dgit.raspbian.org Git

xen: arm: do not pass a machine ID to dom0

Xen relies on DTB and we pass in a suitable device-tree so we don't
need to (and shouldn't) pretend to be a Versatile Express here.

We already don't pass a machine ID to domU in the same way.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm: rename atag_paddr argument fdt_paddr

We don't support ATAGs and this is always actually an FDT address.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm32: Don't bother with the bootloader provided ARM-Linux machine type

Everything is DTB based and on 64-bit there is no such concept even in
Linux.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

trivial: Optimize printnum

Reuse the string of hexadecimal numbers to simplify printnum implementation

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: comment the use of second_linear_offset() in mm.c

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools/ocaml: oxenstored: correctly handle a full ring.

Change 26521:2c0fd406f02c (part of XSA-38 / CVE-2013-0215) incorrectly
caused us to ignore rather than process a completely full ring. Check if
producer and consumer are equal before masking to avoid this, since prod ==
cons + PAGE_SIZE after masking becomes prod == cons.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86: move watchdog declarations from config.h to nmi.h

They don't belong into the former.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: use single definitions for a few constants

... rather than having a C and an assembly one.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xenoprof: avoid division by 0

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

hvm: Allow triple fault to imply crash rather than reboot

While the triple fault action on native hardware will result in a system
reset, any modern operating system can and will make use of less violent
reboot methods. As a result, the most likely cause of a triple fault is a
fatal software bug.

This patch allows the toolstack to indicate that a triple fault should mean a
crash rather than a reboot. The default of reboot still remains the same.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86: explicit suffix in inline assembler (for clang).

This fixes the clang build, and has no effect on gcc's output.

Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/setup: don't relocate the VGA hole.

Copying the contents of the VGA hole is at best pointless and at worst
dangerous. Booting Xen on Xen, it causes a very long delay as each
byte is referred to qemu.

Since we were already discarding the first 1MB of the relocated area,
just avoid copying it in the first place.

Reported-by: Jon Ludlam <jonathan.ludlam@eu.citrix.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Keir Fraser <keir@xen.org>

AMD IOMMU: handle MSI for phantom functions

With ordinary requests allowed to come from phantom functions, the
remapping tables ought to be set up to also allow for MSI triggers to
come from other than the "real" device too.

It is not clear to me whether the alias-ID handling also needs
adjustment for this to work properly, or whether firmware can be
expected to properly express this through a device alias range
descriptor (or multiple device alias ones).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

AMD IOMMU: also spot missing IO-APIC entries in IVRS table

Apart from dealing duplicate conflicting entries, we also have to
handle firmware omitting IO-APIC entries in IVRS altogether. Not doing
so has resulted in c/s 26517:601139e2b0db to crash such systems during
boot (whereas with the change here the IOMMU gets disabled just as is
being done in the other cases, i.e. unless global tables are being
used).

Debugging this issue has also pointed out that the debug log output is
pretty ugly to look at - consolidate the output, and add one extra
item for the IVHD special entries, so that future issues are easier
to analyze.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

xen/flask: fix crash on debugkey "i"

The IRQs beyond nr_static_irqs do not all have an associated PCI
device, so only query the device SID if pci is not NULL.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Keir Fraser <keir@xen.org>

gcc4.8 build fix: Add -Wno-unused-local-typedefs to CFLAGS.

Based on a patch by M A Young <m.a.young@durham.ac.uk>

Signed-off-by: Keir Fraser <keir@xen.org>

tools: Fix memset(&p,0,sizeof(p)) idiom in several places.

gcc 4.8 identifies several places where code of the form memset(x, 0,
sizeof(x)); is used incorrectly, meaning that less memory is set to
zero than required.

Signed-off-by: Michael Young <m.a.young@durham.ac.uk>
Committed-by: Keir Fraser <keir@xen.org>

x86: fix map_domain_page() leak from vcpu_destroy_pagetables()

Introduced by c/s 26450:4816763549e0 and exposed with
26523:fd997a96d448.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

unmodified_drivers: __devinit was removed in linux-3.8

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Merge with __init handling.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86: Add Xenoprofile support for AMD Family16h

Add Xenoprofile support for AMD Family16h. The corresponded OProfile
patch has already been submitted to OProfile mailing list.
(http://marc.info/?l=oprofile-list&m=136036136017302&w=2 ).

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/HAP: Add global enable/disable command line option

Also, correct a copy&paste error in the documentation.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86: debugging code for testing 16Tb support on smaller memory systems

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

oxenstored: Enforce a maximum message size of 4096 bytes

The maximum size of a message is part of the protocol spec in
xen/include/public/io/xs_wire.h

Before this patch a client which sends an overly large message can
cause a buffer read overrun.

Note if a badly-behaved client sends a very large message
then it will be difficult for them to make their connection
work again-- they will probably need to reboot.

Signed-off-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools/ocaml: oxenstored: Be more paranoid about ring reading

oxenstored makes use of the OCaml Xenbus bindings, in which the
function xs_ring_read in tools/ocaml/libs/xb/xs_ring_stubs.c is used
to read from the shared memory Xenstore ring.

This function does not correctly handle all possible (prod, cons)
states when MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons).

The root cause is the use of the unmasked values of prod and cons to
calculate to_read.  If prod is set to an out-of-range value, the ring
peer can cause to_read to be too large or even negative.  This allows
the ring peer to force oxenstored to read and write out of range for
the buffers leading to a crash or possibly to privilege escalation.

Correct this by masking the values of cons and prod at the start, so
we only deal with masked values.  This makes the logic simpler, as
semantically inappropriate values of the upper bits of the ring
pointers are simply ignored.

The same vulnerability does not exist in the ring writer because the
only use made of the unmasked value is the check which prevents the
prod pointer overtaking the cons pointer.  A ring peer which defeats
this check will suffer only lost data.

However, additionally, precautions need to be taken to ensure that
req_cons and req_prod are only read once in each function.  Without
the use of volatile or some asm construct, the compiler can "prove"
that req_cons and req_prod do not change unexpectedly and is permitted
to "amplify" the read of (say) req_cons into two reads at different
times, giving two different values for use as cons, and then use the
two sources of cons interchangeably.  (The use of xen_mb() does not
forbid this.)

Therefore do the reads of req_cons and req_prod through a volatile
pointer in both xs_ring_read and xs_ring_write.

This is currently believed to be a theoretical vulnerability as we are
not aware of any compilers which amplify reads in this way.

This is a security issue, part of XSA-38 / CVE-2013-0215.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Tested-by: Matthew Daley <mattjd@gmail.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen: enable stubdom on a per arch basis

... and disable on ARM (for now).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

AMD,IOMMU: Make per-device interrupt remapping table default

Using global interrupt remapping table may be insecure, as
described by XSA-36. This patch makes per-device mode default.

This is XSA-36 / CVE-2013-0153.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Moved warning in amd_iov_detect() to location covering all cases.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

AMD,IOMMU: Disable IOMMU if SATA Combined mode is on

AMD's SP5100 chipset can be placed into SATA Combined mode
that may cause prevent dom0 from booting when IOMMU is
enabled and per-device interrupt remapping table is used.
While SP5100 erratum 28 requires BIOSes to disable this mode,
some may still use it.

This patch checks whether this mode is on and, if per-device
table is in use, disables IOMMU.

This is XSA-36 / CVE-2013-0153.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Flipped operands of && in amd_iommu_init() to make the message issued
by amd_sp5100_erratum28() match reality (when amd_iommu_perdev_intremap
is zero, there's really no point in calling the function).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

AMD,IOMMU: Clean up old entries in remapping tables when creating new one

When changing the affinity of an IRQ associated with a passed
through PCI device, clear previous mapping.

This is XSA-36 / CVE-2013-0153.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
In addition, because some BIOSes may incorrectly program IVRS
entries for IOAPIC try to check for entry's consistency. Specifically,
if conflicting entries are found disable IOMMU if per-device
remapping table is used. If entries refer to bogus IOAPIC IDs
disable IOMMU unconditionally

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>

ACPI: acpi_table_parse() should return handler's error code

Currently, the error code returned by acpi_table_parse()'s handler
is ignored. This patch will propagate handler's return value to
acpi_table_parse()'s caller.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

xen: arm: fix build of hvm.c

Add include of xsm/xsm.h to fix:

hvm.c: In function 'do_hvm_op': hvm.c:37:9: error: implicit declaration of function 'xsm_hvm_param' [-Werror=implicit-function-declaration]
hvm.c:37:9: error: nested extern declaration of 'xsm_hvm_param' [-Werror=nested-externs]
hvm.c:37:28: error: 'XSM_TARGET' undeclared (first use in this function)
hvm.c:37:28: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix xcflags assignment in libxl__domain_suspend

Currently ->xcflags remains 1 because the braces are placed incorrectly.
Put each logical unit into its own braces to fix assigment to xcflags.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: update ocamlfind handling

configure checks just for ocamlc, but the tools in tools/ocaml depend
also on ocamlfind. On my workstation I have just ocamlc installed, but
no ocamlfind. As a result make will fail.

Update configure.ac to check also for OCAMLFIND, update various
Makefiles and replace hardcoded ocamlfind string with $(OCAMLFIND)

Please rerun autogen.sh after applying this patch.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xencommons: redirect serial and parallel to /dev/null

Upstream QEMU doesn't support -nographic with -daemonize unless monitor,
serial and parallel outputs are all redirected:

/* According to documentation and historically, -nographic redirects
* serial port, parallel port and monitor to stdio, which does not work
* with -daemonize. We can redirect these to null instead, but since
* -nographic is legacy, let's just error out.
* We disallow -nographic only if all other ports are not redirected
* explicitly, to not break existing legacy setups which uses
* -nographic _and_ redirects all ports explicitly - this is valid
* usage, -nographic is just a no-op in this case.
*/

Considering that we do want to redirect them to /dev/null anyway, do so.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- handled reject vs 26352:9a1610c1e564 "xencommons: Stop QEMU in
do_stop()" and rewrapped the resulting long line ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: implement vcpu_timer_destroy

Implement a function to destroy the per-vcpu phys and virt timers, call
it from vcpu_destroy.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: implement domain_relinquish_resources

put_page on every entry in xenpage_list and page_list

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: implement arch_domain_destroy

Implement arch_domain_destroy, use it in the error path of
arch_domain_create.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/HVM: assorted RTC emulation adjustments

- only call check_update_timer() on REG_B writes when SET changes
- only call alarm_timer_update() on REG_B writes when relevant bits
  change
- instead properly handle AF and PF when the guest is not also setting
  AIE/PIE respectively (for UF this was already the case, only a
  comment was slightly inaccurate), including calling the respective
  update functions upon REG_C reads

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Olaf Hering <olaf@aepfle.de>

Revert 26503:69398345c10e

This conflicts with changes done in 26486:7648ef657fe7 and
26489:83a3fa9c8434 (i.e. the code added by them needs adjustment in
order for the change here to be correct).

x86/EFI: simplify PCI option ROM retrieval

While putting together the kernel side of this I realized that c/s
26397:d9c7b82aa7b1 went a little too far in requiring a buffer for the
option ROM contents - all that is really needed is handing Dom0
physical address and size of the data block.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

nEPT: fix INVEPT instruction parameter

While emulating the INVEPT instruction in L0 VMM, the EPT pointer
should be fetched from the instruction decoding result, but not
the current loaded EPT pointer.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

nEPT: fix EPT pointer setting for L2 guest

Each time in virtual_vmentry(), the code needs to cover both EPT
and shadow mode for L2 guest, updating different EPT pointer to
shadow VMCS.

This fixes the issue that, launch a guest with EPT, then kill it
and launch a second guest with shadow, the second guest will hang
at the startup screen.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked by: Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86/nestedhvm: properly clean up after failure to set up all vCPU-s

This implies that the individual destroy functions will have to remain
capable of being called for a vCPU that the corresponding init function
was never run on.

Once at it, also clean up some inefficiencies in the corresponding
parameter validation code.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

VMX: disable SMEP feature when guest is in non-paging mode

SMEP is disabled if CPU is in non-paging mode in hardware.
However Xen always uses paging mode to emulate guest non-paging
mode with HAP. To emulate this behavior, SMEP needs to be manually
disabled when guest switches to non-paging mode.

We met an issue that, SMP Linux guest with recent kernel (enable
SMEP support, for example, 3.5.3) would crash with triple fault if
setting unrestricted_guest=0 in grub. This is because Xen uses an
identity mapping page table to emulate the non-paging mode, where
the page table is set with USER flag. If SMEP is still enabled in
this case, guest will meet unhandlable page fault and then crash.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Xiantao Zhang <xiantao.zhang@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

vmx: Simplify cr0 update handling by deferring cr4 changes to the cr4 handler.

Signed-off-by: Keir Fraser <keir@xen.org>

xen: Fix some over-long source lines.

Signed-off-by: Keir Fraser <keir@xen.org>

xen: Define debug_build() based on NDEBUG. Use it in a few printk's.

Signed-off-by: Keir Fraser <keir@xen.org>

xen: print "debug=y|n" during hypervisor startup

So that we can easily figure out whether or not we are running a
debug build of Xen (e.g., via `xl dmesg').

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

mini-os: build fixes for lwip 1.3.2

Various fixes to mini-os needed to build lwip 1.3.2:

- Don't build the tests.
- Add BSD-style endianness macros to endian.h.
- free() is called via a function pointer so it needs to be a real
function. Do the same for malloc() and realloc().

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Keir Fraser <keir@xen.org>

xen/arch/arm: add XSM hook to HVMOP_{get,set}_param

This hook is not x86-specific; move it out of CONFIG_X86.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xen: arm: implement domain_page_map_to_mfn

This was recently (re?)introduced on x86 in 26447:f831d8dcf18f and is
now used in generic code (specifically tmem in 26454:38847c15d8cd).

This fixes the build on ARM.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: revert to installing in /usr

26470:acaf29203cf9 missed a bunch of hardcoded paths, e.g. in the
initscripts. I think at this juncture it is appropriate to revert
this change and try again after some more testing.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

update SVM and IOMMU maintenance ownership

Remove myself from SVM and IOMMU maintainer list, as I don't work for
AMD anymore.

Signed-off-by: Wei Huang <huangwei@gmail.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

stubdom: Install xenstore stubdom in $(XENFIRMWAREDIR)

Removes hardcoded /usr prefix.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools: revert to using /var and /etc/

26470:acaf29203cf9 "tools+stubdom: install under /usr/local by
default" moved more stuff under /usr/local than was desirable.

In particular SYSCONFIG_DIR (configuration for initscripts) moved to
/usr/local/etc/{sysconfig,defaults} while the initscripts themselves
(correctly) remained in /etc/init.d. Moving /etc/xen/scripts breaks
the udev bakcned rules file. Lastly stuff under /var was moved to
/usr/local/var.

Move these back to /etc/ and /var. Moving /etc wholesale rather thsn
just the problematic bits is preferable for consistency.

Although there seems to be some disagreement about /usr/local/var vs
/var using /var is compatible with the FHS and what we think most
people will expect.

Most of this impacts Linux only but NetBSD appears to have been using
/usr/local/var/lib which I have also reset to /var/lib.

Note that we already paid no attention to autoconf --sysconfdir or
--localstatedir ('etc' and 'var' respectively) so there is no change
from that PoV.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

build: cleanup configure detritus at toplevel and stubdom

These files were left over after
$ git clean -f -dx
$ ./configure
$ make distclean
and picked up by a subsequent.
$ git clean -f -dx

Ensure that these files are also correctly ignored.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

nested vmx: enable VMCS shadowing feature

The current logic for handling the non-root VMREAD/VMWRITE is by
VM-Exit and emulate, which may bring certain overhead.

On new Intel platform, it introduces a new feature called VMCS
shadowing, where non-root VMREAD/VMWRITE will not trigger VM-Exit,
and the hardware will read/write the virtual VMCS instead.
This is proved to have performance improvement with the feature.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by: Jun Nakajima <jun.nakajima@intel.com>
Acked-by Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

nested vmx: optimize for bulk access of virtual VMCS

After we use the VMREAD/VMWRITE to build up the virtual VMCS, each
access to the virtual VMCS needs two VMPTRLD and one VMCLEAR to
switch the environment, which might be an overhead to performance.
This commit tries to handle multiple virtual VMCS access together
to improve the performance.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

nested vmx: use VMREAD/VMWRITE to construct vVMCS if enabled VMCS shadowing

Before the VMCS shadowing feature, we use memory operation to build up
the virtual VMCS. This does work since this virtual VMCS will never be
loaded into real hardware. However after we introduce the VMCS
shadowing feature, this VMCS will be loaded into hardware, which
requires all fields in the VMCS accessed by VMREAD/VMWRITE.

Besides, the virtual VMCS revision identifer should also meet the
hardware's requirement, instead of using a faked one.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

nested vmx: Use a list to store the launched vvmcs for L1 VMM

Originally we use a virtual VMCS field to store the launch state of
a certain vmcs. However if we introduce VMCS shadowing feature, this
virtual VMCS should also be able to load into real hardware,
and VMREAD/VMWRITE operate invalid fields.

The new approach is to store the launch state into a list for L1 VMM.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Acked-by Eddie Dong <eddie.dong@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

docs: add docs/configure missed in 26484:f57e1546fb08

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: check for documentation generation tools in docs/configure.

It is sometimes hard to discover all the optional tools that should be
on a system to build all available Xen documentation. By checking for
documentation generation tools at ./configure time and displaying a
warning, Xen packagers will more easily learn about new optional build
dependencies, like markdown, when they are introduced.

Based on a patch by Matt Wilson. Changed to use a separate
docs/configure which is called from the top-level in the same manner
as stubdoms.

Rerun autogen.sh and "git add docs/configure" after applying this patch.

Signed-off-by: Matt Wilson <msw@amazon.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Matt Wilson <msw@amazon.com>
(For the change to introduce docs/configure)
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: drop doxygen stuff

In the 300+ page PDF this produces I couldn't see anything which
wasn't the autogenerated doxygen boilerplate stuff.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs: Remove xen-api docs

This document is about an old unmaintained version of the XenAPI,
which bears little to no relation to what is implemented in xapi and
which is only partially implemented in xend (which is deprecated). The
doc hasn't seen much in the way of updates since 2009.

Anyone who is actually interested can continue to use the version
which was in 4.2.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: SWITCH_FOREACH_OPT handles special options directly.

This removes the need for the "case 0: case 2:" boilerplate in every
main_foo(). Calls exit(3) directly which is OK since xl cleans up the
context etc in an atexit(3) handler.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: Introduce helper macro for option parsing.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl: allow def_getopt to handle long options

Improves consistency of option parsing and error handling.

Consistently support --help for all options.

Many users of getopt_long were needlessly passing an option_index
pointer which was not used.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: libxl__prepare_ao_device should reset num_exec

num_exec was not cleared when calling libxl__prepare_ao_device.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/HVM: fixed _hvm_hw_fix_cpu()

Prevent the compiler from re-ordering the reads and writes.
Suggested by Jan Beulich.

Signed-off-by: Razvan Cojocaru <rzvncj@gmail.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

libxc: drop relics of running on non-PAE 32-bit hosts

Additionally drop unused (and dangerous) defines and typedefs, plus
a minor legibility improvement to setup_pgtables_x86_{32_pae,64}().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>

xen: arm: print arm32 not x86_64 in xen info.

Reported-by: Lars Rasmusson <Lars.Rasmusson@sics.se>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxc: match types of 'subject' and 'foreigndom' between struct xc_mmu and do_mmu_update

In do_mmu_update() (in the hypervisor) the parameter 'foreigndom' is
'unsigned int' and both its high (bits 31-16) and low (bits 15-0) are
parts utilised, as explained here:
http://xenbits.xen.org/docs/unstable/hypercall/include,public,xen.h.html#Func_HYPERVISOR_mmu_update

However, the actual parameter, i.e., the 'subject' field in
struct xc_mmu is declared as domid_t, which typedef-s to uint16_t.
This means we are never able to pass anything via the higher 16 bits
of 'foreigndom', which in turns may cause the hypercall to fail when
called on an actual foreign domain.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: Simplify the space of spaces supported by XENMEM_add_to_physmap(_range)

XENMAPSPACE_gmfn_foreign is not supported by XENMEM_add_to_physmap.

Although in theory XENMEM_add_to_physmap_range could support
XENMAPSPACE_gmfn_range this is no different to
XENMAPSPACE_gmfn in the context of the ranged hypercall so disallow it
to avoid any confusion.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: arm: do not panic when failing to translate a guest address

The gva_to_{par,ipa} functions currently panic if the guest address
cannot be translated. Often the input comes from the guest so
panicing the host is a bit harsh!

Change the API of those functions to allow them to return a failure
and plumb it through where it is used.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

vtpm/vtpmmgr: Use libpolarssl.a instead of hardcoding own list of .o files

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

tools+stubdom: install under /usr/local by default.

This is the defacto (or FHS mandated?) standard location for software
built from source, in order to avoid clashing with packaged software
which is installed under /usr/bin etc.

I think there is benefit in having Xen's install behave more like the
majority of other OSS software out there.

The major downside here is in the transition from 4.2 to 4.3 where
people who have built from source will innevitably discover breakage
because 4.3 no longer overwrites stuff in /usr like it used to so they
pickup old stale bits from /usr instead of new stuff from /usr/local.

Packages will use ./configure --prefix=/usr or whatever helper macro
their package manager gives them. I have confirmed that doing this
results in the same list of installed files as before this patch was
applied.

The hypervisor remains in /boot/ and there is no intention to move it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Matt Wilson <msw@amazon.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix stale timeout event callback race

Because there is not necessarily any lock held at the point the
application (eg, libvirt) calls libxl_osevent_occurred_timeout, in a
multithreaded program those calls may be arbitrarily delayed in
relation to other activities within the program.

Specifically this means when ->timeout_deregister returns, libxl does
not know whether it can safely dispose of the for_libxl value or
whether it needs to retain it in case of an in-progress call to
_occurred_timeout.

The interface could be fixed by requiring the application to make a
new call into libxl to say that the deregistration was complete.

However that new call would have to be threaded through the
application's event loop; this is complicated and some application
authors are likely not to implement it properly.  Furthermore the
easiest way to implement this facility in most event loops is to queue
up a time event for "now".

Shortcut all of this by having libxl always call timeout_modify
setting abs={0,0} (ie, ASAP) instead of timeout_deregister.  This will
cause the application to call _occurred_timeout.  When processing this
calldown we see that we were no longer actually interested and simply
throw it away.

Additionally, there is a race between _occurred_timeout and
->timeout_modify.  If libxl ever adjusts the deadline for a timeout
the application may already be in the process of calling _occurred, in
which case the situation with for_app's lifetime becomes very
complicated.  Therefore abolish libxl__ev_time_modify_{abs,rel} (which
have no callers) and promise to the application only ever to call
->timeout_modify with abs=={0,0}.  The application still needs to cope
with ->timeout_modify racing with its internal function which calls
_occurred_timeout.  Document this.

This is a forwards-compatible change for applications using the libxl
API, and will hopefully eliminate these races in callback-supplying
applications (such as libvirt) without the need for corresponding
changes to the application.  (It is possible that this might expose
bugs in applications, though, as previously libxl would never call
libxl_osevent_hooks->timeout_modify and now it never calls
->timeout_deregister).

For clarity, fold the body of time_register_finite into its one
remaining call site.  This makes the semantics of ev->infinite
slightly clearer.

Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Cc: Ian Campbell <Ian.Campbell@citrix.com>
Tested-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix stale fd event callback race

Because there is not necessarily any lock held at the point the
application (eg, libvirt) calls libxl_osevent_occurred_timeout and
..._fd, in a multithreaded program those calls may be arbitrarily
delayed in relation to other activities within the program.

libxl therefore needs to be prepared to receive very old event
callbacks. Arrange for this to be the case for fd callbacks.

This requires a new layer of indirection through a "hook nexus" struct
which can outlive the libxl__ev_foo. Allocation and deallocation of
these nexi is mostly handled in the OSEVENT macros which wrap up
the application's callbacks.

Document the problem and the solution in a comment in libxl_event.c
just before the definition of struct libxl__osevent_hook_nexus.

There is still a race relating to libxl__osevent_occurred_timeout;
this will be addressed in the following patch.

Reported-by: Bamvor Jian Zhang <bjzhang@suse.com>
Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Cc: Ian Campbell <Ian.Campbell@citrix.com>
Tested-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen: infrastructure to have cross-platform video drivers

- introduce a new HAS_VIDEO config variable;
- build xen/drivers/video/font* if HAS_VIDEO;
- rename vga_puts to video_puts;
- rename vga_init to video_init;
- rename vga_endboot to video_endboot.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: introduce early_ioremap

Introduce a function to map a range of physical memory into Xen virtual
memory.
It doesn't need domheap to be setup.
It is going to be used to map the videoram.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: flush the entire dest_va 2MB mapping

At the beginning of setup_pagetables we modify a 2MB mapping but we only
flush the first 4KB of it.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: introduce flush_xen_data_tlb_range_va

Add flush_xen_data_tlb_range_va, that flushes a range of virtual addresses.
Replace all the calls to flush_xen_data_tlb_va with calls to
flush_xen_data_tlb_range_va and remove flush_xen_data_tlb_va.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/arm: add missing FIRST, SECOND and THIRD MASK and SIZE definitions

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/mm: remove two files left over from the previous vram patches.

I seem to have missed these when reverting 26399:b0e618cb0233.

Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/HVM: generalize IRQ raising on RTC_REG_B writes

Raise the RTC IRQ not only when UIE gets set while UF was already set,
but generalize this to cover AIE and PIE as well.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HVM: use cached original value in RTC_REG_B writing code

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HVM: fix RTC hour conversions

Properly mask off bit 7 when retrieving the hour values in
alarm_timer_update(), and properly use RTC_HOURS_ALARM's bit 7 when
converting from 12- to 24-hour value.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HVM: adjust rtc_timer_update()

Don't look at RTC_PIE in rtc_timer_update(), and hence don't call the
function on REG_B writes at all.

Also handle the two other possible clock bases.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HVM: consolidate toggling of RTC IRQ

Note that in the RTC_UIE/RTC_UF case, this also fixes the lack of
setting RTC_IRQF.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/HVM: use RTC_* names instead of literal numbers

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: support up to 16Tb

This mainly involves adjusting the number of L4 entries needing copying
between page tables (which is now different between PV and HVM/idle
domains), and changing the cutoff point and method when more than the
supported amount of memory is found in a system.

Since TMEM doesn't currently cope with the full 1:1 map not always
being visible, it gets forcefully disabled in that case.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>

tmem: partial adjustments for x86 16Tb support

Despite the changes below, tmem still has code assuming to be able to
directly access all memory, or mapping arbitrary amounts of not
directly accessible memory. I cannot see how to fix this without
converting _all_ its domheap allocations to xenheap ones. And even then
I wouldn't be certain about there not being other cases where the "all
memory is always mapped" assumption would be broken. Therefore, tmem
gets disabled by the next patch for the time being if the full 1:1
mapping isn't always visible.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: properly use map_domain_page() in miscellaneous places

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: properly use map_domain_page() in nested HVM code

This eliminates a couple of incorrect/inconsistent uses of
map_domain_page() from VT-x code.

Note that this does _not_ add error handling where none was present
before, even though I think NULL returns from any of the mapping
operations touched here need to properly be handled. I just don't know
this code well enough to figure out what the right action in each case
would be.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: properly use map_domain_page() during page table manipulation

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: properly use map_domain_page() during domain creation/destruction

This involves no longer storing virtual addresses of the per-domain
mapping L2 and L3 page tables.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: consolidate initialization of PV guest L4 page tables

So far this has been repeated in 3 places, requiring to remember to
update all of them if a change is being made.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

x86: properly use map_domain_page() when building Dom0

This requires a minor hack to allow the correct page tables to be used
while running on Dom0's page tables (as they can't be determined from
"current" at that time).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: re-introduce map_domain_page() et al

This is being done mostly in the form previously used on x86-32,
utilizing the second L3 page table slot within the per-domain mapping
area for those mappings. It remains to be determined whether that
concept is really suitable, or whether instead re-implementing at least
the non-global variant from scratch would be better.

Also add the helpers {clear,copy}_domain_page() as well as initial uses
of them.

One question is whether, to exercise the non-trivial code paths, we
shouldn't make the trivial shortcuts conditional upon NDEBUG being
defined. See the debugging patch at the end of the series.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: extend frame table virtual space

... to allow frames for up to 16Tb.

At the same time, add the super page frame table coordinates to the
comment describing the address space layout.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86: introduce virt_to_xen_l1e()

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>