path: root/tools/libxc/xc_linux_osdep.c
Commit message | Author | Age | Files | Lines
* libxc: check return values from malloc | Ian Jackson | 2013-06-14 | 1 | -0/+4

  A sufficiently malformed input to libxc (such as a malformed input ELF or other guest-controlled data) might cause one of libxc's malloc() to fail. In this case we need to make sure we don't dereference or do pointer arithmetic on the result.

  Search for all occurrences of \b(m|c|re)alloc in libxc, and all functions which call them, and add appropriate error checking where missing.

  This includes the functions xc_dom_malloc*, which now print a message when they fail so that callers don't have to do so.

  The function xc_cpuid_to_str wasn't provided with a sane return value and has a pretty strange API, which now becomes a little stranger. There are no in-tree callers.

  This is part of the fix to a security issue, XSA-55.

  Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
  Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

  v8: Move a check in xc_exchange_page to the previous patch (ie, remove it from this patch).
  v7: Add a missing check for a call to alloc_str. Add arithmetic overflow check in xc_dom_malloc. Coding style fix.
  v6: Fix a missed call `pfn_err = calloc...' in xc_domain_restore.c. Fix a missed call `new_pfn = xc_map_foreign_range...' in xc_offline_page.c
  v5: This patch is new in this version of the series.
* Fix emacs local variable block to use correct C style variable. | David Vrabel | 2013-02-21 | 1 | -1/+1

  The emacs variable to set the C style from a local variable block is c-file-style, not c-set-style.

  Signed-off-by: David Vrabel <david.vrabel@citrix.com
* tools: Synchronize privcmd header constants | Andres Lagar-Cavilla | 2012-11-12 | 1 | -5/+5

  Since Linux's git commit ceb90fa0a8008059ecbbf9114cb89dc71a730bb6, the privcmd.h interface between Linux and libxc specifies two new constants, PRIVCMD_MMAPBATCH_MFN_ERROR and PRIVCMD_MMAPBATCH_PAGED_ERROR. These constants represent the error codes encoded in the top nibble of an mfn slot passed to the legacy MMAPBATCH ioctl.

  In particular, libxenctrl checks for the equivalent of the latter constant when dealing with paged out frames that might be the target of a foreign map.

  Previously, the relevant constant was defined in the domctl hypervisor interface header (XEN_DOMCTL_PFINFO_PAGEDTAB). Because this top-nibble encoding is a contract between the dom0 kernel and libxc, a domctl.h definition is misplaced.

  - Sync the privcmd.h header to that now available in upstream Linux
  - Update libxc appropriately
  - Remove the unnecessary constant in domctl.h

  Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
  Acked-by: Ian Campbell <ian.campbelL@citrix.com>
  Committed-by: Ian Campbell <ian.campbell@citrix.com>
* tools/python: Clean python correctly | Andrew Cooper | 2012-08-17 | 1 | -2/+2

  Cleaning the python directory should completely remove the build/ directory, otherwise subsequent builds may be short-circuited and a stale build installed.

  Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Committed-by: Ian Campbell <ian.campbell@citrix.com>
* libxc/Linux: Add VM_DONTCOPY flag of the VMA of the hypercall buffer | Wangzhenguo | 2012-08-17 | 1 | -10/+9

  This avoids the hypercall buffer becoming CoW on fork.

  In multi-threads and multi-processes environment, e.g. the process has two threads, thread A may call hypercall, thread B may call fork() to create child process. After forking, all pages of the process including hypercall buffers are cow. It will cause a write protection and return EFAULT error if hypervisor calls copy_to_user in hypercall in thread A context,

  Fix:
  1. Before hypercall: use MADV_DONTFORK of madvise syscall to make the hypercall buffer not to be copied to child process after fork.
  2. After hypercall: undo the effect of MADV_DONTFORK for the hypercall buffer by using MADV_DOFORK of madvise syscall.
  3. Use mmap/nunmap for memory alloc/free instead of malloc/free to bypass libc.

  Note: Child processes must not use the opened xc_{interface,evtchn,gnttab,gntshr} handle that inherits from parents. They should reopen the handle if they want to interact with xc. Otherwise, it may cause segment fault to access hypercall buffer caches of the handle.

  Signed-off-by: Zhenguo Wang <wangzhenguo@huawei.com>
  Signed-off-by: Xiaowei Yang <xiaowei.yang@huawei.com>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  [ ijc -- s/ptr/p/ to fix build & tweaked the wording of the comments slightly. ]
  Committed-by: Ian Campbell <ian.campbell@citrix.com>
* libxc: implement gnttab.set_max_grants for Linux | Jan Beulich | 2012-05-14 | 1 | -0/+22

  Legacy (non-pvops) gntdev drivers may require this operation to be performed when the number of grants intended to be used simultaneously exceeds a certain driver specific default limit, and qemu's qdisk driver is an example of needing to do so.

  Signed-off-by: Jan Beulich <jbeulich@suse.com>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: Replace alloca() with mmap() for large array sizes | Aravindh Puthiyaparambil | 2012-04-24 | 1 | -4/+38

  Replace alloca() with mmap() for array sizes greater than a page in xc_linux_osdep.c.

  When mapping in large amounts of pages (in the GB range) from a guest in to Dom0 using xc_map_foreign_bulk(), a segfault occurs in the libxc client application. This is because the pfn array in linux_privcmd_map_foreign_bulk() is being allocated using alloca() and the subsequent memcpy causes the stack to blow. This patch replaces the alloca() with mmap() for pfn array sizes greater than a page.

  Fix an error print with the correct function name.

  Do the same for the map array in linux_gnttab_grant_map()

  Signed-off-by: Aravindh Puthiyaparambil <aravindh@virtuata.com>
  Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* tools/libxc: send page-in requests in batches in linux_privcmd_map_foreign_bulk | Olaf Hering | 2012-03-26 | 1 | -15/+57

  One of the bottlenecks with foreign page-in request is the poor retry handling in linux_privcmd_map_foreign_bulk(). It sends one request per paged gfn at a time and it waits until the gfn is accessible. This causes long delays in mmap requests from qemu-dm and xc_save.

  Instead of sending one request at a time, walk the entire gfn list and send batches of mmap requests. They will eventually end up in the pager's request ring (if it has room again), and will fill up this ring so that in turn the pager can also process page-in in batches.

  Signed-off-by: Olaf Hering <olaf@aepfle.de>
  Committed-by: Ian Jackson <ian.jackson.citrix.com>
* libxc: remove tests of alloca() return value | David Vrabel | 2012-02-20 | 1 | -45/+34

  alloca() does not return NULL on an allocation failure on Linux so remove the unnecessary tests from this Linux-specific code.

  Signed-off-by: David Vrabel <david.vrabel@citrix.com>
  Cc: Santosh Jodh <santosh.jodh@citrix.com>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: Replace malloc with alloca in hot path | Santosh Jodh | 2012-02-07 | 1 | -5/+2

  Replace malloc with alloc in hot paths for improved performance.

  Signed-off-by: Santosh Jodh <santosh.jodh@citrix.com>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* mini-os: convert mlock macros to C functions | Olaf Hering | 2012-01-31 | 1 | -1/+1

  mlock and munlock are implemented as macros in mini-os. Their usage requires casting in common code. Convert them to C syntax and provide an empty dummy function. Remove the now unneeded (void) cast from two munlock calls.

  Signed-off-by: Olaf Hering <olaf@aepfle.de>
* tools/libxc: handle fallback in linux_privcmd_map_foreign_bulk properly | Olaf Hering | 2012-01-27 | 1 | -2/+3

  If the first ioctl fails with ENOENT it means the command is known. If a second attempt to map each gfn happens to fail then there is no need to run the fallback code. Some gfns are paged and the fallback code would not fix the failure. Instead return the EINVAL to the caller.

  Signed-off-by: Olaf Hering <olaf@aepfle.de>
  Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: Only retry mapping pages when ENOENT is returned | Andres Lagar-Cavilla | 2012-01-10 | 1 | -1/+1

  If the return value from the ioctl() is not ENOENT, it's possible that err[i] will not be updated and libxc will just loop forever. Although it's unlikely that err[i] would not be updated after the ioctl() gets through at least once, it's better to be defensive.

  Signed-off-by: Adin Scannell <adin@scannell.ca>
  Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: Fix checks on grant notify arguments | Daniel De Graaf | 2011-12-01 | 1 | -3/+3

  The notify offset and event channels are both unsigned variables, so testing for >= 0 will not correctly detect the use of -1 to indicate the field is unused. Remove the useless comparison and replace with correct range checks or comparisons to -1.

  Reported-by: Anil Madhavapeddy <anil@recoil.org>
  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* tools/libxc: introduce xc_memalign in xc_{minios,linux,solaris,netbsd}.c | Shriram Rajagopalan | 2011-12-01 | 1 | -3/+2

  Move (page aligned) buffer allocations in {os}_privcmd_alloc_hypercall_buffer into a global function xc_memalign. This API is also used by Remus compression code to allocate compression caches that need to be page aligned.

  Signed-off-by: Shriram Rajagopalan <rshriram@cs.ubc.ca>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Acked-by: Brendan Cully <brendan@cs.ubc.ca>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: add xc_gntshr_* functions | Daniel De Graaf | 2011-10-06 | 1 | -0/+102

  These functions and the xc_gntshr device (/dev/xen/gntalloc on linux) allow applications to create pages shared with other domains.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: add xc_gnttab_map_grant_ref_notify | Daniel De Graaf | 2011-10-06 | 1 | -61/+51

  Normally, when a userspace process mapping a grant crashes, the domain providing the reference receives no indication that its peer has crashed, possibly leading to unexpected freezes or timeouts. This function provides a notification of the unmap by signalling an event channel and/or clearing a specific byte in the page.

  This also unifies the 3 very similar grant-mapping osdep interfaces into a single function instead of introducing yet another minor variation.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
* libxc: osdep: convert hypercall buffer allocation | Ian Campbell | 2011-03-11 | 1 | -0/+27

  This will allow us to use OS specific interfaces to ensure that the allocated memory is safe for use as a hypercall buffer in the future.

  Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
* libxc: Remove set_max_grants in linux | Daniel De Graaf | 2011-01-17 | 1 | -14/+0

  The maximum number of grants is now constrained domain-wide in linux, so set_max_grants should be a noop there. Previously, this constraint was per-file-description.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* libxc: refactor Linux OS interface into a separate file. | Ian Campbell | 2010-12-03 | 1 | -0/+685

  This helps ensure that the osdep abstraction is complete by allowing us to avoid including xc_private.h.

  All the other OS backends could benefit from the same treatment but since I cannot compile test I did not do this.

  Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
  Signed-off-by: Ian Jackson <ian.jackson.citrix.com>