dgit.raspbian.org Git

x86: use 2M superpages for text/data/bss mappings

This balloons the size of Xen in memory from 4.4MB to 8MB, because of the
required alignment adjustments.

However
* All mappings are 2M superpages.
* .text (and .init at boot) are the only sections marked executable.
* .text and .rodata are marked read-only.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86: reorder .data and .init when linking

In preparation for using superpage mappings, .data and .bss will both want to
be mapped as read-write. By making them adjacent, they can share the same
superpage and will not require superpage alignment between themselves.

While making this change, fix a latent alignment bug whereby the alignment for
.bss.stack_aligned was in .init. __init_end only needs page alignment (due to
being reclaimed after boot), while .bss.stack_aligned really does needs
STACK_SIZE alignment.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: disable CR0.WP while applying alternatives

In preparation for marking .text as read-only, care needs to be taken not to
fault while applying alternatives.

Swapping back to RW mappings is a possibility, but would require additional
TLB management. A temporary disabling of CR0.WP is cleaner.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

memguard: drop memguard_init() entirely

The use of MAP_SMALL_PAGES causes shattering of the superpages making up the
Xen virtual region, and is counter to the purpose of this series.
Furthermore, it is not required for the memguard infrastructure to function
(which itself uses map_pages_to_xen() for creating holes).

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@citrix.com>

x86: construct the {l2,l3}_bootmap at compile time

... rather than at runtime.

The bootmaps are discarded in zap_low_mappings(), so the tables themselves can
live in .init.data and be reclaimed after boot.

Hooking the l1_identmap into l2_xenmap stays for safety, along with a longer
comment explaining why.

This does not change the EFI construction of {l2,l3}_bootmap. EFI already
constructs them cleanly in their relocated form.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86: improvements to build-time pagetable generation

* Additional comments, including size and runtime use.
* Consistent use of .quad, rather than a mix including .long.

No change in runtime behaviour.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

lockprof: move .lockprofile.data into .rodata

The entire contents of .lockprofile.data are unchanging pointers to
lock_profile structure in .data. Annotate the type as such, and link the
section in .rodata. As these are just pointers, 32byte alignment is
unnecessary.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

public: typo: use ' as apostrophe in grant_table.h

If grep 2.23 is installed, build fails like this:
...
mkdir -p compat
grep -v 'DEFINE_XEN_GUEST_HANDLE(long)' public/grant_table.h | \
python /home/SOURCES/xen/xen/xen.git/xen/tools/compat-build-source.py >compat/grant_table.c.new
mv -f compat/grant_table.c.new compat/grant_table.c
gcc ... -o compat/grant_table.i compat/grant_table.c
compat/grant_table.c:33:1: error: unterminated comment
/*
^
compat/grant_table.c:28:0: error: unterminated #ifndef
#ifndef __XEN_PUBLIC_GRANT_TABLE_H__
^
Makefile:62: recipe for target 'compat/grant_table.i' failed
make[3]: *** [compat/grant_table.i] Error 1
rm compat/grant_table.c
make[3]: Leaving directory '/home/SOURCES/xen/xen/xen.git/xen/include'
...

This is because grant_table.h contains this (note the
apostrophe): "granter\92s memory", and `grep -v', in version
2.23, stops processing the file (while, for instance,
until 2.22, this was not happening).

Although the above behavior is likely an issue in grep,
(https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22461)
I think we better switch to using " ' " in that line
anyway, as we do basically everywhere else (even in
the same file).

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>

x86/hvm: print register state upon triple fault

A sample looks like:

(XEN) d1v0 Triple fault - invoking HVM shutdown action 1
(XEN) *** Dumping Dom1 vcpu#0 state: ***
(XEN) ----[ Xen-4.7-unstable  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    2
(XEN) RIP:    0000:[<0000000000100005>]
(XEN) RFLAGS: 0000000000010002   CONTEXT: hvm guest (d1v0)
(XEN) rax: 0000000000000020   rbx: 0000000000000000   rcx: 0000000000000000
(XEN) rdx: 0000000000000000   rsi: 0000000000000000   rdi: 0000000000000000
(XEN) rbp: 0000000000000000   rsp: 0000000000000000   r8:  0000000000000000
(XEN) r9:  0000000000000000   r10: 0000000000000000   r11: 0000000000000000
(XEN) r12: 0000000000000000   r13: 0000000000000000   r14: 0000000000000000
(XEN) r15: 0000000000000000   cr0: 0000000000000011   cr4: 0000000000000000
(XEN) cr3: 0000000000000000   cr2: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: 0000

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

work around Clang generating .data.rel.ro section for init-only files

Clang-3.8 generates several .data.rel.ro sections when compiling Xen.  As
these contain no global symbols, they should be .data.rel.ro.local.  This
breaks the SPECIAL_DATA_SECTIONS check when converting the transition units to
being init-only.

For alternatives.c, explicitly move the nops arrays into __initconst.  For efi
boot.c, manually create the optimisation performed by Clang by collapsing the
switch statement into a lookup table.  The double use of const is required to
avoid breaking the ARM build by creating a section type conflict with
fdt_guid.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

x86/hvm: collect information of TSC scaling ratio

Both VMX TSC scaling and SVM TSC ratio use the 64-bit TSC scaling ratio,
but the number of fractional bits of the ratio is different between VMX
and SVM. This patch adds the architecture code to collect the number of
fractional bits and other related information into fields of struct
hvm_function_table so that they can be used in the common code.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>

version: Document guest_handle

And what it is usually used for.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xenoprof: drop unnecessary macro

This macro doesn't really provide a benefit. When support is added the
implementer can implement this how it needs to be and not conform to the
macro. Additionally this change limits the output of the warning to just
once instead of nrpages worth. While editing this area I dropped
trailing whitespace.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

use XEN_SYSCTL_SCHEDOP_* for sysctl operation checks

In flask_sysctl_scheduler_op() and sched_adjust_global() the test for
the desired operation is done with the wrong constants. While the
values are correct, the names are not.

Correct the error message for the case of an unknown operation in
flask_sysctl_scheduler_op(), too.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86/hvm: add pkeys support for cpuid handling

This patch adds pkeys support for cpuid handing.

Pkeys hardware support is CPUID.7.0.ECX[3]:PKU. software support is
CPUID.7.0.ECX[4]:OSPKE and it reflects the support setting of CR4.PKE.

X86_FEATURE_OSXSAVE depends on guest X86_FEATURE_XSAVE, but cpu_has_xsave
function reflects hypervisor X86_FEATURE_XSAVE, it is fixed too.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

x86/hvm: add xstate support for pkeys

The XSAVE feature set can operate on PKRU state only if the feature set is
enabled (CR4.OSXSAVE = 1) and has been configured to manage PKRU state
(XCR0[9] = 1). And XCR0.PKRU is disabled on PV mode without PKU feature
enabled.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>

x86/hvm: add pkeys support for guest_walk_tables

Protection keys define a new 4-bit protection key field(PKEY) in bits 62:59 of
leaf entries of the page tables.

PKRU register defines 32 bits, there are 16 domains and 2 attribute bits per
domain in pkru, for each i (0 = i = 15), PKRU[2i] is the access-disable bit for
protection key i (ADi); PKRU[2i+1] is the write-disable bit for protection key
i (WDi). PKEY is index to a defined domain.

A fault is considered as a PKU violation if all of the following conditions are
true:
1.CR4_PKE=1.
2.EFER_LMA=1.
3.Page is present with no reserved bit violations.
4.The access is not an instruction fetch.
5.The access is to a user page.
6.PKRU.AD=1
or The access is a data write and PKRU.WD=1
and either CR0.WP=1 or it is a user access.

Signed-off-by: Huaitong Han <huaitong.han@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>

credit1: trace vCPU boost/unboost

Add tracepoints and a performance counter for
boosting and unboosting in Credit1.

Note that they (the trace points) do not cover
the case of the idle vCPU being boosted to run
a tasklet, as there already is
TRC_CSCHED_SCHED_TASKLET for that.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

sched: get rid of static private schedulers' structures

In fact, they look rather useless: they are never
referenced neither directly, nor via the sched_data
pointer, as a dynamic copy that overrides them is
allocated as the very first step of a scheduler's
initialization.

While there, take the chance to also reset the sched_data
pointer to NULL, upon scheduler de-initialization.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

common: re-arrange struct kernel_param fields

Even if placed in .init.* there's no reason to needlessly bloat the
binary due to padding fields the compiler needs to insert on 64-bit
architectures.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Revert "init: annotate all command line parameter infrastructure as const"

This reverts commit 59b151d2c0bf37f3f2f984096d384dfdfa03a8f4,
as it breaks the build with older gcc.

x86/vm_event: consolidate hvm_event_fill_regs and p2m_vm_event_fill_regs

Currently the registers saved in the request depend on which type of event
is filling in the registers. In this patch we consolidate the two versions
of register filling function as to return a fix set of registers irrespective
of the underlying event.

Signed-off-by: Tamas K Lengyel <tlengyel@novetta.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>

x86: drop register reload from INT80 malicious MSI guard

None of the restored registers are actually of interest to the
subsequent code (as opposed to the similar construct on the compat
mode hypercall path).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

arm: CONFIG_ARM_{32, 64} defined by Kconfig

CONFIG_ARM_32 and CONFIG_ARM_64 is defined by Kconfig.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

x86: CONFIG_X86 defined by Kconfig

CONFIG_X86 is defined by Kconfig when building for x86.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/PVHv2: add XEN_ prefix to HVM_START_MAGIC_VALUE

Reported by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

introduce IS_ALIGNED()

And a few open-coded alignment checks which I encountered

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

sched: tracing: enable TSC tracing for all events

it is enabled for pretty much all of them already.
There were just a few that had it disabled.

When tracing a scheduler, timing information is
really important, so enable it everywhere scheduling
related.

Note that this was not really a problem if looking
at the traces with xenalyze, but it was if using
xentrace_format.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

init: annotate all command line parameter infrastructure as const

There is no reason for any of it to be modified. Additionally, link
.init.setup beside the other constant .init data.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
[jb: reduce alignments to 8]
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

m4/python: fix typo in LDFLAGS variable name

[ also, reran autogen.sh ]

Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

MAINTAINERS: add Doug Goldstein for Travis CI config

Add myself as the maintainer for the Travis CI config.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

tools/xenalyze: Fix build with clang

1) EXIT_REASON_EXCEPTION_NMI is 0, and Clang complains:

xenalyze.c:513:33: error: initializer overrides prior initialization of this subobject [-Werror,-Winitializer-overrides]
    [EXIT_REASON_EXCEPTION_NMI]="EXCEPTION_NMI",
                                ^~~~~~~~~~~~~~~
xenalyze.c:512:11: note: previous initialization is here
    [0] = "NONE",
          ^~~~~~

2) cr3_time_compare(), eip_compare(), ipi_send() and cr3_compare_start() are
   declared as nested functions, which is a GCCism not supported by Clang.

   As they don't actually make use of the interesting feature offered by
   nested functions (i.e. dynamic scoping), move them to just being normal
   functions.

3) clear_interval_summary(), update_cpi() and clear_interval_cpi() are all
   unused.  The former isn't reference anywhere, so is deleted, while the other
   two are called from currently #if 0'd code.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

xenpaging: don't try to log via xch if xc_interface_close fails

Since xch may not be valid (enough) any longer, xc_interface_close
already logs anything of any use before it tears down the integrated
logger so there is no need to log any further in the application via
that path.

CID: 1056203

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: gtracestat: make all functions and global data static

After "Drop unused functions do_cstate and single_cstate helper" make
all the remaining functions and global data static and in the process
allow the compiler to notice that cond_rec_init() is also unused, thus
remove it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: gtracestat: Drop unused functions do_cstate and single_cstate helper

These have always been dead code since the code was added AFAICT.

This eliminates the code containing CID 10567079, 10567080, 10567081
and 10567082 (all apparently some confusion between max_cx_num vs
MAX_CX_NR, but given the lack of callers its hard to tell what was
intended)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

build: convert xenoprof to Kconfig

Convert the xenoprof x86 build time option to Kconfig.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xenoprof: fix up ability to disable it

Allow Xenoprof to be fully disabled when toggling the option off.

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

xl: create: close restore_fd_to_close on error

Currently the fd is opened and then later closed and
restore_fd_to_close set back to -1, however there are several goto out
and goto error_out paths in the interim.

Since the code resets restore_fd_to_close to -1 it is OK to check this
and close on the out path too.

CID: 1055897

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: use xrealloc in domain create

Using bare realloc risks leaking the old pointer if the realloc fails.

Since xrealloc exits on such failures, drop the error handling.

Noticed while fixing, but not related to, CID 1055898.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: libxl: Simplify logic in libxl__realloc

Replace the loop exit and separate test for loop overrun with an
assert in the loop body.

This simplifies the code. It also (hopefully) avoids Coverity
thinking that gc->alloc_maxsize might change, resulting in the loop
failing to find the right answer but also failing to abort.

(gc->alloc_maxsize can't change because gcs are all singlethreaded:
either they are on the stack of a specific thread, or they belong to
an ao and are covered by the ctx lock.)

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

travis: drop bridge-utils and iproute2

These packages are not permitted inside travis, and are not necessary for
building Xen.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>

x86/monitor: minor left-shift undefined behavior checks

This minor patch adds a range-check to avoid left-shift caused undefined
behavior. Also replaces '1 <<' w/ '1U <<' @ x86 monitor.h in an effort to avoid
a future potential '1 << 31' that would cause a similar issue.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>

travis: add randconfig test target

Add another build target which uses randconfig to randomize the config
file so that we build test more than the default config.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

add randconfig target to Makefile

This allows us to generate a random config which can be used for build
testing random configurations.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

mkelf32: Remove the 32-bit hypervisor support

We do not compile 32-bit hypervisor anymore so the code for
the ELFCLASS32 is effectively dead.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86: fix unintended fallthrough case from XSA-154

... and annotate the other deliberate one: Coverity objects otherwise.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
One of the two instances was actually a bug.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

x86/hvm_event: fix uninitialized struct field usage introduced by c/s f5365e6

c/s f5365e6: "xen/vm-events: Move parts of monitor_domctl code to common-side",
introduced a use without initialization issue.
hvm_event_breakpoint calls hvm_event_traps(&req) and if sync is true that
ors some bits into req->flags which was never initialised.
Reported by Coverity Scan.

Initializes req @ hvm_event_breakpoint entry.

Coverity-ID: 1353192
Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

avoid left shifting into a sign bit

Clang 3.8 notices, and objects because it is undefined behaviour.

"error: shifting a negative signed value is undefined [-Werror,-Wshift-negative-value]"

Use unsigned constants rather than signed ones.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Feng Wu <feng.wu@intel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86: drop failsafe callback invocation from assembly

Afaict this was never necessary on a 64-bit hypervisor, and was instead
just blindly cloned over from 32-bit code: We don't fiddle with (and
hence don't reload) any of DS, ES, FS, or GS, and an exception on IRET
itself can equally well be reported to the guest as that very exception
on the target of that IRET.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

VMX: fold redundant code

No need to do this in two slightly different ways, possibly keeping the
compiler from folding the code for us.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86emul: fix rIP handling

Deal with rIP just like with any other register: Truncate to designated
width upon entry, write back the zero-extended 32-bit value when
emulating 32-bit code, and leave the upper 48 bits unchanged for 16-bit
code.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/mm: slightly simplify mod_l1_entry()

Re-order code to simplify error cleanup.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

RTDS: pack trace data better for xentrace_format

when tracing runstate changes, the vcpu and domain IDs
are encoded in the lower and higher, respectively, parts
of a 32 bits integer. When decoding a trace with
xentrace_format, this makes it possible to display
such events like this:

CPU0  833435853624 (+     768)  running_to_runnable [ dom:vcpu = 0x7fff0000 ]
CPU0  833435854416 (+     792)  runnable_to_running [ dom:vcpu = 0x00000007 ]

For consistency, we should do the same when displaying
the events coming from the RTDS scheduler (when using
the same tool), and to do that, we need to invert the
order in which the fields are being put in the trace
struct right now.

While there, we also:
- fix the use of TRC_RTDS_SCHED_TASKLET (it should
   only be involved when a tasklet is scheduled, not
   _every_ time rt_schedule() is invoked!);
- remove a very chatty and useless (nothing has been
   picked!) use of TRC_RTDS_RUNQ_PICK.

In fact, one can already figure out when nothing has been
picked from the runqueue, by looking at when cpu_idle
is invoked --which is the same thing one would do if on
Credit or Credit2.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

credit2: pack trace data better for xentrace_format

when tracing runstate changes, the vcpu and domain IDs
are encoded in the lower and higher, respectively, parts
of a 32 bits integer. When decoding a trace with
xentrace_format, this makes it possible to display
such events like this:

CPU0 833435853624 (+ 768) running_to_runnable [ dom:vcpu = 0x7fff0000 ]
CPU0 833435854416 (+ 792) runnable_to_running [ dom:vcpu = 0x00000007 ]

For consistency, we should do the same when displaying
the events coming from the Credit2 scheduler (when using
the same tool), and to do that, we need to invert the
order in which the fields are being put in the trace
struct right now.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

sched: improve domain creation tracing

by doing the following two things:

- move TRC_SCHED_DOM_{ADD,REM}, into the functions
   that do the actual scheduling-related domain
   initialization;

- add two 'generic' DOM_{ADD,REM} events. They're
   made part of the TRC_DOM0 tracing class, as Dom0
   is, usually, from where domains are created and
   destroyed.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

sched: move up the trace record for vcpu_wake and vcpu_sleep

vcpu_wake() and vcpu_sleep() are called before the specific
schedulers wakeup and sleep routines (in fact, it is them
that calls those specific routine).

Make the trace reflect that, by moving the records up. In
fact, it is more natural and easy to find the record of
the event (e.g., the wakeup) *before* the records of the
actions that deals with the event itself.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

credit: __runq_tickle takes a useless cpu parameter

as it is always acts on v->processor of the vcpu that
we are tickling.

Getting rid of it makes the code easier to understand
and better looking.

While there, remove a spurious blank line.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

x86: avoid flush IPI when possible

Since CLFLUSH, other than WBINVD, is a cache coherency domain wide
flush, there's no need to IPI other CPUs if this is the only flushing
being requested. (As a secondary change, move a local variable into the
scope where it's actually needed.)

As a secondary change also eliminate another leftover from 32-bit days:
invalidate_interrupt() can clear FLUSH_TLB_GLOBAL alongside FLUSH_TLB,
since write_ptbase() (as a descendant of __sync_local_execstate()) now
unconditionally fiddles with CR4.PGE.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

libxc: fix leak of t_info in xc_tbuf_get_size()

Avoid leaking the memory mapping of the trace buffer

Coverity ID 1351228

Signed-off-by: Harmandeep Kaur <write.harmandeep@gmail.com>
Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

xen/arm64: Make sure we get all debug output

Starting in the wrong ELx mode I get the following debug output:

...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Boot failed -

The output of "Please update the bootloader" is missing here, because
string concatenation in gas, unlike in C, keeps the \0 between each
individual string.

Make sure this is output, too. With this, we get

...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Please update the bootloader -
- Boot failed -

as intended.

Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- added same change to arm32 case ]

xenpaging: do not leak if --pagefile given twice

By freeing filename (which is either NULL or the previous iteration of
this argument). This implements a semantic where the last --pagefile
given on the command line takes precedence.

This is the same semantic as the other options have.

CID: 1198792

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

docs: fix typo in xl-disk-configuration.txt

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

libxlu_cfg: reject unknown characters following '\'

When dequoting config strings in xlu__cfgl_dequote(), unknown
characters following a '\', and the '\' itself, are discarded.
E.g. a disk configuration string containing

rbd:pool/image:mon_host=192.168.0.100\:6789

would be dequoted as

rbd:pool/image:mon_host=192.168.0.1006789

Instead of discarding the '\' and unknown character, reject the
string and set error to EINVAL.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

x86/PMU: make {acquire,release}_pmu_ownership names consistent

The function names were inconsistent with acquire and release being
called acquire_pmu_ownership() and release_pmu_ownship() respectively.
Function prototypes were available for both spellings so this change
makes them consistent and drops the dual function prototypes.
Additionally change the internal variable names within those functions
to ownership as well.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>

Revert "x86/HVM: differentiate IO/mem resources tracked by ioreq server"

This reverts commit f5a32c5b8eacbcd727939c9b4d2d98cf619bcbd6;
we're aiming at a different solution now.

x86/PVHv2: update the start info structure layout

After some discussion around the new boot ABI consensus has been reached
about the layout and contents of the start info. The following patch updates
the layout to what has been agreed.

Also, the new layout is described in binary terms in order to avoid issues
with alignments when using C structs.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

MAINTAINERS: add myself as seabios maintainer

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

public: make some constants usable for assembler

Some constants defined in xen/include/public/xen.h are not usable in
assembler sources as they are either defined with "U" or "UL" suffixes
or they are inside #ifndef __ASSEMBLY__ areas.

Change this as grub2 could make use of those definitions.

This requires to move the definition of mk_unsigned_long() up. While
we are touching this macro, rename it in order to avoid namespace
pollution. This in turn requires adaption of some arch-x86 specific
headers.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

cleanup xen/config.h

config.h contains an unused definition of mk_unsigned_long().

Remove it.

Signed-off-by: Juergen Gross <jgross@suse.com>

x86emul: relax asm() constraints

Let's give the compiler as much liberty at picking instruction operands
as possible. Also drop unnecessary size modifiers when the correct size
can already be derived from the asm() operands. Finally also drop an
"unsigned" from idiv_dbl()'s second parameter, allowing a cast to be
eliminated.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86emul: fold almost identical code

AAM/AAD as well as DAA/DAS emulation code is respectively almost
identical. Fold each pair, following what's already the case for
AAA/AAS.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/HVM: fold hypercall tables

In order to reduce the risk of unintentionally adding a function
pointer to just one of the two tables, merge them into one, with each
entry pair getting generated by a single macro invocation (at once
dropping all explicit casting outside the macro definition).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/VMX: sanitize rIP before re-entering guest

... to prevent guest user mode arranging for a guest crash (due to
failed VM entry). (On the AMD system I checked, hardware is doing
exactly the canonicalization being added here.)

Note that fixing this in an architecturally correct way would be quite
a bit more involved: Making the x86 instruction emulator check all
branch targets for validity, plus dealing with invalid rIP resulting
from update_guest_eip() or incoming directly during a VM exit. The only
way to get the latter right would be by not having hardware do the
injection.

Note further that there are a two early returns from
vmx_vmexit_handler(): One (through vmx_failed_vmentry()) leads to
domain_crash() anyway, and the other covers real mode only and can
neither occur with a non-canonical rIP nor result in an altered rIP,
so we don't need to force those paths through the checking logic.

This is CVE-2016-2271 / XSA-170.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: enforce consistent cachability of MMIO mappings

We've been told by Intel that inconsistent cachability between
multiple mappings of the same page can affect system stability only
when the affected page is an MMIO one. Since the stale data issue is
of no relevance to the hypervisor (since all guest memory accesses go
through proper accessors and validation), handling of RAM pages
remains unchanged here. Any MMIO mapped by domains however needs to be
done consistently (all cachable mappings or all uncachable ones), in
order to avoid Machine Check exceptions. Since converting existing
cachable mappings to uncachable (at the time an uncachable mapping
gets established) would in the PV case require tracking all mappings,
allow MMIO to only get mapped uncachable (UC, UC-, or WC).

This also implies that in the PV case we mustn't use the L1 PTE update
fast path when cachability flags get altered.

Since in the HVM case at least for now we want to continue honoring
pinned cachability attributes for pages not mapped by the hypervisor,
special case handling of r/o MMIO pages (forcing UC) gets added there.
Arguably the counterpart change to p2m-pt.c may not be necessary, since
UC- (which already gets enforced there) is probably strict enough.

Note that the shadow code changes include fixing the write protection
of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other
than l1e_remove_flags() and alike, return the new PTE (and hence
ignoring their return values makes them no-ops).

This is CVE-2016-2270 / XSA-154.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

xen/vm-events: Move parts of monitor_domctl code to common-side.

This patch moves monitor_domctl to common-side.
Purpose: move what's common to common, prepare for implementation
of such vm-events on ARM.

* move get_capabilities to arch-side => arch_monitor_get_capabilities.
* add arch-side monitor op handling function => arch_monitor_domctl_op.
e.g. X86-side handles XEN_DOMCTL_MONITOR_OP_EMULATE_EACH_REP op
* add arch-side monitor event handling function => arch_monitor_domctl_event.
e.g. X86-side handles XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR event enable/disable
* remove status_check

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>

xen/arm: fix file comments

Add file header comment and local variable block @ EOF
of xen/arch/arm/hvm.c.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

libxl: close fd's in parent when spawning qdisk

Coverity points out that these remain open in the parent upon
success, which is a resource leak.

To fix this rejig the exit paths such that success and error cases
both close the two fds, this means adjusting the callback to only
happen for the error case and it also makes sense to rename the label
from "error" to just "out".

Compile tested only.

CID: 1130518 (null) and 1130517 (logfile_w).

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

tools: libxl: NULL terminate partially constructed hex string

Coverity (correctly) complains that the strncpy(p, "0x", 2) will not
null terminate p.

Although we can see that in the rest of the function p will
definitely be NULL terminated by the time it is complete there is no
harm in passing 3 to the strncpy and allowing it to NULL terminate to
placate Coverity. We know this is safe because the allocation to hold
the string includes a "+3" for the 0x and the terminating NULL.

Compile tested only.

CID: 1198708

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

tools: libxl: free devpath on failure in libxl__blktap_devpath

The underlying code paths in tap_ctl_create attempt to handle both
*devpath == NULL (by allocating) and *devpath != NULL (caller provided
name) and if they allocate tend to write the return immediately before
doing other potentially error generating tasks. All of which makes
handling this at a lower level rather more complicated than handling
it in the error path of libxl__blktap_devpath.

Note that libxl__blktap_devpath initialises devpath to NULL and if the
earlier GCSPRINTF succeeds then the value is returned earlier.
Therefore if we make it to the call to tap_ctl_create then devpath is
still NULL on entry, therefore on the error path devpath is either
still NULL or has been set to a freshly allocated value by
tap_ctl_create. Since free(NULL) is fine it is sufficient to just
free(devpath).

I also considered adding a non-NULL devnull to the gc, even on
failure, but that would have required a comment to explain the
apparently strange behaviour.

Compile tested only.

CID: 1215177

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

stubdom: fix link farm runes

Previously in the three problematic libraries all public headers were
linked to source code directory. We should have created an include
directory for each library and linked public headers there.

Note that there was no breakage for those three libraries before this
patch. This patch merely changes the location headers are linked to so
that all libraries follow the same pattern.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

docs: document shortcomings of running QEMU as non-root

Running QEMU as non-root causes migration and PCI passthrough not to
work properly. Migration can be fixed rather easily
(http://marc.info/?l=xen-devel&m=145382864118600), but PCI passthrough
cannot (http://marc.info/?l=xen-devel&m=145286946113964).

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools/libxc: Fix use of zlib-options when building the domain builder

c/s de0f8c7c changed the use of zlib-options, and moved it from being locally
generated to coming from ./configure.

However, it neglected to modify the users of zlib-options. The curious use of
$(call ...) was to select either the -D or -l options as appropriate, but c/s
de0f8c7c broke this by loosing the `grep`.

Instead, use $(filter ...) to pick out either the -D or -l options. This
fixes the build with Clang, which complains at passing '-llzma' when trying
to compile xc_dom_bzimageloader.c to xc_dom_bzimageloader.o.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>

x86emul: MSR indexes are only 32 bits wide

... and hence the respective {read,write}_msr() hook parameter doesn't
need to be "unsigned long".

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/traps: improve hypervisor stack overflow detection

A sample Gentoo compliation of Xen contains

    lea    -0x1058(%rsp),%rsp
    orq    $0x0,(%rsp)
    lea    0x1020(%rsp),%rsp

Whatever the reason for silly code like this, it fools the current stack
overflow detection logic in the #DF handler (which triggers reliably on the
'orq' instruction).

Update the overflow condition to declare an overflow if %esp is anywhere
within the guard page, rather than just within the upper 8th of the page.

Additionally, check %esp against the expected stack base in all builds.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86: merge 2 hvm_event_... functions into 1

This patch merges almost identical functions hvm_event_int3 and
hvm_event_single_step into a single function called hvm_event_breakpoint.
Also fixes event.c file header comment in the process.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

vm_event: remove xc_mem_access_enable_emulate() and friends

xc_mem_access_enable_emulate() and xc_mem_access_disable_emulate()
are currently no-ops, that is all they do is set a flag that
nobody else checks. The user can already set the EMULATE flags in
the vm_event response if emulation is desired, and having an extra
check above that is not inherently safer, but it does complicate
(currenly unnecessarily) the API. This patch removes these
functions and the corresponding hypervisor code.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

x86: fix errors arising from c/s dab76ff

Coverity correctly identifies that the changes in mtrr_attrib_to_str()
introduce dead code. strings[] is a 2d array, rather than an array of
strings, which means that strings[x] will never be a NULL pointer.

Adjust the check to compenstate, by looking for a NUL in strings[x][0]
instead.

Curiously, Coverity did not notice the same error with memory_type_to_str().
There was also a further error; the strings were not NULL terminated, which
made the return type of memory_type_to_str() erronious.

Bump the 2D array to 3 characters, so the strings retain their NUL characters,
and introduce an ASSERT() as requested on one thread of the original patch.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: improvements to pv_cpuid()

pv_cpuid() has two completely separate paths inside it depending on whether
current is dom0 or a domU.  This causes unnecessary divergence, and
complicates future improvements.  Take steps to undo it.

Changes:
* Create leaf and subleaf variables and use them consistently, instead of a
   mix of {a,c} and regs->e{a,c}x as the input parameters.
* Combine the dom0 and domU hypervisor leaf handling, with an early exit.
* Apply sanity checks to domU as well.  This brings PV domU cpuid handling in
   line with HVM domains and PV dom0.
* Perform a real cpuid instruction for calculating CPUID.0xD[ECX=0].EBX.  The
   correct xcr0 is in context, and this avoids the O(M*N) loop over the domain
   cpuid policy list which exists currently.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

arm/config: Declare ELFSIZE_64.

Otherwise any code that tries to use Elf_* macros would
require us to use Elf64_* types instead of the more
friendly Elf_ one.

This is OK to do since 32-bit ARM uses LPAE mode.

Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

travis: add initial Travis CI script to do builds

This is just suppose to do a simple compile test on Travis CI. Currently
due to linux86 (bcc/bin86/dev86) not being whitelisted the tools cannot
be built.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>

build: remove .config from /boot when uninstalling

c/s 361b4f9f0f0d4adc19df428e224a7b8fa62cd392
"build: save generated xen .config" forgot to remove
the config file when uninstalling.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

uniformally use __ varients for attribute names

Otherwise, debug code such as "void __attribute__((noreturn)) foobar()" fails
to compile when the noreturn itself gets expanded, resulting in
__attribute__((__attribute__((noreturn)))).

No function change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86: drop uefi_call_wrapper() and EFI_FUNCTION_WRAPPER

Nothing in the codebase uses them, and clang falls into the #error case

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: fix build following c/s 623c720f "x86: use CLFLUSHOPT when available"

CentOS 7 gets into trouble when compiling Xen citing:

  flushtlb.c: Assembler messages:
  flushtlb.c:149: Error: value of 256 too large for field of 1 bytes at 1

The line number is wrong, and the error message not helpful.  It turns out
that the intermediate generated assembly was

  # 139 "arch/x86/flushtlb.c" 1
      661:
      rex clflush (%r15)
  662:
  .pushsection .altinstructions,"a"

and it was having trouble combining the explicit REX prefix with the REX.B
required for the use of %r15.

Follow what Linux does and use a redundant %ds prefix instead, for a final
generated instruction of `3e 41 0f ae 3f`

While modifying this line, fix the indentation which was out by one space.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Doug Goldstein <cardoe@cardoe.com>
Introduce and use NOP_DS_PREFIX.

Also the above description of the issue is slightly wrong: We're not
suffering from some gas versions not being able to combine multiple REX
prefixes, but from the replacement instruction, when requiring a REX
prefix in order to express the memory operand, becoming one byte longer
than the original one, triggering the respective build time safety
check.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

tools/console: correct make dependencies for _paths.h

Correct dependencies for _paths.h to avoid build failure with make -j.
Only main.c requires _paths.h. This fixes commit 8398ec70 ("xenconsole:
Ensure exclusive access to console using locks")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

tools: probe for existence of qemu-xen stderr trace backend.

QEMU upstream commit ed7f5f1d8db0 ("trace: convert stderr backend to
log") renamed the "stderr" trace backend to "log", which breaks the
xen build when pointed at a QEMU tree after that point:

./configure of QEMU fail with:
"ERROR: invalid trace backends
Please choose supported trace backends."

Upstream also changed, in baf86d6b3ca0 ("trace: switch default backend
to "log""), to use "log" as the default backend (previously it was
"nop").

Use ./scripts/tracetool.py to check for the presence of the stderr
backend and if it is present then explicitly enable it. If the stderr
backend is not present then assume a newer QEMU which defaults to
"log" and simply accept that default (there is a 1 commit window
upstream where this would result in no trace backend being enabled).

The check is done using the older (deprecated?) --check-backend/--backend
variant of the tracetool.py options rather than the new plural
versions since the singular was supported even by very old versions of
QEMU. New QEMU has compatibility code but if/when that is removed we
will still do the right thing i.e. no explict configuiration resulting
in the upstream default (currently "log").

If the explicit selection of the "stderr" backend is required then it
is now done unconditionally (not depending on debug=y), which is
simpler to arrange here but also matches the newer upstream's default
to "log" which is not conditional on debug being enabled either.

Tested with current qemu-xen-unstable (e9d8252) and current QEMU
upstream master (88c73d1), both out of tree via
QEMU_UPSTREAM_URL=/path/to/qemu-xen.git.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Paul Durrant <paul.durrant@citrix.com>
Cc: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>