guest has not initialized some
control blocks.

This is XSA-107.

Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

xen/common: do not implicitly permit access to mapped I/O memory

Currently, the XEN_DOMCTL_memory_mapping hypercall implicitly grants
to a domain access permission to the I/O memory areas mapped in its
guest address space. This conflicts with the presence of a specific
hypercall (XEN_DOMCTL_iomem_permission) used to grant such a permission
to a domain.
This commit separates the functions of the two hypercalls by having only
the latter be able to permit I/O memory access to a domain, and the
former just performing the mapping after a permissions check on both the
granting and the grantee domains.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

tools/libxl: cleanup the do_pci_add() function

This function modifies the do_pci_add() function in libxl_pci.c
by unindenting a code block whose condition was removed in the
previous commit. The block was left as is to facilitate functional
review of the previous commit; this commit cleans it up.
This commit introduces no functional change.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

tools/libxl: explicitly grant access to needed I/O-memory ranges

This commit changes the existing libxl code to be sure to grant access
permission to PCI-related I/O memory ranges, while setting up passthrough
of PCI devices specified in the domain's configuration, and to VGA-related
memory ranges, while setting up VGA passthrough (if gfx_passthru = 1 in
the domain's configuration).
As for the latter, the newly-added code does not replace any existing one,
but instead matches the calls to xc_domain_memory_mapping() performed by
QEMU on the path that is executed if gfx passthru is enabled and follows
the registration of a new VGA controller (in register_vga_regions(),
defined in hw/pt-graphics.c). In fact, VGA needs some extra memory
ranges to be mapped with respect to PCI; QEMU expects that access to those
memory ranges is implicitly granted when he calls the hypervisor with the
function xc_domain_memory_mapping(): this commit calls iomem_permission
for it when needed by checking the passthru PCI device's class.

NOTE: the code added by this commit still does not verify if the passthru
      of the framebuffer area is being performed for the primary GPU, but
      only replicates the behavior of QEMU which is limited to performing
      the passthru for all PCI devices of VGA class.

This commit is instrumental to the last one in the series, which will
separate the functions of the iomem_permission and memory_mapping DOMCTLs,
so that requesting an I/O-memory range will not imply that access to such
a range is implicitly granted.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

xsm/flask: handle XEN_DOMCTL_memory_mapping for all architectures

Currently, FLASK only handles the memory_mapping hypercall for the
x86 architecture. As the DOMCTL's hook now is in common code and
no more specific to x86, this commit lets the DOMCTL be handled also
for other architectures.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

libxl: introduce helper to initialise Dom0

This small helper is responsible for generating Dom0 JSON config
stub and writing Dom0 xenstore entries. This helpers subsumes two calls
to xenstore-write in xencommons script.

Dom0 UUID is intentionally left untouched, so it is always all
zeros. This makes sure that we don't leak Dom0 stubs across rebooting.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- folded in incremental patch for *BSD ]

libxl: disallow attaching the same device more than once

Originally the code allowed users to attach the same device more than
once. It just stupidly overwrites xenstore entries. This is bogus as
frontend will be very confused.

Introduce a helper function to check if the device to be written to
xenstore already exists. A new error code is also introduced.

The check and add are within one xs transaction.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: introduce libxl__device_from_pcidev

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: store a copy of configuration when creating domain

The configuration is stored in libxl-json format. It will be used as
template to reconstruct domain configuration during runtime.

There's only one write to disk when domain creation finishes. We
therefore have a window that the domain exists but has no JSON config in
disk. We define this state as domain being created or destroyed. Any
other operations that need to access JSON config should bail.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: libxl-json format and internal functions to get / set it

Introduce a new format in libxl userdata store called "libxl-json". This
file format contains JSON version of libxl_domain_config, generated by
libxl. Applications are not supposed to access this file directly.

Two internal functions to get and set libxl_domain_configuration
are also introduced. Also introduce a new error code to indicate
abnormal state that libxl-json config file is empty.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: properly lock userdata store

Originally libxl user data store didn't have lock at all. There could be
such race condition as mentioned by Ian Jackson:

  Task 1                                 Task 2
  Creating the domain                    Trying to shut down

    actually create domain
                                           observe domid
                                           start domain destruction
                                           delete all userdata
                                           destroy domain
    store the userdata
      *** forbidden state created: userdata exists but domain doesn't
      *** userdata has been leaked
    [ would now bomb out ]

This patch adds in proper locking to libxl user data store. The lock is
associated with a specific domain (i.e. a per-domain lock).

As for locking hierachy, we first take CTX lock (which is implemented
with pthread recursive mutex so even if the application has taken it
we're fine), then take the file lock. These locks are released in
reversed order.

A new libxl error code ERROR_LOCK_FAIL is introduced to describe failure
to acquire locks.

Also factor out libxl__userdata_{retrieve,store}, so that other
functions that already hold the lock can call them to manipulate
user data.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: functions to lock / unlock libxl userdata store

This lock is used to protect all userdata files related to a particular
domain, which include but are not limited to domain configuration. A
new "domain-userdata-lock" entry is introduced in libxl registry.

This lock works among different processes and different threads within
the same process.

Locking protocol inspired by Ian Jackson's chiark-utils with-lock-ex. A
file lock is taken with flock(2). If that succeeds that thread fstat the
fd and stat the lock file path. If the device and inode match then the
lock has been successfully acquired. This lock remains acquired until
the lock file gets deleted or released by flock(2). If device and inode
don't match then another thread acquired the lock and deleted the file
in the meantime; lock procedure should restart.

Portability note: this lock utilises flock(2) so a proper implementation
of flock(2) is required -- that is, it should not be implemented with
fcntl(2).

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: make userdata_path libxl internal function

Later patch will make use of it to generate file path and name.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: introduce XENFEAT_grant_map_identity

The flag specifies that the hypervisor maps a grant page to guest
physical address == machine address of the page in addition to the
normal grant mapping address.

Frontends are allowed to map the same page multiple times using multiple
grant references. On the backend side it can be difficult to find out
the physical address corresponding to a particular machine address,
especially at the completion of a dma operation. To simplify address
translations, we introduce a second mapping of the grant at physical
address == machine address so that dom0 can issue cache maintenance
operations without having to find the pfn.

Call arch_grant_map_page_identity and arch_grant_unmap_page_identity
from __gnttab_map_grant_ref and __gnttab_unmap_common to introduce the
second mapping if the domain is directly mapped. To do so we also need
to change gnttab_need_iommu_mapping to just be defined as
is_domain_direct_mapped on arm.

Remove arm_smmu_map_page and arm_smmu_unmap_page as they have become
unused.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: introduce arch_grant_(un)map_page_identity

Introduce two arch specific functions to create a new p2m mapping of
granted pages at pfn == mfn.
We don't an x86 implementation as these functions should never be
compiled on x86 (they are called from an if (0) statement).

Base the implementation of arm_smmu_(un)map_page on
arch_grant_(un)map_page_identity.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/x86: introduce is_domain_direct_mapped(d) as ((void)(d), 0) on x86

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/arm: domain_vgic_init: Avoid double free on shared_irqs

When the function domain_vgic_init is failing to initialize pending_irqs,
it will free shared_irqs. Few call later, domain_vgic_free will be called
an try to free a second time the same variable. This will result to a double
free.

Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly
release the memory.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: move itargets initialization to vgic-v2

itarget registers are GIC version specific. So move
initialization of these registers to vgic-v2 driver.

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Julien Grall <julien.grall@linaro.org>

mini-os: arm: events

Signed-off-by: Karim Allah Ahmed <karim.allah.ahmed@gmail.com>
Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

mini-os: arm: scheduling

Based on an initial patch by Karim Raslan.

Signed-off-by: Karim Allah Ahmed <karim.allah.ahmed@gmail.com>
Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

mini-os: arm: memory management

Based on an initial patch by Karim Raslan.

Signed-off-by: Karim Allah Ahmed <karim.allah.ahmed@gmail.com>
Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

mini-os: arm: boot code

Based on an initial patch by Karim Raslan.

Signed-off-by: Karim Allah Ahmed <karim.allah.ahmed@gmail.com>
Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

mini-os: arm: add header files

Adds header files for future ARM support.
Based on work by Karim Allah Ahmed.

Signed-off-by: Karim Allah Ahmed <karim.allah.ahmed@gmail.com>
Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

mini-os: move poor rand function to test.c

It's only used by test.c and probably isn't something that should be
exposed for general use (it just calls gettimeofday).

This is also useful for ARM, which doesn't use math.c, where this used
to live.

Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

mini-os: added HYPERVISOR_xsm_op

Avoids using _hypercall1 in events.c.

Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

mini-os: don't include lib.h from mm.h

This breaks the include cycle hypervisor.h -> hypercall-x86_32.h -> mm.h
-> lib.h -> gntmap.h -> os.h -> hypervisor.h.

Signed-off-by: Thomas Leonard <talex5@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

tools/xen-access: Print gla valid/fault information

Extend the print-out of the memory violations to show gla valid/fault information.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

configure: disable stubdomain build by default on FreeBSD

Stubdomain code as-is doesn't compile on FreeBSD, so disable it for
now in order to have a working build.

Please re-run autoconf after committing.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm: introduce uImage probe function for Dom0

Patch adds a possibility to boot dom0 kernel from uImage.

uImage header format:
http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=blob;f=include/image.h

Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com>
Reviewed-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- fixed up coding style nit to be consistent with surrounding,
         but differently wrong, coding style.
         s/Not supported/Unsupported/
         s/uimage->arch/uimage.arch/ ]

tools/libxl: Fix build of libxl with ./configure --disable-blktap2

Autoconf already has appropriate Linux/non-Linux logic for CONFIG_BLKTAP2.

Let LIBXL_BLKTAP inherit directly from CONFIG_BLKTAP2, rather than requiring a
further LIBXL_BLKTAP=n in addition to ./configure --disable-blktap2 to get
libxl to successfully link under Linux.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

stubdom: do not set CONFIG_TEST for caml & C stubdom examples

caml & C stubdom examples should not enable the tests, they already
provide their own main function.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl: convert vcpuid to signed in main_vcpupin()

As it needs to be, considering that we assign -1 to it (and
that, later, we check for it to be -1), to signify 'all vcpus'.

While at it, fix a coding style nit and improve error reporting.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools/ocaml: remove uint32 use

OCaml is replacing its own uint32 type with the ISO C99 uint32_t type
in 4.03.0+dev. Ths patch replaces the remaining uses of uint32 with
uint32_t in the ocaml C code for xen.

Signed-off-by: Michael Young <m.a.young@durham.ac.uk>
Acked-by: David Scott <dave.scott@citrix.com>

xen: arm: Don't pass "multiboot, module" DTB nodes to dom0.

Support for loading these was added in a860dfeec090 "xen: arm: implement
generic multiboot compatibility strings".

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

vNUMA: fix build on ARM after commit 9695014966

The new domctl isn't really x86-specific.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Tested-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

libxc: Introduce xc_domain_setvnuma to set vNUMA

With the introduction of the XEN_DOMCTL_setvnumainfo
in patch titled: "xen: vnuma topology and subop hypercalls"
we put in the plumbing here to use from the toolstack. The user
is allowed to call this multiple times if they wish so.
It will error out if the nr_vnodes or nr_vcpus is zero.

Signed-off-by: Elena Ufimtseva <ufimtseva@gmail.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xsm bits for vNUMA hypercalls

Define xsm_get_vnumainfo hypercall used for domain which
wish to receive vnuma topology. Add xsm hook for
XEN_DOMCTL_setvnumainfo. Also adds basic policies.

Signed-off-by: Elena Ufimtseva <ufimtseva@gmail.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

xen: vnuma topology and subop hypercalls

Define interface, structures and hypercalls for toolstack to
build vnuma topology and for guests that wish to retrieve it.
Two subop hypercalls introduced by patch:
XEN_DOMCTL_setvnumainfo to define vNUMA domain topology per domain
and XENMEM_get_vnumainfo to retrieve that topology by guest.

Signed-off-by: Elena Ufimtseva <ufimtseva@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86: remove redundancy of MSR_P6_{PERFCTR,EVNTSEL} definitions

Not only did the EVNTSEL ones get defined twice, we can also easily
abstract out the numbers previously attached to them.

While at it also remove an unused Geode-related define.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevint.tian@intel.com>

numa.c: convert to xen coding style

Convert to Xen coding style from mixed one.

Signed-off-by: Elena Ufimtseva <ufimtseva@gmail.com>

xen/arm: make accesses to desc->status flags atomic

This way we don't need to take the desc->lock in order to access
desc->status in many of the gic and vgic functions.

Using *_bit manipulation functions on desc->status is safe on arm64:
status is an unsigned int but is the first field of a struct that
contains pointers, therefore the alignement of the struct is at least 8
bytes.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: introduce bit access macros for the IRQ line status flags

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
CC: Jan Beulich <jbeulich@suse.com>

xen/arm: take the rank lock before accessing ipriority

Currently we read ipriority from vgic_vcpu_inject_irq without taking the
rank lock. Fix that by taking the rank lock and reading ipriority at the
beginning of the function.

As vgic_vcpu_inject_irq is called from the irq.c upon receiving an
interrupt, we need to change the implementation of vgic_lock/unlock_rank
to spin_lock_irqsave to make it safe in irq context.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: remove workaround to inject evtchn_irq on irq enable

evtchn_upcall_pending is already set by common code at vcpu creation,
therefore on ARM we also need to call vgic_vcpu_inject_irq for it.
Currently we do that from vgic_enable_irqs as a workaround.

Do this properly by introducing an appropriate arch specific hook:
arch_evtchn_inject. arch_evtchn_inject is called by map_vcpu_info to
inject the evtchn irq into the guest. On ARM is implemented by calling
vgic_vcpu_inject_irq.

On x86 guests typically don't call VCPUOP_register_vcpu_info on vcpu0,
therefore avoiding the issue. However theoretically they could call
VCPUOP_register_vcpu_info on vcpu0 and in that case Xen would need to
inject the event channel notification into the guest if the guest is
HVM. So implement arch_evtchn_inject on x86 by calling
hvm_assert_evtchn_irq.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen: introduce sched_move_irqs

Introduce sched_move_irqs: it calls arch_move_irqs and
evtchn_move_pirqs.
Replace calls to evtchn_move_pirqs with calls to sched_move_irqs.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
CC: jbeulich@suse.com
CC: tim@xen.org
CC: keir.xen@gmail.com

xen/arm: physical irq follow virtual irq

Migrate physical irqs to the same physical cpu that is running the vcpu
expected to receive the irqs. That is done when enabling irqs, when the
guest writes to GICD_ITARGETSR and when Xen migrates a vcpu to a
different pcpu.

In case of virq migration, if the virq is inflight and in a GICH_LR
register already, delay migrating the corresponding physical irq until
the virq is EOIed by the guest and the MIGRATING flag has been cleared.
This way we make sure that the pcpu running the old vcpu gets
interrupted with a new irq of the same kind, clearing the GICH_LR sooner.

Introduce a new arch specific function, arch_move_irqs, that is empty on
x86 and implements the vgic irq migration code on ARM.
arch_move_irqs is going to be called by from sched.c.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: support irq delivery to vcpu > 0

Use vgic_get_target_vcpu to retrieve the target vcpu from do_IRQ.
Remove in-code comments about missing implementation of SGI delivery to
vcpus other than 0.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: inflight irqs during migration

We need to take special care when migrating irqs that are already
inflight from one vcpu to another. See "The effect of changes to an
GICD_ITARGETSR", part of chapter 4.3.12 of the ARM Generic Interrupt
Controller Architecture Specification, IHI 0048B.

The main issue from the Xen point of view is that the lr_pending and
inflight lists are per-vcpu. The lock we take to protect them is also
per-vcpu.

In order to avoid issues, if the irq is still lr_pending, we can
immediately move it to the new vcpu for injection.

Otherwise if it is in a GICH_LR register, set a new flag
GIC_IRQ_GUEST_MIGRATING. If GIC_IRQ_GUEST_MIGRATING is set we'll change
the affinity of the physical irq when clearing the LR (in a following
commit). Therefore if the irq is inflight in an LR when the guest writes
to itarget, we wait until the LR is cleared before changing physical
irq affinity. This guarantees that the old vcpu is going to be
interrupted and clear the LR, either because it has been descheduled
after EOIing the interrupt or because it is interrupted by the second
physical irq coming.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: move setting GIC_IRQ_GUEST_QUEUED earlier

It makes the code cleaner, especially with the following patches.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: observe itargets setting in vgic_enable_irqs and vgic_disable_irqs

vgic_enable_irqs should enable irq delivery to the vcpu specified by
GICD_ITARGETSR, rather than the vcpu that wrote to GICD_ISENABLER.
Similarly vgic_disable_irqs should use the target vcpu specified by
itarget to disable irqs.

itargets can be set to a mask but vgic_get_target_vcpu always returns
the lower vcpu in the mask.

Correctly initialize itargets for SPIs.

Ignore bits in GICD_ITARGETSR corresponding to invalid vcpus.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

libxl: libxl error code is signed integer

Fix two occurences of "unsigned int rc".

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

x86/NMI: allow passing just "watchdog" again

This capability got inadvertently lost in commit 3ea2ba980a ("x86/NMI:
allow processing unknown NMIs when watchdog is enabled") due to an
oversight of mine.

Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/current: provide additional information to optimise get_cpu_info()

Exactly as with c/s d55c5eefe "x86: use compiler visible "add" instead of
inline assembly "or" in get_cpu_info()", this is achieved by providing more
information to the compiler.

This causes a net drop of almost 4K of .text

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/traps: remove redundant trapnr parameter from fatal_trap()

It is always available via regs->entry_vector.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/hvm: fix operator precedence bug introduced by 3d4d4f9336

Bitwise or has greater precedence than the ternary operator, making the result
of the expression a constant P2M_UNSHARE.

Coverity-ID: 1234633
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>

tools/libxl: handle the iomem parameter with the memory_mapping hcall

Currently, the configuration-parsing code concerning the handling of the
iomem parameter only invokes the XEN_DOMCTL_iomem_permission hypercall.
This commit lets the XEN_DOMCTL_memory_mapping hypercall be invoked
after XEN_DOMCTL_iomem_permission when the iomem parameter is parsed
from a domU configuration file, so that the address range can be mapped
to the address space of the domU. The hypercall is invoked only in case
of domains using an auto-translated physmap.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

tools/libxl: parse optional start gfn from the iomem config option

Currently, the "iomem" domU config option allows to specify a machine
address range to be mapped to the domU. However, there is no way to
specify the guest address range used for the mapping. This commit
extends the iomem option handling code to parse an additional, optional
parameter: this parameter, if given, specifies the start guest address
used for the mapping; if no start guest address is given, a 1:1 mapping
is performed as default.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

xen/common: move the memory_mapping DOMCTL hypercall to common code

This commit moves to common code the implementation of the memory_mapping
DOMCTL, currently available only for the x86 architecture. It also adds
a definition for the PADDR_BITS constant for ARM, that is to be used in
common code and currently not available for the ARM architecture.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Julien Grall <julien.grall@citrix.com>
Tested-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

xen/x86: factor out map and unmap from the memory_mapping DOMCTL

This commit factors out from the XEN_DOMCTL_memory_mapping hypercall
implementation, currently available only for x86, the operations
related to memory ranges map and unmap. The code is factored out
into two {map|unmap}_mmio_regions() functions for x86, that will match
the corresponding pair of ARM functions when the DOMCTL will be moved
to common code in the following commit. This commit also adds an
unmap_mmio_regions() function for ARM so that the following transition
to common code is cleaner.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

xen/common: add ARM stub for the function memory_type_changed()

MTRR-related code is not available for the ARM architecture. Given
that the memory_type_changed() function would be called also from
common code, its invocation is currently ifdef'd out to be only
compiled in on an x86 machine. This commit adds an empty stub for ARM.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

arch/x86: cleanup memory_mapping DOMCTL

This commit lets the end mfn be computed only once while handling a
XEN_DOMCTL_memory_mapping hypercall. Also, the name of the tmp_rc
local variable is changed to rc.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

arch/x86: warn if to-be-removed mapping does not exist

Currently, when a memory mapping is removed with the memory_mapping
DOMCTL, no check is performed on the existence of such a mapping.
This commit adds such a consistency check to the code performing the
unmap, emitting a warning message if the check fails.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>

arch/arm: unmap partially-mapped memory regions

This commit modifies the function apply_p2m_changes() so that it
destroys changes performed while mapping a memory region, if errors are
seen during the operation. The implemented behaviour includes destroying
only mappings created during the latest invocation of apply_p2m_changes().
This is useful to avoid that memory areas remain partially accessible
to guests.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

arch/arm: add consistency check to REMOVE p2m changes

Currently, the REMOVE case of the switch in apply_p2m_changes()
does not perform any consistency check on the mapping to be removed.
More in detail, the code does not check if the guest address to be
unmapped is actually mapped to the machine address given as a
parameter.
This commit adds the above-described consistency check to the REMOVE
path of apply_p2m_changes() and lets a warning be emitted when trying
to remove a non-existent mapping. This is instrumental to one of the
following commits, which implements the possibility to trigger the
removal of p2m ranges via the memory_mapping DOMCTL for ARM.

Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Paolo Valente <paolo.valente@unimore.it>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Eric Trudeau <etrudeau@broadcom.com>
Cc: Viktor Kleinik <viktor.kleinik@globallogic.com>
Cc: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: Stringify the register name in sysreg read write macros

The register name parameter in {READ,WRITE}_SYSREG{32,64}
macros is replaced as register name in mrs and msr assembly
instruction.

If this register name is macro indirection, the register
name is not replaced with designated macro. So replace the register
name with __stringify macro, which replaces register name
if it is macro

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

xen/arm: Introduce sizes.h

Add sizes.h file similar to include/linux/sizes.h of
kernel code. These size macros helps in porting
kernel drivers to Xen

Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

EPT: utilize GLA->GPA translation known for certain faults

Rather than doing the translation ourselves in __hvmemul_{read,write}()
leverage that we know the association for faults other than such having
occurred when translating addresses of page tables.

There is one intentional but not necessarily obvious (and possibly
subtle) adjustment to behavior: __hvmemul_read() no longer blindly
bails on instruction fetches matching the MMIO GVA (the callers of
handle_mmio_with_translation() now control the behavior via the struct
npfec they pass, and it didn't seem right to bail here rather than just
falling through to the unaccelerated path)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

tools: (lib)xl: remove stray uses of build_info->u.pv.{kernel, ramdisk, cmdline}

The commit 11dffa2359e8 "xen: pass kernel initrd to qemu" deprecated these in
favour of build_info->{kernel,ramdisk,cmdline} but missed a couple of uses.

The ARM case breaks guest boot by omitting the command line from the DTB while
the xl SXP one is mostly cosmetic.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Chunyan Liu <cyliu@suse.com>
Reviewed-by: Julien Grall <julien.grall@linaro.org>

x86/NMI: allow processing unknown NMIs when watchdog is enabled

Change NMI processing so that if watchdog=force is passed on the
command-line and the NMI is not caused by a perf counter overflow (i.e.
likely not a watchdog "tick"), the NMI is handled by the unknown NMI
handler.

This allows injection of NMIs from IPMI controllers that don't set the
IOCK/SERR bits to trigger the unknown NMI handler rather than be
ignored.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Fix command line parsing (don't enable the watchdog on e.g.
"watchdog=xyz").

Signed-off-by: Jan Beulich <jbeulich@suse.com>

update pvSCSI protocol description

Update the protocol description of the pvSCSI framework used to pass through
SCSI devices to a guest (pv or hvm).

The main changes are:
- added comments
- add support for larger SG-lists by putting them in an own granted page
- deprecate VSCSIIF_ACT_SCSI_SG_PRESET action with related structures
- add ref_rqid for action VSCSIIF_ACT_SCSI_ABORT to be able to specify the
  request to abort
- deprecate timeout_per_command as this really should be handled by the
  backend in case of default settings or by the guest domain by aborting a
  long running command

This update is related to the rework of the pvSCSI backend and frontend drivers
in the Linux kernel. This interface version is included in that rework, too.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

x86/ats: Disable Address Translation Services by default

Xen cannot safely use any ATS functionality until it gains asynchronous queued
invalidation support, because of the current synchronous wait for completion.

Do not turn ATS on by default.

While editing the default in the command line documentation, correct the
statement regarding PCI Passthrough. ATS is purely a performance
optimisation, and is certainly not required for PCI Passthrough to function.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>

x86/mem_event: deliver gla fault EPT violation information

On Intel EPT the exit qualification generated by a violation also
includes a bit (EPT_GLA_FAULT) which describes the following
information: Set if the access causing the EPT violation is to a
guest-physical address that is the translation of a linear address.
Clear if the access causing the EPT violation is to a paging-structure
entry as part of a page walk or the update of an accessed or dirty bit.

For more information see Table 27-7 in the Intel SDM.

This patch extends the mem_event system to deliver this extra
information, which could be useful for determining the cause of a
violation.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: Tim Deegan <tim@xen.org>

x86/hvm: treat non-instruction fetch nested page faults also as read violations

As pointed out by Jan Beulich in
http://lists.xen.org/archives/html/xen-devel/2014-08/msg01269.html:
"Read-modify-write instructions absolutely need to be treated as read
accesses, yet hardware doesn't guarantee to tell us so (they may
surface as just write accesses)." This patch addresses the issue in
both the VMX and the SVM side.

VMX: Treat all write data access violations also as read violations (in
addition to those that were already reported as read violations).
SVM: Refine the meaning of read data access violations to distinguish
between read/write and instruction fetch access violations.

With this patch both VMX and SVM specific nested page fault handling code reports violations the same way, thus abstracting the hardware specific behaviour from the layers above.

Suggested-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Tim Deegan <tim@xen.org>

x86: consolidate boolean inputs in hvm and p2m into a shared bitmap

This patch consolidates the boolean input parameters of
hvm_hap_nested_page_fault and p2m_mem_access_check into a common bitmap
and defines the bitmap members accordingly.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Tim Deegan <tim@xen.org>

tools/libxl: Initialise both parts of ctx->sigchld_selfpipe[] to -1

Otherwise, if it is not used, libxl_ctx_free() will close fd 0.

Reported-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Campbell <Ian.Campbell@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools/libxc: Set max_elem to zero in xc_lockprof_query_number()

If max_elem is not zero then hypervisor's spinlock_profile_ucopy_elem()
will attempt to copy profile data into user's data buffer. Since this
buffer is explicitly set to (the equivalent of) NULL the copy will fail,
causing xenlockprof to fail as well.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen arm/arm64: minor improvement in smp_send_call_function_mask()

Currently, smp_send_call_function_mask() function implemented
by xen arm/arm64 will use IPI to call function on current CPU.

This means that current smp_send_call_function_mask() will do
the following on current CPU:
Trigger SGI for current CPU => Xen takes interrupt on current CPU
=> IPI interrupt handler will call smp_call_function_interrupt()

This patch improves the above by straight away calling
smp_call_function_interrupt() for current CPU. This is very
similar to smp_send_call_function_mask() implemented by Xen x86.

Signed-off-by: Anup Patel <anup.patel@linaro.org>
Signed-off-by: Pranavkumar Sawargaonkar <pranavkumar@linaro.org>
Acked-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xl.cfg: add 'cmdline' in config file

Currently in xl.cfg, use 'root' and 'extra' to generate the command
line. 'cmdline' could be a more generic equivalent. So, add 'cmdline'
in xl.cfg and let it be preferred. 'root' and 'extra' still works.
But when 'cmdline' is specified, 'root' and 'extra' will be ignored.

[HVM config example]
[snip]
builder="hvm"
device_model_override="/home/cyliu/git/qemu/x86_64-softmmu/qemu-system-x86_64"
kernel="/mnt/vmlinuz-3.0.13-0.27-default"
ramdisk="/mnt/initrd-3.0.13-0.27-default"
root="/dev/hda2"
extra="console=tty0 console=ttyS0"
[snip]

or:

[snip]
builder="hvm"
device_model_override="/home/cyliu/git/qemu/x86_64-softmmu/qemu-system-x86_64"
kernel="/mnt/vmlinuz-3.0.13-0.27-default"
ramdisk="/mnt/initrd-3.0.13-0.27-default"
cmdline="root=/dev/hda2 console=tty0 console=ttyS0"
[snip]

Signed-off-by: Chunyan Liu <cyliu@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>