| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
|
|
|
|
|
|
|
| |
Updated the figlet version number to "Xen 4.3-rc". Also remove the
paragraph touting the benefits of Xen 4.2. At some point we should
replace it with a paragraph touting the benefits of Xen 4.3.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxc (libxenctrl, libxenguest):
New claim_enabled field in struct xc_dom_image;
New nr_outstanding_pages field in struct xc_dominfo;
New fields in struct xc_hvm_build_args (xenguest.h).
libxl:
new fields in dominfo domain_build_info device_vfb device_vkb
device_disk etc. etc. etc.
libxlu #includes libxl headers so needs to inherit its new soname
Use Xen version for new sonames since we don't in fact guarantee
ABI (as opposed to API) stability across releases.
xenstore (libxenstore):
New flag XS_UNWATCH_FILTER, so bump minor version only.
This was the result of reviewing the output from:
git-checkout staging
cd tools
git-diff RELEASE-4.2.2 `find -name \*.h`
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
| |
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
blktap does not support the insert / eject commands, and so is not
suitable for cd-roms.
This fixes the bug where libxl uses tapdisk as a cdrom back-end, causing
subsequent eject / insert commands to fail.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
CC: Fabio Fantoni <fabio.fantoni@heliman.it>
CC: Stefano Stabellini <stefano.stabellini@citrix.com>
CC: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Only in cases where we don't know what to do we should leave the IRTE
blank (suppressing all validation), but we should always log a warning
in those cases (as being insecure).
This is CVE-2013-1952 / XSA-49.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simply streamlines code in a few places, where room for
improvement was noticed during the earlier here and the patches in
the XSA-45 series.
This also drops the bogus use of the domain lock in the CR3 write
emulation (which protected against nothing).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This drops the "preemptible" parameters from various functions where
now they can't (or shouldn't, validated by assertions) be run in non-
preemptible mode anymore, to prove that manipulations of at least L3
and L4 page tables and page table entries are now always preemptible,
i.e. the earlier patches actually fulfill their purpose of fixing the
resulting security issue.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the IRQ we need to
- not look at the PIC at all is this is the LAPIC timer (in that case
we're dealing with a vector number rather than an IRQ one),
- not look at the PIC for any non-legacy interrupt,
- look at the correct PIC for the IRQ (which will always be PIC 2 for
the RTC, and possibly also for HPET).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Roger Pau Monné <roger.pau@citrix.com> (FreeBSD guest)
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We must store the new values before calling rtc_update_irq(), and we
need to call rtc_timer_update() when PIE transitions from 0 to 1 (as we
may have previously turned off the periodic timer due to the guest not
reading REG_C, and hence may have to re-enable it in order to start
IRQs getting delivered to the guest).
Note that the timer is being kept running if PIE transitions from 1 to
0, to match the behavior of keeping it running for a brief period of
time if the guest doesn't clear PF in time (in order to avoid
permanently destroying and re-creating the periodic timer).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Roger Pau Monné <roger.pau@citrix.com> (FreeBSD guest)
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are BIOSes that want to map the IO-APIC MMIO region from some
ACPI method(s), and there is at least one BIOS flavor that wants to
use this mapping to clear an RTE's mask bit. While we can't allow the
latter, we can permit reads and simply drop write attempts, leveraging
the already existing infrastructure introduced for dealing with AMD
IOMMUs' representation as PCI devices.
This fixes an interrupt setup problem on a system where _CRS evaluation
involved the above described BIOS/ACPI behavior, and is expected to
also deal with a boot time crash of pv-ops Linux upon encountering the
same kind of system.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... as they may take significant amounts of time.
This requires cloning the tweaked continuation logic from
do_mmuext_op() to do_mmu_update().
Note that in mod_l[34]_entry() a negative "preemptible" value gets
passed to put_page_from_l[34]e() now, telling the callee to store the
respective page in current->arch.old_guest_table (for a hypercall
continuation to pick up), rather than carrying out the put right away.
This is going to be made a little more explicit by a subsequent cleanup
patch.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... as it may take significant amounts of time.
Since we can't re-invoke the operation in a second attempt, the
continuation logic must be slightly tweaked so that we make sure
do_mmuext_op() gets run one more time even when the preempted unpin
operation was the last one in a batch.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
| |
.. as the root page table validation (and the dropping of an eventual
old one) can require meaningful amounts of time.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
| |
... as dropping the old page tables may take significant amounts of
time.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
| |
... as it may take significant amounts of time.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
| |
... as it may take significant amounts of time.
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... as it may take significant amounts of time.
The function, being moved to mm.c as the better home for it anyway, and
to avoid having to make a new helper function there non-static, is
given a "preemptible" parameter temporarily (until, in a subsequent
patch, its other caller is also being made capable of dealing with
preemption).
This is part of CVE-2013-1918 / XSA-45.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
| |
This fixes a regression from 63753b3e ("x86: allow
VCPUOP_register_vcpu_info to work again on PVHVM guests").
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The event is supposed to become owned, and therefore freed, by the application
and the const prevents this.
Unfortunately there is no way to remove the const without breaking existing
callers. The best we can do is use the LIBXL_API_VERSION provisions to remove
the const for callers who wish only to support the 4.3 API and newer.
Callers who wish to support 4.2 will need to live with casting away the const.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since libxl checks for the existance of /var/run/xenstored.pid in order
to ensure xenstore is running, create this file when starting the
xenstore stub domain. This also changes the Makefile to enable the
creation of the init-xenstore-domain tool during tools compilation,
since the existing Makefile incorrectly added to the ALL_TARGETS list
when compiling the stubdom, when this variable is not used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
| |
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolution of a backend name to a domid needs to happen a little earlier
in some cases.
For example, if a domU is specified as a backend for a
disk and, as previously written, libxl__device_disk_setdefault() calls
libxl__resolve_domid() last, then disk->backend_domid still equals
LIBXL_TOOLSTACK_DOMID when libxl__device_disk_set_backend() is called.
This results in libxl__device_disk_set_backend() making an incorrect
attempt to validate the target by calling stat() on a file on dom0,
resulting in ERROR_INVAL (see libxl_device.c lines 239-248), which
prevents creation of the frontend domain.
Likewise, libxl__device_nic_setdefault() previously made use of
nic->backend_domid before it was set.
Signed-off-by: Eric Shelton <eshelton@pobox.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
|
|
| |
These headers cannot use the CONFIG_FOO defines provided when building Xen
(since they aren't provided when building tools or by external components) and
need to use the compiler provided architecture defines.
This manifested itself as a failure to build xenctx.c on ARM64 due to the
missing symbols contains .
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
| |
The emacs variable to set the C style from a local variable block is
c-file-style, not c-set-style.
These were either missed by 82639998a5f2 or have crept back in since.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename do_block to vcpu_block.
Move the call to local_event_delivery_enable out of vcpu_block, to a new
static function called vcpu_block_enable_events.
Use vcpu_block_enable_events instead of do_block throughout in
schedule.c
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
| |
Move the flush after the pagetable entry has actually been written to
avoid races with other vcpus refreshing the same entriy.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
|
|
| |
__cpu_disable shouldn't be called on machine_halt, in fact it cannot
succeed: cpu_disable_scheduler won't be able to migrate away vcpus to
others pcpus.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
| |
Signed-off-by: Marek Marczykowski <marmarek@invisiblethingslab.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
| |
In the GIC manual, the number of interrupt lines is computed with the
following formula: 32(N + 1) where N is the value retrieved from GICD_TYPER.
Without the +1 Xen doesn't initialize the last 32 interrupts and can get
garbage on these registers.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
strlen returns size_t:
policydb.c: In function policydb_read:
policydb.c:1779: error: format %lu expects type long unsigned int, but argument 3 has type size_t
This is probably benign on 64-bit x86 but was found by Dharshini on 32-bit Xen
4.2.x. I expect it affects ARM too.
Reported-by: Dharshini Tharmaraj <dharshinitharmaraj@gmail.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hvm_enable() copies the table contents rather than storing the pointer,
so there's no need to keep these tables post-boot.
Also constify the return values of the per-vendor initialization
functions, making clear that once the per-vendor initialization is
complete, the vendor specific tables won't get modified anymore.
Finally, in hvm_enable(), use the returned pointer for all read
accesses as being more efficient than global variable accesses. Writes
of course still need to go to the global variable.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
|
|
|
|
| |
The top two bits (indicating error/warning classification) need to
remain the top two bits.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
| |
uint16_t is not suitable to store VMCE_INJECT_BROADCAST (which is
defined as -1).
Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit a8a1f236a296 "libxl: Only call stat() when adding a disk if we
expect a device to exist." changed things to only stat the file when the phy
backend was explicitly requested. This broke the case where we are probing and
would normally be able to decide on the phy option.
Since the intention of that commit was to allow for backends with no explicit
file in dom0 (i.e. network remote backend such as ceph) the lowest impact fix
appears to be to make that explicit. It turns out that tap disk can also
potentially handle such paths.
The only backend which requires a local file/device is PHY but we need to
handle UNKNOWN too in order for subsequent probing to work. Note that it is
not possible to autoprobe the backend if the path is not a local object, so we
don't need to worry about autoprobing ceph etc.
This should probably be revisited to rationalize the probing.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
|
|
|
|
|
|
|
| |
nr_lrs is only used in gic.c
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
| |
If a write is ignored, the function should return success.
Currently Xen will throw a data abort exception if the write in VGIC is
ignored.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a patch to forward-port a Xend behaviour. Xend writes IO ABI used for
all frontends. Blkfront before 2.6.26 relies on this behaviour otherwise guest
cannot boot when running in 32-on-64 mode. Blkfront after 2.6.26 writes that
node itself, in which case it's just an overwrite to an existing node which
should be OK.
In fact Xend writes the ABI for all frontends including console and vif. But
nowadays only old disk frontends rely on that behaviour so that we only write
the ABI for disk frontends in libxl, minimizing the impact.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
|
| |
arm64/head.S: Assembler messages:
arm64/head.S:391: Error: operand 1 should be an integer register -- `mov pc,lr'
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
|
|
|
|
| |
A bit basic and fuggly but a start.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
|
|
|
| |
I noticed this because XEN_DOMCTL_getvcpucontext won't return anything for a
VCPU which isn't initialised.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the domheap mappings are supposed to be per-PCPU. Therefore xen_pgtable
becomes a per-PCPU variable and we allocate and setup the page tables for each
secondary PCPU just before we tell it to come up.
Each secondary PCPU starts out on the boot page table but switches to its own
page tables ASAP.
The boot PCPU uses the boot pagetables as its own.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: TIm Deegan <tim@xen.org>
|
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The intention is that in a subsequent patch each PCPU will have its own
pagetables and that xen_pgtable will become a per-cpu variable. The boot
pagetables will become the boot cpu's pagetables.
For now leave a #define in place for those places which semantically do mean
xen_pgtable and not boot_pgtable.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
|
|
|
|
| |
Install qemu into the location specified via configure --prefix.
You will notice when you use something else than /usr/local.
Signed-off-by: Christoph Egger <chegger@amazon.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|