dgit.raspbian.org Git

arm: map GICV in all domains, not just dom0.

This requires that we allocate all p2m pages from domheap without a particular
dom because max pages is not setup yet so there is no allocation available to
us.

At some point we should create a separate p2m allocation (similar to x86's shadow allocation) and use that.

Also we seem to have been calling p2m_alloc_table twice for dom0.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: make vgic lock safe for use in interrupt context.

In particular vgic_vcpu_inject_irq can be called in both interrupt and regular
context.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <Stefano.Stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: split pending SPIs (global) out from pending PPIs and SGIs (per CPU)

This tracks SPIs in struct arch_domain and PPIs+SGIs in struct arch_vcpu which
seems more logical.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: use correct attributes for mappings in copy_from_paddr()

The DTB is in RAM (hence bufferable), kernel is in flash and therefor requires
a device type mapping (hence dev shared).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: implement vcpu_show_execution_state

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: implement vpl011 (UART) emulator.

This is not interended to provide a full emulation, but rather just enough to
satisfy the use made by Linux' boot time decompressor code (which is too early
for DT etc)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: allow p2m to be created with specific MATTR.

Rename p2m_create_entry to p2m_create_table since it can now only be used to
insert non-leaf entries into the page table.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/hvm: fix BUFIOREQ evtchn init for a stubdom

This is a missing part from the previous patch that add the BUFIOREQ_EVTCHN
parameter. This patch changes the ownership of the buifioreq event channel to
the stubdom (when HVM_PARAM_DM_DOMAIN is set within the stubdom).

This patch introduces an helper to replace a xen port.

This fix the initialization of QEMU inside the stubdomain.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Add error handling to first invocation of hvm_replace_event_channel().
Adjust type of hvm_replace_event_channel()'s second parameter.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

xl: ensure handle_domain & preserve_domain update the global domid not a shadow

xl keeps the current domid in a global variable, however it also has various
functions (including the two above) which take a domid parameter which shadows
this.

This fixes the issue introduced by 25563:dbf54d93ac40 "xl: initialise domid to
an explicitly invalid value" but does not tackle the wider problem.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

QEMU_TAG update

xl: Clarify 'xend is running' error message

* Give reason for check (unpredictable results)
* Give a better recommendation (shut down xend)
* Make it clear that -f is overriding a safety check.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: refactor stdvga opinon support.

Be ready to add and describe new vga interface

Signed-off-by: Zhou Peng <ailvpeng25@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

QEMU_TAG update

MAINTAINTERS: update xen-devel email address

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: initialise domid to an explicitly invalid value

also ensure it is invalid whenever we destroy the domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

libxl: log on failure in cpupool_info and libxl__domain_cpupool

Also in cpupool_info propagate the failure value from
libxl_cpumap_alloc.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

libxl: correct type of cpupool variable.

libxl__domain_cpupool returns int and can return ERROR_* so we need to
use a signed type.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

libxl: initialise cpupoolinfo in libxl__domain_scheduler

If libxl_cpupool_info fails then we would call
libxl_cpupoolinfo_dispose on an uninitialised struct, and possibly
free an invalid pointer.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

xl: rename "list-vm" command to "vm-list"

All of the other "list" verbs are of the form "$noun-list". For
example: "pci-list", "vcpu-list", "network-list", "block-list", etc.

Additionally, many people have well trained muscle memory from years
of typing "xm li". "xl li" was ambiguous due to "xl list-vm", thus
resulting in "command not implemented".

Finally, this command was missing from the xl man page.

Signed-off-by: Matt Wilson <msw@amazon.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

docs: various typos

Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>

autoconf: correctly parse *_INCLUDES and *_LIB env vars

Parse those options correctly, since the "+=" operator is not valid.
Also added CPPFLAGS, so headers checks don't give strange results.

Please rerun configure after applying.

Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Cc: Christoph Egger <Christoph.Egger@amd.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: make libxl-save-helper depend on the autogenerated code targets

Fixes this build failure:
In file included from libxl_save_helper.c:44:
libxl.h:346:26: error: _libxl_types.h: No such file or directory

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: libxl__xs_transaction_commit should always clear the transaction.

This includes the EAGAIN case.

Users are of the form:

   xs_transaction_t t = 0;

   for (;;) {
        rc = libxl__xs_transaction_start(gc, &t);

rc = stuff
if (rc) goto out;
...more...

        rc = libxl__xs_transaction_commit(gc, &t);
        if (!rc) break;
        if (rc<0) goto out;
    }
  ...
out:

So in EAGAIN (commit -> +1) we will go round the loop again and call start
which leads to:
    xl: libxl_xshelp.c:174: libxl__xs_transaction_start: Assertion `!*t' failed.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: further fixups re LIBXL_DOMAIN_TYPE

* Abolish the macro LIBXL__DOMAIN_IS_TYPE which had incorrect error
  handling.  At every call site, replace it with an open-coded call to
  libxl_domain_type and check against LIBXL_DOMAIN_TYPE_INVALID.

* This involves adding an `out:' to libxl_domain_unpause.

* In libxl_domain_destroy and do_pci_add, do not `default: abort();'
  if the domain type cannot be found.  Instead switch on
  LIBXL_DOMAIN_TYPE_INVALID specifically and do some actual error
  handling.

* In libxl__primary_console_find, remove a spurious default clause
  from the domain type switch.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: do not leak an event struct on ignored ao progress

On entry to libxl__ao_progress_report, the caller has allocated an
event. If the progress report is to be ignored, we need to free it.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: do not leak spawned middle children

libxl__spawn_spawn would, when libxl__spawn_detach was called, make
the spawn become idle immediately.  However it still has a child
process which needs to be waited for: the `detachable' spawned
child.

This is wrong because the ultimate in-libxl caller may return to the
application, with a child process still forked but not reaped libxl
contrary to the documented behaviour of libxl.

Instead, replace libxl__spawn_detach with libxl__spawn_initiate_detach
which is asynchronous.  The detachable spawned children are abolished;
instead, we defer calling back to the in-libxl user until the middle
child has been reaped.

Also, remove erroneous comment suggesting that `death' callback
parameter to libxl__ev_child_fork may be NULL.  It may not, and there
are no callers which pass NULL.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: do not leak dms->saved_state

This was allocated using asprintf but never freed. Use GCSPRINTF.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

xl: Handle return value from libxl_domain_suspend correctly

libxl_domain_suspend returns a libxl error code. So it must be
wrapped with MUST and not CHK_ERRNO.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Get compiler to warn about gc_opt==NULL

Since it used to be legal to pass gc_opt==NULL, and there are various
patches floating about and under development which do so, add a
compiler annotation which makes the build fail when that is done.

This turns a runtime crash into a build failure, and should ensure
that we don't accidentally commit a broken combination of patches.

This is something of an annoying approach because it adds a macro
invocation to the RHS of every declaration of a function taking a
gc_opt. So it should be reverted after Xen 4.2rc1.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Do not pass NULL as gc_opt; introduce NOGC

In 25182:6c3345d7e9d9 the practice of passing NULL to gc-using memory
allocation functions was introduced.  However, the arrangements there
were not correct as committed, because the error handling and logging
depends on getting a ctx from the gc - so an allocation error would in
fact result in libxl dereferencing NULL.

Instead, provide a special dummy gc in the ctx, called `nogc_gc'.  It
is marked out specially by having alloc_maxsize==-1, which is
otherwise invalid.

Functions which need to actually look into the gc use the new test
function gc_is_real (whose purpose is mainly clarity of the code) to
check whether the gc is the dummy one, and do nothing if it is.  And
we provide a helper macro NOGC which uses the in-scope real gc to find
the ctx and hence the dummy gc (and which replaces the previous
#define NOGC NULL).

Change all callers which pass 0 or NULL to an allocation function to
use NOGC or &ctx->nogc_gc, as applicable in the context.

We add a comment near the definition of LIBXL_INIT_GC pointing out
that it isn't any more the only place a libxl__gc struct is
initialised, for the benefit of anyone changing the contents of gc's
in the future.

Also, actually document that libxl__ptr_add is legal with ptr==NULL,
and change a couple of calls not to check for NULL argument.

Reported-by: Bamvor Jian Zhang <bjzhang@suse.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Add a gc to libxl_cpumap_alloc, ..._to_hex_string

In the next patch we are going to change the definition of NOGC to
require a local variable libxl__gc *gc. And this means that passing 0
to libxl__calloc is going to be wrong.

libxl_cpumap_alloc doesn't have a gc but passes 0 to libxl_calloc
Fix this by:
- introducing an `out' label and an rc variable
- replacing the returns with rc = ERROR_BLAH; goto out;
- adding uses of GC_INIT and GC_FREE.
- changing NULL to NOGC in the call to libxl__calloc

Likewise fix libxl_cpumap_to_hex_string by:
- adding a libxl_ctx* parameter and updating the one call site
- adding uses of GC_INIT and GC_FREE.
- changing NULL to NOGC in the call to libxl__zalloc

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Dario Faggioli <raistlin@linux.it>
Acked-by: Roger Pau Monne <roger.pau@entel.upc.edu>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Add a gc to libxl_get_cpu_topology

In the next-but-one patch we are going to change the definition of
NOGC to require a local variable libxl__gc *gc.

libxl_get_cpu_topology doesn't have one but does use NOGC.
Fix this by:
- introducing an `out' label
- replacing the only call to `return' with a suitable assignment
to ret and a `goto out'.
- adding uses of GC_INIT and GC_FREE.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Make libxl__domain_save_device_model asynchronous

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: prepare for asynchronous writing of qemu save file

* Combine the various calls to libxl__device_model_savefile into one
  at the start of libxl__domain_suspend, storing the result in the
  dss.  Consequently a few functions take a dss instead of some or all
  of their other arguments.

* Make libxl__domain_save_device_model's API into an asynchronous
  style which takes a callback.  The function is, however, still
  synchronous; it will be made actually async in the next patch.

* Consequently make libxl__remus_domain_checkpoint_callback into an
  asynchronous callback.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: datacopier: provide "prefix data" facility

This will be used to write the qemu data banner to the save/migration
stream.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: wait for qemu to acknowledge logdirty command

The current migration code in libxl instructs qemu to start or stop
logdirty, but it does not wait for an acknowledgement from qemu before
continuing.  This might lead to memory corruption (!)

Fix this by waiting for qemu to acknowledge the command.

Unfortunately the necessary ao arrangements for waiting for this
command are unique because qemu has a special protocol for this
particular operation.

Also, this change means that the switch_qemu_logdirty callback
implementation in libxl can no longer synchronously produce its return
value, as it now needs to wait for xenstore.  So we tell the
marshalling code generator that it is a message which does not need a
reply.  This turns the callback function called by the marshaller into
one which returns void; the callback function arranges to later
explicitly sends the reply to the helper, when the xs watch triggers
and the appropriate value is read from xenstore.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: provide libxl__xs_*_checked and libxl__xs_transaction_*

These useful utility functions make dealing with xenstore a little
less painful.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: rename libxl_dom:save_helper to physmap_path

"save_helper" isn't very descriptive. Also it is now confusing
because it reads like it might refer to the libxl-save-helper
executable which runs xc_domain_save and xc_domain_restore.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: domain save/restore: run in a separate process

libxenctrl expects to be able to simply run the save or restore
operation synchronously.  This won't work well in a process which is
trying to handle multiple domains.

The options are:

- Block such a whole process (eg, the whole of libvirt) while
   migration completes (or until it fails).

- Create a thread to run xc_domain_save and xc_domain_restore on.
   This is quite unpalatable.  Multithreaded programming is error
   prone enough without generating threads in libraries, particularly
   if the thread does some very complex operation.

- Fork and run the operation in the child without execing.  This is
   no good because we would need to negotiate with the caller about
   fds we would inherit (and we might be a very large process).

- Fork and exec a helper.

Of these options the latter is the most palatable.

Consequently:

* A new helper program libxl-save-helper (which does both save and
   restore).  It will be installed in /usr/lib/xen/bin.  It does not
   link against libxl, only libxc, and its error handling does not
   need to be very advanced.  It does contain a plumbing through of
   the logging interface into the callback stream.

* A small ad-hoc protocol between the helper and libxl which allows
   log messages and the libxc callbacks to be passed up and down.
   Protocol doc comment is in libxl_save_helper.c.

* To avoid a lot of tedium the marshalling boilerplate (stubs for the
   helper and the callback decoder for libxl) is generated with a
   small perl script.

* Implement new functionality to spawn the helper, monitor its
   output, provide responses, and check on its exit status.

* The functions libxl__xc_domain_restore_done and
   libxl__xc_domain_save_done now turn out to want be called in the
   same place.  So make their state argument a void* so that the two
   functions are type compatible.

The domain save path still writes the qemu savefile synchronously.
This will need to be fixed in a subsequent patch.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: domain save: API changes for asynchrony

Change the internal and external APIs for domain save (suspend) to be
capable of asynchronous operation.  The implementation remains
synchronous.  The interfaces surrounding device model saving are still
synchronous.

Public API changes:

* libxl_domain_save takes an ao_how.

* libxl_domain_remus_start takes an ao_how.  If the
   libxl_domain_remus_info is NULL, we abort rather than returning an
   error.

* The `suspend_callback' function passed to libxl_domain_save is
   never called by the existing implementation in libxl.  Abolish it.

* libxl_domain_save takes its flags parameter as an argument.
   Thus libxl_domain_suspend_info is abolished.

* XL_SUSPEND_* flags renamed to LIBXL_SAVE_*.

* Callers in xl updated.

Internal code restructuring:

* libxl__domain_suspend_state member types and names rationalised.

* libxl__domain_suspend renamed from libxl__domain_suspend_common.
   (_common here actually meant "internal function").

* libxl__domain_suspend takes a libxl__domain_suspend_state, which
   where the parameters to the operation are filled in by the caller.

* xc_domain_save is now called via libxl__xc_domain_save which can
   itself become asynchronous.

* Consequently, libxl__domain_suspend is split into two functions at
   the callback boundary; the second half is
   libxl__xc_domain_save_done.

* libxl__domain_save_device_model is now called by the actual
   implementation rather than by the public wrapper.  It is already in
   its proper place in the domain save execution sequence.  So
   officially make it part of that execution sequence, renaming it to
   domain_save_device_model.

* Effectively, rewrite the public wrapper functions
   libxl_domain_suspend and libxl_domain_remus_start.

* Remove a needless #include <xenctrl.h>

* libxl__domain_suspend aborts on unexpected domain types rather
   than mysteriously returning EINVAL.

* struct save_callbacks moved from the stack to the dss.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: domain restore: reshuffle, preparing for ao

We are going to arrange that libxl, instead of calling
xc_domain_restore, calls a stub function which forks and execs a
helper program, so that restore can be asynchronous rather than
blocking the whole toolstack.

This stub function will be called libxl__xc_domain_restore.

However, its prospective call site is unsuitable for a function which
needs to make a callback, and is buried in two nested single-call-site
functions which are logically part of the domain creation procedure.

So we first abolish those single-call-site functions, integrate their
contents into domain creation in their proper temporal order, and
break out libxl__xc_domain_restore ready for its reimplementation.

No functional change - just the following reorganisation:

* Abolish libxl__domain_restore_common, as it had only one caller.
  Move its contents into (what was) domain_restore.

* There is a new stage function domcreate_rebuild_done containing what
  used to be the bulk of domcreate_bootloader_done, since
  domcreate_bootloader_done now simply starts the restore (or does the
  rebuild) and arranges to call the next stage.

* Move the contents of domain_restore into its correct place in the
  domain creation sequence.  We put it inside
  domcreate_bootloader_done, which now either calls
  libxl__xc_domain_restore which will call the new function
  domcreate_rebuild_done, or calls domcreate_rebuild_done directly.

* Various general-purpose local variables (`i' etc.) and convenience
  alias variables need to be shuffled about accordingly.

* Consequently libxl__toolstack_restore needs to gain external linkage
  as it is now in a different file to its user.

* Move the xc_domain_save callbacks struct from the stack into
  libxl__domain_create_state.

In general the moved code remains almost identical.  Two returns in
what used to be libxl__domain_restore_common have been changed to set
the return value and "goto out", and the call sites for the abolished
and new functions have been adjusted.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: domain save: rename variables etc.

Preparatory work for making domain suspend asynchronous:

* Rename `struct suspendinfo' to `libxl__domain_suspend_state'
  and move it to libxl_internal.h.

* Rename variables `si' to `dss'.

* Change the stack-allocated state and callbacks from
    struct suspendinfo si;
    struct save_callbacks callbacks;
    struct restore_callbacks callbacks;
  to
    libxl__domain_suspend_state dss[1];
    struct save_callbacks callbacks[1];
    struct restore_callbacks callbacks[1];
  so that it may be referred to as a pointer variable everywhere.

* Rename the variable `flags' (in libxl__domain_suspend_state) to
  `xcflags', to help distinguish it from the other `flags' which is
  passed in from the calling application in libxl_domain_suspend_info.
  Abolish the local variable in libxl__domain_suspend_common, as it
  can use the one in the dss.

* Move the prototypes of suspend-related functions in libxl_internal.h
  to after the definition of the state struct.

* Replace several ctx variables with gc variables and
  consequently references to ctx with CTX.  Change references
  to `dss->gc' in the functional code to simply `gc'.

* Use LOG* rather than LIBXL__LOG* in a number of places.

* In libxl__domain_save_device_model use `rc' instead of `ret'.

* Introduce and use `gc' and `domid' in
  libxl__domain_suspend_common_callback.

* Wrap some long lines.

* Add an extra pair of parens for clarity in a flag test.

* Remove two pointless casts from void* to a struct*.

No functional change whatsoever.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxc: Do not segfault if (e.g.) switch_qemu_logdirty fails

In xc_domain_save the local variable `ob' is initialised to NULL.
There are then various startup actions.  Some of these `goto out' on
failure; for example the call to callbacks->switch_qemu_logdirty on
l.978.  However, out is used both by success and error paths.  So it
attempts (l.2043) to flush the current output buffer.  If ob has not
yet been assigned a non-NULL value, this segfaults.  So make the call
to outbuf_flush conditional on ob.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxc: xc_domain_restore, make toolstack_restore const-correct

Update the one provider of this callback, in libxl.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: allow setting more than 31 vcpus

In current implementation, it uses integer to record current avail
cpus and this only allows user to specify 31 vcpus. In following
patch, it uses cpumap instead integer which make more sense than
before. Also there is no limit to the max vcpus.

Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: allow to allocate cpumap with specific size

Currently, libxl_cpumap_alloc()allocate the cpumap with size of number
of physical cpus. In some place, we may want to allocate specific size
of cpumap. This patch allow to pass a argument to specific the size
that you want to allocate. If pass 0, it means the size is equal to
number of physical cpus.

Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen,pod: Only sweep in an emergency, and only for 4k pages

Testing has shown that doing sweeps for superpages slows down boot
significantly, but does not result in a significantly higher number of
superpages after boot. Early sweeping for 4k pages causes superpages
to be broken up unnecessarily.

Only sweep if we're really out of memory.

v2:
- Move unrelated code-motion hunk to another patch
v3:
- Remove now-unused reclaim_super from pod struct

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

xen,pod: Zero-check recently populated pages (checklast)

When demand-populating pages due to guest accesses, check recently populated
pages to see if we can reclaim them for the cache.  This should keep the PoD
cache filled when the start-of-day scrubber is going through.

The number 128 was chosen by experiment.  Windows does its page
scrubbing in parallel; while a small nubmer like 4 works well for
single VMs, it breaks down as multiple vcpus are scrubbing different
pages in parallel.  Increasing to 128 works well for higher numbers of
vcpus.

v2:
- Wrapped some long lines
- unsigned int for index, unsigned long for array
v3:
- Use PAGE_ORDER_2M instead of 9
- Removed inappropriate use of p2m_pod_zero_check_superpage() return value

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

xen,pod: Try to reclaim superpages when ballooning down

Windows balloon drivers can typically only get 4k pages from the kernel,
and so hand them back at that level.  Try to regain superpages by checking
the superpage frame that the 4k page is in to see if we can reclaim the whole
thing for the PoD cache.

This also modifies p2m_pod_zero_check_superpage() to return SUPERPAGE_PAGES on
success.

v2:
- Rewritten to simply to the check as in demand-fault case, without needing
   to know that the p2m entry is a superpage.
- Also, took out the re-writing of the reclaim loop, leaving it optimized for
   4k pages (by far the most common case), and simplifying the patch.
v3:
- Add SoB

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

docs: Use lists.xen.org not lists.xensource.com

[ Also s/greatful/grateful/, twice -iwj ]

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

hgignore/gitignore: add xen/arch/x86/boot/reloc.bin, .lnk

25479:61dfb3da56b0 added a .PRECIOUS which causes these files to be
left over more often. They should have been ignored already, though.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

QEMU_TAG update

libxl: disable msitranslate by default

msitranslate is known to cause problems with some device drivers,
because it sets the real device in MSI mode while making the guest think
is actually in legacy interrupts mode. Some drivers are able to spot this
inconsistency and break (Nvidia drivers for example).

Disable msitranslate by default.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: do not ignore the per-device msitranslate and power_mgmt opts

Do not ignore the per-device msitranslate and power_mgmt options: they
need to be appended to the bdf.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: document the memory ownership of some functions

Specifying they allocate dynamic memory that needs to be explicitly freed.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

arm: fix build after c/s 25477:e12e0b038219

Only x86 currently has a struct vcpu field arch.gdbsx_vcpu_event. But
as the whole function domain_pause_for_debugger() is pointless to be
compiled when there's no arch support, simply introduce another HAS_*
macro, enabled only on x86.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

xen,pod: Cosmetic code motion

No point in doing the assignment if we're just going to crash anyway.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>

x86/mm: Clean up unshare path for foreign mappings

In its current shape, if Xen unshares a foreign gfn successfully while building
a foreign writable map, it is left with a reference to the old shared page in
the "target" var.

Instead, push unsharing request down on the initial get_page_from_gfn call,
which will DTRT.

This allows for greatly simplifying the unshare related condition handling,
removing ugly comments and s86_64 ifdef-ery.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/hvm: increase struct hvm_vcpu_io's mmio_large_read[]

Since the emulator now supports a few 256-bit memory operations, this
array needs to follow (and the comments should, too).

To limit growth, re-order the mmio_large_write_* fields so that the
two mmio_large_*_bytes fields end up adjacent to each other.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

docs/xen-headers: allow headers to be symlinks

There's no apparent reason not to permit this, and since we don't
support out-of-source-tree builds, the least overhead way of doing
multiple, differently configured (perhaps different architecture)
builds from a single source tree is to create symlinked build trees.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxl: fix a typo in the GCREALLOC_ARRAY macro

Causing a build failure when trying to use it:

xxx: error: expected ';' before ')' token
xxx: error: expected statement before ')' token

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: fix locking in create_p2m_entries

For some reason we were holding the lock over only the unmaps at the end of
the function, rather than for the whole walk.

We might want to be more clever in the future, but for now lets just lock for
the whole walk+create process.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: map fixmaps non-executable.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: dump guest s1 walk on data abort which is not a stage 2 issue.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: dump a page table walk when va_to_par fails.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: context switch a bunch of guest state.

I haven't investigated what if any of this could be done lazily.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: Add simple cpu_{sibling, core}_mask

This needs to be done for all cpus. The allocations require smp_prepare_cpus
to be called a bit later on.

In a previous version of this patch these maps were being zeroed (instead of
setting the CPU itself in them). This in turn causes cpumask_first to return
NR_CPUS, which in turn was causing default_vcpu0_location to misbehave and
read off the end of its cnt array.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: do not set max_vcpus = 8 in arch_domain_create.

XEN_DOMCTL_max_vcpus cannot reduce max_vcpus and therefore we can't create a
smaller guest.

The limit of 8 (due to GIC limits) should be expressed in MAX_VIRT_CPUS.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: implement stub version of flush_tlb_mask.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: stub out sync_vcpu_execstate

We don't do lazy exec state switching so there isn't actually anything to do.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: remove hard tabs from init_idle_domain

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: implement p2m lookup

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: remove unnecessarily verbose print from p2m_load_VTTBR

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: print domid as part of debug trap

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: allocate and setup a guest vcpu.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: hook up domctl and memory_op

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: enable interrupts while handling traps

For most traps we can do this as soon as we have saved the necessary state.
For IRQs and FIQs we must wait until we have acked the interrupt with the GIC.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: restore stack on return from trap.

We align the stack before calling into C code but we weren't undoing this on
return.

Collapse continue_(non)idle_domain into continue_new_vcpu.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: correct and expand TLB flush CP15 registers

Correct spelling of TLBIALLHIS and correct definition of TLBIALLNSNHIS.

Add a few more.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: handy function to print a walk of a page table

Include helpers for dumping hypervisor walks and guest p2m walks.

Useful for debug but not actually used in this patch.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: allocate top level p2m page for all non-idle domains

Not just dom0.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: fix build with gcc 4.7.x

As was already pointed out months ago (see
http://lists.xen.org/archives/html/xen-devel/2012-02/msg00826.html),
gcc 4.7.x (imo validly) refuses to take both -mcpu=cortex-a15 and
-march=armv7-a due to conflicting feature sets causing amibiguity in
instruction selection. Since the former implies the latter, just use
the former (and drop the -march=).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Fix check if guest enabled nested paging.

Fixes crashes with Windows guests when shadow-on-nested is used.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Acked-by: Tim Deegan <tim@xen.org>

libxl: fix validation of scheduling parameters for sedf

2205914617cb does its job in correcting the "wrong domain being
considered" issue introduced by 9d1fd58ff602. Unfortunately, when
dealing (again!) with the sedf scheduler, it is required for the
vCPUs of a domain to have been allocated and setup already (in
the hypervisor), when the first call to libxl_domain_sched_params_get()
happens, and that is not true.

This fixes that by avoiding calling that function at all, as we
only need to know which scheduler the domain is running under,
and that is provided by libxl__domain_scheduler() which is safe
to be called there.

While at it, also improve a bit the comments about the whole
sedf parameter validation and mangling process.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86/PCI: pass correct register value to XSM

When attempting to use AMD's extension to access the extended PCI config
space, only the low byte of the register number was being passed to XSM.
Include the correct value of the register if this feature is enabled;
otherwise, bits 24-30 of port cf8 are reserved, so disallow the invalid
access.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Don't fail the permission check except when the MSR can't be read.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

AMD IOMMU: add mechanism to protect their PCI devices' config spaces

Recent Dom0 kernels want to disable PCI MSI on all devices, yet doing
so on AMD IOMMUs (which get represented by a PCI device) disables part
of the functionality set up by the hypervisor.

Add a mechanism to mark certain PCI devices as having write protected
config spaces (both through port based [method 1] accesses and, for
x86-64, mmconfig), and use that for AMD's IOMMUs.

Note that due to ptwr_do_page_fault() being run first, there'll be a
MEM_LOG() issued for each such mmconfig based write attempt. If that's
undesirable, the order of the calls in fixup_page_fault() would need
to be swapped.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Wei Wang <wei.wang2@amd.com>
Acked-by: Keir Fraser <keir@xen.org>

libxl: validate scheduler parameters

This was previously done by xl itself however the domain was not
created at that point so there was no domid to check. This happened to
work on first boot because xl's global domid was initialised to zero
so we would (incorrectly) validate the new domain to be against
domain0. On reboot though we would try to use the old domain's id and
fail.

sched_params_valid is moved and gains a gc+domid parameters and
s/ctx/CTX/. The call is placed after
libxl__domain_build_info_setdefault in the create path, because
set_defaults doesn't have access to the domid and there are other
callers which don't even have a domid to give it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

x86-64: revert mmconfig part of c/s 24425:053a44894279

These additions did not fulfill their purpose - they checked hypervisor
config space accesses instead of guest (Dom0) ones.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86/PCI: fix guest_io_read() when pci_cfg_ok() denies access

For a multi-byte aligned read, this so far resulted in 0x00ff to be
put in the guest's register rather than 0xffff or 0xffffffff, which in
turn could confuse bus scanning functions (which, when reading vendor
and/or device IDs, expect to get back all zeroes or all ones).

As the value gets masked to the read width when merging back into the
full result, setting the initial value to all ones should not harm any
or the other cases.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

xl: fix sedf parameters checking

25468:9d1fd58ff602 was bogus in not letting a new domain being created
if its scheduling parameters --when running under the sedf scheduler--
were not fully specified, making creation fail like in this example
here below:

2012-06-16 07:37:47 Z executing ssh ... root@10.80.248.105 xl create /etc/xen/debian.guest.osstest.cfg
libxl: error: libxl.c:3619:sched_sedf_domain_set: setting domain sched sedf: Invalid argument
libxl: error: libxl_create.c:710:domcreate_bootloader_done: cannot (re-)build domain: -3
Parsing config from /etc/xen/debian.guest.osstest.cfg

This is due to the fact the values for period, slice, weight and
extratime should be consistent among each others, and if not all
are explicitly specified, someone has to make that happen. That
was right the purpose of the change in question, but it was failing
at achieving so.

This commit fixes things by forcing unspecified parameters to
sensible values, depending on the ones the user provided.

Signed-off-by: Dario Faggioli <dario.faggioli@citix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/mm: fix mod_l1_entry() return value when encountering r/o MMIO page

While putting together the workaround announced in
http://lists.xen.org/archives/html/xen-devel/2012-06/msg00709.html, I
found that mod_l1_entry(), upon encountering a set bit in
mmio_ro_ranges, would return 1 instead of 0 (the removal of the write
permission is supposed to be entirely transparent to the caller, even
more so to the calling guest).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86-64/EFI: document building and usage

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86-64: don't allow non-canonical addresses to be set for any callback

Rather than deferring the detection of these to the point where they
get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP
to be raised by IRET, which invokes the guest's [fragile] fail-safe
callback), don't even allow such to be set.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

x86, cpufreq: Change powernow's CPB status immediately

When command to modify turbo mode (CPB on AMD processors) comes
in the actual change happens later, when P-state transition is
requested. There is no time limit on when this transition will
occur and therefore change in CPB state may take long time from
the moment when command to toggle it is issued.

This patch makes CPB mode change happen immediately when request
is made.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Committed-by: Keir Fraser <keir@xen.org>

libxl: propagate down the error from libxl_domain_sched_params_set

So that the caller (e.g., libxl__build_post() ) knows and can deal with it.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

SVM: fix performance decrease with asid assignment

Do not clear asid cleanbit unconditionally. This shaves off 100 cycles
from the VMRUN instruction.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

x86-64: detect processors subject to AMD erratum #121 and refuse to boot

Processors with this erratum are subject to a DoS attack by unprivileged
guest users.

This is XSA-9 / CVE-2012-2934.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86_64: Do not execute sysret with a non-canonical return address

Check for non-canonical guest RIP before attempting to execute sysret.
If sysret is executed with a non-canonical value in RCX, Intel CPUs
take the fault in ring0, but we will necessarily already have switched
to the the user's stack pointer.

This is a security vulnerability, XSA-7 / CVE-2012-0217.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Tested-by: Ian Campbell <Ian.Campbell@citrix.com>
Acked-by: Keir Fraser <keir.xen@gmail.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86: get rid of BOOT_TRAMPOLINE

We recently saw a machine that has the EBDA extending as low as
0x7c000, so that Xen fails to boot after relocating the trampoline.
To fix this, I removed BOOT_TRAMPOLINE and bootsym_phys completely.

Here are the parts:

1) the trampoline segment is set to 64k below the EBDA.  head.S grows
the ability to relocate the trampoline segment

2) reloc.c is made position-independent.  It allocates data below the
trampoline, whose address is passed in _eax.

3) cmdline.S is called before relocating, so all bootsym_phys there
become sym_phys.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
jb: - fall back to low memory size (instead of segment 0x7c00) if EBDA
      value is out of range
    - also add upper limit check on EBDA value
    - fix and simplify inline assembly operands in reloc_mbi_struct()
    - use lret instead of retf
    - renamed early_stack to wakeup_stack, defined and used now only
      in wakeup.S
    - aligned reloc.bin's end of .text to 16 bytes, so that checking
      __bss_start == end works reliably

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Keir Fraser <keir@xen.org>

x86/nmi: Fix deadlock in unknown_nmi_error()

Additionally, correct the text description to reflect what is being
done, and make use of fatal_trap() in preference to kexec_crash() in
case an unknown NMI occurs before a kdump kernel has been loaded.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>