mirrored from git://xenbits.xen.org/xen.git
-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge pull request #1 from xen-project/staging #5
Open
blackskygg
wants to merge
9
commits into
xen-project:staging
Choose a base branch
from
blackskygg:staging
base: staging
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…hysmap This is for the proposal "Allow setting up shared memory areas between VMs from xl config file". See: https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Then plan is to use XENMEM_add_to_physmap_batch to map the shared pages from one domU to another and use XENMEM_remove_from_physmap to cancel the sharing. A wrapper to XENMEM_add_to_physmap_batch was added in the following commit: commit 20e725e Now add the wrapper to XENMEM_remove_from_physmap. Signed-off-by: Zhongze Liu <[email protected]> Reviewed-by: Stefano Stabellini <[email protected]> Acked-by: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V4: * change domid_t to uint32_t
The existing XENMAPSPACE_gmfn_foreign subop of XENMEM_add_to_physmap forbids a Dom0 to map memory pages from one DomU to another, which restricts some useful yet not dangerous use cases -- such as sharing pages among DomU's so that they can do shm-based communication. This patch introduces XENMAPSPACE_gmfn_share to address this inconvenience, which is mostly the same as XENMAPSPACE_gmfn_foreign but has its own xsm check. Specifically, the patch: * Introduces a new av permission MMU__SHARE_MEM to denote if two domains can share memory by using the new subop; * Introduces xsm_map_gmfn_share() to check if (current) has proper permission over (t) AND MMU__SHARE_MEM is allowed between (d) and (t); * Modify the default xen.te to allow MMU__SHARE_MEM for normal domains that allow grant mapping/event channels. The new subop is marked unsupported for x86 because calling p2m_add_foregin on two DomU's is currently not supported on x86. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Daniel De Graaf <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V3: * Change several if statements to the GCC '... = a ?: b' extention. * lookup the current domain in the hooks instead of passing it as an arg V4: * eliminate the duplicated (c) over (d) check * Added a new subop instead of modifying the old subop
…gions Add a new structure to the IDL familiy to represent static shared memory regions as proposed in the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). And deleted some trailing white spaces. [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Reviewed-by: Stefano Stabellini <[email protected]> Acked-by: Wei Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]
Add libxl__sshm_add to map shared pages from one DomU to another, The mapping process involves the follwing steps: * Set defaults and check for further errors in the static_shm configs: overlapping areas, invalid ranges, duplicated master domain, no master domain etc. * Write infomation of static shared memory areas into the appropriate xenstore paths. * Use xc_domain_add_to_physmap_batch to do the page sharing. * Set the refcount of the shared region accordingly Temporarily mark this as unsupported on x86 because calling p2m_add_foreign on two domU's is currently not allowd on x86 (see the comments in x86/mm/p2m.c:p2m_add_foreign for more details). This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V3: * unmap the successfully mapped pages whenever rc != 0 V4: * use XENMAPSPACE_gmfn_share instead of *_gmfn_foreign
…truction Add libxl__sshm_del to unmap static shared memory areas mapped by libxl__sshm_add during domain creation. The unmapping process is: * For a master: decrease the refcount of the sshm region, if the refcount reaches 0, cleanup the whole sshm path. * For a slave: unmap the shared pages, and cleanup related xs entries. decrease the refcount of the sshm region, if the refcount reaches 0, cleanup the whole sshm path. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]
…g files Add the parsing utils for the newly introduced libxl_static_sshm struct to the libxl/libxlu_* family. And add realated parsing code in xl to parse the struct from xl config files. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]
Add docs to document the motivation, usage, use cases and other relevant information about the static shared memory feature. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file". See: https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Initialises basic data structures and performs teardown of argo state for domain shutdown. Inclusion of the Argo implementation is dependent on CONFIG_ARGO. Introduces a new Xen command line parameter 'argo': bool to enable/disable the argo hypercall. Defaults to disabled. New headers: public/argo.h: with definions of addresses and ring structure, including indexes for atomic update for communication between domain and hypervisor. xen/argo.h: to expose the hooks for integration into domain lifecycle: argo_init: per-domain init of argo data structures for domain_create. argo_destroy: teardown for domain_destroy and the error exit path of domain_create. argo_soft_reset: reset of domain state for domain_soft_reset. Adds two new fields to struct domain: rwlock_t argo_lock; struct argo_domain *argo; In accordance with recent work on _domain_destroy, argo_destroy is idempotent. It will tear down: all rings registered by this domain, all rings where this domain is the single sender (ie. specified partner, non-wildcard rings), and all pending notifications where this domain is awaiting signal about available space in the rings of other domains. A count will be maintained of the number of rings that a domain has registered in order to limit it below the fixed maximum limit defined here. Macros are defined to verify the internal locking state within the argo implementation. The macros are ASSERTed on entry to functions to validate and document the required lock state prior to calling. The software license on the public header is the BSD license, standard procedure for the public Xen headers. The public header was originally posted under a GPL license at: [1]: https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html The following ACK by Lars Kurth is to confirm that only people being employees of Citrix contributed to the header files in the series posted at [1] and that thus the copyright of the files in question is fully owned by Citrix. The ACK also confirms that Citrix is happy for the header files to be published under a BSD license in this series (which is based on [1]). Signed-off-by: Christopher Clark <[email protected]> Acked-by: Lars Kurth <[email protected]> Reviewed-by: Ross Philipson <[email protected]> This version contains FIXMEs for 4.12: * Replace the hash function to get better distribution across buckets. - Don't use casts in the replacement function. - Drop the use of array_index_nospec. * since argo_destroy is in _domain_destroy, remove it from domain_kill v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#4 Andrew: don't truncate args do_argo_op printk v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for hypercall arg types v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v3 xen-project#4 Roger: remove unused and confusing d->argo_lock v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op v3 xen-project#4 Roger: add const to domain arg to ring_remove_info v3 xen-project#4 Roger: use XFREE v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct v3 xen-project#4 Eric: moved ring_find_info from register op into this commit v3 moved hash_index function, nospec include from register op to this commit v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 Added Ross's Reviewed-by. v2 rewrite locking explanation comment v2 header copyright line now includes 2019 v2 self: use ring_info backpointer in pending_ent to maintain npending v2 self: rename all_rings_remove_info to domain_rings_remove_all v2 feedback Jan: drop cookie, implement teardown v2 self: add npending to track number of pending entries per ring v2 self: amend comment on locking; drop section comments v2 cookie_eq: test low bits first and use likely on high bits v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 self: drop pending_remove_ent, inline at single call site v1 feedback Roger, Jan: drop argo prefix on static functions v2 xen-project#4 Lars: add Acked-by and details to commit message. v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v2 bugfix: xsm use in soft-reset prior to introduction v2 feedback #9 Jan: drop 'message' from do_argo_message_op v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns. v1 xen-project#5 feedback Paul: init/destroy : use currd v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/ v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5. v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk v1. xen-project#5 feedback Paul: change the license on public header to BSD - ack from Lars at Citrix. v1. self, Jan: drop unnecessary xen include from sched.h v1. self, Jan: drop inclusion of public argo.h in private one v1. self, Jan: add include of public argo.h to argo.c v1. self, Jan: drop fwd decl of argo_domain in priv header v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile v1. self: removed allocation of event channel since switching to VIRQ v1. self: drop types.h include from private argo.h v1: reorder public argo include position v1: #13 feedback Jan: public namespace: prefix with xen v1: self: rename pending ent "id" to "domain_id" v1: self: add domain_cookie to ent struct v1. #15 feedback Jan: make cmd unsigned v1. #15 feedback Jan: make i loop variable unsigned v1: self: adjust dprintks in init, destroy v1: #18 feedback Jan: meld max ring count limit v1: self: use type not struct in public defn, affects compat gen header v1: feedback #15 Jan: handle upper-halves of hypercall args v1: add comment explaining the 'magic' field v1: self + Jan feedback: implement soft reset v1: feedback #13 Roger: use ASSERT_UNREACHABLE
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <[email protected]> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <[email protected]> Acked-by: Daniel De Graaf <[email protected]> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <[email protected]> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <[email protected]> Acked-by: Daniel De Graaf <[email protected]> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Initialises basic data structures and performs teardown of argo state for domain shutdown. Inclusion of the Argo implementation is dependent on CONFIG_ARGO. Introduces a new Xen command line parameter 'argo': bool to enable/disable the argo hypercall. Defaults to disabled. New headers: public/argo.h: with definions of addresses and ring structure, including indexes for atomic update for communication between domain and hypervisor. xen/argo.h: to expose the hooks for integration into domain lifecycle: argo_init: per-domain init of argo data structures for domain_create. argo_destroy: teardown for domain_destroy and the error exit path of domain_create. argo_soft_reset: reset of domain state for domain_soft_reset. Adds two new fields to struct domain: rwlock_t argo_lock; struct argo_domain *argo; In accordance with recent work on _domain_destroy, argo_destroy is idempotent. It will tear down: all rings registered by this domain, all rings where this domain is the single sender (ie. specified partner, non-wildcard rings), and all pending notifications where this domain is awaiting signal about available space in the rings of other domains. A count will be maintained of the number of rings that a domain has registered in order to limit it below the fixed maximum limit defined here. Macros are defined to verify the internal locking state within the argo implementation. The macros are ASSERTed on entry to functions to validate and document the required lock state prior to calling. The software license on the public header is the BSD license, standard procedure for the public Xen headers. The public header was originally posted under a GPL license at: [1]: https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html The following ACK by Lars Kurth is to confirm that only people being employees of Citrix contributed to the header files in the series posted at [1] and that thus the copyright of the files in question is fully owned by Citrix. The ACK also confirms that Citrix is happy for the header files to be published under a BSD license in this series (which is based on [1]). Signed-off-by: Christopher Clark <[email protected]> Acked-by: Lars Kurth <[email protected]> Reviewed-by: Ross Philipson <[email protected]> This version contains FIXMEs for 4.12: * Replace the hash function to get better distribution across buckets. - Don't use casts in the replacement function. - Drop the use of array_index_nospec. * since argo_destroy is in _domain_destroy, remove it from domain_kill v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#4 Andrew: don't truncate args do_argo_op printk v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for hypercall arg types v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v3 xen-project#4 Roger: remove unused and confusing d->argo_lock v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op v3 xen-project#4 Roger: add const to domain arg to ring_remove_info v3 xen-project#4 Roger: use XFREE v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct v3 xen-project#4 Eric: moved ring_find_info from register op into this commit v3 moved hash_index function, nospec include from register op to this commit v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 Added Ross's Reviewed-by. v2 rewrite locking explanation comment v2 header copyright line now includes 2019 v2 self: use ring_info backpointer in pending_ent to maintain npending v2 self: rename all_rings_remove_info to domain_rings_remove_all v2 feedback Jan: drop cookie, implement teardown v2 self: add npending to track number of pending entries per ring v2 self: amend comment on locking; drop section comments v2 cookie_eq: test low bits first and use likely on high bits v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 self: drop pending_remove_ent, inline at single call site v1 feedback Roger, Jan: drop argo prefix on static functions v2 xen-project#4 Lars: add Acked-by and details to commit message. v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v2 bugfix: xsm use in soft-reset prior to introduction v2 feedback #9 Jan: drop 'message' from do_argo_message_op v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns. v1 xen-project#5 feedback Paul: init/destroy : use currd v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/ v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5. v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk v1. xen-project#5 feedback Paul: change the license on public header to BSD - ack from Lars at Citrix. v1. self, Jan: drop unnecessary xen include from sched.h v1. self, Jan: drop inclusion of public argo.h in private one v1. self, Jan: add include of public argo.h to argo.c v1. self, Jan: drop fwd decl of argo_domain in priv header v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile v1. self: removed allocation of event channel since switching to VIRQ v1. self: drop types.h include from private argo.h v1: reorder public argo include position v1: #13 feedback Jan: public namespace: prefix with xen v1: self: rename pending ent "id" to "domain_id" v1: self: add domain_cookie to ent struct v1. #15 feedback Jan: make cmd unsigned v1. #15 feedback Jan: make i loop variable unsigned v1: self: adjust dprintks in init, destroy v1: #18 feedback Jan: meld max ring count limit v1: self: use type not struct in public defn, affects compat gen header v1: feedback #15 Jan: handle upper-halves of hypercall args v1: add comment explaining the 'magic' field v1: self + Jan feedback: implement soft reset v1: feedback #13 Roger: use ASSERT_UNREACHABLE
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <[email protected]> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <[email protected]> Acked-by: Daniel De Graaf <[email protected]> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Initialises basic data structures and performs teardown of argo state for domain shutdown. Inclusion of the Argo implementation is dependent on CONFIG_ARGO. Introduces a new Xen command line parameter 'argo': bool to enable/disable the argo hypercall. Defaults to disabled. New headers: public/argo.h: with definions of addresses and ring structure, including indexes for atomic update for communication between domain and hypervisor. xen/argo.h: to expose the hooks for integration into domain lifecycle: argo_init: per-domain init of argo data structures for domain_create. argo_destroy: teardown for domain_destroy and the error exit path of domain_create. argo_soft_reset: reset of domain state for domain_soft_reset. Adds a new field to struct domain: struct argo_domain *argo; In accordance with recent work on _domain_destroy, argo_destroy is idempotent. It will tear down: all rings registered by this domain, all rings where this domain is the single sender (ie. specified partner, non-wildcard rings), and all pending notifications where this domain is awaiting signal about available space in the rings of other domains. A count will be maintained of the number of rings that a domain has registered in order to limit it below the fixed maximum limit defined here. Macros are defined to verify the internal locking state within the argo implementation. The macros are ASSERTed on entry to functions to validate and document the required lock state prior to calling. The hash function for the hashtables that hold ring state is derived from the string hashing function djb2 (http://www.cse.yorku.ca/~oz/hash.html) by Daniel J. Bernstein. Basic testing with a limited number of domains and ports has shown reasonable distribution for the table size. The software license on the public header is the BSD license, standard procedure for the public Xen headers. The public header was originally posted under a GPL license at: [1]: https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html The following ACK by Lars Kurth is to confirm that only people being employees of Citrix contributed to the header files in the series posted at [1] and that thus the copyright of the files in question is fully owned by Citrix. The ACK also confirms that Citrix is happy for the header files to be published under a BSD license in this series (which is based on [1]). Signed-off-by: Christopher Clark <[email protected]> Acked-by: Lars Kurth <[email protected]> Reviewed-by: Ross Philipson <[email protected]> v5 xen-project#4 Roger: tweak command line doc: remove statement about top level bool v5: add compat validation macros to primary source file: common/argo.c v5: dropped external file for compat macros: common/compat/argo.c v4: removed FIXME for removing argo_destroy from domain_kill v4 Jan: amend the command line doc text referring to build configuration v4 : use standard data structures as per common code v4 Jan: replace hash_index with djb2-derived hash algorithm v4 Andrew: switch argo command line option to list argo=<bool> v4 xen-project#4 Roger: drop unneeded init of ring_count in argo_domain_init v4 xen-project#4 Roger: replace if (ring_info->mfns) with ASSERTs in ring_unmap v4 xen-project#4 Roger: rewrite the locking verification macros v4 xen-project#4 Roger: make L1 lock description comment clearer about R(L1) and W(L1) v4 Andrew: fix split of dprintk in ring_map_info across v4 commits v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#4 Andrew: don't truncate args do_argo_op printk v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for hypercall arg types v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v3 xen-project#4 Roger: remove unused and confusing d->argo_lock v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op v3 xen-project#4 Roger: add const to domain arg to ring_remove_info v3 xen-project#4 Roger: use XFREE v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct v3 xen-project#4 Eric: moved ring_find_info from register op into this commit v3 moved hash_index function, nospec include from register op to this commit v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 Added Ross's Reviewed-by. v2 rewrite locking explanation comment v2 header copyright line now includes 2019 v2 self: use ring_info backpointer in pending_ent to maintain npending v2 self: rename all_rings_remove_info to domain_rings_remove_all v2 feedback Jan: drop cookie, implement teardown v2 self: add npending to track number of pending entries per ring v2 self: amend comment on locking; drop section comments v2 cookie_eq: test low bits first and use likely on high bits v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 self: drop pending_remove_ent, inline at single call site v1 feedback Roger, Jan: drop argo prefix on static functions v2 xen-project#4 Lars: add Acked-by and details to commit message. v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v2 bugfix: xsm use in soft-reset prior to introduction v2 feedback #9 Jan: drop 'message' from do_argo_message_op v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns. v1 xen-project#5 feedback Paul: init/destroy : use currd v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/ v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5. v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk v1. xen-project#5 feedback Paul: change the license on public header to BSD - ack from Lars at Citrix. v1. self, Jan: drop unnecessary xen include from sched.h v1. self, Jan: drop inclusion of public argo.h in private one v1. self, Jan: add include of public argo.h to argo.c v1. self, Jan: drop fwd decl of argo_domain in priv header v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile v1. self: removed allocation of event channel since switching to VIRQ v1. self: drop types.h include from private argo.h v1: reorder public argo include position v1: #13 feedback Jan: public namespace: prefix with xen v1: self: rename pending ent "id" to "domain_id" v1: self: add domain_cookie to ent struct v1. #15 feedback Jan: make cmd unsigned v1. #15 feedback Jan: make i loop variable unsigned v1: self: adjust dprintks in init, destroy v1: #18 feedback Jan: meld max ring count limit v1: self: use type not struct in public defn, affects compat gen header v1: feedback #15 Jan: handle upper-halves of hypercall args v1: add comment explaining the 'magic' field v1: self + Jan feedback: implement soft reset v1: feedback #13 Roger: use ASSERT_UNREACHABLE
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the new mac-permissive flag that is added to the argo boot option here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, the new option "mac-permissive" for the argo bootparam enables overriding this. eg: "argo=1,mac-permissive=1" The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. Signed-off-by: Christopher Clark <[email protected]> v5 xen-project#7 Roger: add BUILD_BUG_ON for MAX_RING_SIZE, PAGE_SIZE v5 xen-project#7 Roger: gprintk(XENLOG_ERR,.. for denied existing ring v5: add compat validation macros to primary source file: common/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5: dropped external file for compat macros: common/compat/argo.c v4 v3#07 Jan: shrink critical sections in register_ring v4 v3#07 Jan: revise register flag MASK in header, note 32-bitness of args v4 feedback: use standard data structures per common code, not loop macros v4 Andrew: use the single argo command line option list v4 xen-project#7 Jan: rewrite find_ring_mfn to use check_get_page_from_gfn v4 xen-project#7 Roger: add FIXME to ring_map_page for vmap contiguous ring mapping v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <[email protected]> v5: add compat validation macros to primary source file: common/argo.c v5: dropped external file for compat macros: common/compat/argo.c v4 # Jan: shrink the critical sections in unregister v4 : use standard data structures as per common code v4 xen-project#8 Roger: skip send_info lookup for wildcard rings v4: add ASSERT_UNREACHABLE for missing sender domain or send_info v4: reduce indentation by using goto v4: add unlikely to currd->argo check v4 xen-project#8 Jan: move put_domain outside L2 critical section v4: include ring data in debug output when ring not found v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <[email protected]> v5 #09 Roger: add comment explaining post-iovs tx_ptr round up + wrap v5 #09 Roger: remove redundant len bounds check vs MAX_ARGO_MESSAGE_SIZE v5 #09 Roger: ringbuf_insert: WARN not ERR on empty iovs v5 #09 Roger: bugfix: set rc = -EFAULT if !guest_handle_okay v5 use EBUSY when cannot add to the pending ent queue: many domains active v5: add compat validation macros to primary source file: common/argo.c v5: dropped external file for compat macros: common/compat/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5 : switch argo_iov to needs translation in xlat.lst v4 Jan: remove use of fixed-width types from iov_count, ringbuf_insert v4 xen-project#7 Jan: shrink critical sections in sendv v3 xen-project#7 Jan: header: note 32-bitness of hypercall message tuype arg v4 : use standard data structures as per common code v4 self: bugfix memcpy_to_guest_ring: head_len must check (offset + len) v4 #09 Roger: drop MESSAGE from VIRQ_ARGO_MESSAGE v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <[email protected]> v5: add EBUSY ent flag when too many domains are already on pending list v5: reorder notify flags: error flags last, fixed state first v5: add compat validation macros to primary source file: common/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5: dropped external file for compat macros: common/compat/argo.c v4 #10 Roger: consolidate notify flags; infer pending notify if needed v4 bugfix: take L3 before accessing ring_info in fill_ring_data v4 #10 Roger: shorten notify flag names: drop _DATA_F v4 #10 self/Roger: fill_ring_data: check pending_requeue error code v4 : use standard data structures as per common code v4 #10 Roger: lower indentation in fill_ring_data by using goto v4 #10 Roger: reword the XEN_ARGO_RING_DATA_F_SUFFICIENT comment v4 fix location of a FIXME that was incorrectly moved by this later commit v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <[email protected]> Acked-by: Daniel De Graaf <[email protected]> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
May 10, 2021
ASAN reported one issue when Live Updating Xenstored: ================================================================= ==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338 WRITE of size 1 at 0x7ffc194f53e0 thread T0 #0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468 #1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257 #2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273 xen-project#3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521 xen-project#4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660 xen-project#5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278 xen-project#6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357 xen-project#7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308 xen-project#8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9) Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame #0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232 This frame has 2 object(s): [32, 40) 'head' (line 1233) [64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable This is happening because the callers are passing a pointer to a variable allocated on the stack. However, the field perms is a dynamic array, so Xenstored will end up to read outside of the variable. Rework the code so the permissions are written one by one in the fd. Fixes: ed6eebf ("tools/xenstore: dump the xenstore state for live update") Signed-off-by: Julien Grall <[email protected]> Reviewed-by: Juergen Gross <[email protected]> Reviewed-by: Luca Fancellu <[email protected]>
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Jan 31, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <[email protected]> Tested-by: James Fehlig <[email protected]> Reviewed-by: Anthony PERARD <[email protected]>
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Feb 16, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <[email protected]> Tested-by: James Fehlig <[email protected]> Reviewed-by: Anthony PERARD <[email protected]> master commit: d9d3496 master date: 2022-01-31 10:58:07 +0100
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Feb 16, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <[email protected]> Tested-by: James Fehlig <[email protected]> Reviewed-by: Anthony PERARD <[email protected]> master commit: d9d3496 master date: 2022-01-31 10:58:07 +0100
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
sync with upstream