This is the ABI for the two halves of a para-virtualized #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sound driver to communicate with each to other. Signed-off-by: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@epam.com> Signed-off-by: Oleksandr Grytsov <Oleksandr_Grytsov@epam.com> Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com> Signed-off-by: Iurii Konovalenko <iurii.konovalenko@globallogic.com> --- Changes since v1: * removed __attribute__((__packed__)) from all structures definitions Changes since v2: * removed all C structures * added protocol description between frontend and backend drivers Changes since v3: * fixed some typos * renamed XENSND_PCM_FORMAT_FLOAT_** to XENSND_PCM_FORMAT_F32_** * renamed XENSND_PCM_FORMAT_FLOAT64_** to XENSND_PCM_FORMAT_F64_** * added 'id' field to the request and response packets * renamed 'stream_id' to 'stream' in the packets description * renamed 'pcm_data_rate' to 'pcm_rate' in the packets description * renamed 'pcm_stream_type' to 'pcm_type' in the packets description * removed 'stream_id' field from the response packets Changes since v4: * renamed 'stream_id' back to the to 'stream' in the packets description * moved 'id' field to the upper position in the response packets Changes since v5: * Slightly reworked request/response packets * Size of the request/response packet is changed to the 64 bytes * Now parameters for the XENSND_OP_SET_VOLUME/XENSND_OP_GET_VOLUME are passed via shared page * Added parameters for the XenBus nodes (now each stream can be mapped to the defined sound device in the backend using those parameters) * Added XenBus state diagrams description Changes since v6: * Reworked streams description in the Backend XenBus Nodes Changes since v7: * re-worked backend device parameters to be more generic and flexible * extended frontend device parameters * slightly updated state machine description added mute/unmute commands * added constants for XenStore configuration strings (fields, PCM formats etc.) * changed request/response structure size from 64 octets to 16 * introduced dynamic buffer allocation instead of static XENSND_MAX_PAGES_PER_REQUEST * re-worked open request to allow dynamic buffer allocation * re-worked read/write/volume requests, so they don't pass grefs: buffer from the open request is used for these operations to pass data * specified type of the volume value to be a signed value in steps of 0.001 dBm, while 0 being 0dBm. * added Linux include file with structure definitions Changes since v8: * changed frontend-id to frontend_id * single sound card support, configured with bunch of devices/streams * clarifucation made on sample rates and formats expressed as decimals w/o any particular ordering * put description of migration/disconnection state * replaced __attribute__((packed)) to __packed * changed padding of ring structures to 64 to fit cache line * removeed #ifdef __KERNEL * explicitly stated which indices in XenStore configuration are contiguous * added description to what frontend's defaults are * made names of virtual card/devices optional * removed PCM_FORMAT_SPECIAL * changed volume units from dBm to dB Changes since v9: * removed sndif_linux.h * moved all structures from sndif_linux.h to sndif.h * structures padded where needed * fixed Hz comment Changes since v10: * fixed tabs to 4 spaces to comply with Xen coding style * added placeholders to empty structures (C89 concern) * added missing header includes Changes since v11: * added XENSND_RSP_NOTSUPP error code * changed gref[0] to gref[1] with comment * modified comments on empty structures * removed "__" from member names * fixed indentation * added padding in union xensnd_resp * changed __XEN_PUBLIC_IO_XENSND_H__ to __XEN_PUBLIC_IO_SNDIF_H__ Changes since v12: * changed indentation for defines * missed ";" after gref[1] * documentation changes * changed req/resp structures * changed xensnd_page_directory structure * pass buffer size in open request ---
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
A convenience for working on development of the argo subsystem: setting a #define variable enables additional debug messages. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> === Jan's further remark given with the Ack: "This would better be an inline function, such that arguments passed in actually get evaluated. Otherwise you risk overlooking variables used for such logging only, and in particular the compiler then issuing warnings (breaking the build due to -Werror)." v3 added Roger's Reviewed-by v3 added Jan's Ack v2 xen-project#3 feedback, Jan: fix ifdef/define confusion error v1 xen-project#4 feedback, Jan: fix dprintk implementation
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Initialises basic data structures and performs teardown of argo state
for domain shutdown.
Inclusion of the Argo implementation is dependent on CONFIG_ARGO.
Introduces a new Xen command line parameter 'argo': bool to enable/disable
the argo hypercall. Defaults to disabled.
New headers:
public/argo.h: with definions of addresses and ring structure, including
indexes for atomic update for communication between domain and hypervisor.
xen/argo.h: to expose the hooks for integration into domain lifecycle:
argo_init: per-domain init of argo data structures for domain_create.
argo_destroy: teardown for domain_destroy and the error exit
path of domain_create.
argo_soft_reset: reset of domain state for domain_soft_reset.
Adds two new fields to struct domain:
rwlock_t argo_lock;
struct argo_domain *argo;
In accordance with recent work on _domain_destroy, argo_destroy is
idempotent. It will tear down: all rings registered by this domain, all
rings where this domain is the single sender (ie. specified partner,
non-wildcard rings), and all pending notifications where this domain is
awaiting signal about available space in the rings of other domains.
A count will be maintained of the number of rings that a domain has
registered in order to limit it below the fixed maximum limit defined here.
Macros are defined to verify the internal locking state within the argo
implementation. The macros are ASSERTed on entry to functions to validate
and document the required lock state prior to calling.
The software license on the public header is the BSD license, standard
procedure for the public Xen headers. The public header was originally
posted under a GPL license at: [1]:
https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html
The following ACK by Lars Kurth is to confirm that only people being
employees of Citrix contributed to the header files in the series posted at
[1] and that thus the copyright of the files in question is fully owned by
Citrix. The ACK also confirms that Citrix is happy for the header files to
be published under a BSD license in this series (which is based on [1]).
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Acked-by: Lars Kurth <lars.kurth@citrix.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
This version contains FIXMEs for 4.12:
* Replace the hash function to get better distribution across buckets.
- Don't use casts in the replacement function.
- Drop the use of array_index_nospec.
* since argo_destroy is in _domain_destroy, remove it from domain_kill
v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init
v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation
v3 xen-project#7 Jan: rename ring_find_info to find_ring_info
v3 xen-project#4 Andrew: don't truncate args do_argo_op printk
v3 xen-project#7 Jan: fix numeric entries in printk format strings
v3 #10 Roger: move find functions to top of file and drop prototypes
v3 xen-project#4 Jan: meld compat check for hypercall arg types
v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state
v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn
v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init
v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays
v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set
v3 xen-project#4 Roger: remove unused and confusing d->argo_lock
v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO
v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op
v3 xen-project#4 Roger: add const to domain arg to ring_remove_info
v3 xen-project#4 Roger: use XFREE
v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove
v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t*
v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len
v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs
v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct
v3 xen-project#4 Eric: moved ring_find_info from register op into this commit
v3 moved hash_index function, nospec include from register op to this commit
v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit
v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn
v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order
v3 Added Ross's Reviewed-by.
v2 rewrite locking explanation comment
v2 header copyright line now includes 2019
v2 self: use ring_info backpointer in pending_ent to maintain npending
v2 self: rename all_rings_remove_info to domain_rings_remove_all
v2 feedback Jan: drop cookie, implement teardown
v2 self: add npending to track number of pending entries per ring
v2 self: amend comment on locking; drop section comments
v2 cookie_eq: test low bits first and use likely on high bits
v2 self: OVERHAUL
v2 self: s/argo_pending_ent/pending_ent/g
v2 self: drop pending_remove_ent, inline at single call site
v1 feedback Roger, Jan: drop argo prefix on static functions
v2 xen-project#4 Lars: add Acked-by and details to commit message.
v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown
v2 bugfix: xsm use in soft-reset prior to introduction
v2 feedback #9 Jan: drop 'message' from do_argo_message_op
v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes
v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns.
v1 xen-project#5 feedback Paul: init/destroy : use currd
v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/
v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5.
v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer
v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk
v1. xen-project#5 feedback Paul: change the license on public header to BSD
- ack from Lars at Citrix.
v1. self, Jan: drop unnecessary xen include from sched.h
v1. self, Jan: drop inclusion of public argo.h in private one
v1. self, Jan: add include of public argo.h to argo.c
v1. self, Jan: drop fwd decl of argo_domain in priv header
v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile
v1. self: removed allocation of event channel since switching to VIRQ
v1. self: drop types.h include from private argo.h
v1: reorder public argo include position
v1: #13 feedback Jan: public namespace: prefix with xen
v1: self: rename pending ent "id" to "domain_id"
v1: self: add domain_cookie to ent struct
v1. #15 feedback Jan: make cmd unsigned
v1. #15 feedback Jan: make i loop variable unsigned
v1: self: adjust dprintks in init, destroy
v1: #18 feedback Jan: meld max ring count limit
v1: self: use type not struct in public defn, affects compat gen header
v1: feedback #15 Jan: handle upper-halves of hypercall args
v1: add comment explaining the 'magic' field
v1: self + Jan feedback: implement soft reset
v1: feedback #13 Roger: use ASSERT_UNREACHABLE
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
A convenience for working on development of the argo subsystem: setting a #define variable enables additional debug messages. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> === Jan's further remark given with the Ack: "This would better be an inline function, such that arguments passed in actually get evaluated. Otherwise you risk overlooking variables used for such logging only, and in particular the compiler then issuing warnings (breaking the build due to -Werror)." v3 added Roger's Reviewed-by v3 added Jan's Ack v2 xen-project#3 feedback, Jan: fix ifdef/define confusion error v1 xen-project#4 feedback, Jan: fix dprintk implementation
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Initialises basic data structures and performs teardown of argo state
for domain shutdown.
Inclusion of the Argo implementation is dependent on CONFIG_ARGO.
Introduces a new Xen command line parameter 'argo': bool to enable/disable
the argo hypercall. Defaults to disabled.
New headers:
public/argo.h: with definions of addresses and ring structure, including
indexes for atomic update for communication between domain and hypervisor.
xen/argo.h: to expose the hooks for integration into domain lifecycle:
argo_init: per-domain init of argo data structures for domain_create.
argo_destroy: teardown for domain_destroy and the error exit
path of domain_create.
argo_soft_reset: reset of domain state for domain_soft_reset.
Adds two new fields to struct domain:
rwlock_t argo_lock;
struct argo_domain *argo;
In accordance with recent work on _domain_destroy, argo_destroy is
idempotent. It will tear down: all rings registered by this domain, all
rings where this domain is the single sender (ie. specified partner,
non-wildcard rings), and all pending notifications where this domain is
awaiting signal about available space in the rings of other domains.
A count will be maintained of the number of rings that a domain has
registered in order to limit it below the fixed maximum limit defined here.
Macros are defined to verify the internal locking state within the argo
implementation. The macros are ASSERTed on entry to functions to validate
and document the required lock state prior to calling.
The software license on the public header is the BSD license, standard
procedure for the public Xen headers. The public header was originally
posted under a GPL license at: [1]:
https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html
The following ACK by Lars Kurth is to confirm that only people being
employees of Citrix contributed to the header files in the series posted at
[1] and that thus the copyright of the files in question is fully owned by
Citrix. The ACK also confirms that Citrix is happy for the header files to
be published under a BSD license in this series (which is based on [1]).
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Acked-by: Lars Kurth <lars.kurth@citrix.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
This version contains FIXMEs for 4.12:
* Replace the hash function to get better distribution across buckets.
- Don't use casts in the replacement function.
- Drop the use of array_index_nospec.
* since argo_destroy is in _domain_destroy, remove it from domain_kill
v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init
v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation
v3 xen-project#7 Jan: rename ring_find_info to find_ring_info
v3 xen-project#4 Andrew: don't truncate args do_argo_op printk
v3 xen-project#7 Jan: fix numeric entries in printk format strings
v3 #10 Roger: move find functions to top of file and drop prototypes
v3 xen-project#4 Jan: meld compat check for hypercall arg types
v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state
v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn
v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init
v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays
v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set
v3 xen-project#4 Roger: remove unused and confusing d->argo_lock
v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO
v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op
v3 xen-project#4 Roger: add const to domain arg to ring_remove_info
v3 xen-project#4 Roger: use XFREE
v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove
v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t*
v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len
v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs
v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct
v3 xen-project#4 Eric: moved ring_find_info from register op into this commit
v3 moved hash_index function, nospec include from register op to this commit
v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit
v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn
v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order
v3 Added Ross's Reviewed-by.
v2 rewrite locking explanation comment
v2 header copyright line now includes 2019
v2 self: use ring_info backpointer in pending_ent to maintain npending
v2 self: rename all_rings_remove_info to domain_rings_remove_all
v2 feedback Jan: drop cookie, implement teardown
v2 self: add npending to track number of pending entries per ring
v2 self: amend comment on locking; drop section comments
v2 cookie_eq: test low bits first and use likely on high bits
v2 self: OVERHAUL
v2 self: s/argo_pending_ent/pending_ent/g
v2 self: drop pending_remove_ent, inline at single call site
v1 feedback Roger, Jan: drop argo prefix on static functions
v2 xen-project#4 Lars: add Acked-by and details to commit message.
v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown
v2 bugfix: xsm use in soft-reset prior to introduction
v2 feedback #9 Jan: drop 'message' from do_argo_message_op
v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes
v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns.
v1 xen-project#5 feedback Paul: init/destroy : use currd
v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/
v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5.
v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer
v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk
v1. xen-project#5 feedback Paul: change the license on public header to BSD
- ack from Lars at Citrix.
v1. self, Jan: drop unnecessary xen include from sched.h
v1. self, Jan: drop inclusion of public argo.h in private one
v1. self, Jan: add include of public argo.h to argo.c
v1. self, Jan: drop fwd decl of argo_domain in priv header
v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile
v1. self: removed allocation of event channel since switching to VIRQ
v1. self: drop types.h include from private argo.h
v1: reorder public argo include position
v1: #13 feedback Jan: public namespace: prefix with xen
v1: self: rename pending ent "id" to "domain_id"
v1: self: add domain_cookie to ent struct
v1. #15 feedback Jan: make cmd unsigned
v1. #15 feedback Jan: make i loop variable unsigned
v1: self: adjust dprintks in init, destroy
v1: #18 feedback Jan: meld max ring count limit
v1: self: use type not struct in public defn, affects compat gen header
v1: feedback #15 Jan: handle upper-halves of hypercall args
v1: add comment explaining the 'magic' field
v1: self + Jan feedback: implement soft reset
v1: feedback #13 Roger: use ASSERT_UNREACHABLE
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
andyhhp
pushed a commit
to andyhhp/xen
that referenced
this pull request
Jan 15, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
A convenience for working on development of the argo subsystem: setting a #define variable enables additional debug messages. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> === Jan's further remark given with the Ack: "This would better be an inline function, such that arguments passed in actually get evaluated. Otherwise you risk overlooking variables used for such logging only, and in particular the compiler then issuing warnings (breaking the build due to -Werror)." v3 added Roger's Reviewed-by v3 added Jan's Ack v2 xen-project#3 feedback, Jan: fix ifdef/define confusion error v1 xen-project#4 feedback, Jan: fix dprintk implementation
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Initialises basic data structures and performs teardown of argo state
for domain shutdown.
Inclusion of the Argo implementation is dependent on CONFIG_ARGO.
Introduces a new Xen command line parameter 'argo': bool to enable/disable
the argo hypercall. Defaults to disabled.
New headers:
public/argo.h: with definions of addresses and ring structure, including
indexes for atomic update for communication between domain and hypervisor.
xen/argo.h: to expose the hooks for integration into domain lifecycle:
argo_init: per-domain init of argo data structures for domain_create.
argo_destroy: teardown for domain_destroy and the error exit
path of domain_create.
argo_soft_reset: reset of domain state for domain_soft_reset.
Adds a new field to struct domain: struct argo_domain *argo;
In accordance with recent work on _domain_destroy, argo_destroy is
idempotent. It will tear down: all rings registered by this domain, all
rings where this domain is the single sender (ie. specified partner,
non-wildcard rings), and all pending notifications where this domain is
awaiting signal about available space in the rings of other domains.
A count will be maintained of the number of rings that a domain has
registered in order to limit it below the fixed maximum limit defined here.
Macros are defined to verify the internal locking state within the argo
implementation. The macros are ASSERTed on entry to functions to validate
and document the required lock state prior to calling.
The hash function for the hashtables that hold ring state is derived from
the string hashing function djb2 (http://www.cse.yorku.ca/~oz/hash.html)
by Daniel J. Bernstein. Basic testing with a limited number of domains and
ports has shown reasonable distribution for the table size.
The software license on the public header is the BSD license, standard
procedure for the public Xen headers. The public header was originally
posted under a GPL license at: [1]:
https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html
The following ACK by Lars Kurth is to confirm that only people being
employees of Citrix contributed to the header files in the series posted at
[1] and that thus the copyright of the files in question is fully owned by
Citrix. The ACK also confirms that Citrix is happy for the header files to
be published under a BSD license in this series (which is based on [1]).
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Acked-by: Lars Kurth <lars.kurth@citrix.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
v5 xen-project#4 Roger: tweak command line doc: remove statement about top level bool
v5: add compat validation macros to primary source file: common/argo.c
v5: dropped external file for compat macros: common/compat/argo.c
v4: removed FIXME for removing argo_destroy from domain_kill
v4 Jan: amend the command line doc text referring to build configuration
v4 : use standard data structures as per common code
v4 Jan: replace hash_index with djb2-derived hash algorithm
v4 Andrew: switch argo command line option to list argo=<bool>
v4 xen-project#4 Roger: drop unneeded init of ring_count in argo_domain_init
v4 xen-project#4 Roger: replace if (ring_info->mfns) with ASSERTs in ring_unmap
v4 xen-project#4 Roger: rewrite the locking verification macros
v4 xen-project#4 Roger: make L1 lock description comment clearer about R(L1) and W(L1)
v4 Andrew: fix split of dprintk in ring_map_info across v4 commits
v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init
v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation
v3 xen-project#7 Jan: rename ring_find_info to find_ring_info
v3 xen-project#4 Andrew: don't truncate args do_argo_op printk
v3 xen-project#7 Jan: fix numeric entries in printk format strings
v3 #10 Roger: move find functions to top of file and drop prototypes
v3 xen-project#4 Jan: meld compat check for hypercall arg types
v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state
v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn
v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init
v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays
v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set
v3 xen-project#4 Roger: remove unused and confusing d->argo_lock
v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO
v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op
v3 xen-project#4 Roger: add const to domain arg to ring_remove_info
v3 xen-project#4 Roger: use XFREE
v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove
v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t*
v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len
v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs
v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct
v3 xen-project#4 Eric: moved ring_find_info from register op into this commit
v3 moved hash_index function, nospec include from register op to this commit
v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit
v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn
v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order
v3 Added Ross's Reviewed-by.
v2 rewrite locking explanation comment
v2 header copyright line now includes 2019
v2 self: use ring_info backpointer in pending_ent to maintain npending
v2 self: rename all_rings_remove_info to domain_rings_remove_all
v2 feedback Jan: drop cookie, implement teardown
v2 self: add npending to track number of pending entries per ring
v2 self: amend comment on locking; drop section comments
v2 cookie_eq: test low bits first and use likely on high bits
v2 self: OVERHAUL
v2 self: s/argo_pending_ent/pending_ent/g
v2 self: drop pending_remove_ent, inline at single call site
v1 feedback Roger, Jan: drop argo prefix on static functions
v2 xen-project#4 Lars: add Acked-by and details to commit message.
v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown
v2 bugfix: xsm use in soft-reset prior to introduction
v2 feedback #9 Jan: drop 'message' from do_argo_message_op
v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes
v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns.
v1 xen-project#5 feedback Paul: init/destroy : use currd
v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/
v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5.
v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer
v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk
v1. xen-project#5 feedback Paul: change the license on public header to BSD
- ack from Lars at Citrix.
v1. self, Jan: drop unnecessary xen include from sched.h
v1. self, Jan: drop inclusion of public argo.h in private one
v1. self, Jan: add include of public argo.h to argo.c
v1. self, Jan: drop fwd decl of argo_domain in priv header
v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile
v1. self: removed allocation of event channel since switching to VIRQ
v1. self: drop types.h include from private argo.h
v1: reorder public argo include position
v1: #13 feedback Jan: public namespace: prefix with xen
v1: self: rename pending ent "id" to "domain_id"
v1: self: add domain_cookie to ent struct
v1. #15 feedback Jan: make cmd unsigned
v1. #15 feedback Jan: make i loop variable unsigned
v1: self: adjust dprintks in init, destroy
v1: #18 feedback Jan: meld max ring count limit
v1: self: use type not struct in public defn, affects compat gen header
v1: feedback #15 Jan: handle upper-halves of hypercall args
v1: add comment explaining the 'magic' field
v1: self + Jan feedback: implement soft reset
v1: feedback #13 Roger: use ASSERT_UNREACHABLE
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the new mac-permissive flag that is added to the argo boot option here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, the new option "mac-permissive" for the argo bootparam enables overriding this. eg: "argo=1,mac-permissive=1" The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v5 xen-project#7 Roger: add BUILD_BUG_ON for MAX_RING_SIZE, PAGE_SIZE v5 xen-project#7 Roger: gprintk(XENLOG_ERR,.. for denied existing ring v5: add compat validation macros to primary source file: common/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5: dropped external file for compat macros: common/compat/argo.c v4 v3#07 Jan: shrink critical sections in register_ring v4 v3#07 Jan: revise register flag MASK in header, note 32-bitness of args v4 feedback: use standard data structures per common code, not loop macros v4 Andrew: use the single argo command line option list v4 xen-project#7 Jan: rewrite find_ring_mfn to use check_get_page_from_gfn v4 xen-project#7 Roger: add FIXME to ring_map_page for vmap contiguous ring mapping v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v5: add compat validation macros to primary source file: common/argo.c v5: dropped external file for compat macros: common/compat/argo.c v4 # Jan: shrink the critical sections in unregister v4 : use standard data structures as per common code v4 xen-project#8 Roger: skip send_info lookup for wildcard rings v4: add ASSERT_UNREACHABLE for missing sender domain or send_info v4: reduce indentation by using goto v4: add unlikely to currd->argo check v4 xen-project#8 Jan: move put_domain outside L2 critical section v4: include ring data in debug output when ring not found v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v5 #09 Roger: add comment explaining post-iovs tx_ptr round up + wrap v5 #09 Roger: remove redundant len bounds check vs MAX_ARGO_MESSAGE_SIZE v5 #09 Roger: ringbuf_insert: WARN not ERR on empty iovs v5 #09 Roger: bugfix: set rc = -EFAULT if !guest_handle_okay v5 use EBUSY when cannot add to the pending ent queue: many domains active v5: add compat validation macros to primary source file: common/argo.c v5: dropped external file for compat macros: common/compat/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5 : switch argo_iov to needs translation in xlat.lst v4 Jan: remove use of fixed-width types from iov_count, ringbuf_insert v4 xen-project#7 Jan: shrink critical sections in sendv v3 xen-project#7 Jan: header: note 32-bitness of hypercall message tuype arg v4 : use standard data structures as per common code v4 self: bugfix memcpy_to_guest_ring: head_len must check (offset + len) v4 #09 Roger: drop MESSAGE from VIRQ_ARGO_MESSAGE v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> v5: add EBUSY ent flag when too many domains are already on pending list v5: reorder notify flags: error flags last, fixed state first v5: add compat validation macros to primary source file: common/argo.c v5 : convert hypercall arg structs to struct form for compat checking v5: dropped external file for compat macros: common/compat/argo.c v4 #10 Roger: consolidate notify flags; infer pending notify if needed v4 bugfix: take L3 before accessing ring_info in fill_ring_data v4 #10 Roger: shorten notify flag names: drop _DATA_F v4 #10 self/Roger: fill_ring_data: check pending_requeue error code v4 : use standard data structures as per common code v4 #10 Roger: lower indentation in fill_ring_data by using goto v4 #10 Roger: reword the XEN_ARGO_RING_DATA_F_SUFFICIENT comment v4 fix location of a FIXME that was incorrectly moved by this later commit v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring
eric-ch
pushed a commit
to eric-ch/xen
that referenced
this pull request
Jan 25, 2019
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
May 10, 2021
ASAN reported one issue when Live Updating Xenstored:
=================================================================
==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
WRITE of size 1 at 0x7ffc194f53e0 thread T0
#0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
#1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
#2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
xen-project#3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
xen-project#4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
xen-project#5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
xen-project#6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
xen-project#7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
xen-project#8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
#0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
This frame has 2 object(s):
[32, 40) 'head' (line 1233)
[64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
This is happening because the callers are passing a pointer to a variable
allocated on the stack. However, the field perms is a dynamic array, so
Xenstored will end up to read outside of the variable.
Rework the code so the permissions are written one by one in the fd.
Fixes: ed6eebf ("tools/xenstore: dump the xenstore state for live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Jan 31, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <dfaggioli@suse.com> Tested-by: James Fehlig <jfehlig@suse.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Feb 16, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <dfaggioli@suse.com> Tested-by: James Fehlig <jfehlig@suse.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> master commit: d9d3496 master date: 2022-01-31 10:58:07 +0100
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Feb 16, 2022
…ning NULL If we are in libxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out, which the caller should have initialized to 0. The current behavior could be problematic if are creating a domain and, in the meantime, an existing one is destroyed when we have already done some steps of the loop. At which point, we'd return a NULL list of vcpus but with something different than 0 as the number of vcpus in that list. And this can cause troubles in the callers (e.g., nr_vcpus_on_nodes()), when they do a libxl_vcpuinfo_list_free(). Crashes due to this are rare and difficult to reproduce, but have been observed, with stack traces looking like this one: #0 libxl_bitmap_dispose (map=map@entry=0x50) at libxl_utils.c:626 #1 0x00007fe72c993a32 in libxl_vcpuinfo_dispose (p=p@entry=0x38) at _libxl_types.c:692 #2 0x00007fe72c94e3c4 in libxl_vcpuinfo_list_free (list=0x0, nr=<optimized out>) at libxl_utils.c:1059 xen-project#3 0x00007fe72c9528bf in nr_vcpus_on_nodes (vcpus_on_node=0x7fe71000eb60, suitable_cpumap=0x7fe721df0d38, tinfo_elements=48, tinfo=0x7fe7101b3900, gc=0x7fe7101bbfa0) at libxl_numa.c:258 xen-project#4 libxl__get_numa_candidate (gc=gc@entry=0x7fe7100033a0, min_free_memkb=4233216, min_cpus=4, min_nodes=min_nodes@entry=0, max_nodes=max_nodes@entry=0, suitable_cpumap=suitable_cpumap@entry=0x7fe721df0d38, numa_cmpf=0x7fe72c940110 <numa_cmpf>, cndt_out=0x7fe721df0cf0, cndt_found=0x7fe721df0cb4) at libxl_numa.c:394 xen-project#5 0x00007fe72c94152b in numa_place_domain (d_config=0x7fe721df11b0, domid=975, gc=0x7fe7100033a0) at libxl_dom.c:209 xen-project#6 libxl__build_pre (gc=gc@entry=0x7fe7100033a0, domid=domid@entry=975, d_config=d_config@entry=0x7fe721df11b0, state=state@entry=0x7fe710077700) at libxl_dom.c:436 xen-project#7 0x00007fe72c92c4a5 in libxl__domain_build (gc=0x7fe7100033a0, d_config=d_config@entry=0x7fe721df11b0, domid=975, state=0x7fe710077700) at libxl_create.c:444 xen-project#8 0x00007fe72c92de8b in domcreate_bootloader_done (egc=0x7fe721df0f60, bl=0x7fe7100778c0, rc=<optimized out>) at libxl_create.c:1222 #9 0x00007fe72c980425 in libxl__bootloader_run (egc=egc@entry=0x7fe721df0f60, bl=bl@entry=0x7fe7100778c0) at libxl_bootloader.c:403 #10 0x00007fe72c92f281 in initiate_domain_create (egc=egc@entry=0x7fe721df0f60, dcs=dcs@entry=0x7fe7100771b0) at libxl_create.c:1159 #11 0x00007fe72c92f456 in do_domain_create (ctx=ctx@entry=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, restore_fd=restore_fd@entry=-1, send_back_fd=send_back_fd@entry=-1, params=params@entry=0x0, ao_how=0x0, aop_console_how=0x7fe721df10f0) at libxl_create.c:1856 #12 0x00007fe72c92f776 in libxl_domain_create_new (ctx=0x7fe71001c840, d_config=d_config@entry=0x7fe721df11b0, domid=domid@entry=0x7fe721df10a8, ao_how=ao_how@entry=0x0, aop_console_how=aop_console_how@entry=0x7fe721df10f0) at libxl_create.c:2075 Signed-off-by: Dario Faggioli <dfaggioli@suse.com> Tested-by: James Fehlig <jfehlig@suse.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> master commit: d9d3496 master date: 2022-01-31 10:58:07 +0100
olafhering
pushed a commit
to olafhering/xen
that referenced
this pull request
Mar 14, 2022
At the moment, Xen does not decode any of the arm64 instructions. This means that when hsr_dabt.isv == 0, Xen cannot handle those instructions. This will lead to Xen to abort the guests (from which those instructions originate). With this patch, Xen is able to decode ldr/str post indexing instructions. These are a subset of instructions for which hsr_dabt.isv == 0. The following instructions are now supported by Xen :- 1. ldr x2, [x1], xen-project#8 2. ldr w2, [x1], #-4 3. ldr x2, [x1], #-8 4. ldr w2, [x1], xen-project#4 5. ldrh w2, [x1], #2 6. ldrb w2, [x1], #1 7. str x2, [x1], xen-project#8 8. str w2, [x1], #-4 9. strh w2, [x1], #2 10. strb w2, [x1], #1 In the subsequent patch, decode_arm64() will get invoked when hsr_dabt.isv == 0. Signed-off-by: Ayan Kumar Halder <ayankuma@xilinx.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
sound driver to communicate with each to other.
Signed-off-by: Oleksandr Andrushchenko Oleksandr_Andrushchenko@epam.com
Signed-off-by: Oleksandr Grytsov Oleksandr_Grytsov@epam.com
Signed-off-by: Oleksandr Dmytryshyn oleksandr.dmytryshyn@globallogic.com
Signed-off-by: Iurii Konovalenko iurii.konovalenko@globallogic.com
Changes since v1:
Changes since v2:
Changes since v3:
Changes since v4:
Changes since v5:
passed via shared page
to the defined sound device in the backend using those parameters)
Changes since v6:
Changes since v7:
(fields, PCM formats etc.)
static XENSND_MAX_PAGES_PER_REQUEST
buffer from the open request is used for these operations to pass data
of 0.001 dBm, while 0 being 0dBm.
Changes since v8:
devices/streams
decimals w/o any particular ordering
are contiguous
Changes since v9:
Changes since v10:
Changes since v11:
Changes since v12: