| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
| |
Instead of placing string parsing inside the hypervisor, use binary
structures like other Xen hypercalls do.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
| |
A number of build problems crept in once again. Fix them.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
| |
|
|
| |
Signed-off-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a PCI System Error (SERR) is asserted it causes an NMI. If this NMI
occurs while the CPU is in printk() then Xen may deadlock as
pci_serr_error() calls console_force_unlock() which screws up the
console lock.
printk() isn't safe to call from NMI context so defer the diagnostic
message to a softirq.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Tested-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
Booleans are currently only addressable by using a sequence number
that is not easily accessible to tools. Add new FLASK operations to
get/set booleans by name, and to get the name of a boolean given its
ID.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
| |
If the XSM hook denied access, the execution incorrectly continued on
after an extra unlock domain.
Reported-by: John McDermott <john.mcdermott@nrl.navy.mil>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
Instead of returning -EINVAL for all errors, return -EEXIST if adding
an entry that overlaps with an existing entry, and -ENOENT if
attempting to remove an entry that does not exist. Adding an ocontext
that already exists with the same SID is no longer an error.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
| |
XSM permissions are defined in terms of IRQs, not PIRQs; use the
correct number when checking permission in unmap_domain_pirq.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
When checking permissions in map_domain_pirq, the msi_desc field of
the irq_desc is not yet populated with the PCI device being used. Pass
in the msi_info structure which contains the intended PCI device whose
label will be used in the security check.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
Because the PCI-MSI IRQ numbers are allocated dynamically, labeling
them by number is not useful. Instead, for all IRQs beyond
nr_irqs_gsi, use the associated msi_desc to find the PCI device and
use the label of the PCI device for the IRQ.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In FLASK, event channel labels are distinct from the labels of the
domain using them. When debugging policy issues, it is useful to be
able to view the current label of event channels; add this label to
the event channel dump.
This patch also adds the IRQ associated with a PIRQ for event channels
bound to a PIRQ, and moves the xen_consumer flag to the front to
create more consistent alignment in the output.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
| |
Never mind that ballooning a shared page makes no sense. We still fix it
because it may be exercised.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
Have them used locked accesors to the gfn and the underlying shared mfn.
Have them return the number of shared refs to the underlying mfn.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
| |
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
| |
There are several corner cases in which a page is paged back in, not by paging,
and the stats are not properly updated.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
p2m lookups
Currently, mm-locks.h enforces a strict ordering between locks in the mm
layer lest there be an inversion in the order locks are taken and thus
the risk of deadlock.
Once p2m lookups becoming synchronized, get_gfn* calls take the p2m lock, and a
new set of inversion arises. Reorder some of the locks in the shadow code so
that even in this case no deadlocks happen.
After this, synchronized p2m lookups are in principle ready to be enabled in
shadow mode.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
count
Xen doesn't clean the type flag when dropping the type count for a page to
zero. So, looking at the type flag when nominating a page for paging it's
incorrect. Look at the type count instead.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This state in the paging state machine became unnecessary after the last
few updates.
Once eliminated, rename p2m_ram_paging_in_start to p2m_ram_paging_in.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
| |
Signed-off-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
|
| |
|
|
|
|
|
|
|
| |
If the guest is an HVM guest and it is not using the vector callback
mechanism, refuse to remap pirqs onto event channels.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Tested-by: Paulian Bogdan Marinca <paulian@marinca.net>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let p2m_mem_paging_nominate and p2m_mem_paging_evict return just one
error number. EINVAL is not very helpful in case of nominate, it can
happen if the pager tries to nominate a ballooned page. In this case the
gfn is not backed by a mfn, the pager can not know that. Similar with
evict, anything can happen between nominate and evict.
This change helps the pager to decide if the returned error is from the
function itself, or if it happend earlier. In the latter case, it is
most likely fatal and should be handled as such.
nominate and evict return EBUSY, which is supposed to mean
"pager request reached target function, and failed."
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order for the toolstack to use reserved grant table entries, the
grant table for a guest must be initialized prior to the guest's boot.
When the guest switches grant table versions (necessary if the guest
is using v2 grant tables, or on kexec if switching grant versions),
these initial grants will be cleared. Instead of clearing them,
preserve the grants across the type change.
Attempting to preserve v2-only features such as sub-page grants will
produce a warning and clear the resulting v1 grant entry.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XEN_DOMCTL_getdomaininfo domctl does not allow manipulation of
domains, only basic information such as size and state, so its use
does not fully justify making a domain privileged. XSM modules can
also provide fine-grained control over what domains are visible to
domains that call getdomaininfo.
If XSM is disabled (either at compile time or by using the dummy XSM
module) then there is no change in behavior: only IS_PRIV domains can
use this domctl. If enabled, the XSM module controls access.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch sends global VIRQs to a domain designated as the VIRQ
handler
instead of sending all global VIRQ events to dom0. This is required in
order to run xenstored in a stubdom, because VIRQ_DOM_EXC must be sent
to xenstored for domain destruction to work properly.
This patch was inspired by the xenstored stubdomain patch series sent
to xen-devel by Alex Zeffertt in 2009.
Signed-off-by: Diego Ongaro <diego.ongaro@citrix.com>
Signed-off-by: Alex Zeffertt <alex.zeffertt@eu.citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reinstates the XENMEM_remove_from_physmap hypercall
which was removed in 19041:ee62aaafff46 because it was not used.
However, is now needed in order to support xenstored stub domains.
The xenstored stub domain is not priviliged like dom0 and so cannot
unilaterally map the xenbus page of other guests into it's address
space. Therefore, before creating a domU the domain builder needs to
seed its grant table with a grant ref allowing the xenstored stub
domain to access the new domU's xenbus page.
At present domU's do not start with their grant table mapped.
Instead it gets mapped when the guest requests a grant table from
the hypervisor.
In order to seed the grant table, the domain builder first needs to
map it into dom0 address space. But the hypercall to do this
requires a gpfn (guest pfn), which is an mfn for PV guest, but a pfn
for HVM guests. Therfore, in order to seed the grant table of an
HVM guest, dom0 needs to *temporarily* map it into the guest's
"physical" address space.
Hence the need to reinstate the XENMEM_remove_from_physmap hypercall.
Signed-off-by: Alex Zeffertt <alex.zeffertt@eu.citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PHYSDEVOP_pirq_eoi_gmfn changes the semantics of PHYSDEVOP_eoi.
In order to improve the interface this patch:
- renames PHYSDEVOP_pirq_eoi_gmfn to PHYSDEVOP_pirq_eoi_gmfn_v1;
- introduces PHYSDEVOP_pirq_eoi_gmfn_v2, that is like
PHYSDEVOP_pirq_eoi_gmfn_v1 but it doesn't modify the behaviour of
another hypercall;
- bump __XEN_LATEST_INTERFACE_VERSION__;
- #define PHYSDEVOP_pirq_eoi_gmfn to PHYSDEVOP_pirq_eoi_gmfn_v1 or
PHYSDEVOP_pirq_eoi_gmfn_v2 depending on the __XEN_INTERFACE_VERSION.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If Xen is going to relinquish the VGA console, flush the linear frame
buffer after zeroing it in vesa_endboot().
Failing to do so in some circumstances leads to the actual linear
framebuffer on the graphics card still containing the output of the
Xen boot console can lead to ugly graphics output when dom0 is setting
up the graphics card for its own use.
While the patch is quite large, it is mostly just code motion to
prevent having to forward declare lfb_flush(). The only functional
change to vesa_endboot() is to insert a call to lbf_flush().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currenty, not specifying 'console=<foo>' on the command line causes
Xen to default to 'vga'. Alternativly, the user can explicitly
specifiy 'console=vga|com1|com2'.
However, there is no way to specify that neither vga nor serial should
be used. Specifying 'console=' does have the effect that neither vga
nor serial is set up, but at the cost of an "Bad console= option ''"
warning.
Therefore, expliticly support a 'console=none' option which does not
set up vga and does not set up serial, but does not trigger the bad
console warning.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Introduce a new flag to disable iommu emulation on old iommu systems.
This patch is taken from my v4 patch queue, which is till pending, to
make old or non-iommu system to run cleanly without interfered by
iommuv2 codes. This might be helpful to isolate iommuv2 code in
debugging unstable regressions. The reset part of v4 will be re-based.
Signed-off-by: Wei Wang <wei.wang2@amd.com>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
| |
They seem to have been introduced by accident in 23311:f4585056b9ae
when some 'static inline' functions were moved out of a header
Signed-off-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
| |
Having an absolute path in a #include confuses distcc's pump mode
so get rid ofit by using the same runes for both BSDs.
Signed-off-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
In the mm layer, if we take lock A, then lock B, and the recursively lock A,
the deadlock detector panics. This is not a deadlock risk because we
already 'own' the outer lock (A), so we will not contend for that resource.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
Limit such queries only to p2m_query types. This is more compatible
with the name and intended semantics: perform only a lookup, and explicitly
in an unlocked way.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
| |
If we hit the page after nominate but before paging it out, don't decrement the
domain count of paged out pages.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
| |
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
| |
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
| |
Because shared pages are owned by dom_cow, the ownership test
while foreign mapping fails.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
| |
Holding the p2m lock during a p2m teardown, while unsharing entries pointing to
shared frames, causes a locking inversion and deadlock panic.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When restoring a p2m entry in the paging_load path, we were not updating the
m2p entry correctly.
Also take advantage of this to act on an old suggestion: once done with the
load, promote the p2m entry to the final guest accessible type. This simplifies
logic.
Tested to work with xenpaging.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The name 'shared_info' for the list of shared pages backed by a share frame
collided with the identifier also used for a domain's shared info page. To
avoid grep/cscope/etc aliasing, rename the shared memory token to 'sharing.
This patch only addresses style, and performs no functional changes. To ease
reviwing, the patch was left as a stand-alone last-slot addition to the queue
to avoid propagating changes throughout the whole series.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
| |
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
| |
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
| |
This domctl is useful to, for example, populate parts of a domain's physmap
with shared frames, directly.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch also moves the existing sharing-related memory op to the
correct location, and adds logic to the audit() method that uses the
new information.
This patch only provides the Xen implementation of the domctls.
Signed-off-by: Andres Lagar-Cavilla <andres@scannell.ca>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>
|
